Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:17 PM
Connect Directly

New Lingua Franca For Exchanging Cyberattack Intelligence

Free, open-source framework from Mandiant aimed at simplifying the sharing of attack information technical details among victim organizations

It's not easy for organizations to share firsthand attack intelligence in a confidential or even meaningful way, so many don't bother, which gives the bad guys another leg up. But tools to facilitate the sharing of attack information are gradually emerging: most recently, a new open-source framework for describing the technical earmarks of a specific threat.

The so-called Open Indicators of Compromise (OpenIOC) released last week by Mandiant is one layer of facilitating the anonymous sharing of attack intelligence among victim organizations. Mandiant originally built the technology in-house for its homegrown tools and forensics engagements, and is now offering it in the public domain.

There's no single, standardized way for how people to share attack intelligence, says Dave Merkel, CTO at Mandiant. "The technologies used to deploy are varied and not consistent in a way to take intelligence and boil it down to something ... actionable. It's fragmented," he says.

Mandiant originally created IOC for its internal use. "We needed a way to bridge technology and intelligence. That's important because we have services and products," Merkel says. And Mandiant's clients started asking if they could use IOC as well.

Merkel says the idea is to offer security vendors a standardized way to represent intelligence for their products to "consume" and share, but for now, most of the early OpenIOC adopters are organizations in the government, defense, and energy industries.

Mitre also offers a similar open schema, with its Malware Attribute Enumeration and Characterization (MAEC), which provides a standard language for encoding and communicating information -- specifically about malware.

"The characterization of malware using such abstract patterns offers a wide range of benefits over the usage of physical signatures. Namely, it allows for the accurate encoding of how malware operates and the specific actions that it performs. Such information can not only be used for malware detection but also for assessing the end-goal the malware is pursuing and the corresponding threat that it represents," according to the Mitre's description of MAEC.

The idea is to hone in on the malware's behavior and features to help detect threats that bypass existing security products, and to get rid of the confusion with existing malware descriptions and identification.

Mandiant's Merkel says some vendors have their own ways of representing threat intelligence information, and Mitre's MAEC is the closest thing to addressing what OpenIOC does. "We've talked and exchanged [information]. We are not solving the same problem the same way, though, but it's the closest thing I've seen to what OpenIOC [is]," he says.

OpenIOC is an XML-based standard, and Mandiant also is offering for free its IOC Finder tool for incident responders to share threat intelligence in a machine-readable format. OpenIOC also provides a format for describing an attacker's methodology, according to Mandiant. It currently has more than 500 indicator definitions.

"Over the long term, we'd like to build a community around it, sharing techniques in how they are using the schema," Merkel says. "I could see vendors supporting" it, he says.

But the big hurdle continues to be organizations that are wary, or unable to, share intelligence. While the defense industry and some government organizations have done so for some time, there's no go-to place for all organizations to share attack intelligence.

Verizon Business last year took a stab at helping to build out such a destination by releasing its Verizon Incident-Sharing (VerIS) framework for gathering and analyzing forensics data from a data breach that is the basis for its comprehensive annual data breach reports. The hope was that the framework would facilitate more cooperation and data-sharing among breach victim organizations. It's basically a tool for describing security incidents in a consistent way, according to Verizon executives.

Merkel says OpenIOC could serve as a subset of VERIS, for example. "This is solving a lower-order problem" than VERIS, he says.

The importance of intelligence-sharing among victim organizations is not lost on forensics experts. According to Verizon, as many as half of the security breaches it investigates are related to another attack in some way. So sharing that attack information in a way that can be incorporated into their security tools would help block future attacks, and help victims better understand the threats.

"The short-term benefit [of OpenIOC] is it's a consistent way to capture that information and apply it again and again" in a tactical way," Merkel says.

Long term, Merkel says he hopes more industries will build their own intelligence-exchange communities like the defense contractor community has done.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
US Counterintelligence Director & Fmr. Europol Leader Talk Election Security
Kelly Sheridan, Staff Editor, Dark Reading,  10/16/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-20
The Transaction Insight reporting component of TIBCO Software Inc.'s TIBCO Foresight Archive and Retrieval System, TIBCO Foresight Archive and Retrieval System Healthcare Edition, TIBCO Foresight Operational Monitor, TIBCO Foresight Operational Monitor Healthcare Edition, TIBCO Foresight Transaction...
PUBLISHED: 2020-10-20
The Boxstarter installer before version 2.13.0 configures C:\ProgramData\Boxstarter to be in the system-wide PATH environment variable. However, this directory is writable by normal, unprivileged users. To exploit the vulnerability, place a DLL in this directory that a privileged service is looking ...
PUBLISHED: 2020-10-20
In Spree before versions 3.7.11, 4.0.4, or 4.1.11, expired user tokens could be used to access Storefront API v2 endpoints. The issue is patched in versions 3.7.11, 4.0.4 and 4.1.11. A workaround without upgrading is described in the linked advisory.
PUBLISHED: 2020-10-20
DomainMOD before 4.14.0 uses MD5 without a salt for password storage.
PUBLISHED: 2020-10-20
Netwrix Account Lockout Examiner before 5.1 allows remote attackers to capture the Net-NTLMv1/v2 authentication challenge hash of the Domain Administrator (that is configured within the product in its installation state) by generating a single Kerberos Pre-Authentication Failed (ID 4771) event on a ...