Has your company recently been the target of malicious activity? Do you want to provide information related to the attack to help identify potential future attacks and help raise awareness for others and the community as a whole?
That’s where Cyber Observable eXpression (CybOX), Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII) come into play. This suite was established to standardize threat information sharing amongst participants.
CybOX is a standardization schema aimed at helping serialize information pertinent to tracking Cyber Threat Intelligence (CTI). This information provides specification, characterization and communication of events or stateful properties that are observable in all system and network operations. An array of cybersecurity use cases relies on event management / logging, malware characterization, and digital forensics, to name a few, to better understand trends in cyber attacks.
STIX is part of a collaboration effort to ensure such events are being relayed in a standardized, structured language to represent this information. The goal is to convey the full range of potential cyber threats and strives to be expressive and automatable, as well as human-readable. STIX is an open source project.
TAXII is the mechanism of relaying such information. There are various implementation methods, of which you can be a Consumer or a Producer. Consumers are those that retrieve the information from Producers or are a part of the network in such actions but in a “pulling” stance. Producers are entities providing the information to be “pulled” or retrieved by Consumers. See below for a visual representation:
*Cyber Threat Intelligence Technical Committee, https://oasis-open.github.io/cti-documentation/
Whether for a Consumer or a Producer, added information can help in distinguishing malicious trends and correlative IP address and hostnames. There are several public TAXII producers as well as STIX feeds that can be viewed here. Collaborative CTI sharing can help all parties involved and raise awareness in new trends and emerging zero-day attacks.
Sharing this information requires gathering information into an Indicator that is known as a STIX Domain Object (SDO). This Indicator contains a pattern of observable information, such as a file hash. Then comes a STIX Relationship Object (SRO) that represents the relationship between the Indicator and Malware objects. With the STIX content generated, this information can be shared by bundling the SDO and SRO into a STIX bundle and then sent to a TAXII Server via a TAXII Channel.
From there, the TAXII Server has the information that can be shared with other Consumers of that Server. Should Consumers of that that Server notice similar trends in their network, they would then generate a Sighting SRO to relay back to the TAXII Server and share it with that community. For a more thorough walk-through on getting this setup, visit this page.
In summary, you will be able to provide valuable information on possible malicious activity, providing observable data to help correlate similarities across the board, as well as further harden your own network based on this data by blocking IP addresses or hosts out on the web. For more details and how to use STIX, refer to:
https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=cti
– Emil Hozan
References
Cyber Threat Intelligence Technical Committee. Retrieved from https://oasis-open.github.io/cti-documentation/
Us-cert.gov contributors. Information Sharing Specifications for Cybersecurity. Retrieved from https://www.us-cert.gov/Information-Sharing-Specifications-Cybersecurity