Utilizing STIX to Foreshadow Cybersecurity Risks
Exploring STIX: How to Utilize Open Source Threat Intelligence
During this three-part blog series, the VerSprite Geopolitical Risk (GPR) team will take a deeper dive into how the Structured Threat Information eXpression, or STIX, data format can provide detailed information on cyber campaigns and cyber threats.
A cyber campaign, or campaign, is a series of attempted intrusions against one or more entities for a specific purpose. VerSprite believes campaigns give cybersecurity practitioners the context needed to help organizations strengthen their cybersecurity initiatives.
GPR is especially interested in STIX because campaigns can provide evidence that geopolitical events foreshadow the cybersecurity risks an organization may face.
In this blog post, the first of a three-part series, we will start by:
- Defining STIX
- Reviewing the origins of STIX
- Providing examples of how companies endorse STIX
Interested in learning more about working with STIX? VerSprite encourages organizations and cyber threat intelligence (CTI) professionals to learn more about STIX in order to understand how the data format can benefit their organization. Contact VerSprite to discover resources, tools, and methodologies related to STIX.
What is STIX: Structured Threat Information eXpression:
STIX is a way to organize digital information so entities, such as businesses and government agencies, can easily understand and share actionable information regarding cyber attacks, such as information regarding threat actors.
Because STIX requires organizations to collect, structure, and transmit their data in a specified manner, it lets institutions share information about cyber attacks in a form that professionals across industries can understand and that software can process automatically.
The structure of STIX 2, in fact, is based on concepts, or domain objects, cybersecurity analysts believe are fundamental to understanding cyber attacks.
Below are the twelve domain objects in STIX 2, a short abstraction of each, and the primary features of each:
|Domain Object||Abstraction||Primary Features|
|Attack Pattern||How an attack was carried out.||Lets threat intelligence analysts infer which threat actors may be targeting various organizations, since actors tend to reuse their techniques.|
|Identity||An entity of interest, such as an individual, organization, or sector.||Lets entities, both governmental and non-governmental, make claims about potential threat actors and victims, and describes an attacker or target of interest.|
|Report||A collection of threat intelligence on one topic.||Ties related objects together and provides the reference which establishes credibility in reports or discussions.|
|Threat Actor||An individual or group believed to operate with malicious intent.||Lets organizations make predictions about an attacker, including attack methods and possible motives. The value of the Threat Actor object cannot be overstated: companies write reports on threat actors regularly, and these reports show the targets of various threat actors and their common attack methods.|
|Campaign||A series of cyber attacks conducted for a main objective.||Provides context on previous cyber attacks against a person or industry.|
|Course of Action||Steps taken to prevent or respond to cyber attacks.||Records how agencies, whether governmental or non-governmental, responded to a cybersecurity threat.|
|Indicator||A detectable pattern which suggests malicious activity.||Describes observable features of an attack, such as domain names, URLs, or email addresses, which threat actors used for malicious purposes.|
|Intrusion Set||A grouped set of adversarial behaviors and resources believed to be orchestrated by a single organization.||Provides information which can identify a threat actor or its attack methods.|
|Malware||Malicious code or software used in an attack.||Describes the unique properties of malware used in a cyber attack.|
|Observed Data||Raw information observed on systems or networks, such as an IP address, file, or network connection.||Conveys the concrete properties of an attack to an audience.|
|Tool||Legitimate software which threat actors use to perform attacks.||Lists software which threat actors use to accomplish cyber attacks.|
|Vulnerability||A mistake in software which can be exploited to gain access to a system or network.||Lists software flaws which threat actors can exploit to compromise systems.|
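To make the table concrete, here is an added example (written for this post, not VerSprite's or OASIS's code) which builds a small STIX 2.1 bundle from several of the domain objects above plus the relationships between them, and then checks the structural rules every STIX consumer relies on: identifiers are of the form type--UUID and the prefix matches the object's type, timestamps are RFC 3339 UTC, each object carries its required properties, and every relationship points at an object that is actually in the bundle. All names, the domain and the UUIDs are constructed for illustration, and only the standard library is used.

```python
"""Structural checks for a STIX 2.1 bundle, using only the Python standard library.

Added example, not VerSprite's code. The bundle below is constructed for
illustration; its names, domain and UUIDs are made up.
"""
import copy
import re

# The twelve STIX Domain Objects from the table above (the STIX 2.0 set; 2.1 added
# more, e.g. grouping, infrastructure, location, malware-analysis, note, opinion).
SDO_TYPES = {
    "attack-pattern", "campaign", "course-of-action", "identity", "indicator",
    "intrusion-set", "malware", "observed-data", "report", "threat-actor",
    "tool", "vulnerability",
}
SRO_TYPES = {"relationship", "sighting"}

# Type-specific required properties for the object types this example exercises.
REQUIRED = {
    "identity": ("name", "identity_class"),
    "threat-actor": ("name",),
    "campaign": ("name",),
    "malware": ("is_family",),
    "indicator": ("pattern", "pattern_type", "valid_from"),
    "relationship": ("relationship_type", "source_ref", "target_ref"),
}

# STIX identifiers are "<type>--<UUID>"; timestamps are RFC 3339 in UTC with a 'Z'.
ID_RE = re.compile(r"^([a-z0-9-]+)--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,6})?Z$")


def _ts_key(value):
    """Sort key for an already validated timestamp: (seconds part, fraction)."""
    base, _, frac = value[:-1].partition(".")
    return (base, float("0." + frac) if frac else 0.0)


def check_object(obj):
    """Return the problems found in one SDO or SRO; an empty list means it passed."""
    errors = []
    oid, otype = obj.get("id", ""), obj.get("type")
    match = ID_RE.match(oid)
    if not match:
        errors.append(f"{oid!r}: id is not '<type>--<UUID>'")
    elif match.group(1) != otype:
        errors.append(f"{oid}: id prefix does not match type {otype!r}")
    if otype not in SDO_TYPES | SRO_TYPES:
        errors.append(f"{oid}: unknown object type {otype!r}")
    if obj.get("spec_version") != "2.1":
        errors.append(f"{oid}: spec_version must be '2.1'")
    stamps = {ts: str(obj.get(ts, "")) for ts in ("created", "modified")}
    for ts, value in stamps.items():
        if not TS_RE.match(value):
            errors.append(f"{oid}: {ts} is not an RFC 3339 UTC timestamp")
    if all(TS_RE.match(v) for v in stamps.values()) and _ts_key(stamps["modified"]) < _ts_key(stamps["created"]):
        errors.append(f"{oid}: modified precedes created")
    for prop in REQUIRED.get(otype, ()):
        if prop not in obj:
            errors.append(f"{oid}: missing required property {prop!r}")
    return errors


def check_bundle(bundle):
    """Check the bundle framing, each object, and that relationship refs resolve inside the bundle."""
    errors = []
    bid = bundle.get("id", "")
    if bundle.get("type") != "bundle" or not bid.startswith("bundle--") or not ID_RE.match(bid):
        errors.append(f"{bid!r}: bundle has bad type or id")
    objects = bundle.get("objects", [])
    known = {o.get("id") for o in objects}
    for obj in objects:
        errors.extend(check_object(obj))
        if obj.get("type") == "relationship":
            for ref in ("source_ref", "target_ref"):
                if obj.get(ref) not in known:
                    errors.append(f"{obj.get('id')}: {ref} {obj.get(ref)!r} is not in the bundle")
    return errors


# --- constructed sample data (made-up UUIDs, names and domain) ---
TS = "2021-03-01T09:00:00.000Z"
CAMPAIGN = "campaign--aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"
ACTOR = "threat-actor--11111111-2222-4333-8444-555555555555"
VICTIM = "identity--0a1b2c3d-4e5f-4a6b-8c9d-0e1f2a3b4c5d"
SPYWARE = "malware--12345678-90ab-4cde-8f01-234567890abc"
C2 = "indicator--fedcba98-7654-4321-8fed-cba987654321"


def stix_obj(oid, **props):
    """Constructed object with the common properties filled in; type is taken from the id."""
    return {"type": oid.split("--")[0], "spec_version": "2.1", "id": oid,
            "created": TS, "modified": TS, **props}


def rel(n, rtype, source, target):
    """Constructed Relationship Object; n becomes the last UUID field."""
    return stix_obj(f"relationship--00000000-0000-4000-8000-{n:012d}",
                    relationship_type=rtype, source_ref=source, target_ref=target)


SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--7f3a1e90-2b4c-4d5e-8f60-718293a4b5c6",
    "objects": [
        stix_obj(CAMPAIGN, name="Constructed Campaign"),
        stix_obj(ACTOR, name="Constructed Actor", threat_actor_types=["nation-state"]),
        stix_obj(VICTIM, name="Constructed Media Outlet", identity_class="organization"),
        stix_obj(SPYWARE, name="Constructed Spyware", is_family=True),
        stix_obj(C2, name="Constructed C2 domain", pattern_type="stix",
                 pattern="[domain-name:value = 'update.example.invalid']", valid_from=TS),
        rel(1, "attributed-to", CAMPAIGN, ACTOR),
        rel(2, "targets", CAMPAIGN, VICTIM),
        rel(3, "uses", CAMPAIGN, SPYWARE),
        rel(4, "indicates", C2, SPYWARE),
    ],
}


def broken_bundle_errors():
    """Corrupt a copy (type/id mismatch, dangling target_ref) and return what the checks report."""
    bad = copy.deepcopy(SAMPLE_BUNDLE)
    bad["objects"][3]["type"] = "tool"  # the id still says malware--
    bad["objects"][6]["target_ref"] = "identity--00000000-0000-4000-8000-00000000dead"
    return check_bundle(bad)


if __name__ == "__main__":
    print("clean bundle:", check_bundle(SAMPLE_BUNDLE) or "no problems")
    print("broken bundle:", *broken_bundle_errors(), sep="\n  ")
```

The reference STIX 2 implementation is the OASIS `stix2` Python library, which performs these and many more checks; the hand-rolled version above is only meant to show what the domain-object table means in bytes on the wire, and why a feed consumer should reject a bundle whose relationships do not resolve rather than silently dropping the edges.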
STIX and TAXII:
Sharing information about cyber attacks in a formatted way, such as the domain objects in the table above, allows organizations to manage cybersecurity risks. Information about courses of action, for example, can provide organizations with insight on how to prevent risks associated with specific types of malware, attack patterns, and vulnerabilities.
Members of Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs) share STIX-formatted data so that security professionals can analyze it and provide actionable advice. Other companies offer services which inform security professionals about their organization's cybersecurity risks.
In 2012, the Department of Homeland Security (DHS) funded MITRE to develop Structured Threat Information eXpression (STIX), a data standard which could provide users with information on cybersecurity incidents, such as breaches or attempted compromises.
MITRE created a data format which allowed multiple organizations to understand cybersecurity risks in common terms. From a reactive perspective, companies could manage risk by patching vulnerabilities other organizations had reported. They could also take a proactive approach by analyzing STIX data for patterns, such as the primary motivations or goals of threat actors targeting their sector. In both cases, STIX lets organizations learn more about their threat landscape.
In 2015, DHS and MITRE transitioned STIX to the Organization for the Advancement of Structured Information Standards (OASIS). OASIS is a nonprofit consortium which develops and maintains open standards for an international audience.
DHS claimed moving STIX to OASIS provided greater stakeholder participation in the development process to, “ensure the stability and continuing viability of STIX and TAXII as true international standards. These changes have the potential to significantly increase adoption and use of STIX and TAXII and thereby strengthen global cybersecurity practices.”
Two years after taking over STIX, OASIS released STIX 2. STIX 2 changed the language by: adopting JSON (in place of the XML used by STIX 1) as the serialization for exchanging information between organizations, removing rarely used data values, introducing a patterning language for indicators, and adding domain objects and relationships.
These changes made STIX more approachable. The new domain objects let companies map a cyber attack in terms (actors, campaigns, victims, tooling) a non-technical audience can follow, and JSON is far easier to generate and parse with everyday tooling than the XML of STIX 1, so a team does not need specialist data skills to produce or consume STIX-formatted data.
[Figure: an example of a mapped campaign.]
VerSprite created this map based on the 'Ethiopian Dissidents Targeted' campaign report from Citizen Lab. The JSON used to create the map is available by contacting VerSprite, which will also send two links to view STIX-formatted data.
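A campaign map like the one in the figure is really a graph walk over STIX Relationship Objects. The added example below (written for this post; it is neither VerSprite's code nor the Citizen Lab data behind the figure) indexes a constructed set of objects and answers the two questions such a map exists to answer: one hop out from the campaign, who is it attributed to, whom did it target, and what did it use; and two hops out, which indicators point at the malware and tools the campaign used, so a SOC can pull detection content straight from the campaign node. Objects are abbreviated to the properties the traversal needs; every name, pattern and UUID is made up.

```python
"""Walk the relationship graph of a STIX 2 bundle to summarise a campaign.

Added example, not VerSprite's code and not the Citizen Lab data behind the figure.
Objects are abbreviated to the properties the traversal needs (the common
created/modified/spec_version properties are left out); names and UUIDs are made up.
"""
from collections import defaultdict

CAMPAIGN = "campaign--aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"
ACTOR = "threat-actor--11111111-2222-4333-8444-555555555555"
OUTLET = "identity--0a1b2c3d-4e5f-4a6b-8c9d-0e1f2a3b4c5d"
NGO = "identity--0a1b2c3d-4e5f-4a6b-8c9d-0e1f2a3b4c5e"
SPYWARE = "malware--12345678-90ab-4cde-8f01-234567890abc"
LOADER = "tool--12345678-90ab-4cde-8f01-234567890abd"
C2_DOMAIN = "indicator--fedcba98-7654-4321-8fed-cba987654321"
DROPPER = "indicator--fedcba98-7654-4321-8fed-cba987654322"


def rel(n, rtype, source, target):
    """Constructed STIX Relationship Object (SRO) linking two objects."""
    return {"type": "relationship", "id": f"relationship--00000000-0000-4000-8000-{n:012d}",
            "relationship_type": rtype, "source_ref": source, "target_ref": target}


SAMPLE_OBJECTS = [  # constructed sample data
    {"type": "campaign", "id": CAMPAIGN, "name": "Constructed Campaign"},
    {"type": "threat-actor", "id": ACTOR, "name": "Constructed Actor"},
    {"type": "identity", "id": OUTLET, "name": "Diaspora media outlet", "identity_class": "organization"},
    {"type": "identity", "id": NGO, "name": "Human-rights NGO staff", "identity_class": "class"},
    {"type": "malware", "id": SPYWARE, "name": "Constructed Spyware", "is_family": True},
    {"type": "tool", "id": LOADER, "name": "Constructed Loader"},
    {"type": "indicator", "id": C2_DOMAIN, "name": "C2 domain", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'update.example.invalid']"},
    {"type": "indicator", "id": DROPPER, "name": "Dropper hash", "pattern_type": "stix",
     "pattern": "[file:hashes.'SHA-256' = '" + "00" * 32 + "']"},
    rel(1, "attributed-to", CAMPAIGN, ACTOR),
    rel(2, "targets", CAMPAIGN, OUTLET),
    rel(3, "targets", CAMPAIGN, NGO),
    rel(4, "uses", CAMPAIGN, SPYWARE),
    rel(5, "uses", CAMPAIGN, LOADER),
    rel(6, "indicates", C2_DOMAIN, SPYWARE),
    rel(7, "indicates", DROPPER, LOADER),
]


class StixGraph:
    """Index SDOs by id and SROs by (endpoint, relationship_type) for cheap traversal."""

    def __init__(self, objects):
        self.by_id = {o["id"]: o for o in objects if o["type"] != "relationship"}
        self.out = defaultdict(list)      # (source_ref, relationship_type) -> [target_ref]
        self.inbound = defaultdict(list)  # (target_ref, relationship_type) -> [source_ref]
        for o in objects:
            if o["type"] == "relationship":
                self.out[(o["source_ref"], o["relationship_type"])].append(o["target_ref"])
                self.inbound[(o["target_ref"], o["relationship_type"])].append(o["source_ref"])

    def names(self, ids):
        """Resolve ids to object names, skipping refs that are not in the bundle."""
        return sorted(self.by_id[i]["name"] for i in ids if i in self.by_id)

    def campaign_summary(self, campaign_id):
        """One hop from the campaign: who is blamed, who was hit, what was used."""
        return {
            "attributed_to": self.names(self.out[(campaign_id, "attributed-to")]),
            "targets": self.names(self.out[(campaign_id, "targets")]),
            "uses": self.names(self.out[(campaign_id, "uses")]),
        }

    def campaign_indicators(self, campaign_id):
        """Two hops: campaign -uses-> malware/tool <-indicates- indicator; returns the STIX patterns."""
        patterns = []
        for used in self.out[(campaign_id, "uses")]:
            for ind in self.inbound[(used, "indicates")]:
                patterns.append(self.by_id[ind]["pattern"])
        return sorted(patterns)


if __name__ == "__main__":
    graph = StixGraph(SAMPLE_OBJECTS)
    print(graph.campaign_summary(CAMPAIGN))
    print(graph.campaign_indicators(CAMPAIGN))
```

The same two methods, run against a real bundle exported from a threat intelligence platform, give the business-facing view ("this campaign is attributed to X and has targeted organizations like us") and the technical one (the indicator patterns to load into detection tooling) from a single data set, which is the point of mapping a campaign in STIX rather than in a slide deck.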
Open Source Data Driven Cybersecurity:
OASIS publishes the rules which define STIX, such as which information must be included in a given data value and what each data value represents. The Cyber Threat Intelligence Technical Committee (CTI TC) determines, by majority vote, the STIX standards OASIS publishes.
The CTI TC is a group of OASIS members who work on projects related to, “cybersecurity situational awareness, real-time network defense, and sophisticated threat analysis.” OASIS strongly encourages member participation in its committees, and scales its membership plans to the size and type of organization seeking entry.
Organizations outside the CTI TC, such as government agencies and private companies, also support STIX. There are five roles organizations can fill to encourage STIX adoption:
|How Organizations Support STIX:|
|Role of Organization:||Description:||Searchable Efforts:|
|Organizations add queries or scripts which ease data management tasks||Organizations aid one another by sharing queries or scripts which filter STIX data.||New Context|
|Organizations share intelligence on cybersecurity incidents||Threat intelligence providers, Information Sharing and Analysis Centers (ISACs), and Information Sharing and Analysis Organizations (ISAOs) give organizations insight into industry-specific cybersecurity risks.||SWIFT ISAC; Arizona Cyber Threat Response Alliance; X-Force Threat Intelligence|
|Organizations share data on cybersecurity incidents||Collecting data which represents cyber attacks is vital for organizations' analysis work.||AIS (the DHS Automated Indicator Sharing program)|
|Organizations share understandings of STIX||People share information about STIX which helps industry leaders learn how STIX works and what STIX-formatted data can be used for.||cti mailing list|
|Organizations work with OASIS||Organizations can join OASIS to vote on data standards. People can also recommend changes to STIX by contacting CTI TC members directly or by submitting a comment to the CTI TC comment mailing list.||CTI TC members, editors, and chairpersons; recommendations from various companies|
Each Action Persuades Organizations to Adopt STIX in Unique Ways
Queries which ease data management tasks convince organizations that STIX is easy to use. Companies which report cybersecurity findings give other companies a picture of their own cybersecurity risks. Entities which share STIX-formatted data give companies information they can use to analyze cyber attacks. Groups which share knowledge about STIX help organizations use STIX with ease.
Working with OASIS, especially as a CTI TC member, lets organizations shape the standards OASIS adopts, such as the adoption of JSON as a serialization, which reduces the effort an organization must exert to use STIX.
VerSprite and Threat Intelligence Sharing
VerSprite is a cybersecurity consulting firm which specializes in providing businesses with risk management solutions. Its practice areas include application technology solutions, development interface specializations, governance and compliance measures, and more. VerSprite's Geopolitical Risk (GPR) team focuses on mitigating cybersecurity risks foreshadowed by geopolitical events.
Organizations can learn about their threat environments by contacting VerSprite's security experts. Traditional GPR services include conducting due diligence investigations, vetting vendors and partners, preparing businesses for expansion, and assessing the effectiveness of cybersecurity plans or strategies.
Businesses working with partner companies should also consider GPR's merger and acquisition and joint business services. GPR will also soon offer new services related to STIX, which will be discussed in the third post of this series. The next post in this three-part series will discuss how STIX can provide information about cyber campaigns which informs business leaders about both cybersecurity and geopolitical risks.
A Quick Guide to Geopolitical Risk [EBook]
Cybersecurity and geopolitics are inextricably linked. To holistically tackle threats to our information security, we must take a step back and examine their causal roots and drivers, which take place day after day on the international stage.