Exploring STIX: How to Utilize Open Source Threat Intelligence
During this three-part blog series, the VerSprite Geopolitical Risk (GPR) team will take a deeper dive into how the Structured Threat Information eXpression, or STIX, data format can provide detailed information on cyber campaigns and cyber threats.
Cyber campaigns, or campaigns, in general, are a series of attempted breaches against an entity, or multiple entities, for a specific purpose. VerSprite believes cyber campaigns can provide cybersecurity practitioners with the critical information needed to help organizations strengthen their cybersecurity initiatives.
What is STIX: Structured Threat Information eXpression:
STIX is a way to organize digital information so entities, such as businesses and government agencies, can easily understand and share actionable information regarding cyber attacks, such as information regarding threat actors.
Because organizations are required to transmit, collect, and structure their data and information in a specified manner, STIX allows institutions to share information about cybersecurity attacks in a way that is easier for professionals of all industries to understand.
The structure of STIX 2, in fact, is based on concepts, or domain objects, that cybersecurity analysts believe are fundamental to understanding cyber attacks.
Below are the domain objects in STIX 2, a short abstraction of each domain object, and the primary features of each domain object:

| Domain Object | Abstraction | Primary Features |
|---|---|---|
| Attack Pattern | How an attack occurred. | Could allow threat intelligence analysts to make inferences about potential threat actors targeting various organizations. |
| Identity | An entity of interest. | Allows entities, both governmental and non-governmental, to make claims about potential threat actors and victims. Also provides an understanding of an attacker or target of interest. |
| Report | A source of information. | Provides sources of reference which establish credibility in reports or discussions. |
| Threat Actor | An entity which conducted a cyber attack. | Allows organizations to make predictions regarding an attacker, including attack methods and possible motives. The value of the threat actor domain cannot be overstated: companies write reports on threat actors regularly. These threat reports are meant to show the targets of various threat actors and their common attack methods. |
| Campaign | A series of cyber attacks conducted for a main objective. | A domain object which provides context regarding previous cyber attacks against a person or industry. |
| Course of Action | Steps taken to prevent or respond to cyber attacks. | Provides information on how agencies, whether governmental or non-governmental, responded to a cybersecurity threat. |
| Indicator | Detectable patterns of a cyber attack. | Describes observable features of an attack, such as domain names, links, or email addresses, which threat actors used for malicious purposes. |
| Intrusion Set | Information related to cyber attacks which suggests a single organization carried out multiple attacks. | Provides organizations with information which can identify either a threat actor or attack methods. |
| Observed Data | Observed information of systems related to a cyber attack. | Used to inform audiences about various properties of a cyber attack, such as IP addresses, files, or network connections. |
| Tool | Software used to perform attacks. | Lists software which threat actors use to accomplish cyber attacks. |
| Vulnerability | A mistake in software which can allow access to a system or network. | Lists mistakes in software which can allow threat actors to compromise systems. |
STIX and TAXII:
Sharing information about cyber attacks in a formatted way, such as the domain objects in the table above, allows organizations to manage cybersecurity risks. Information about courses of action, for example, can provide organizations with insight on how to prevent risks associated with specific types of malware, attack patterns, and vulnerabilities.
In 2012, the Department of Homeland Security (DHS) funded MITRE to develop Structured Threat Information eXpression (STIX), a data standard which could provide users with information on cybersecurity incidents, such as breaches or attempted compromises.
MITRE created a data format which allowed multiple organizations to understand cybersecurity risks. From a retroactive perspective, companies could manage risk by patching vulnerabilities other organizations shared. Organizations could also take a proactive approach by analyzing STIX data, such as patterns in the primary motivations or goals of threat actors. In both cases, STIX allows organizations to learn more about their threat landscape.
In 2015, DHS and MITRE transitioned STIX to the Organization for the Advancement of Structured Information Standards (OASIS). OASIS is a nonprofit consortium which develops and maintains data standards for international audiences.
DHS claimed moving STIX to OASIS provided greater stakeholder participation in the development process to “ensure the stability and continuing viability of STIX and TAXII as true international standards. These changes have the potential to significantly increase adoption and use of STIX and TAXII and thereby strengthen global cybersecurity practices.”
Two years after obtaining STIX, OASIS released STIX 2. STIX 2 altered STIX by: supporting JSON as a serialization to transmit information between organizations, removing unnecessary data values from STIX, creating a pattern language, and adding domain objects and relationships.
These changes made the STIX language more accessible. For example, the new domain objects allow companies to map information about cybersecurity attacks in ways non-technical audiences can understand. Furthermore, adding JSON as a data serialization allows users with less of a background in data science to share STIX formatted data.
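As an added example (not code from the VerSprite post, MITRE or OASIS), the following Python builds a small STIX 2.0 bundle by hand with the standard library only, then pivots across its Relationship objects from a threat actor to the indicators that detect its campaigns. Every name, id, pattern and objective is a constructed placeholder; the property names follow STIX 2.0 conventions (type-prefixed UUID ids, required `labels`, `spec_version` on the bundle), but no `stix2` library or validator is used.

```python
import uuid
from datetime import datetime, timezone

def now_iso():
    # STIX 2 timestamps: UTC, RFC 3339, millisecond precision, trailing "Z"
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

def sdo(obj_type, **props):
    """Common STIX 2 object envelope (type, id, created, modified) plus type-specific properties."""
    ts = now_iso()
    return {"type": obj_type, "id": f"{obj_type}--{uuid.uuid4()}", "created": ts, "modified": ts, **props}

def relationship(source, rel_type, target):
    """A STIX Relationship Object; source_ref and target_ref carry the linked objects' ids."""
    return sdo("relationship", relationship_type=rel_type, source_ref=source["id"], target_ref=target["id"])

def build_bundle():
    # Constructed sample intelligence: every value below is a placeholder, not real data
    actor = sdo("threat-actor", name="Example Actor", labels=["crimeware"], primary_motivation="personal-gain")
    campaign = sdo("campaign", name="Example Campaign", objective="Credential theft in the example sector")
    indicator = sdo("indicator", name="Example C2 domain", labels=["malicious-activity"],
                    pattern="[domain-name:value = 'c2.example.invalid']", valid_from=now_iso())
    vuln = sdo("vulnerability", name="EXAMPLE-VULN-PLACEHOLDER")
    coa = sdo("course-of-action", name="Sinkhole the example C2 domain at the resolver")
    rels = [relationship(campaign, "attributed-to", actor),   # campaign -> threat actor
            relationship(indicator, "indicates", campaign),   # indicator -> campaign
            relationship(campaign, "targets", vuln),          # campaign -> vulnerability
            relationship(coa, "mitigates", vuln)]             # course of action -> vulnerability
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "spec_version": "2.0",
            "objects": [actor, campaign, indicator, vuln, coa, *rels]}

def related(bundle, obj_id, rel_type, direction="in"):
    """Follow relationships of one type: "in" yields sources pointing at obj_id, "out" yields its targets."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    found = []
    for o in bundle["objects"]:
        if o["type"] != "relationship" or o["relationship_type"] != rel_type:
            continue
        if direction == "in" and o["target_ref"] == obj_id:
            found.append(by_id[o["source_ref"]])
        elif direction == "out" and o["source_ref"] == obj_id:
            found.append(by_id[o["target_ref"]])
    return found

def indicators_for_actor(bundle, actor_id):
    # Pivot: indicator --indicates--> campaign --attributed-to--> threat actor
    campaigns = related(bundle, actor_id, "attributed-to")
    return [i for c in campaigns for i in related(bundle, c["id"], "indicates")]
```

Serializing the returned bundle with `json.dumps` gives the JSON document STIX 2 prescribes for exchange over TAXII.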
Each Action Persuades Organizations to Adopt STIX in Unique Ways
Queries which ease data management tasks convince organizations that STIX is an easy language to utilize. Companies which report cybersecurity related findings give other companies ideas about cybersecurity risks. Entities which share STIX formatted data provide companies with information they can use to analyze cyber attacks. Groups which share information about STIX allow organizations to use STIX with ease.
Working with OASIS, especially as a CT member, allows organizations to influence the data standards OASIS adopts, such as JSON as a data serialization, which reduces the effort an organization must exert to use STIX.
Organizations can learn about their threat environments by contacting VerSprite’s security experts. Traditional services of GPR include conducting due diligence investigations, vetting vendors and partners, preparing businesses for expansion, and assessing the effectiveness of cybersecurity plans or strategies.
Businesses working with partnering companies should also consider merger and acquisition and joint business services. GPR will also soon offer new services related to STIX, which will be discussed in the third blog post of this series. Our next blog post in this three-part series will discuss how STIX can provide information about cyber campaigns which can inform business leaders about both cybersecurity and geopolitical risks.
Cybersecurity and geopolitics are inextricably linked. To holistically tackle threats to our information security, we must take a step back and examine their causal roots and drivers, which take place day after day on the international stage.