The Importance of Threat Intelligence
Collecting threat intelligence data and determining how to process this data is getting more and more attention from security professionals who want to detect and quickly respond to security threats. This holds true not only for advanced persistent threats (APTs), but also for mainstream attacks.
Threat sharing provides you with information on an existing or emerging threat. This information comes with context, indicators, implications and actionable data. Defining whether or not this threat poses a danger to your environment requires you to know your organization and understand your assets, exposure, employees and business area.
So where do you get this threat data from? Your view on what is happening, even if you manage multiple environments or networks, is always limited. How do you improve this? The answer is through sharing. Threat sharing increases everyone’s knowledge of adversaries, the assets they are after and how they may try to gain access to your environment.
Fluent and efficient information sharing can only happen if we agree on a standard. STIX, TAXII and CybOX are community-driven efforts and are also a set of free specifications that help with the automated exchange of cyberthreat information. However, these are just the specifications and not the actual tools that provide a platform for sharing and enriching threat data.
Tools for Sharing Threat Data
I took a look at two tools for the sharing of threat intelligence data: MISP and IBM’s X-Force Exchange. Although both tools aim to achieve the same result — sharing data — they use different approaches to achieve that goal.
MISP, the Malware Information Sharing Platform, needs to be installed on a server in your infrastructure. You need a Web server, database and PHP support with a couple of modules. All of the data is stored on your premises and is under your control. The hardening of the server, securing the access and communication and foreseeing backups and redundancy are your responsibility. Obviously, you fully control what happens with the data.
On the other hand, IBM’s X-Force Exchange is a cloud-based platform. You need an IBM ID to get full access to the available threat data (anonymous access is also possible but with restrictive usage) and only a browser to get started; there’s no need for installing extra software. All the data is stored in the cloud, so you do not have to worry about backups or redundancy.
Data Influences Your Choice
The nature and type of data that you want to share will highly influence the type of solution you want to use — or that you are even allowed to use. For example, if you are dealing with sensitive government data, then using a cloud-based solution instead of an on-premises solution might be less preferable and maybe even forbidden by local legislation.
The distribution of threat information can be limited by the originator by using a traffic light protocol (TLP) code. This can sound counterproductive toward the claim of sharing as much information as possible, but for certain ongoing incidents, restricting distribution makes sense. You don’t want to risk that attackers can read how your investigation is progressing.
Starting with your own empty on-premises database (such as with MISP) will limit the amount of immediate accessible and actionable data. On the other hand, by participating in X-Force Exchange, users get immediate access to 700 TB of threat intelligence information on IPs, URLs, Web applications, malware and vulnerabilities.
A single instance of MISP will start with an empty database. Different MISP instances can be connected to each other. This allows you to get threat information from other instances and then store that data locally, which ensures that the queries for information remain confidential and limited to your server.
MISP foresees four community sharing models:
- Share with your organization only;
- Share with this community only;
- Share with connected communities; and
- Share with all communities.
X-Force Exchange uses the concept of collections, which are sets of information related to an investigation. Users can aggregate different observables and/or indicators in a collection and then share that with as many users as they wish. These users can either be viewers only or a combination of viewers and contributors. Collections can also be private or public.
This doesn’t completely correspond with sharing under the different TLP restrictions or with the community sharing model of MISP, but it does allow fine-grained filtering of who can access your data.
Both solutions have support for STIX. X-Force Exchange supports STIX and TAXII both via an application programming interface (API) and the Web user interface. It has the capability to import and export STIX documents into and out of a collection. MISP supports exporting data in TAXII format.
API Access for Automation
Most users will interact with these two platforms via the Web interface, but this isn’t the optimal way to integrate with your existing infrastructure.
Both solutions provide an API to overcome this problem. The API is necessary to automatically update your security devices (IDS, SIEM, etc.) with the latest available information.
The X-Force Exchange API provides a secure, RESTful, JSON-based API that supports both public and authenticated queries. You can write your own module to access the API or use one of the projects that already exist on Github, such as goxforce, ibmxforceex.checker.py or xForce project.
MISP also has a RESTful, JSON-based API that can be used for automation and feeding your devices. There is a Python library, PyMISP, developed by CIRCL that allows easy access to the API.
Threat intelligence sharing is not something revolutionary, but it’s definitely something you should consider if you want to stay on top of what threats can endanger the security of your IT environment.
MISP is very strong when it comes to building a central indicators of compromise database containing both technical and nontechnical information. Meanwhile, the Web version of X-Force Exchange provides a much slicker interface for viewing trends and ongoing threat activity, giving you an immediate view on what’s happening.
The different tools available for sharing threat intelligence do not exclude each other. It’s perfectly normal to acquire both on-premises and cloud-based solutions and then choose, depending on the type of threat information you are dealing with, where to store the information.