The security threat and intelligence landscape is evolving faster than ever before thanks to more and more advanced, capable and motivated adversaries. For example, the various entities powering Regin, Carbanak and Dyre had no lack of resources and motivation to pursue their goals.
To keep up with these increasingly complex attacks, we have to focus our attention on actions at an earlier phase of the cyberattack life cycle and create a common ground for standardizing threat information. Instead of focusing on the response aspect, we have to push as much as possible toward early detection and prevention — ideally before the exploit phase happens. For incidents to be mitigated or dealt with by your team, they must first be detected, preferably as early in the attack phase as possible.
This can be illustrated with the different phases of a cyberattack, loosely inspired by the different phases of a penetration test:
Up until now, the bulk of the action happens after the exploit — that is, after the attackers have already gained access and can do their thing. Incident response and cleaning up is a resource-intensive task, and all the attackers need to keep their foothold is one entry point that is overlooked. However, what if we could respond before the offensive part of the attack begins?
Faster Detection, Faster Sharing
Faster detection and prevention demands more intelligent, automatic and fluent sharing of threat intelligence. Ideally, you should strive for sharing when something happens, at wire speed. Sharing and improving security through collaboration is nothing new, but it is typically focused on manual interactions, with little to no contextual information.
The way we share information and what we share should increase our knowledge of the adversaries and which assets they are after. This can only happen if we get information from a wide range of players from different fields. No single participant can detect all relevant information. The problem is not that people don’t want to share, but that the sharing process takes time and resources, and there is no real benefit for the people sharing the information. Participants are often willing to share information on incidents that directly affect them, but something that only matters to a third party earns a lower priority.
You also have to define what you would like to share before an incident occurs. It is important to agree on standardizing threat information. Defining the content, topic fields and items you want to share when the incident takes place is bound to causes errors due to an increased stress level.
Enter STIX, TAXII and CybOX
This is where the Trusted Automated Exchange of Indicator Information (TAXII), Cyber Observable Expression (CybOX) and Structured Threat Information Expression (STIX) come in. They are an open community-driven effort and a set of free, available specifications that help with the automated exchange of cyberthreat information. This allows cyberthreat information to be represented in a standardized format. They are not pieces of software themselves, but rather standards that software can use. The combination of STIX and TAXII allow you to more easily share threat information with your constituency and peers.
What Is TAXII?
TAXII is not an information sharing program and does not define trust agreements. Rather, it is a set of specifications for exchanging cyberthreat information to help organizations share information with their partners.
TAXII has the following three sharing models:
- Hub and Spoke: One central clearinghouse.
- Source/Subscriber: One organization is the single source of information.
- Peer-to-Peer: Multiple organizations share their information.
TAXII defines the following four services, where each service is optional and services can be combined in different ways for different sharing models:
- Inbox: A service to receive pushed content (push messaging).
- Poll: A service to request content (pull messaging).
- Collection Management: A service to learn about and request subscriptions to data collections.
- Discovery: Learn which services are supported and how to interact with them.
There is a Python library “libtaxii” and a proof-of-concept TAXII server called “Yeti.” Everything that is being done for TAXII is published on GitHub. Currently, TAXII defines XML messages over HTTP(S), but the design allows for other possibilities.
What Is CybOX?
CybOX provides a common structure for representing cyber observables across and among the operational areas of enterprise cybersecurity. Cyber observables can be dynamic events or stateful properties. CybOX objects can be an email message that is received from a specific address, a network connection that is established toward a specific address, the MD5 hash of a file, a process, a URI or the modification of a registry key. CybOX can be used for threat assessment, log management, malware characterization, indicator sharing and incident response.
What Is STIX?
STIX is a language for having a standardized communication for the representation of cyberthreat information. Similar to TAXII, it is not a sharing program or tool, but rather a component that supports programs or tools. The STIX language has a number of constructs or components, including the following:
- Observable: A dynamic event or stateful property, represented in CybOX.
- Indicator: An observable with context. An indicator can contain a time range, information source, intrusion detection system rules, etc.
- Incident: A set of activity associated with the same adversary along with context.
- Tactics, Techniques and Procedures (TTP): Represents the modus operandi of the adversary.
- Exploit Target: A weakness of a victim in light of a TTP.
- Course of Action (COA): Defensive actions against a threat (prevention, remediation, mitigation).
- Campaign: A set of related TTPs, indicators, incidents and exploit targets.
- Threat Actor: The cyber adversary.
One of the things that sometimes causes confusion with STIX constructs is whether to use incident or indicator. If you are aiming to provide a history for further analysis or follow-up, you have to use an incident construct. If you want to build a list of items to look for, use an indicator construct.
Gluing TAXII, STIX and CybOX Together
An oversimplification of gluing this all together is that STIX is a language that can use CybOX words, and the communication is possible with TAXII. STIX characterizes what is being told, while TAXII defines how the STIX language is shared.
A Human-Readable STIX Example
Understanding the different STIX elements is easier if you use them in an example. Consider the following 10 steps in a computer security incident taking place in a government agency:
- The logs of the file server show an unusually high amount of activity coming from one laptop. You start to investigate.
- A user received an email with the subject “Invoice” and a ZIP attachment (observable). The attachment is a ZIP file with MD5 a0adb2ccf18f65a102c1c975e7e4baec (observable). The ZIP contains an executable with MD5 e4b72ce8ea569b12eabf0aef6ed81615 (observable).
- Further investigation shows you that if a file is seen with MD5 e4b72ce8ea569b12eabf0aef6ed81615, it indicates the presence of a crypto ransomware that was hidden in a ZIP archive (indicator).
- You report that the laptop from user John Doe was infected at 5:15 p.m. on March 23 with a ransomware XYZ and that the ransomware was delivered via email (incident).
- Asking your sharing community returns that the file is ransomware that gets weaponized by downloading its payload via HTTP from four C2 servers located in southern Europe (TTP). You receive an IP watchlist (indicator). You add the list of four C2 servers to a block/watchlist to detect other infractions (COA). Link the mail description, the MD5 and the IP watchlist with the incident.
- You ask the community for more information about the ransomware’s purpose. You learn that it is known to be the Crypto Crew using the ransomware family XYZ-A (threat actor). You can now attribute the incident.
- The block list reveals there are other infected laptops, all belonging to human resources users (TTP update, victims).
- You deploy (COA) blocklists for email attachments with the same MD5 (indicators) or outgoing HTTP traffic to one of the C2s (indicators).
- Other government agencies that applied the same indicators have hits for email messages arriving for users who are part of their human resources department. Update the information to reflect that the ransomware is primarily targeting users in the human resources departments of government agencies (TTP update, victims).
- The sharing community reports a similar case in country ZZ with the same deployment characteristics (link incident to campaign).
This example shows practical use for sharing, detecting and warning. It also shows how STIX relationships are one of the features that make it powerful. Instead of having isolated information, you can use STIX to relate them together, enabling a more contextual understanding of the threat.
Visualization makes information more accessible. With the help of the tool STIX Viz, you can get a visual representation of STIX documents as a node-link tree, with the root at the top of the XML structure:
The samples on the MITRE website are a good start for mapping real-world threat reports.
Build Your Own Tools?
The STIX project provides a Python library for parsing, manipulating and generating STIX content. If you are using a security information and event management system, you can import data from STIX and/or TAXII repositories.
Online Resources for Standardizing Threat Information
MITRE provides a number of excellent online resources to get more information on the details of TAXII, STIX and CybOX, including TAXII Project Documentation, STIX Project Documentation and CybOX Project Documentation.
By using TAXII, STIX and CybOX, you make it easier and faster to share information you find with your users and peers. It allows an entire community to add to and extend the context of threat information and threat intelligence.
These projects are an important part of gathering news and information feeds, centralizing these feeds and adding different contextual information. It allows you to give your peers a “what’s going on” feed and delivers important threat warnings and incident information early on.
Koen Van Impe is a security analyst who worked at the Belgian national
CSIRT and is now an independent security researcher.
He has a twitter feed (@cudes...