Threat Intelligence Protocols - Time for an Update

Threat information sharing requires dedicated protocols in order to accurately and quickly disseminate the information. The industry recognised this, and has developed three formats, each with a specific function:

  • TAXII™, the Trusted Automated eXchange of Indicator Information;
  • STIX™, the Structured Threat Information eXpression; and
  • CybOX™, the Cyber Observable eXpression

TAXII, STIX and CybOX are community-driven technical specifications, designed to enable automated information sharing for cybersecurity situational awareness, real-time network defence, and sophisticated threat analysis (as per the US CERT definition).

In layman's terms, these are machine to machine (M2M) protocols invented to facilitate intelligence sharing, and enable real-time intelligence-led security. These are free to use and globally accepted.

STIX, TAXII and CyBOX

Threat intelligence is complex and varied. Therefore, a single protocol would not have been sufficient to support all the industry’s needs. Consequently, three integrated protocols were developed, each catering to a specific use:

CybOX is a standardised schema for the specification, capture, characterisation, and communication of events or stateful properties that are observable in all system and network operations. A wide variety of cyber-security use cases rely on such information including event management/logging, malware characterisation, intrusion detection/prevention, incident response, and digital forensics. CybOX aims to provide a common structure and content types for addressing cyber observables across this wide range of use cases, to improve consistency and interoperability.

STIX is a standardised, structured language to represent cyber threat information. The STIX framework intends to convey the full range of potential cyber threat data elements and strives to be as expressive, flexible, extensible, automatable, and human-readable as possible. Cybox serves as the building block for STIX.

TAXII defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organisational, product line and service boundaries. TAXII is not an information sharing program itself and does not define trust agreements, governance, or other non-technical aspects of collaboration. Instead, TAXII empowers organisations to share the information they choose with the partners they choose.

Criticism/Suggestions for Improvement

Since their inception, these protocols have become the mainstream “language” of cyber threat intelligence information sharing. However, in our eyes, there is a dire need to revise and update these protocols. We will now explore these shortcomings and suggest ways to improve them.

Conceptual

  • Complicated and inflexible

STIX and TAXII were designed specifically for cyber threat intelligence, yet attempted to be “all-inclusive”, ending up very complicated and inflexible. Various key components required for an effective description of cyber threats are missing.

Their focus is to describe incidents identified within the internal networks, and lack the means to describe contextualised intelligence from the open/dark web.

  • Designed for machines, not for humans

These formats were designed for transferring information between computers. They do not enable human analysts to interact graphically or textually with the information. To overcome this, several vendors offer visualisation tools. However, these are proprietary, and do not offer everyone consuming the information the same visibility/ insight.

  • Designed to support research rather than to disseminate actionable intelligence to security systems

STIX and TAXII aid cyber analysts after an attack has occurred, to investigate and identify connections and additional information relating to the attack and threat actors. They do not enable the threat intelligence systems to communicate with security systems (such as firewall), or provide such systems with actions that allow mitigation – such as blocking a communication port. In this regard, other open protocol, “Open IOC”, are more effective.

  • Multiple TTPs are not supported

Because STIX and TAXII are fairly established and are not updated regularly, it is not surprising that the protocol does not support novel TTPs (techniques, tactics and procedures). For instance, using Jabber/Skype for cyber operations cannot be effectively described today.

Technical

The structure and update process of STIX and TAXXI result in several technical challenges for vendors using it

  • Use of XML

STIX and TAXXI are XML based, which is fairly inflexible. JSON is a far better alternative in regards to Data Representation use. JSON is simpler to work with because unlike XML, where every Tag has attributes and data, Json has only the key -> value. JSON’s structure results in a smaller file size; the same data representation in XML would be twice the size of a JSON file.

  • Limited libraries/code base

STIX and TAXXI libraries and documentation (http://stixproject.github.io/getting-started/) are not comprehensive enough, which makes it difficult for vendors to interact with them. Regular documentation updates would therefore be helpful.

  • Free text vs. pre-selected list

Certain fields are “Free Text” fields, which are probably aimed at facilitating the description of new types not supported by the protocol. We believe that free-form fields dealing with response (action that should be taken) should be altered to a selection from a list of predefined options, to facilitate action and interoperability with external systems which are unable to interpret free text.

Commercial

At IntSights (alongside twenty-odd other cyber threat intelligence vendors), we had to learn to work with these protocols and build our product in a manner that will allow it to receive and share information. Adjustments had to be made to enable this.

We imagine that we’re not the only cybersecurity vendor facing this challenge, a challenge that results in a delay in marketing and development cycles. In addition to being a challenge for vendors, the protocol’s slow update rate and rigidity means it does not accommodate evolving threats and TTPs. This is, to say the least, not ideal.

Conclusion

Common standards and protocols are necessary for achieving efficient information sharing. However, the formats used by the industry are inadequate and should be reviewed and revised quickly. Without this, they will become obsolete, and people will resort to the next best option of sharing cyber threat intelligence and IOCs - email? WhatsApp groups? Slack?
We believe it's time to have an open discussion between all stakeholders - vendors, institutes and customers, with the aim of updating these protocols, or defining new ones. The cyber world is a dynamic one, and the cybersecurity industry simply cannot compete with cybercriminals if we continue to use antiquated tools and protocols.

This post was written by Gal Ben David, IntSights CTO.

Stay up to Date!

Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.