With the aim of improving incident response and preventing malware campaigns from spreading globally, collaborative initiatives have emerged, backed by international bodies, companies and security multinationals as well as CERTs from all over the world. From this perspective the concept of Information Sharing takes shape.
- Information sharing and suitable standards -
Benefits and Challenges of Information Sharing
The main objective of Information Sharing is to establish a procedure that allows the collection, storage and distribution of the information needed to act in a homogeneous, quick and effective way against cyberthreats. This, moreover, results in better knowledge of malware and its attack mechanisms and makes prevention and response tasks easier for incidents related to this activity.
- Benefits of sharing information on cyberthreats -
However, putting an information sharing procedure into place and maintaining it is not as easy a task as it may initially seem. Invariably, there are several hurdles that complicate the process and must be overcome. Among these difficulties we can mention: establishing a relationship of trust; overcoming reluctance to make obtained information visible; and reaching a consensus on how to format information and on issues around its processing, maintenance, classification and distribution. In other words, we are talking about the use of standards.
- Challenges and difficulties in sharing information -
Information on Cyberthreats: What Must be Shared?
Sharing information about security threats is always of great benefit as long as it includes valuable content and is distributed in a structured way. As for content, useful information includes security advisories about vulnerabilities, reports and studies on protocols, security practices and systems, but above all preventive and reactive information for tackling cyberthreats and security incidents.
- Sharing valuable information -
Standards, the Long Road to Successful Information Sharing
Once it is determined that the information is valuable enough to share, the next difficulty to overcome is establishing a common format recognised by all recipients of the information. In this sense, the use of standards makes it possible to distribute the information quickly and efficiently.
With this aim, the IETF took the first steps towards standardisation in 2007, publishing RFC 5070, which defines the Incident Object Description Exchange Format (IODEF). This specification covers a series of guidelines for CSIRTs (Computer Security Incident Response Teams) on documenting the significant indicators of security incidents. It is based on XML schemas for data management and became a reference point for later adaptations.
- IODEF report with XML format describing the Code Red worm -
There is often more than one road to adopting a standard, with varying success, and after the IODEF specification multiple approaches emerged that competed to become the de facto standard. Among the most prominent and widely accepted standards, we can point to OpenIOC (from the company FireEye) as well as more collaborative proposals such as CybOX, STIX and TAXII (a US Government initiative through MITRE, DHS and US-CERT).
OpenIOC is an initiative led by the company MANDIANT, part of the multinational FireEye, which has led the way in defining and establishing the concept of IoC (Indicator of Compromise) in incident management. An IoC is an element that describes forensic evidence used to identify an intrusion in a system or network.
OpenIOC is distributed under the Apache 2.0 license and is based on an XML schema for defining IoCs. It boasts a high degree of maturity and recognition and, although it is currently free to implement, its lack of flexibility is clear, since it originally followed the guidelines of a single vendor focused on its own products.
- XML example of IoC -
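As an added illustration of how an OpenIOC document is consumed on the defensive side (this is example code written for this article, not Mandiant's or FireEye's tooling), the block below parses a constructed OpenIOC 1.0 IoC and evaluates its nested AND/OR indicator tree against a dictionary of artefacts observed on a host. The IoC id, hash and paths are placeholders; only the `is` and `contains` conditions are implemented.

```python
import xml.etree.ElementTree as ET
# Constructed OpenIOC 1.0 document for illustration (not from a real feed); hash and paths are placeholders.
OPENIOC_XML = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="11111111-2222-3333-4444-555555555555">
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="contains">
          <Context document="FileItem" search="FileItem/FileName"/>
          <Content type="string">svch0st</Content>
        </IndicatorItem>
        <IndicatorItem condition="is">
          <Context document="FileItem" search="FileItem/FilePath"/>
          <Content type="string">C:\\Users\\Public</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""
NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

def _item_matches(item, observed):
    # One IndicatorItem: compare the observed value for the searched term with Content.
    term = item.find("ioc:Context", NS).get("search")
    content = (item.find("ioc:Content", NS).text or "").lower()
    value = observed.get(term, "").lower()
    cond = item.get("condition")
    if cond == "is":
        return value == content
    if cond == "contains":
        return content in value
    raise ValueError("unsupported condition: %s" % cond)

def _indicator_matches(node, observed):
    # Indicator nodes nest: combine children with the node's AND/OR operator.
    results = []
    for child in node:
        tag = child.tag.split("}")[-1]  # strip the XML namespace from the tag
        if tag == "IndicatorItem":
            results.append(_item_matches(child, observed))
        elif tag == "Indicator":
            results.append(_indicator_matches(child, observed))
    return all(results) if node.get("operator") == "AND" else any(results)

def ioc_matches(xml_text, observed):
    # observed: dict of term (e.g. "FileItem/Md5sum") -> value seen on the host.
    return _indicator_matches(ET.fromstring(xml_text).find("ioc:definition/ioc:Indicator", NS), observed)
```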
CybOX, STIX, TAXII
On the other hand, the North American organisation MITRE, a non-profit much more focused on collaborative developments in multiple technological fields, including cybersecurity, has put great effort into the standardisation of Information Sharing schemes. MITRE, together with the Department of Homeland Security, the National Cybersecurity and Communications Integration Center and US-CERT, has guided the development of the standards STIX, TAXII and CybOX. This development is currently in transition to the OASIS standards consortium.
Cyber Observable eXpression (CybOX)
The first draft of this standard dates back to 2010. It serialises data in JSON format for characterising information on malware, intrusion detection, incident response and management, and digital forensics. The structure defines more than 70 objects (file, HTTP session, network connection, etc.) characterised by data types, properties and relations, using a predefined vocabulary.
- List of CybOX objects -
An example of an object that describes a link will take this form:
Structured Threat Information eXpression (STIX)
This standard is relatively recent and presents a structured language for describing cyberthreats in a format that can be shared, stored and analysed in a consistent way. It organises information in a highly structured and interrelated manner in order to achieve high readability and easy comprehension.
STIX serialises data in JSON format and adopts a graph-based model to offer a very intuitive representation of the objects and the relations among them. The objects are grouped into 9 key domains: observables, indicators, incidents, TTPs (tactics, techniques and procedures), exploit targets, courses of action, campaigns, threat actors and reports.
STIX objects are the entities within those domains and share a series of common properties for presenting their data. There are also relationship objects that serve to establish links between the domains (nodes). It is a model that is becoming popular for its consistency and usability. Although it is mainly built on the CybOX schema, it has extensions to include other standards and indicators such as TLP, OpenIOC, Snort and YARA.
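The observable object introduced above and the STIX graph of objects and relationships, as an added example that is not part of the original article or of any MITRE/OASIS tooling: a STIX 2.1 bundle built by hand (no stix2 library) containing a URL cyber observable, an indicator whose pattern references it, a malware object and the `indicates` relationship between them, plus a lookup that walks the relationships to answer "what does this observed URL indicate?". The URL, malware name and timestamp are constructed placeholders, and the pattern check is an exact string comparison rather than full STIX pattern evaluation.

```python
import json
import uuid

# Constructed timestamp used for created/modified/valid_from (STIX 2.1 requires the "Z" suffix).
NOW = "2024-01-01T00:00:00.000Z"

def _sdo(obj_type, **props):
    # Common properties every STIX 2.1 domain or relationship object carries.
    obj = {"type": obj_type, "spec_version": "2.1", "id": "%s--%s" % (obj_type, uuid.uuid4()),
           "created": NOW, "modified": NOW}
    obj.update(props)
    return obj

def build_bundle():
    # Cyber observable (SCO): no created/modified, just the observed value (constructed).
    url = {"type": "url", "spec_version": "2.1", "id": "url--%s" % uuid.uuid4(),
           "value": "http://example.invalid/dropper.exe"}
    indicator = _sdo("indicator", name="Dropper download URL", pattern_type="stix",
                     pattern="[url:value = '%s']" % url["value"], valid_from=NOW)
    malware = _sdo("malware", name="ExampleDropper", is_family=False)
    rel = _sdo("relationship", relationship_type="indicates",
               source_ref=indicator["id"], target_ref=malware["id"])
    return {"type": "bundle", "id": "bundle--%s" % uuid.uuid4(),
            "objects": [url, indicator, malware, rel]}

def related(bundle, object_id, relationship_type):
    # Walk the graph: objects that object_id points to through the given relationship type.
    by_id = {o["id"]: o for o in bundle["objects"]}
    return [by_id[r["target_ref"]] for r in bundle["objects"]
            if r["type"] == "relationship" and r["source_ref"] == object_id
            and r["relationship_type"] == relationship_type]

def malware_for_url(bundle, url_value):
    # Exact-match shortcut on the pattern string; a real consumer would evaluate STIX patterns.
    wanted = "[url:value = '%s']" % url_value
    names = []
    for o in bundle["objects"]:
        if o["type"] == "indicator" and o["pattern"] == wanted:
            names += [m["name"] for m in related(bundle, o["id"], "indicates")]
    return names

if __name__ == "__main__":
    b = build_bundle()
    print(json.dumps(b, indent=2))
    print(malware_for_url(b, "http://example.invalid/dropper.exe"))
```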
- STIX graph model showing the domains (nodes) and their relations -
Trusted Automated eXchange of Indicator Information (TAXII)
TAXII, initially specified in 2012 and consolidated in 2014, provides specifications aimed at building a flexible mechanism for transporting cyberthreat information. TAXII focuses on the mechanisms of information distribution and adopts other standards for its format. This way, through the services defined by TAXII, organisations can exchange information securely and automatically, with support for multiple representation formats of cyberthreat information, especially STIX and CybOX. It supports different communication structures (hub and spoke, peer to peer and client/server).
- Integration of CybOX (granular description), STIX (global representation) and TAXII (vehicle for exchanging information) -
These three standards, with the support of the OASIS standards consortium, have become consolidated as the preferred choice of multiple vendors for formatting information in their intelligence products. Among them are important multinationals such as IBM (IBM QRadar), Splunk (Splice), Intel Security (McAfee Advanced Threat Defence), VeriSign (iDefence), etc.
Multiple standards, one target
We cannot say that there is a single universally accepted procedure in Information Sharing, but we can conclude that the methods described in this article are emerging as the most used. Each of these standards has its pros and cons, and the decision of which one to use ultimately rests with the issuer of the information. The following table shows some of the differences:
- Most widely used standards in Information Sharing -