Putting The ‘Intel’ Back Into Intelligence
Until now, "cyber threat intelligence" has been a phrase used mostly in hindsight. Most organizations had no information about a cyber threat until after they were attacked, and once they had been attacked, no other entity had access to that newly acquired information. Unfortunately, this means that, for the most part, we, as a collective victim, have gathered very little intelligence about the overarching strategies and techniques used by hackers worldwide.
Now industry leaders have come to realize that attacks are inevitable and that it is just as important to learn from these attacks as it is to mitigate the risk associated with getting hacked in the first place.
This marks the difference between threat information and intelligence: threat intelligence is gathered a priori, while threat information might only exist after the fact. Now, imagine a system where threat intelligence was shared automatically in the event of an attack. We would then be collectively moving away from unorganized sets of threat information, and towards a structured network of threat intelligence.
On December 18, 2015, the Cybersecurity Act of 2015 was signed into law. This legislation promotes information sharing between previously disparate sources of threat intelligence, such as InfraGard, FS-ISAC, and HPE Threat Central. More exciting is that the private sector will have access to this information sharing network as well. At the very least, this means that the same strategy used to hack one organization should never work twice. Attackers will be forced to constantly reevaluate their approach in order to stay off the global threat-sharing network. Furthermore, it will increase the cost and complexity associated with carrying out any form of cyberattack.
Though the sharing network itself is in its infancy, there already exists a mature standard for representing threat information. The Structured Threat Information eXpression (STIX) is a language used to describe various threat observables. These could include the IP origin of an attack, the MD5 hash of an infected email attachment, or the domain name of a known malware distributor. Now that standards exist for representing these threats, they can be shared across software platforms. The primary method for sharing this information is known as the Trusted Automated eXchange of Indicator Information (TAXII), a communication protocol specifically designed for transporting STIX content. These two standards come together to create an extremely powerful information sharing protocol.
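As an added illustration (not code from this post), here is a minimal Python model of the indicator/observable relationship described above: it builds STIX 2.1 JSON indicators for the three observable kinds the paragraph names (source IP, MD5 of an attachment, malware-distributing domain), validates the values before they are published, and checks constructed events against the indicator patterns. The STIX 2.1 JSON form (the post names no STIX version), the validation rules, and every sample value are assumptions for the example.

```python
import ipaddress
import re
import uuid

# Pattern templates for the observable kinds named in the post (STIX 2.1 syntax).
PATTERNS = {"ipv4": "[ipv4-addr:value = '{v}']",
            "md5": "[file:hashes.MD5 = '{v}']",
            "domain": "[domain-name:value = '{v}']"}
PATTERN_RE = re.compile(r"^\[([\w\-:.]+) = '([^']*)'\]$")  # single equality comparison only
NS = uuid.UUID("6ba7b810-9dad-11d1-80b4-00c04fd430c8")     # RFC 4122 DNS namespace -> stable ids

def validate(obs_type, value):
    # Reject malformed values before they are published to a feed (assumed rules).
    if obs_type == "ipv4":
        ipaddress.IPv4Address(value)  # raises ValueError on anything that is not an IPv4 address
    elif obs_type == "md5" and not re.fullmatch(r"[0-9a-f]{32}", value):
        raise ValueError(f"bad MD5: {value!r}")
    elif obs_type == "domain" and not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", value):
        raise ValueError(f"bad domain: {value!r}")

def make_indicator(obs_type, value, name, valid_from="2016-01-01T00:00:00.000Z"):
    """Build a minimal STIX 2.1 Indicator as a plain dict (JSON-serialisable)."""
    value = value.lower()  # normalise so hash/domain case never breaks a later match
    validate(obs_type, value)
    pattern = PATTERNS[obs_type].format(v=value)
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid5(NS, pattern)}", "name": name,
            "pattern_type": "stix", "pattern": pattern, "valid_from": valid_from}

def match_events(indicators, events):
    """Return (indicator id, event index) for each event whose value matches a pattern.
    Events are dicts keyed by STIX object path, e.g. {"ipv4-addr:value": "..."}."""
    hits = []
    for ind in indicators:
        m = PATTERN_RE.match(ind["pattern"])
        if not m:
            continue  # compound patterns (AND/OR, ranges) are out of scope here
        path, wanted = m.groups()
        hits += [(ind["id"], i) for i, ev in enumerate(events)
                 if str(ev.get(path, "")).lower() == wanted]
    return hits

# Constructed sample feed and events, not real indicators.
FEED = [make_indicator("ipv4", "198.51.100.7", "scanner source"),
        make_indicator("md5", "D41D8CD98F00B204E9800998ECF8427E", "mail attachment"),
        make_indicator("domain", "malware.example", "distribution site")]
EVENTS = [{"ipv4-addr:value": "198.51.100.7"},
          {"file:hashes.MD5": "d41d8cd98f00b204e9800998ecf8427e"},
          {"domain-name:value": "benign.example"}]
```

Each dict in `FEED` can be serialised with `json.dumps` and published to a TAXII collection as-is; the matcher is the local half of the loop, run over events polled or logged on your own network.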
Organizations all over the world are standing up their own TAXII servers, to which they can upload their own threat intelligence. Once uploaded, that information becomes available to other users, who can poll the TAXII server for updated information on current cyber threats. So, if you have concerns regarding the myriad attack vectors putting your organization at risk, set up your own TAXII server and start getting educated!