I started getting involved in learning about the STIX and TAXII standards in earnest last year. These emerging standards enable effective sharing of cyber threat data in automated ways between different products, people and organizations. In many ways, that makes me a newcomer to these emerging standards; by that point in time The MITRE Corporation and DHS had completed much of the work of getting the standards in a usable state, and the FS-ISAC had already been sharing threat intelligence amongst their members using these standards for a while. I started reading about these standards, following discussion lists, and attending conferences, because I don’t think the security industry as a whole has ever done a very good job of sharing security data across organizations.
If we could meaningfully improve how we communicate with each other – between our peers in the security industry, between security products inter-operating with each other, and by leveraging the communities we already have – I believe we would all become more effective in protecting our customers.
I approached the idea of sharing cyber threat data from the viewpoint of our customers here at Tripwire. We have thousands of customers monitoring millions of systems with Tripwire’s products, and we already have a great team of researchers, VERT, that publishes both automated security intelligence to our products and “human readable” intelligence to our customers on an ongoing basis. So, why do we need to work with content from threat intelligence sources?
Well, maybe some companies don’t like to admit this fact, but we should realize that we don’t know everything – nobody does. Furthermore, if we only support a centralized corporate hub model of intelligence for our products, where everything has to flow through us, we eliminate the ability of our customers to collaborate with each other, to take advantage of the other opportunities for intelligence they have within their organizations, and to share that intelligence with their peers. Whether it’s Uber, Skype, or Bitcoin, technologies that enable new kinds of peer-to-peer connectivity and decentralized control have transformed many different areas of our lives already, and we should take advantage of those concepts in security, too.
The value of taking advantage of shared cyber threat data was very clear to me for the Tripwire Enterprise product, which our customers use to detect changes on critical systems. Let me give a very simple example of how the combination of that change monitoring and threat intelligence works. Tripwire Enterprise will detect a new file being added to a system (in fact, basic file integrity monitoring is a fundamental system security control that Tripwire pioneered in the industry). Let’s also look at cyber threat intelligence; perhaps information has been gathered that there is an active threat campaign being waged today by a malicious threat actor, and it has been observed that one of the things being done as part of that campaign is dropping a new piece of malicious code on systems.
Although Tripwire would have detected that new file without any threat intelligence being known about it, and a security analyst could have received and read some information about this new threat campaign if they had access to the intelligence source, the combination of the two – leveraging STIX and TAXII – creates something more powerful than each of those pieces by themselves.
Now, the change being detected can be put in the context of the active threat environment, meaning that a security analyst can immediately and clearly see that this one particular change is a real indicator of compromise, and amongst a sea of normal acceptable changes going on, this is one that needs to be immediately escalated and investigated further. This saves security analysts’ time and makes them more effective in detecting breaches.
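The correlation described above, as an added example that is not Tripwire's or the original post's code: it assumes STIX 2.1 JSON indicators (the post names no STIX version) and a constructed FIM event format with host, path, change type and hashes.

```python
import re
# One hash comparison inside a STIX 2.1 pattern, e.g. [file:hashes.'SHA-256' = '...']
# or [file:hashes.MD5 = '...']. Assumption: only this equality form is handled.
HASH_TERM = re.compile(r"file:hashes\.'?([A-Za-z0-9-]+)'?\s*=\s*'([0-9a-fA-F]+)'")

def hashes_in_pattern(pattern):
    """Return {(ALGO, digest)} for every file-hash term in a STIX pattern."""
    return {(a.upper(), d.lower()) for a, d in HASH_TERM.findall(pattern)}

def index_indicators(bundle):
    """Map (ALGO, digest) -> indicator object so each FIM event is an O(1) lookup."""
    index = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") == "indicator" and obj.get("pattern_type", "stix") == "stix":
            for key in hashes_in_pattern(obj["pattern"]):
                index[key] = obj
    return index

def correlate(events, index):
    """Return the 'added' FIM events whose hash matches a shared indicator."""
    hits = []
    for ev in events:
        if ev["change"] != "added":
            continue  # this check only looks at newly dropped files
        for algo, digest in ev["hashes"].items():
            ind = index.get((algo.upper(), digest.lower()))
            if ind is not None:
                hits.append({"host": ev["host"], "path": ev["path"],
                             "indicator": ind["id"], "name": ind["name"]})
                break  # one matching hash is enough to escalate the change
    return hits

# Constructed sample data (not from any real feed or deployment).
DROPPER_SHA256 = "ab" * 32
STIX_BUNDLE = {
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [{
        "type": "indicator", "spec_version": "2.1",
        "id": "indicator--00000000-0000-4000-8000-000000000002",
        "name": "Dropper seen in active campaign (constructed)", "pattern_type": "stix",
        "pattern": "[file:hashes.'SHA-256' = '%s' OR file:hashes.MD5 = '%s']" % (DROPPER_SHA256, "cd" * 16),
    }],
}
FIM_EVENTS = [  # three changes from a monitoring run; only the last is an IoC match
    {"host": "web01", "path": "/usr/bin/curl", "change": "modified", "hashes": {"SHA-256": "11" * 32}},
    {"host": "web01", "path": "/tmp/report.pdf", "change": "added", "hashes": {"SHA-256": "22" * 32}},
    {"host": "db02", "path": "/var/tmp/update.bin", "change": "added", "hashes": {"sha-256": DROPPER_SHA256}},
]

def escalations():  # the changes an analyst should see first: new files matching an indicator
    return correlate(FIM_EVENTS, index_indicators(STIX_BUNDLE))
```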
While very simple examples like file matching are a reality of the kind of threat intelligence that is commonly shared and can be taken advantage of in an automated way today, the real value of STIX shines when we start looking to a future where we are sharing much more sophisticated intelligence and getting into the techniques and tactics of cyber-attacks. The more sophisticated the analysis of attacks becomes, the harder it becomes for an attacker to evade detection by changing just one part of what they are doing, such as modifying a file hash, which is easily and commonly done as part of each iteration of advanced threat campaigns.
Today at Tripwire, we are actively working with customers and partners to connect threat intelligence sources they are creating and using to our products through the use of STIX and TAXII.