In 490 B.C. an important battle was fought between the Athenians and the powerful and seemingly unconquerable Persians: The Battle of Marathon. Going it alone, without the help of the Spartans, the Athenian army of about 10,000 men defeated King Darius’ army of about 35,000.
Knowledge of the local geography, technological advantage and tactical skill allowed the Athenians to surround and overwhelm their enemy. A recent history by Lacey and Williamson characterizes this battle as one of the key turning points in world history (2013). They conjecture that, if the Persians had won this battle, the “advancement of the ideas on which democracy, free markets and other defining attributes of Western civilization would have ceased to exist.”
Today, cybersecurity specialists working to protect the global critical infrastructure are like these ancient Athenians: defenders of a liberal society under existential attack. In the case of the Athenians, the technological advantage included metal shields, disciplined organization and loyal commitment – what Strand et al might have considered offensive countermeasures (2013).
One important strategy for an offensive countermeasure against modern day attackers is real-time information sharing of machine readable threat intelligence (MRTI). To effectively share MRTI, a common ontology characterizing each of the data elements must be agreed upon by all parties. This is foundational for the design and deployment of all products in the cyber threat analysis and sharing ecosystem.
In July, the Cyber Threat Intelligence Technical Committee (CTI TC) of the Organization for the Advancement of Structured Information Systems (OASIS) approved a Committee Specification for STIX 2.0 that provides such an ontology. The CTI TC is comprised of over 280 representatives from companies and organizations around the world that are fully engaged in protecting the world’s communications systems and other critical infrastructures. Members include risk management professionals, threat analysts, malware analysts, incident response professionals, remedial action engineers, data architects, digital forensics specialists, and software engineers.
STIX 2.0 is a conceptual data model that is used to characterize indicators of compromise (IOCs) and makes explicit the various other elements that can affect the technology stack during a cyber-attack sequence. These other elements include the tactics, techniques, and procedures (TTPs) used by the attacker(s); the potential motivations and intents of the threat actor(s); the attributes of the malware; various characteristics of the victim targeting; and other elements.
STIX 2.0 provides for the fusion of disparate data sources about these elements into a single data set used to evaluate correlations. Correlations through time and across a malicious physical and digital infrastructure can help analysts tease out patterns and establish working theories about the attackers and their motivations and intent.
To aid this process, a new category of intelligence products called Threat Intelligence Platforms (TIPs) has emerged to manage these data streams. A typical TIP allows for:
- Query of aggregate data sets to test analyst hypotheses regarding potential correlations;
- Enrichment of raw data with secondary and tertiary correlations that reveal more about the threat actors’ motivations and intent;
- Storage of raw and processed data for easy access, comparison, and correlation;
- Processing of data for analytical and reporting services; and
- Analysis of data for furthering the testing of hypotheses regarding potential threat actor activity.
Organizations around the world are building internal cyber threat analysis teams and joining formal information-sharing trust communities that use these TIPs. Sharing of IOCs within these communities is giving modern-day defenders a tactical and strategic advantage against the plethora of attackers from diverse geographies with diverse motivations.
STIX 2.0 is the technologically superior metal shield of the modern defender. It updates the 1.x XML-based version with a streamlined JSON-based framework that is performance oriented, fully vetted by the global community, and easily integrated into existing workflows and technologies, thus allowing organizations to share not only basic IOCs but also more complex higher-order intelligence. Descriptions of attackers, targets, campaigns, and intrusion sets are easily encoded into machine-readable format to help defenders prioritize and respond to incidents with the maximum amount of information at their disposal.
To return to our analogy, the numerically inferior but organizationally superior Athenians outsmarted and outflanked the Persians at the Battle of Marathon. And with the sound of a bugle, they stuck their shields together, advanced, and won.
When it became apparent that the Athenians had indeed won the Battle of Marathon, legend has it that the messenger Pheidippides ran 42 kilometers (about 26 miles) from Marathon to Athens to announce Νενικήκαμεν! (We were victorious!). Immediately thereafter, he died of exhaustion.
The modern-day Marathon is a reenactment of this run.
And so, we begin the STIX 2.0 Marathon.
Drink plenty of water.
Lacy, J. and Williamson, M. (2013). Moment of Battle: The Twenty Clashes that Changed the World. NY, NY: Bantam Books
Strand, J., Asadoorian, P., Robish, E., Donnelly, B. (2013). Offensive Countermeasures: The Art of Active Defenses. San Bernardino, CA: PaulDotCom.
About the Author: Jane Ginn has over 30 years of international business experience in engineering consulting, information technology, and cyber security threat intelligence. She serves as Secretary of the OASIS Cyber Threat Intelligence – Technical Committee (CTI-TC) on STIX/TAXII 2.x standards development. She is also an adviser to the European Network Information & Security Agency (ENISA) Threat Landscape Stakeholders’ Group. She is an Adjunct Faculty member for the Ridge College of Intelligence Studies at Mercyhurst University. She holds a Master of Science in Information Assurance (MSIA) from Norwich University. She also holds a Masters in Environmental Science & Regional Planning (MRP) from Washington State University.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.