The STIX standard defines a rich data model, shown in Figure 1, for representing threat information. Looking at how each component of this data model applies to the Computer Network Defense (CND) functions helps to identify how threat intelligence can be incorporated into an organization’s CND activities.
First, let’s start by looking at the main components of the STIX data model [STIX]:
- Campaign – represents a set of activities or a mission that one or more threat actors carry out to achieve a desired effect.
- Course of Action – represents a set of activities that may be taken either in response to an attack or as a preventative measure prior to an attack.
- Exploit Target – contains information about a technical vulnerability, weakness, or misconfiguration in software, systems, or networks that may be targeted for exploitation by a threat actor.
- Incident – describes a cyber security incident, e.g. what occurred, the impact of the incident on systems and information, the incident timeline, points of contact, and other descriptive information.
- Indicator – contains information on observable patterns of entities, events, behaviors of interest, etc. within a cyber security context. It relates these observable patterns to particular TTPs that threat actors employ and provides additional information such as confidence in the indicator’s assertion, handling restrictions, valid time windows, likely impact, sightings of the indicator, structured test mechanisms for detection, related campaigns, suggested courses of action, related indicators, the source of the indicator, etc. Indicators are the most common piece of information provided in threat intelligence today.
- Observable – represents information about stateful properties or measurable events pertinent to the operation of computers and networks. Information about a file (name, hash, size, etc.), a registry key value, a service being started, or an HTTP request being sent are all simple examples of observables.
- Threat Actor – characterizes or identifies the attacker or adversary. Provides information such as identifying characteristics, the sophistication of the threat actor, its motivations and desired effects, and historically observed behavior.
- TTP – borrowed from the military term “Tactics, Techniques, Procedures” to represent the adversary’s behavior or modus operandi when executing an attack. A TTP may contain information such as what victims the threat actor targets, what attack patterns and malware they use, and what resources (infrastructure, tools, personas) they leverage.
Now let’s look at how these core components of the STIX data model apply to Computer Network Defense, shown in Figure 2, to gain an understanding of which pieces of threat intelligence and the STIX standard can be used to support the CND functions.
Computer Network Defense can be used in the generic sense to refer to the set of activities that are undertaken to protect an organization’s networks against cyber attack, but the DoD also has a more precise definition specified in policy [DOD 8530.01-M]. Our discussion here will be based on the DoD’s formal definition.
The “Protect” function refers to the set of proactive actions that are undertaken to modify an information system or computer network configuration or assurance posture in response to an alert or threat information. It also includes activities such as vulnerability analysis and assessment; patching; external assessments (e.g. pen testing); malware protection support; and cyber security training, education, and awareness. Components from STIX that may be applied to the “Protect” function include the following:
- TTP – The objective of the protect function is to prevent adversaries from being able to successfully execute their TTPs on your systems and networks. Thus information on those TTPs should be used to direct and prioritize the protect activities. For example, an external assessment can be conducted utilizing those same TTPs to see if the organization is vulnerable and then to remediate the findings from that assessment. Or as another example, knowledge that a particular attack utilizes a phishing technique can be used to develop an awareness and training campaign to educate personnel on what to look out for and how to respond if they’re targeted by that technique.
- Exploit Target – Protect activities such as vulnerability assessments, patching, and system hardening should take advantage of information on exploit targets as much as possible. For example, if a particular attack is known to exploit a certain vulnerability, then vulnerability scans should be conducted to identify which assets are vulnerable and then patch those assets. Or if an attack exploits a certain weakness or misconfiguration, then assessments need to be conducted to identify which systems have those weaknesses or misconfigurations, and they should be remediated accordingly.
- Observable – Observables provide the specific technical information or artifacts such as malware file hashes or bad IPs or URLs that can be used to configure the systems and tools that provide protective functions such as malware detection, content filtering, network access control, firewalls, etc.
- Course of Action – The course of action may provide some information on specific preventative measures that can be taken to thwart the attack such as how to remedy the exploit targets.
Monitor, Analyze, & Detect
The “Monitor, Analyze, & Detect” functions refer to the set of activities to gather and analyze information to provide situational awareness, determine indications and warnings, detect anomalies and incidents, evaluate system status, identify root cause, define Courses of Action (COA), and prioritize response and recovery actions. They include use of intrusion, misuse, and anomaly detection systems, supporting data fusion and analysis, diagnostics, long-term trend and pattern analysis, and warning communication channels and procedures. Components from STIX that may be applied to the “Monitor, Analyze, & Detect” functions include the following:
- Threat Actor – “Monitor, Analyze, & Detect” is essentially the recon and surveillance piece in the traditional intelligence sense (amongst other things) so monitoring the activities of adversaries is a key component of this function. Having information on the threat actor helps to select and prioritize what intelligence to act on, e.g. if a particular piece of intelligence is associated with a threat actor that’s a known adversary, then obviously it will get higher priority. Conversely, a particular threat actor may not be a known adversary but if you start to detect a recurring pattern of anomalies, indications, and warnings that can be attributed to that threat actor then they probably should be added to your list of known adversaries.
- Campaign – The objective of the monitor and analyze functions is to collect and analyze data to detect if the observed events, anomalies and incidents are part of on-going campaigns that are directed against your organization. To accomplish this, available information on the campaigns such as intended effects, related incidents, TTPs that are used, observed indicators, and attribution to the threat actors provide the context for the analysis of the collected data to determine if the organization is under attack.
- Indicator – While information on threat actors and campaigns is helpful for the situational awareness and analysis activities, indicators provide the actual actionable information that can be used for the more tactical technical activities such as malware analysis, indicator/signature development, and malware cataloging to support detection. Indicators define the patterns of observables that form the rulesets for event correlation capabilities to be able to detect anomalous or malicious activity.
- Observable – Observables provide the specific technical details, e.g. information about a file (name, hash, size, etc.), a registry key value, a service being started, an HTTP request, IP addresses, URLs, etc. that network and endpoint monitoring devices, IDS/IPS, and other sensors will need to be configured to monitor, detect, and send alerts when there’s a match.
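The following is an added example, not code from the article or from the STIX project, showing the Indicator-to-Observable correlation described above: an indicator's observable patterns are evaluated over constructed sensor events, expired indicators are ignored using the indicator's valid time window, hits are prioritized by whether the attributed threat actor is on a known-adversary list, and each alert carries the related TTP and suggested Course of Action for the responder. The dictionaries are a simplified, hand-built representation of the STIX components, not the STIX schema, and all identifiers, hashes and domains are constructed placeholders.

```python
from datetime import date

# Constructed Indicator: observable patterns tied to a TTP, a threat actor, a validity
# window and a suggested Course of Action (simplified representation, not the STIX schema).
INDICATOR = {
    "id": "indicator-example-1",  # placeholder id, not a real STIX identifier
    "observables": [
        {"type": "file", "sha256": "a" * 64},        # constructed sample hash
        {"type": "domain", "value": "bad.example"},  # reserved example domain
    ],
    "ttp": "phishing attachment delivering a downloader",
    "threat_actor": "actor-example-A",
    "valid_from": date(2024, 1, 1),
    "valid_until": date(2030, 1, 1),
    "course_of_action": "block domain at proxy, quarantine file, review mailbox rules",
}

# Constructed telemetry, as an endpoint sensor and a web proxy might emit it.
EVENTS = [
    {"host": "ws01", "type": "file", "sha256": "a" * 64},
    {"host": "ws02", "type": "domain", "value": "good.example"},
    {"host": "ws02", "type": "domain", "value": "bad.example"},
]

KNOWN_ADVERSARIES = {"actor-example-A"}  # constructed watch list (see Threat Actor above)

def observable_matches(pattern: dict, event: dict) -> bool:
    """A pattern matches when every field it specifies equals the event's field."""
    return all(event.get(k) == v for k, v in pattern.items())

def detect(indicator: dict, events: list, today=None, adversaries=frozenset()) -> list:
    """Correlate events against one indicator; return alerts enriched for analysts."""
    today = today or date.today()
    if not indicator["valid_from"] <= today <= indicator["valid_until"]:
        return []  # indicators outside their valid time window must not raise alerts
    priority = "high" if indicator["threat_actor"] in adversaries else "normal"
    alerts = []
    for event in events:
        for pattern in indicator["observables"]:
            if observable_matches(pattern, event):
                alerts.append({
                    "host": event["host"],
                    "matched": pattern,
                    "indicator": indicator["id"],
                    "ttp": indicator["ttp"],
                    "priority": priority,
                    "course_of_action": indicator["course_of_action"],
                })
    return alerts
```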
The “Respond” function refers to the set of activities taken to mitigate the operational impact of an attack, damage, or other incapacitation of an information system, e.g. incident reporting, incident response, incident analysis, forensics. It also includes “restoration” – the prioritized return of essential information systems, elements of systems, or services to pre-event capability. Components from STIX that may be applied to the “Respond” function include the following:
- Incident – Incidents provide information on discrete instances of indicators affecting an organization along with information discovered or decided during an incident response investigation. They consist of data such as time-related information, parties involved, assets affected, impact assessment, related Indicators, related Observables, leveraged TTP, attributed Threat Actors, intended effects, nature of compromise, response Course of Action requested, response Course of Action taken, confidence in characterization, handling guidance, source of the Incident information, log of actions taken, etc. Within the context of threat intelligence, this is information on incidents that have previously occurred that the organization may use in its “respond” activities to report, respond, and analyze its own incidents.
- Course of Action – If it’s determined that the incidents the organization is dealing with are related to other previous incidents, then information on the courses of action that were previously used to respond to those incidents may provide helpful guidance as the organization is dealing with its own incidents.
For those organizations that are trying to determine how to incorporate threat intelligence into their cyber defense activities, starting with the STIX data model can be helpful as it provides a well-defined and comprehensive model of the kinds of information that may be provided with threat intelligence. In addition, the CND framework defined by the DoD provides a comprehensive taxonomy of cyber defense functions that are typically employed today. Thus by mapping components of the STIX data model to these CND functions, organizations can get a better sense of how to leverage information from threat intelligence into their day-to-day operations to improve the effectiveness of their defense activities. Although here we’ve described a clear delineation of which components of the data model apply to which functions, in practice things are much more integrated. An organization’s defense activities aren’t neatly separated into “Protect”, “Monitor, Analyze, & Detect”, and “Respond” functions – they’re seamlessly integrated (or at least they should be) and usually performed by the same teams. In addition, the components of the STIX data model are very integrated and interdependent, i.e. they contain and/or reference each other. So if there’s a component from the STIX data model that we haven’t mapped to a particular CND function here, it doesn’t mean that it can’t be used or doesn’t apply to that function. And finally how much of this can actually be implemented depends on the quality and completeness of the threat intelligence – which is probably one of the biggest challenges.
- [STIX] Structured Threat Information eXpression – A Structured Language for Cyber Threat Intelligence Information.
- [DOD 8530.01-M] Department of Defense Computer Network Defense (CND) Service Provider Certification and Accreditation Program.