Eric W. Burger
Michael D. Goodman
ABSTRACT
The cyber threat intelligence information exchange ecosystem is a holistic approach to the automated sharing of threat intelligence. For automation to succeed, it must handle tomorrow's attacks, not just yesterday's. There are numerous ontologies that attempt to enable the sharing of cyber threats, such as OpenIOC, STIX, and IODEF. To date, most ontologies are based on various use cases. Ontology developers collect threat indicators that through experi-ence seem to be useful for exchange. This approach is pragmatic and offers a collection of useful threat indicators in real-world scenarios. However, such a selection method is episodic. What is useful today may not be useful tomorrow. What we consider to be chaff or too hard to share today might become a critically im-portant piece of information. Therefore, in addition to use case-based ontology, ontologies need to be based on first principles. In this document we propose taxonomy for classifying threat-sharing technologies. The purpose of this taxonomy is to classify existing technologies using an agnostic framework, identify gaps in existing technologies, and explain their differences from a sci-entific perspective. We are currently working on a thesaurus that will describe, compare, and classify detailed cyber security terms. This paper focuses on the classification of the ontologies them-selves.
- Barnum, S., Standardizing Cyber Threat Intelligence Information with the Structured Threat Information eXpression (STIX™), http://stix.mitre.org/about/documents/STIX_Whitepaper_v1.0.pdf, page 11. Accessed: July 16, 2014.Google Scholar
- Cain, P., APWG Adventures In Information Sharing: Now and For the Future, http://scap.nist.gov/events/2011/itsac/presentations/day2/Cain%20-%20Advenures%20in%20Info%20Sharing.pdf. Accessed: July 16, 2014.Google Scholar
- Claise, B., Trammell, B., Aitken, P., Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information, IETF RFC 7011, September 2013.Google Scholar
- Danyliw, R., Meijer, J., Demchenko, Y., The Incident Object Description Exchange Format, IETF RFC5070, December 2007.Google Scholar
- DHS, DHS Sensitive Systems Policy Directive 4300A, Ver-sion 8.0, DHS, March 14, 2011.Google Scholar
- Davidson, M. and Schmidt, C., The TAXII Default Query Specification: Version 1.0, MITRE, January 13, 2014.Google Scholar
- Farsight Security, https://github.com/farsightsec/nmsg, Accessed July 30, 2014.Google Scholar
- Field, J., Resource-Oriented Lightweight Indicator Ex-change, IETF Internet Draft draft-field-mile-rolie-02, August 15, 2013, work in progress (expired).Google Scholar
- Hefczyc, A. et al., XEP-0268: Incident Handling, XMPP Standards Foundation draft XEP-0268. May 29, 2012. Work in progress.Google Scholar
- Herzberg, D. and Marburger, A., "The use of layers and planes for architectural design of communication systems," in Proceedings Fourth ISORC, May 2001, pp. 235--242. Google ScholarDigital Library
- ICASI, "The Common Vulnerability Reporting Framework," http://www.icasi.org/cvrf. Accessed: July 16, 2014Google Scholar
- Kampanakis, P., Survey: Security Automation and Threat Information Sharing Options, to appear in IEEE Security and Privacy Magazine, September/October 2014.Google Scholar
- MANDIANT, "OpenIOC," http://www.openioc.org/. Accessed: July 22, 2014.Google Scholar
- MITRE, "Common Vulnerabilities and Exposures," https://cve.mitre.org/. Accessed: July 23, 2014.Google Scholar
- MITRE, "Cyber Observable eXpression," http://cybox.mitre.org/, Accessed July 16, 2014.Google Scholar
- MITRE, "Malware Attribute Enumeration and Characterization," https://maec.mitre.org, Accessed: July 16, 2014.Google Scholar
- MITRE, "Open Vulnerability and Assessment Language," https://oval.mitre.org, Accessed: July 16, 2014.Google Scholar
- MITRE, "Structured Threat Information eXpression," http://stix.mitre.org/. Accessed: July 16, 2014.Google Scholar
- MITRE, "Trusted Automated eXchange of Indicator Information," https://taxii.mitre.org. Accessed: July 16, 2014.Google Scholar
- Moriarty, K., Real-time Inter-network Defense (RID), IETF RFC6545, April 2012. Accessed July 22, 2014.Google Scholar
- OASIS, OASIS Customer Information Quality (CIQ) Technical Committee, https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=ciq. Accessed: July 16, 2014.Google Scholar
- OUSD, "Information Assurance Vulnerability Management," http://www.prim.osd.mil/cap/iavm_req.html?p=1.1.1.1.3, Accessed: July 29, 2014.Google Scholar
- Parnas, D., "On the criteria to be used in decomposing systems into modules," in Communications of the ACM, v. 15 n. 12, December 1972, pp. 1053--1058. Google ScholarDigital Library
- Savolainen, J. and Myllarniemi, V., "Layered architecture revisited -- Comparison of research and practice," in WICSA/ECSA 2009, September 2009, pp. 317--320.Google Scholar
- Struse, R., Release of STIX 1.0 and CybOX 2.0, email dated 10 April 2013 to the MITRE STIX discussion list.Google Scholar
- http://en.wikipedia.org/wiki/Five_Ws, Accessed: July 23, 2014.Google Scholar
- Takahashi, T., Landfield, K, and Kadobayashi, Y, An Incident Object Description Exchange Format (IODEF) Extension for Structured Cybersecurity Information, IETF RFC 7203, April 2014.Google Scholar
- Trammel, B., Transport of Real-time Inter-network Defense (RID) Messages over HTTP/TLS, IETF RFC6546, April 2012. Accessed July 22, 2014.Google Scholar
- VERIZON, Verizon Enterprise Risk And Incident Sharing Metrics Framework, https://www.verizonenterprise.com/resources/whitepapers/wp_verizon-incident-sharing-metrics-framework_en_xg.pdf, Accessed: July 16, 2014Google Scholar
- YARA, http://plusvic.github.io/yara/. Accessed: July 16, 2014.Google Scholar
Index Terms
- Taxonomy Model for Cyber Threat Intelligence Information Exchange Technologies
Recommendations
Taxonomy of cyber attacks and simulation of their effects
MMS '11: Proceedings of the 2011 Military Modeling & Simulation SymposiumDue to an increasing level of reliance on computer network technology, military organizations are increasingly vulnerable to cyber attacks. Cyber attacks take a variety of forms and have a broad spectrum of effects. In order to facilitate military cyber ...
Data-driven analytics for cyber-threat intelligence and information sharing
Efficient analysis of shared Cyber Threat Intelligence (CTI) information is crucial for network risk assessment and security hardening. There is a growing interest in implementing a proactive line of defense through threat profiling. However, ...
Ontology-based Cyber Risk Monitoring Using Cyber Threat Intelligence
ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and SecurityEfficient cyber risk assessment needs to consider all security alerts provided by cybersecurity solutions deployed in a network. To build a reliable overview of cyber risk, there is a need to adopt continuous monitoring of emerged cyber threats related ...
Comments