The rash of recent government breaches and continued cyberthreats have accelerated the need to exchange information about these and other known incidents. For many years, DHS has been working with industry and other federal agencies to standardize content so that security practitioners (and anyone else, for that matter) speak the same language across multiple vendor platforms when it comes to software, configurations and vulnerabilities, to name a few. An early example that predates DHS is Common Vulnerabilities and Exposures (CVE), which Mitre launched in 1999. These efforts can be challenging because gathering consensus and buy-in is never easy across a diverse set of organizations, so finding entities that can shepherd these specifications is key to widespread adoption.
This makes DHS’s announcement last week regarding the STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Indicator Information) specifications exciting. In case you didn’t see it, both specifications are moving to OASIS (Organization for the Advancement of Structured Information Standards). OASIS is a non-profit consortium with members in over 65 countries that focuses on the adoption of open standards globally. Within OASIS, STIX/TAXII will be overseen by the Cyber Threat Intelligence Technical Committee.
STIX/TAXII are a set of specifications that focus on cyberthreat information and how it is transferred. STIX has nine constructs that fit together to represent a threat, including indicators, exploit target and course of action, amongst others. TAXII defines the way threat intelligence data is shared and is the preferred way to share STIX content. This includes transport over HTTP/HTTPS.
Many consider enriching log data with threat intelligence to be an important capability. Threat Intelligence offers a neighborhood watch effect to your log data by providing insights into threats that others may have seen or detected, as well as enhancing your situational awareness. More recently, greater emphasis has been put on providing insights into indicators of compromise (IOCs). The key is that there needs to be standard means to characterize and transport this threat intelligence.
This is where STIX and TAXII come in. Starting with the Splunk App for Enterprise Security (ES), v3.3, Splunk has added the ability to ingest STIX documents and leverage TAXII feeds for threat intelligence. Artifacts extracted from the STIX documents include:
- X509 Certificates
- File names/hashes
- Registry entries
Once these threat artifacts have been extracted, they can be correlated with the logs that were previously collected to determine whether any of these indicators currently exist within the enterprise and, if so, when they were first seen. The power of Splunk’s search engine coupled with the STIX/TAXII integration assists analysts in looking back over their historical data to better answer the question, when did this (IP|Domain|Registry Setting|etc) first appear? From there, analysts can start applying mitigation strategies to the threat.
Looking back through logs retrospectively is important, but there still is the need to identify these artifacts as they appear in the present. Enterprise Security’s correlation search can also flag these logs as notable events for an analyst when correlated with these indicators as logs are being collected.
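The flow described above, as an added example that is not part of the original post and not Splunk's own code: pull the file-hash and registry-key observables out of a STIX 1.x-style XML document, correlate them against already-collected log records to answer "when was this first seen, and where?", and then apply the same match to a single new record to flag it as notable as it arrives. The STIX package, the log lines and the hash values are constructed samples; the element names and namespaces follow the STIX/CybOX 1.x layout, and the `key=value` log format is an assumption made for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# STIX 1.x / CybOX 1.x namespaces used by the constructed package below.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
    "WinRegistryKeyObj": "http://cybox.mitre.org/objects#WinRegistryKeyObject-2",
}

# Constructed STIX package: one file-hash indicator and one registry-key indicator.
# The MD5 value is a placeholder, not a real sample hash.
STIX_DOC = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:WinRegistryKeyObj="http://cybox.mitre.org/objects#WinRegistryKeyObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="example:package-1" version="1.1.1">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Title>Constructed dropper</indicator:Title>
      <indicator:Observable id="example:observable-1">
        <cybox:Object id="example:object-1">
          <cybox:Properties xsi:type="FileObj:FileObjectType">
            <FileObj:File_Name>update.exe</FileObj:File_Name>
            <FileObj:Hashes><cyboxCommon:Hash>
              <cyboxCommon:Type>MD5</cyboxCommon:Type>
              <cyboxCommon:Simple_Hash_Value>0123456789ABCDEF0123456789abcdef</cyboxCommon:Simple_Hash_Value>
            </cyboxCommon:Hash></FileObj:Hashes>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
      <indicator:Title>Constructed persistence key</indicator:Title>
      <indicator:Observable id="example:observable-2">
        <cybox:Object id="example:object-2">
          <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType">
            <WinRegistryKeyObj:Key>Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater</WinRegistryKeyObj:Key>
            <WinRegistryKeyObj:Hive>HKEY_LOCAL_MACHINE</WinRegistryKeyObj:Hive>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""

# Constructed log records: "<timestamp> key=value ..." with no spaces inside values.
SAMPLE_LOGS = [
    "2015-07-20T09:14:02Z host=ws-17 sourcetype=sysmon image=C:\\Users\\bob\\update.exe md5=0123456789abcdef0123456789abcdef",
    "2015-07-19T08:00:00Z host=ws-17 sourcetype=sysmon image=C:\\Windows\\notepad.exe md5=ffffffffffffffffffffffffffffffff",
    "2015-07-18T23:59:59Z host=ws-09 sourcetype=sysmon image=C:\\Temp\\update.exe md5=0123456789abcdef0123456789abcdef",
    "2015-07-21T11:03:45Z host=ws-22 sourcetype=winregistry action=set key=HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
]


def extract_indicators(stix_xml):
    """Return file-hash and registry-key indicators from a STIX 1.x-style package.
    Values are normalized to lower case so later matching is case-insensitive."""
    root = ET.fromstring(stix_xml)
    found = []
    for ind in root.iterfind(".//stix:Indicator", NS):
        title = ind.findtext("indicator:Title", default="", namespaces=NS)
        for props in ind.iterfind(".//cybox:Properties", NS):
            # File object: one cyboxCommon:Hash element per algorithm.
            for h in props.iterfind("FileObj:Hashes/cyboxCommon:Hash", NS):
                htype = h.findtext("cyboxCommon:Type", default="", namespaces=NS)
                value = h.findtext("cyboxCommon:Simple_Hash_Value", default="", namespaces=NS)
                if value.strip():
                    found.append({"kind": "hash", "hash_type": htype.strip().upper(),
                                  "value": value.strip().lower(), "title": title})
            # Windows registry key object: hive plus key path.
            key = props.findtext("WinRegistryKeyObj:Key", default="", namespaces=NS)
            if key.strip():
                hive = props.findtext("WinRegistryKeyObj:Hive", default="", namespaces=NS)
                full = hive.strip() + "\\" + key.strip() if hive.strip() else key.strip()
                found.append({"kind": "registry", "hash_type": None,
                              "value": full.lower(), "title": title})
    return found


def parse_record(line):
    """Split a constructed '<timestamp> k=v k=v ...' line into a field dict."""
    ts, _, rest = line.strip().partition(" ")
    fields = {"_time": ts}
    for tok in rest.split():
        k, _, v = tok.partition("=")
        fields[k] = v
    return fields


def match_indicators(fields, indicators):
    """Return the indicators whose value appears in one parsed record."""
    hashes = {fields[k].lower() for k in ("md5", "sha1", "sha256") if k in fields}
    regkey = fields.get("key", "").lower()
    return [ind for ind in indicators
            if (ind["kind"] == "hash" and ind["value"] in hashes)
            or (ind["kind"] == "registry" and ind["value"] == regkey)]


def first_seen(lines, indicators):
    """Retrospective search: earliest record per indicator value, with the host."""
    earliest = {}
    for line in lines:
        rec = parse_record(line)
        when = datetime.strptime(rec["_time"], "%Y-%m-%dT%H:%M:%SZ")
        for ind in match_indicators(rec, indicators):
            cur = earliest.get(ind["value"])
            if cur is None or when < cur["when"]:
                earliest[ind["value"]] = {"when": when, "first_seen": rec["_time"],
                                          "host": rec.get("host"), "title": ind["title"]}
    return earliest


def flag_notable(line, indicators):
    """Streaming check for a single new record: titles of the indicators it matches."""
    return [ind["title"] for ind in match_indicators(parse_record(line), indicators)]


if __name__ == "__main__":
    inds = extract_indicators(STIX_DOC)
    for value, hit in first_seen(SAMPLE_LOGS, inds).items():
        print(f"{hit['title']}: {value} first seen {hit['first_seen']} on {hit['host']}")
    print("notable:", flag_notable(SAMPLE_LOGS[3], inds))
```

Two details matter in practice: hash values arrive in mixed case from different feeds and log sources, so both sides are normalized before comparison, and the registry indicator is matched on hive plus path because a bare key path is ambiguous across hives. A real ingest would also carry the indicator's id and the feed it came from into the notable event so the analyst can trace the match back to its source.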
The Splunk App for Enterprise Security comes with a number of threat sources including examples from the STIX site relating to APT1 and Poison Ivy as well as a malware domain list from hailataxi.com. If you have access to threat intelligence via a TAXII server, adding this data is as easy as specifying the website and credentials for the TAXII server.
The STIX/TAXII specifications are important as the need to share threat intelligence in real time continues to increase. The Splunk App for Enterprise Security provides the ability to easily gather these artifacts and do something actionable with them. If you are going to be at Black Hat next week, stop by and see us (booth #347) and learn about how we are integrating STIX/TAXII.
Security Strategist, Public Sector