The International Telecommunication Union is currently discussing the adoption of STIX 2.1 and TAXII 2.1 as an international standard for exchanging information about cyber threats in communication networks. For Russia, this is only one part of a complex process: accumulating effective analytics and information about attackers and their malicious activity, and forming a pool of sound solutions for countering cyber threats, according to Angara Security specialists.
"The format for exchanging indicators of compromise is certainly an important topic for discussion, especially considering the fact that there are still no generally accepted, industry-approved formats, and the community has yet to cope with this task. Many market players do use STIX, including us at Angara SOC, but in parallel, there are a significant number of other formats (proprietary or externally developed)," emphasizes Timur Zinnyatullin, Director of the Angara SOC Cyber Stability Center.
At the same time, this task is only part of a larger and more complex process: searching for and accumulating practical knowledge (i.e., effective analytics) and information about attackers and their malicious activity, so that defenders and their organizations can reduce potential damage through better-informed decision-making (hereinafter Threat Intelligence, TI). If any component of this process becomes formalized and standardized, that will certainly benefit the defense.
"However, it is important not to forget that any company that has formed a department responsible for information security needs to think first not about obtaining and processing TI, although this is also very important, but about generating its own internal TI. The results of responding to any incident, from notes in notebooks and various reports to indicators of compromise of any level of the Pyramid of Pain that were identified, should, to one degree or another, be transformed into TI and transmitted to the appropriate specialists," the expert continues.
Thus, an organization must build an internal knowledge base of already known threats, and that knowledge base should be put to use immediately in its threat detection and response processes. "Any security operations and any incident response should generate TI, and TI should generate new security operations and incident response. This fits into the general PDCA/PDAR concepts prevalent in information security," concludes Timur Zinnyatullin. The expert emphasizes that a unified, formalized data exchange format will accelerate and simplify the dissemination of knowledge and analytics not only within one company or field, but also across a sector of the economy, a country, or an association of countries.
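The feedback loop described above, as an added illustration that is not code from the article or from Angara: constructed incident-response findings are turned into STIX 2.1 Indicator objects, and the resulting bundle is checked at once against a new event. The single-comparison matcher and the Pyramid of Pain labels are simplified assumptions, and no external STIX library is used.

```python
"""Constructed IR findings -> STIX 2.1 Indicators -> immediate reuse for detection.
Only the STIX 2.1 fields required for an Indicator and a Bundle are emitted."""
import json
import uuid
from datetime import datetime, timezone

# Assumed mapping from STIX object path to a Pyramid of Pain level label.
PAIN_LEVEL = {"file:hashes.'SHA-256'": "hash",
              "ipv4-addr:value": "ip",
              "domain-name:value": "domain"}

def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

def make_indicator(obj_path, value, description):
    """Build one STIX 2.1 Indicator whose pattern is a single comparison."""
    ts = _now()
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts, "modified": ts, "valid_from": ts,
        "description": description,
        "indicator_types": ["malicious-activity"],
        "pattern": f"[{obj_path} = '{value}']", "pattern_type": "stix",
        "labels": [f"pain:{PAIN_LEVEL[obj_path]}"],
    }

def make_bundle(indicators):
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": indicators}

def match_event(bundle, event):
    """Toy matcher (assumption, not a STIX pattern engine): returns the labels of
    indicators whose comparison hits; event is keyed by STIX object path."""
    hits = []
    for obj in bundle["objects"]:
        path, _, quoted = obj["pattern"].strip("[]").partition(" = ")
        if event.get(path) == quoted.strip("'"):
            hits.append(obj["labels"][0])
    return hits

# Constructed findings from a hypothetical incident write-up (not real IoCs).
FINDINGS = [
    ("file:hashes.'SHA-256'", "a" * 64, "dropper on host (constructed hash)"),
    ("domain-name:value", "c2.example.invalid", "C2 domain from proxy logs (constructed)"),
]
BUNDLE = make_bundle([make_indicator(*f) for f in FINDINGS])

if __name__ == "__main__":
    print(json.dumps(BUNDLE, indent=2))
```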