The International Telecommunication Union is currently discussing whether to adopt STIX 2.1 and TAXII 2.1 as an international standard for exchanging cyber-threat information in communication networks. According to Angara Security specialists, for Russia this is only one part of a complex process: accumulating effective analytics and information about attackers and their malicious activity, and building a pool of proven measures for repelling cyber threats.
"The format for exchanging indicators of compromise is certainly an important topic for discussion, especially considering that there are still no generally accepted, industry-approved formats, and the community has yet to cope with this task. Many market players do use STIX, including us at Angara SOC, but in parallel, there are a significant number of other formats (proprietary or externally developed)," emphasizes Timur Zinnyatullin, Director of the Angara Center for Cyber Resilience.
At the same time, this task is only part of a larger and more complex process of finding and accumulating practical knowledge (that is, effective analytics) and information about attackers and their malicious activity, so that defenders and their organizations can reduce potential damage through better-informed decisions (hereinafter Threat Intelligence, TI). If any component of this process becomes formalized and standardized, the defence certainly benefits.
"But it is important to remember that any company that has formed a department responsible for information security needs to think first not about obtaining and processing TI, although this is also very important, but about generating its own internal TI. The results of responding to any incident, from notes in notebooks and various reports to identified indicators of compromise at any level of the Pyramid of Pain, should, to one degree or another, be transformed into TI and transmitted to the appropriate specialists," the expert continues.
An organization therefore needs to build an internal knowledge base of already known threats and feed it directly into its threat hunting and incident response processes. "Any security operations and any incident response should generate TI, and TI should generate new security operations and incident response, thereby fitting into the general PDCA/PDAR concepts prevalent in information security," concludes Timur Zinnyatullin. The expert emphasizes that a unified, formalized data exchange format will accelerate and simplify the dissemination of knowledge and analytics not only within one company or sphere, but also across a sector of the economy, a country, or an association of countries.
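As an added illustration of the formalized exchange format the article refers to (example code, not Angara Security's or the article's own): a Python script that turns constructed incident-response findings, each tagged with its Pyramid of Pain level, into a STIX 2.1 bundle using only the standard library. The organization name, incident reference and indicator values are placeholders, and the `x_pyramid_of_pain_level` property is an assumed custom extension, not part of the STIX specification.

```python
import json
import uuid
from datetime import datetime, timezone

# Pyramid of Pain level -> STIX 2.1 comparison-expression pattern for the value.
PATTERN_BUILDERS = {
    "hash": lambda v: f"[file:hashes.'SHA-256' = '{v}']",
    "domain": lambda v: f"[domain-name:value = '{v}']",
}
REQUIRED = ("type", "spec_version", "id", "created", "modified",
            "pattern", "pattern_type", "valid_from")

def stix_id(obj_type):
    # STIX 2.1 identifiers are "<type>--<UUIDv4>".
    return f"{obj_type}--{uuid.uuid4()}"

def stix_timestamp():
    # RFC 3339 UTC, millisecond precision, trailing "Z", as STIX 2.1 requires.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

def make_identity(org_name):
    ts = stix_timestamp()
    return {"type": "identity", "spec_version": "2.1", "id": stix_id("identity"),
            "created": ts, "modified": ts, "name": org_name,
            "identity_class": "organization"}

def make_indicator(level, value, incident_ref, created_by_ref):
    ts = stix_timestamp()
    return {"type": "indicator", "spec_version": "2.1", "id": stix_id("indicator"),
            "created": ts, "modified": ts, "created_by_ref": created_by_ref,
            "name": f"{level} observed in {incident_ref}",
            "indicator_types": ["malicious-activity"],
            "pattern": PATTERN_BUILDERS[level](value), "pattern_type": "stix",
            "valid_from": ts,
            # Custom properties need the x_ prefix in STIX 2.1; this one is assumed.
            "x_pyramid_of_pain_level": level}

def validate_indicator(ind):
    return all(k in ind for k in REQUIRED) and ind["id"].startswith("indicator--")

def build_bundle(org_name, findings):
    identity = make_identity(org_name)
    indicators = [make_indicator(lvl, val, inc, identity["id"]) for lvl, val, inc in findings]
    assert all(validate_indicator(i) for i in indicators)
    return {"type": "bundle", "id": stix_id("bundle"), "objects": [identity, *indicators]}

# Constructed incident-response findings (placeholder values, not real indicators).
FINDINGS = [("hash", "0" * 64, "IR-0001"), ("domain", "malicious.example", "IR-0001")]
if __name__ == "__main__":
    print(json.dumps(build_bundle("Example SOC", FINDINGS), indent=2))
```

The resulting JSON is what a TAXII 2.1 server would accept into a collection, so the same objects produced by the response team can be consumed by the detection tooling without a proprietary intermediate format.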