This is the third of three posts describing CERT Australia’s experience in deploying an automated platform for cyber threat intelligence sharing, discussing lessons learned and exploring future opportunities. Read the first and second posts.
If you have a role in defending networks, tracking or analysing malicious activity or reverse engineering malware, get involved! It is probably not as difficult as you might expect.
There is a thriving and supportive community working this problem and new minds are always welcome. Carriage of the standards work has moved from Mitre Corporation to the OASIS cyber threat intelligence technical committee and there are numerous open source projects that you can be involved in here, here and here.
CERT Australia’s cyber threat intelligence toolkit
In the interests of priming the ecosystem and supporting our industry partners who do not yet have security platforms capable of interacting directly with TAXII servers, CERT Australia has developed a cyber threat intelligence toolkit (cti-toolkit).
The cti-toolkit simplifies the consumption of STIX content from either a file or a TAXII server, and supports the transformation of that content into a range of useful formats. Currently, the tool supports output in:
- Bro intelligence framework (intel format)
- submission of indicators to a configured MISP instance
- delimited text
- XML file
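As an added illustration of the kind of transformation the toolkit performs (this is example code written for this post, not code from cti-toolkit), the snippet below parses a minimal STIX 1.x package and emits it as Bro Intel Framework lines. The package contents, the indicator values and the `cti-sample` source label are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a minimal STIX 1.x package with two indicators
# (a domain and an IPv4 address). Values use reserved documentation ranges.
SAMPLE_STIX = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-1"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <stix:Indicators>
  <stix:Indicator>
   <indicator:Title>Sample C2 domain</indicator:Title>
   <indicator:Observable><cybox:Object>
    <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
     <DomainNameObj:Value>c2.example.invalid</DomainNameObj:Value>
    </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
  <stix:Indicator>
   <indicator:Title>Sample C2 address</indicator:Title>
   <indicator:Observable><cybox:Object>
    <cybox:Properties xsi:type="AddressObj:AddressObjectType">
     <AddressObj:Address_Value>192.0.2.10</AddressObj:Address_Value>
    </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
 </stix:Indicators>
</stix:STIX_Package>"""

NS = {"stix": "http://stix.mitre.org/stix-1",
      "indicator": "http://stix.mitre.org/Indicator-2",
      "cybox": "http://cybox.mitre.org/cybox-2"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# CybOX object types the Bro Intel Framework can express; anything else is skipped.
TYPE_MAP = {"DomainNameObjectType": "Intel::DOMAIN",
            "AddressObjectType": "Intel::ADDR",
            "URIObjectType": "Intel::URL"}
HEADER = "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url\tmeta.do_notice"

def stix_to_bro_intel(xml_text, source="cti-sample"):
    """Return Bro intel file lines: the header plus one tab-separated row per observable."""
    root = ET.fromstring(xml_text)
    rows = []
    for ind in root.iterfind(".//stix:Indicator", NS):
        title = ind.findtext("indicator:Title", default="", namespaces=NS)
        desc = " ".join(title.split()) or "-"   # tabs/newlines would corrupt the intel file
        for props in ind.iterfind(".//cybox:Properties", NS):
            bro_type = TYPE_MAP.get(props.get(XSI_TYPE, "").split(":")[-1])
            if bro_type is None:
                continue
            for child in props:                 # e.g. DomainNameObj:Value, AddressObj:Address_Value
                value = (child.text or "").strip()
                if value:
                    rows.append("\t".join((value, bro_type, source, desc, "-", "T")))
    return [HEADER] + rows
```

Writing the returned lines to a file and loading it via `Intel::read_files` is all Bro needs to start matching these indicators against observed traffic.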
There are free TAXII servers sharing STIX content (e.g. Hail a TAXII and, if you are in the US, the DHS Automated Indicator Sharing program), and it is worth raising your interest in STIX/TAXII with your vendors, national CERT, sector-specific security community or other community of interest.
Consider the limitations
While STIX and TAXII will transform how organisations automate the exchange of cyber threat intelligence, there are limitations to consider.
Unless you are part of an organisation that has the fundamentals right – operating on a segmented and segregated infrastructure that is well configured and managed, with endpoints that implement effective controls such as the Australian Signals Directorate's (ASD) top strategies – adding automated cyber threat intelligence sharing to the mix will be more distraction than help.
Furthermore, many elements of effective information sharing are non-technical. STIX and TAXII do not create trust, though they provide a mechanism for existing trust groups to exchange well-structured information more efficiently. STIX and TAXII do not articulate or enforce information sharing policies either (though they can refer to them). Rest assured there is work underway to address these broader issues.
On the assumption you are working from a reasonable base security posture and participate in a community that has established trust and policies around information sharing, you should start exploring automated cyber threat intelligence sharing and how it might benefit your organisation because…
“If not now, when? If not you, who?” –Hillel the Elder
Jason Smith is the Technical Director of CERT Australia, Australia’s national computer emergency response team.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.