Cyber Threat Intelligence Information Sharing


Edilson Arenas
School of Engineering and Technology, CQUniversity

The socio-political and technological transformation of mankind is being challenged by a series of sophisticated cybersecurity threats and technology-enabled crimes. Governments, academics, industry groups, and business organisations are actively engaged in looking for cost-effective solutions to prevent, detect and protect against this malpractice. Unfortunately, a list of factors has hindered the prosperity of these efforts, with the sharing of clean data and cyber intelligence at the top of that list. Sensitive legal, ethical and business issues make it difficult to share and find good, reliable, sanitised data for research, development, and testing in cybersecurity. To address this problem, a global collaborative effort is necessary to standardise the sharing and structure of cyber threat intelligence information. The standard will lead to the research and development of innovative knowledge-based strategies with much higher levels of action possibilities and automation to create stronger, more reliable and efficient layers of security. In this regard, this research paper discusses a new approach to cyber intelligence information exchange based on current research frameworks including the NIST Cybersecurity Framework, Intrusion Kill Chains, and the STIX Cyber Threat Intelligence Reference Model.

Keywords — cybersecurity, intrusion detection, kill chains, machine learning, STIX

Introduction

In hindsight, the vast majority of information security challenges we face today are the result of serendipitous and naive decisions made in the early stages of the Internet. The opportunity to leverage such a technological breakthrough gave rise to the information age that radically transformed human behaviour socially, economically, and politically. Regardless, it is fair to say that since its inception, the benefits of having the Internet have outweighed the drawbacks.

Over the years, driven by a sense of collaboration and shared responsibility, the security community has produced sound and cost-effective solutions to achieve a secure, stable and resilient Internet. These days, however, such solutions are being challenged. Our unrestrained appetite to push the Internet to its boundaries has brought about a tremendous growth in Internet applications, in ways never seen before. The Internet of Things (IoT), cyber-physical systems (CPS), and critical infrastructure are some examples of the latest developments leveraging the Internet. These systems are far from being bullet proof and introduce new vulnerabilities and exposures that, once uncovered and exploited by cybercriminals and cyber warfare experts, give them the opportunity to materialise highly sophisticated computer network intrusions. The reality is that conventional forms of defence are no longer adequate to counteract this new category of advanced persistent threats (APT). It is necessary to investigate more innovative knowledge strategies that automatically equip cyber threat analysts and those interested in cybersecurity with far superior levels of intelligence for the creation of stronger, more effective and efficient layers of security. Moreover, these strategies require a global collaborative and concerted approach towards the standardisation of the sharing and structure of cyber threat intelligence information. In the same vein, the security community has produced a cluster of promising intelligence-based cybersecurity collaborative research with particular focus on gathering, sharing and analytics of cyber threat intelligence. Unfortunately, these efforts have been disjointed, proprietary, atomic and hindered by the lack of a globally coordinated front including governments, business organisations, institutions and the public in general to tackle the root cause of the problem. From the perspective of cybersecurity, there appear to be interoperability issues and a disconnection between research and development frameworks, business organisations' attitudes towards security, and the research strategies put in place. The adoption of a standard holistic approach is necessary to share and analyse cyber threat data more effectively and possibly in real time. This research paper proposes a new approach to cyber intelligence information exchange based on current research frameworks including the NIST Cybersecurity Framework, Intrusion Kill Chain, and STIX Cyber Threat Intelligence Reference Model.

The paper is structured as follows. The first part sets the scene with a brief description of the abovementioned research frameworks. The second part of the paper discusses the proposed research approach to cyber intelligence information exchange. The paper ends with a section on future directions and the conclusion.

NIST Cybersecurity Framework

Amongst the many security risk management frameworks in existence today (Australian Plan, 2013; NIST, 2014; NITRD, 2016), the NIST cybersecurity framework has gained popularity owing to its focus on critical infrastructure systems and the new realities of cybersecurity threats affecting the normal operation of business organisations (Perakslis & Stanley, 2016; Shackelford, Proia, Martell, & Craig, 2015).

The NIST cybersecurity framework (CSF) was introduced as part of a strategy to improve critical infrastructure (i.e. systems and assets in both public and private sectors supported by information and communication technology, and industrial control systems) linked to national and economic security (NIST, 2014). In line with this framework, organisations responsible for critical infrastructure are required to be proactive and socially responsive towards 'identifying, assessing, and managing cybersecurity risk' (NIST, 2014, p. 3). The CSF recognises that each organisation uses its systems differently and produces a set of risks unique to the organisation. The CSF is flexible, enabling its applicability to any organisation. The framework also acknowledges that its purpose does not go beyond the limits that protect privacy and civil liberties and that it should be considered as a complement to, and not as a replacement of, an organisation's security risk management practices (NIST, 2014).

Structurally, the CSF comprises a set of standards, processes, procedures, and methodologies aimed at guiding policy makers, industry, business organisations, vendors and manufacturers with strategies and approaches to counteract cybersecurity issues. The framework itself calls for cybersecurity risks to be considered as an integral, ongoing and formal component of any organisational risk management process to identify, assess, and respond to risks. The most significant aspect of the CSF is that organisations should align all their 'business requirements, risk tolerances, and resources' (NIST, 2014, p. 1) from a cybersecurity perspective for business success. The CSF has an international appeal, for it is based on standards for cybersecurity, guidelines, and practices that work effectively in industry today globally; however, it is not bullet proof. Its only intention is aimed 'at reducing and better managing cybersecurity risks' (NIST, 2014, p. 2).

Technically, the CSF is composed of three parts, namely, Framework Core, Framework Implementation Tiers, and Framework Profiles. The Framework Core consists of five concurrent and continuous Functions: Identify, Protect, Detect, Respond, Recover. The framework matches each function with informative references including existing standards, guidelines and practices.

In the Identify function of the Framework Core, the organisation develops a complete understanding of its business domain and resources to manage cybersecurity risk to systems, assets, data and capabilities. The Protect function helps the organisation to develop and implement the appropriate controls and safeguards to ensure confidentiality, integrity and availability of critical infrastructure services. Examples of these safeguards include access control, cybersecurity awareness and training, data security, information protection processes and procedures, maintenance and protective technology. The Detect function supports the organisation to develop and implement the appropriate activities aimed at the timely and reliable prevention and discovery of any cybersecurity event. Examples of the Detect function activities include anomalies and events, security continuous monitoring, and detection processes. Within this function, there is provision for event detection information sharing with appropriate parties, a central point of discussion in this research project. The Respond function of the Framework Core helps the organisation to develop and implement the appropriate activities to take action in regard to a detected cybersecurity event. Examples of these activities include response planning, communications, analysis, mitigation and improvements. Like the Detect function, within this function there is provision for information sharing with internal or external stakeholders to achieve broader cybersecurity situational awareness. Finally, the Recover function in the Framework supports the organisation to develop and implement the appropriate resilience plan to restore any capabilities or services that were compromised as a result of a successful cyber security attack. Some categories within this function are recovery planning, improvements and communications. In the communications category of the Recover function, there is provision for communicating the recovery activities to internal and external stakeholders as appropriate.

The Framework Implementation Tiers describe the degree to which an organisation's cybersecurity risk management practices exhibit the characteristics defined within the Framework, from a low tier to a higher tier level of implementation. The Framework Profiles can be characterised as the alignment of standards, guidelines, and practices to the Framework Core in a particular implementation scenario. This part of the framework helps organisations to assess the level of security they currently have compared to an optimum profile called a Target Profile (NIST, 2014).

Since its release in 2014, the CSF has been used as an internal reference tool for coordinating cybersecurity at a high level across a variety of industries and business organisations of all sizes, including critical infrastructure areas like energy, chemical, finance, healthcare, manufacturing, public safety, communications and information technology (NIST, 2016). The framework has also received worldwide adoption as a risk assessment tool and vehicle to communicate organisations' cybersecurity requirements to vendors, service providers and partners. In terms of communication, the framework has great potential for organisations to leverage external guidance from, and information exchange with, cybersecurity agencies, government departments, network analysis centres and the cybersecurity community in general, to assist them in identifying, detecting, protecting, responding and recovering from cybersecurity events (NIST, 2016). A number of gaps have also been identified, though.

In the 2016 Cybersecurity Framework Workshop organised by NIST (NIST, 2016), the framework was criticised for the lack of guidance on how to operationalise it within organisations and the lack of case studies and sample profiles to facilitate the transition. The workshop concluded that the widespread adoption of the framework depended on the strategy to share and distribute practices and lessons learned across the sectors. The framework was also found to be deficient in terms of guidance about the integration of cyber threat intelligence, particularly automated indicators and observables, into the framework. Participants in the workshop talked about the need for a threat standardisation model like STIX to support the exchange of cyber threat intelligence. There were also concerns that the framework did not inform the automation process for the development, sorting and implementation of automatic threat indicators and observables.

In summary, despite its wide acceptance, the CSF appears to be deficient in terms of the practice and guidance for the automation, sharing and distribution of cyber threat intelligence, which according to research in the field are important factors in counteracting and deterring cybercriminals and their actions (MITRE, 2012; Gartner, 2014).

Intrusion Kill Chain Framework

Recently, the analysis of indicators and observables of compromise has been attracting a lot of attention from the security sector as the basis for the intelligence process. The Kill Chain Framework (KCF) is an example of such a process and, as an adversary-centric, intelligence-driven computer network defence, is used in this research paper to frame the discussion on cyber threat information sharing and automation (Gartner, 2014; Hahn et al., 2015; Hutchins et al., 2011). The KCF is usually seen as a complementary approach to perimeter-centric security approaches, which, despite providing a solid security foundation, are mainly focused on network security, host security, and identity security (Gartner, 2014). According to Gartner (2014), understanding the TTP (tactics, techniques and procedures) used by adversaries is an additional cybersecurity strategy to face the challenges of today's powerful advanced persistent threats. Such an adversary-centric approach to cybersecurity is also consistent with a recent report on cybersecurity research by the National Academy of Sciences, Engineering and Medicine (NASEM, 2017). The report suggests that any technological approach to cyber security in itself cannot be effective unless it is complemented with analysis tools and methods from the social and behavioural sciences. The main argument here is that information and communication technology systems are built, deployed, and used by humans, and that, paradoxically, humans are also the adversaries acting against the normal operation of those systems (NASEM, 2017).

The KCF expands on a military systematic approach referred to as find, fix, track, target, engage, assess (F2T2EA) to target and engage an adversary (Tirpak, 2000). The KCF is a framework often criticised for focusing on intrusions and being limited to malware prevention; however, the model is well known and often cited as a critical approach to cyber security when combined with knowledge-based systems, advanced analytics and predictive modelling leveraging machine learning algorithms. This combination of systems enhances the chances to mitigate the risks and, particularly, to speed up the recovery and business continuity processes in the event of a successful attack.

The KCF consists of seven sequential phases defined as Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command and Control (C2), and Actions on Objectives (Gartner, 2014; Hutchins et al., 2011). Reconnaissance is the phase where the adversaries research, identify and select targets by looking into organisations' details, Internet websites, mailing lists, information on specific technologies, social networking activity or any other type of information that might provide them with the best approach to conducting an attack with the minimum set of resources. During the Weaponisation phase, the adversary typically uses an automated tool to produce a weapon, for example, in the form of a remote access Trojan coupled with an exploit that is usually delivered by client application data files like PDFs or Microsoft Office documents. Once the weapon is encapsulated into a payload, it is transmitted (delivered) to the target host. This can be either target-initiated (for example, when a user browses to a malicious website) or attacker-initiated (for example, when the attacker uses SQL injection). According to Hutchins et al. (2011), the delivery mainly occurs via email attachments, websites and USB removable pen drives. Exploitation takes advantage of a compromised host as a result of an operating system or application software vulnerability. In this phase, the malware delivered to the host exploits the vulnerability by triggering the intruder's code. After the intruder's code is triggered, a stealth application, usually in the form of a remote-access Trojan or backdoor, is installed. In this Installation phase, the installed malware allows the adversary to maintain persistence inside the host and take control of it without alerting the organisation. Command and Control is perhaps the most crucial and detrimental phase in the KCF. This is the phase where the attacker sets up a channel to gain full control of the organisation's assets. In this phase, the adversary might use a number of methods to gather information, including screen captures, password cracking, keystroke monitoring, and network monitoring for credentials, amongst others. Actions on Objectives is the phase where the intruders make the decision on what to do next on their objectives. These objectives are likely to be data exfiltration, data integrity alterations or data availability disruptions. The intruder may also decide to use the controlled host to perpetrate additional attacks inside the compromised network in a persistent manner (Gartner, 2014; Hutchins et al., 2011).

The ultimate goal of adversaries is to gain access to a secure trusted network and, once inside, perpetrate actions on their objectives. The use of the intrusion kill chain model, along with analytics and predictive cyber security tools, increases the chances of uncovering indicators and observables of compromise (cyber threat intelligence) to help mitigate both vulnerabilities and threat risks.

Cyber Threat Intelligence (CTI) Sharing

The success of any cybersecurity strategy is proportionate to the amount of rich cyber threat intelligence available for analysis and the speed at which intrusions are detected and blocked. In the process of improving security practices, worldwide cybersecurity centres, vendors, manufacturers, and institutions have gathered, compiled, and produced humongous amounts of cyber threat information. Currently, cyber threat analysts have at their disposal intelligence produced and maintained by a wide range of sources including cybersecurity research and information centres, information security companies, technical reports and post-mortems, ontologies and vocabularies, reference models, knowledge bases, databases, and system and application logs. Some of this cyber threat intelligence is made freely available but is unfortunately unstructured, formatted differently and not easy to access. This is problematic, particularly in the sharing of evidence-based knowledge about advanced persistent threats, asset risk assessment, adversary strategies, security best practices, and decision making (CSRIC, 2015). The problem is not the lack of intelligence but the lack of interoperable standard frameworks for information sharing and big data analytics.
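As an added example, not code from the paper or from any project it cites, the following Python script shows what the interoperability called for above looks like in practice and ties it back to the seven kill chain phases described in the previous section: a producer emits indicators as STIX 2.1 indicator objects tagged with a kill chain phase, and a consumer validates the shared bundle, rejects malformed objects instead of guessing, and groups accepted indicators by phase so they can be routed automatically. It uses only the standard library; the sample patterns, domain and IP address are constructed placeholders, the phase strings are the ones commonly paired with the "lockheed-martin-cyber-kill-chain" name in STIX, and the validation is a minimal subset of the STIX 2.1 rules, not a full validator.

```python
# Added example: STIX 2.1 indicators tagged with kill chain phases, producer to consumer.
# Standard library only; all sample values are constructed placeholders, not real IoCs.
import json, re, uuid
from collections import defaultdict
from datetime import datetime, timezone

# Kill chain name and phase strings as used in STIX 2.1 kill_chain_phases for the
# seven-phase Lockheed Martin model discussed in the paper.
KILL_CHAIN = "lockheed-martin-cyber-kill-chain"
PHASES = ("reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command-and-control", "actions-on-objectives")
REQUIRED = ("type", "spec_version", "id", "created", "modified",
            "pattern", "pattern_type", "valid_from")  # mandatory indicator properties
ID_RE = re.compile(r"^[a-z0-9-]+--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def _now() -> str:  # STIX timestamp: UTC, millisecond precision, trailing Z
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

def make_indicator(name: str, pattern: str, phase: str) -> dict:
    """Producer side: one indicator SDO linked to a single kill chain phase."""
    if phase not in PHASES:
        raise ValueError(f"unknown kill chain phase: {phase}")
    ts = _now()
    return {
        "type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid.uuid4()}",
        "created": ts, "modified": ts, "valid_from": ts,
        "name": name, "pattern": pattern, "pattern_type": "stix",
        "kill_chain_phases": [{"kill_chain_name": KILL_CHAIN, "phase_name": phase}],
    }

def make_bundle(objects: list) -> dict:
    # A bundle is the unit that gets serialised and shared between parties.
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}

def validate_indicator(obj: dict) -> list:
    """Consumer side: return the problems found (empty list means acceptable)."""
    problems = [f"missing {k}" for k in REQUIRED if k not in obj]
    fixed = {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix"}
    problems += [f"unexpected {k}" for k, v in fixed.items() if obj.get(k) != v]
    if not ID_RE.match(obj.get("id", "")):
        problems.append("malformed id")
    for kcp in obj.get("kill_chain_phases", []):
        if kcp.get("kill_chain_name") == KILL_CHAIN and kcp.get("phase_name") not in PHASES:
            problems.append(f"unknown phase {kcp.get('phase_name')}")
    return problems

def ingest(bundle_json: str):
    """Parse a shared bundle; group accepted indicator patterns by kill chain phase."""
    by_phase, rejected = defaultdict(list), []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue  # other STIX object types are out of scope for this example
        if problems := validate_indicator(obj):
            rejected.append((obj.get("id"), problems))
            continue
        phases = [k["phase_name"] for k in obj.get("kill_chain_phases", [])
                  if k.get("kill_chain_name") == KILL_CHAIN] or ["unassigned"]
        for phase in phases:
            by_phase[phase].append(obj["pattern"])
    return dict(by_phase), rejected

def demo():
    """Round trip over constructed indicators; one is deliberately malformed."""
    good = [make_indicator("lure attachment", "[file:name = 'invoice.pdf.exe']", "delivery"),
            make_indicator("beacon domain", "[domain-name:value = 'c2.example.invalid']",
                           "command-and-control")]
    bad = make_indicator("broken", "[ipv4-addr:value = '203.0.113.5']", "exploitation")
    del bad["valid_from"]  # malformed on purpose: the consumer must reject, not guess
    return ingest(json.dumps(make_bundle(good + [bad])))
```

Calling demo() returns the accepted patterns keyed by phase together with the rejected object ids and the reasons, which is the information a receiving organisation needs to feed its Detect and Respond activities without manual reformatting.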
In this regard, some collaborative efforts have already been put in place, for example, the Common Vulnerabilities and Exposures (CVE) by Mitre.

Mitre is a not-for-profit R&D organisation that has worked closely with US federally funded security centres to strengthen cyber defences for more than four decades (Mitre, 2017). Mitre is well known worldwide for overseeing the industry standard for CVE. CVE is a dictionary of common names or identifiers for publicly known cybersecurity vulnerabilities. CVE's aim is to facilitate information sharing across separate network security databases and tools (CVE, 2017).

Related efforts to CVE include:

- Common Weakness Enumeration (CWE), a community-developed dictionary of software weakness types.
- Common Attack Pattern Enumeration and Classification, a community resource for identifying and understanding attacks.
- Malware Attribute Enumeration and Characterisation (MAEC), a structured language for attribute-based malware characterisation.

Since its release, the adoption of CVE and related resources has been widespread and endorsed by institutions, industry, government,

