TR 103 331 - V1.2.1 - CYBER; Structured Threat Information .

3y ago
47 Views
2 Downloads
767.90 KB
19 Pages
Last View : 4d ago
Last Download : 5m ago
Upload by : Lilly Andre
Transcription

ETSI TR 103 331 V1.2.1 (2019-09)TECHNICAL REPORTCYBER;Structured threat information sharing

2ETSI TR 103 331 V1.2.1 (2019-09)ReferenceRTR/CYBER-0032Keywordssecurity, threat analysis, threat intelligenceETSI650 Route des LuciolesF-06921 Sophia Antipolis Cedex - FRANCETel.: 33 4 92 94 42 00 Fax: 33 4 93 65 47 16Siret N 348 623 562 00017 - NAF 742 CAssociation à but non lucratif enregistrée à laSous-Préfecture de Grasse (06) N 7803/88Important noticeThe present document can be downloaded from:http://www.etsi.org/standards-searchThe present document may be made available in electronic versions and/or in print. The content of any electronic and/orprint versions of the present document shall not be modified without the prior written authorization of ETSI. In case of anyexisting or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSIdeliverable is the one made publicly available in PDF format at www.etsi.org/deliver.Users of the present document should be aware that the document may be subject to revision or change of status.Information on the current status of this and other ETSI documents is available .aspxIf you find errors in the present document, please send your comment to one of the following pportStaff.aspxCopyright NotificationNo part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopyingand microfilm except as authorized by written permission of ETSI.The content of the PDF version shall not be modified without the written authorization of ETSI.The copyright and the foregoing restriction extend to reproduction in all media. ETSI 2019.All rights reserved.DECT , PLUGTESTS , UMTS and the ETSI logo are trademarks of ETSI registered for the benefit of its Members.3GPP and LTE are trademarks of ETSI registered for the benefit of its Members andof the 3GPP Organizational Partners.oneM2M logo is a trademark of ETSI registered for the benefit of its Members andof the oneM2M Partners.GSM and the GSM logo are trademarks registered and owned by the GSM Association.ETSI

3ETSI TR 103 331 V1.2.1 (2019-09)ContentsIntellectual Property Rights .4Foreword.4Modal verbs terminology.4Executive summary .4Introduction .51Scope .62References 4.34.44.54.64.74.84.94.104.114.124.13Normative references . 6Informative references . 6Definition of terms, symbols and abbreviations .7Terms. 7Symbols . 8Abbreviations . 8Means for exchanging structured cyber threat intelligence .9Introduction . 9OASIS Cyber Threat Intelligence Technical Committee (TC CTI) . 9Introduction. 9STIX 2.0 . 10STIX 2.1 . 11Adversarial Tactics, Techniques and Common Knowledge in STIX 2.0 . 12TAXII 2.0 . 12IETF Managed Incident Lightweight Exchange Working Group (mile) . 13CSIRTGadgets Collective Intelligence Foundation (CIF). 14EU Advanced Cyber Defence Centre (ACDC) . 14AbuseHelper . 15OMG Threat Modelling Working Group . 15ITU-T SG17 . 15Open Threat Exchange (OTX ). 16OpenIOC Framework . 16VERIS Framework . 16ETSI ISI (Information Security Indicators) ISG . 16OASIS Common Security Advisory Framework (CSAF) Technical Committee . 17Annex A:Bibliography .18History .19ETSI

4ETSI TR 103 331 V1.2.1 (2019-09)Intellectual Property RightsEssential patentsIPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The informationpertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be foundin ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI inrespect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Webserver (https://ipr.etsi.org/).Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guaranteecan be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Webserver) which are, or may be, or may become, essential to the present document.TrademarksThe present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys noright to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document doesnot constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.Some material contained herein is the copyright of, or has been supplied by OASIS.Figures 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7 copyright OASIS Open 2017. All Rights Reserved.Figures 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7 copyright United States Government 2016-2018. All Rights Reserved. Usedby permission.ForewordThis Technical Report (TR) has been produced by ETSI Technical Committee Cyber Security (CYBER).Modal verbs terminologyIn the present document "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to beinterpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions)."must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.Executive summaryCyber threat information sharing - often described as threat intelligence sharing - is one of the most importantcomponents of an organization's cyber security program. It can be obtained internally and from external trusted sources.It is collected, analysed, shared, and leveraged. The present document provides a survey of ongoing activities and theresulting platforms that are aimed at structuring and exchanging cyber threat information. These activities range fromthose developed among the Computer Emergency Response Teams in the 1990s in the IETF, to cutting-edge newinitiatives being advanced in OASIS. Some of the platforms are semi-open commercial product communities. It ispossible that the OASIS CTI work could bring about significant interoperability if not integration in this area.ETSI

5ETSI TR 103 331 V1.2.1 (2019-09)IntroductionThe importance of cyber threat information sharing has been underscored recently by the European Union and NorthAmerica enacting into organic law, combined with major executive level and national initiatives. These actions extendacross all information, and infrastructure sectors. Some of the more prominent of these recent actions include: EU Network Information Security Directive, approved 18 December 2015 [i.1]. Cybersecurity Information Sharing Act of 2015 (18 December 2015) [i.2]. CPNI, Threat Intelligence: Collecting, Analysing, Evaluating, 23 March 2015 [i.3]. Launch of the Canadian Cyber Threat Exchange, 11 December 2015.Against this backdrop of initiatives that included the scaling of Financial Services Information Sharing and AnalysisCenter (FS-ISAC) and The Depository Trust & Clearing Corporation (DTCC) activities, the OASIS Cyber ThreatIntelligence Technical Committee was formed in 2015 to bring together a broad and rapidly growing array of public andprivate sector organizations to advance a global set of standards for structured threat information sharing.The present document describes the known array of existing structured threat information sharing work in diversebodies, including the developments underway in OASIS TC CYBER which can form the basis for expandedcooperation based on existing ETSI and OASIS collaborative agreements and working relationships among TechnicalCommittees.ETSI

61ETSI TR 103 331 V1.2.1 (2019-09)ScopeThe present document provides an overview on the means for describing and exchanging cyber threat information in astandardized and structured manner. Such information includes technical indicators of adversary activity, contextualinformation, exploitation targets, and courses of action. The existence and creation of organizations for the exchange ofthis information are out of scope the present document.2References2.1Normative referencesNormative references are not applicable in the present document.2.2Informative referencesReferences are either specific (identified by date of publication and/or edition number or version number) ornon-specific. For specific references, only the cited version applies. For non-specific references, the latest version of thereferenced document (including any amendments) applies.NOTE:While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guaranteetheir long term validity.The following referenced documents are not necessary for the application of the present document but they assist theuser with regard to a particular subject area.[i.1]Directive of the European Parliament and of the Council concerning measures with a view toachieving for a high common level of security of network and information security systems acrossthe Union, Brussels, 21 April 2016 (5581/16).[i.2]Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measureswith Federal Entities under the Cybersecurity Information Sharing Act of 2015 (June :[i.7]NOTE:Available at https://www.us-cert.gov/sites/default/files/ais files/NonFederal Entity Sharing Guidance %28Sec%20105%28a%29%29.pdf.National Cyber Security Centre: "Threat Intelligence: Collecting, Analysing, Evaluating", October2016.Available athttps://www.ncsc.gov.uk/content/files/protected files/guidance files/MWR Threat Intelligence whitepaper-2015.pdf.OASIS Specifications, STIX 2.0, TAXII 2.0.Available at https://www.oasis-open.org/committees/tc home.php?wg abbrev cti.Internet Engineering Task Force (IETF): "Managed Incident Lightweight Exchange (mile)Working Group".Available at commendation ITU-T X.1500-Series: "Cybersecurity information exchange".Available at px?ser X.ETSI ISG ISI (Information Security Indicators) initial Terms of Reference.Available at https://portal.etsi.org/ISI/ISI ISG ToR Sep2011.pdf .ETSI

7ETSI TR 103 331 V1.2.1 (2019-09)[i.8]ETSI GS ISI 001-1: "Information Security Indicators (ISI); Indicators (INC); Part 1: A full set ofoperational indicators for organizations to use to benchmark their security posture".[i.9]ETSI GS ISI 001-2: "Information Security Indicators (ISI); Indicators (INC); Part 2: Guide toselect operational indicators based on the full set given in part 1".[i.10]ETSI GS ISI 002: "Information Security Indicators (ISI); Event Model A security eventclassification model and taxonomy".[i.11]ETSI GS ISI 003: "Information Security Indicators (ISI); Key Performance Security Indicators(KPSI) to evaluate the maturity of security event detection".[i.12]ETSI GS ISI 004: "Information Security Indicators (ISI); Guidelines for event detectionimplementation".[i.13]ETSI GS ISI 005: "Information Security Indicators (ISI); Guidelines for security event detectiontesting and assessment of detection effectiveness".[i.14]IETF RFC 5070: "The Incident Object Description Exchange Format".[i.15]IETF RFC 6545: "Real-time Inter-network Defense (RID)".[i.16]IETF RFC 6546: "Transport of Real-time Inter-network Defense (RID) Void.[i.20]Void.[i.21]IETF RFC 6046: "Transport of Real-time Inter-network Defense (RID) oid.[i.26]Void.[i.27]ISO/IEC 27001: "Information technology -- Security techniques -- Information securitymanagement systems -- Requirements".[i.28]ISO/IEC 27002: "Information technology -- Security techniques -- Code of practice forinformation security controls".[i.29]ISO/IEC 27004: "Information technology -- Security techniques -- Information securitymanagement -- Measurement".[i.30]ETSI TR 103 305: "CYBER; Critical Security Controls for Effective Cyber Defence".3Definition of terms, symbols and abbreviations3.1TermsVoid.ETSI

83.2ETSI TR 103 331 V1.2.1 (2019-09)SymbolsVoid.3.3AbbreviationsFor the purposes of the present document, the following abbreviations apply:ACDCASATT&CK CERTCIFCOBITCPNICSAFCSIRTCTICVRFCYBEXCybOX ODEFIPISACISACAISGISIITITU-TJSONKPSIMAEC MILENISOASISOMGOSSIMOTXRIDSTIX TAXII TTPUSVERISAdvanced Cyber Defence CentreAutonomous SystemAdversarial Tactics, Techniques and Common KnowledgeComputer Emergency Response TeamCollection Intelligence FrameworkControl OBjectives for Information and related TechnologyCentre for the Protection of National InfrastructureCommon Security Advisory FrameworkComputer Security Incidence Response TeamCyber Threat IntelligenceCommon Vulnerability Reporting FrameworkCybersecurity Information ExchangeCyber Observable ExpressionDepartment of Homeland SecurityDenial of ServiceDepository Trust & Clearing CorporationEuropean Union Agency for Network and Information SecurityEuropean UnionForum of Incident Response and Security TeamsFinancial Services ISACGroup SpecificationHypertext Transfer ProtocolIdentification Detection SystemInternet Engineering Task ForceINdiCatorsINCident HandlingIncident Object Description Exchange FormatInternet ProtocolInformation Sharing and Analysis CenterInformation Systems Audit and Control AssociationIndustry Specification GroupInformation Security IndicatorsInformation TechnologyInternational Telecommunication Union Telecommunication StandardizationJavaScript Object NotationKey Performance Security IndicatorsMalware attribute enumeration and characterizationManaged Incident Lightweight ExchangeNetwork and Information SecurityOrganization for the Advancement of Structured Information StandardsObject Management GroupOpen Source Security Information ManagementOpen Threat eXchangeReal-time Inter-network DefenseStructured Threat Information ExpressionTrusted Automated Exchange of Indicator InformationTactics, Techniques and ProceduresUnited StatesVocabulary for Event Recording and Incident SharingETSI

9NOTE:ETSI TR 103 331 V1.2.1 (2019-09)CybOX , STIX and TAXII are trademarks of the U.S. Government, licensed to OASIS. hp. MAEC is a trademark of The MITRE Corporationoperating as a non-profit Federally Funded Research and Development Center (FFRDC) of the U.S.Department of Homeland Security. See http://maecproject.github.io/Legal/.4Means for exchanging structured cyber threatintelligence4.1IntroductionThe need for the exchange of structured cyber threat intelligence grew in the 1990s in conjunction with increasingnumbers of discovered exploits of network vulnerabilities and attacks. This led to a diverse array of initiatives andprojects to develop structured expressions and associated protocols for the trusted exchange of information concerningthose vulnerabilities and attacks, and remediation steps - which are described in the following clauses. These efforts andthe resulting platforms have moved forward (or not) at significantly different scales, and involve specialized andsometimes vendor-oriented communities. The Financial Services Information Sharing and Analysis Center (FS-ISAC)and The Depository Trust & Clearing Corporation (DTCC) communities are especially significant and one of the EUNIS essential services sectors. The largest related standards activity - now consists of OASIS Technical Committee onCyber Threat Intelligence (TC CTI) - and is still rapidly growing and evolving.4.2OASIS Cyber Threat Intelligence Technical Committee(TC CTI)4.2.1IntroductionThe OASIS Cyber Threat Intelligence (CTI) TC was chartered to define a set

Cyber threat information sharing - often described as threat intelligence sharing - is one of the most important components of an organization's cyber security program. It can be obtained internally and from external trusted sources. It is collected, analysed, shared, and leveraged. The present document provides a survey of ongoing activities .

Related Documents:

331 031 271 520 0315 2.70 1.50 2.00 3500 331 031 321 515 0320 3.20 1.50 1.50 4500 331 041 402 053 0453 4.10 2.00 5.30 1500 331 051 472 057 0557 4.70 2.00 5.70 1500 331 061 603 010 0610 6.00 3.00 10.00 500 331 081 302 025 0825 3.00 2.00 2.50 5500 331 141 352 540 1440 3.50 2.50 4.00 2000

Prime VCE and PDF Exam Dumps from PassLeader 70-331 Exam Dumps 70-331 Exam Questions 70-331 PDF Dumps 70-331 VCE Dum

Example (of rounding). Suppose we wish to round .372648 103 and.372653 103 with k 4 and n 3, so 5 10n(k 1) 5 102 5 105 103 .00005 103.372648 103.372653 103.000050 103.00005

TABLE OF CONTENTS Introduction 102 Stress Echocardiography Methods 102 Haemodynamic Effects of Myocardial Stressors 103 Exercise 103 Dobutamine 103 Vasodilators 103 Stress Echocardiography Proto-cols 103 Treadmill 103 Bicycle 103 Dobutamine 107 Vasodilators 107 Image Acquisition 108 InterpretationoftheTest 108

70-331 Dumps, 70-331 Braindumps, 70-331 Real Exam Questions, 70-

331.70 Dispositions and Reviews 331.80 Records Retention 331.90 Violation of this Part Appendix A Types of Unusual Incidents AUTHORITY: Implementing the Abused and Neglected Child Reporting Act [325 ILCS 5] and Sec

2021 Latest certbus 70-331 PDF and VCE dumps Download Correct Answer: On-way forest trust Security groups web application policy QUESTION 9 You are configuring permission levels for two user groups named Managers and Editors. 70-331 VCE Dumps 70-331 Prac

EDUCATION SERVICES HANDBOOK TABLE OF CONTENTS Section 100 Introduction 101 Purpose of Handbook 102 Mission 103 Organization Charts 103.1 Federal Prison System 103.2 Correctional Programs Division 103.3 Inmate Programs Services Branch 103.4 Education Service