In January of 2015, New Context was commissioned by a client to perform a review of existing machine-readable threat feed frameworks. The customer, a user of Industrial Control System (ICS) hardware, is looking years into the future in the hope of forging a path in which complex patterns of attacks against ICS devices could be described and shared automatically among machines.

Our employees are no strangers to standards development work, the world of ICS and complex malware research.

In our study we analyzed more than a dozen frameworks. We retrieved information from trusted resources and conducted an evaluation based upon decades of industry experience and expertise. The evaluation process and ranking system included agreed upon requirements, use cases and metrics.

We performed our analysis using a standard set of requirements that included:

  • Ability to express complex Indicators of Compromise (IOC).

  • Ability to express complex remediation steps.

  • The frameworks must be in a machine-readable format.

  • The frameworks were evaluated against our client’s defined use cases.

While the details of our study are confidential to our customer, we can say that our ongoing involvement in STIX for the past 2 years has been at least partially because of our participation within the California Energy Systems for the 21st Century (CES-21) project. As part of this project, a more expressive indicator language was wanted so that complex and involved indicators, such as those ICS requires, could be described in STIX to help protect California’s electrical grid.

Development of an industry-wide standards framework for Cyber Threat Intelligence (CTI) is crucial for the information security industry to be able to define and share threats. By using a machine-readable format, cybersecurity analysts will be able to collaborate more quickly to detect and address threats. New Context is a proud sponsor of OASIS and believes strongly in open and transparent standards frameworks.

New Context also added 4 rating metrics to help provide a quantitative scoring to aid the research. Those metrics were:

  • Flexible: A metric signifying the ability to support a wide range of use cases and information of varying levels of fidelity.

  • Extensive: A metric signifying the ability to take future growth into consideration.

  • Readable: A metric signifying the ability to be read easily by a human.

  • Pervasive: A metric signifying a measure of the acceptance and reputation within the security community.

We offer full stack platform development using our Lean Security methodology

We are expert integrators of STIX and TAXII for IT and OT ecosystems

We have deep experience in automation and orchestration

In February, STIX version 2.0 was made available for review. The comment period is open through April 6th. For more details, see the announcement and the documentation.

Currently, over 50 open source and commercial tools use STIX and/or TAXII standards, a number that is expected to grow.

Momentum is building for global threat sharing programs and automated threat response. The OASIS CTI Technical Committee has expanded to include a large variety of organizations and industries around the world, and an increasing number of businesses and governments across the globe are seeing the value of this collaborative approach. Using machine-to-machine cybersecurity threat feeds, we will continue to build automated threat response within customer networks using STIX and TAXII open standards. We feel strongly that these standards remain the future of CTI.

STIX 2.0 Patterning

John-Mark Gurney, a Principal Security Architect at New Context and primary author of the STIX 2.0 Part 5: STIX Patterning standard, will be giving a talk at the upcoming ICSJWG Spring meeting.

The talk will give an overview of the STIX Patterning Language in STIX 2.0. It will give real-world examples of observables using the patterning language, along with a brief discussion and samples of existing libraries for validating patterns and matching them against STIX Observed Data SDOs.
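To make the validate-and-match step concrete, here is an added illustration that is not code from New Context, the talk, or any STIX library: a toy matcher for a small subset of the STIX 2.0 patterning grammar (one bracketed observation expression, comparisons joined by AND/OR with AND binding tighter, the six equality/ordering operators, and string or integer constants). The Observed Data SDO is constructed sample data with a made-up id, an ICS-flavoured network-traffic object on port 502, and a file with a dummy SHA-256. Anything outside the subset is rejected with a ValueError, which is the validation half of the workflow; comparisons against a missing property evaluate to false, as the pattern specification requires.

```python
import operator
import re

# Constructed sample Observed Data SDO (STIX 2.0 shape; id, addresses and hash are made up).
OBSERVED_DATA = {
    "type": "observed-data",
    "id": "observed-data--00000000-0000-4000-8000-000000000001",
    "first_observed": "2017-03-01T12:00:00Z",
    "last_observed": "2017-03-01T12:00:00Z",
    "number_observed": 1,
    "objects": {
        "0": {"type": "ipv4-addr", "value": "192.0.2.10"},
        "1": {"type": "network-traffic", "src_ref": "0", "dst_port": 502,
              "protocols": ["tcp"]},
        "2": {"type": "file", "name": "firmware.bin", "size": 4096,
              "hashes": {"SHA-256": "a" * 64}},
    },
}

# Tokens of the supported subset: object paths such as file:hashes.'SHA-256',
# comparison operators, single-quoted strings, integers, AND/OR and brackets.
TOKEN_RE = re.compile(r"""\s*(?:
      (?P<path>[a-z0-9-]+:(?:[A-Za-z0-9_]+|'[^']*')(?:\.(?:[A-Za-z0-9_]+|'[^']*'))*)
    | (?P<op>>=|<=|!=|=|>|<)
    | (?P<str>'(?:[^'\\]|\\.)*')
    | (?P<int>-?\d+)
    | (?P<kw>AND|OR)
    | (?P<bracket>[\[\]])
    )""", re.VERBOSE)

OPS = {"=": operator.eq, "!=": operator.ne, ">": operator.gt,
       "<": operator.lt, ">=": operator.ge, "<=": operator.le}


def tokenize(pattern):
    """Split a pattern into (kind, text) tokens; anything outside the subset is rejected."""
    pattern = pattern.strip()
    tokens, pos = [], 0
    while pos < len(pattern):
        m = TOKEN_RE.match(pattern, pos)
        if m is None:
            raise ValueError(f"unsupported syntax at offset {pos}: {pattern[pos:pos + 12]!r}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens


def parse(pattern):
    """Parse one observation expression into OR-separated groups of AND-ed comparisons."""
    tokens = tokenize(pattern)
    if len(tokens) < 5 or tokens[0] != ("bracket", "[") or tokens[-1] != ("bracket", "]"):
        raise ValueError("expected a single bracketed observation expression")
    body, groups, i = tokens[1:-1], [[]], 0
    while True:
        if i + 3 > len(body):
            raise ValueError("incomplete comparison expression")
        (k1, path), (k2, op), (k3, const) = body[i:i + 3]
        if (k1, k2) != ("path", "op") or k3 not in ("str", "int"):
            raise ValueError(f"malformed comparison near {path!r}")
        value = int(const) if k3 == "int" else const[1:-1].replace("\\'", "'")
        groups[-1].append((path, op, value))
        i += 3
        if i == len(body):
            return groups
        kind, kw = body[i]
        if kind != "kw":
            raise ValueError(f"expected AND or OR, got {kw!r}")
        if kw == "OR":
            groups.append([])  # AND binds tighter than OR, so OR starts a new group
        i += 1


def resolve(obj, path):
    """Follow an object path (type:key.key...) inside one cyber observable object."""
    obj_type, _, rest = path.partition(":")
    if obj.get("type") != obj_type:
        return None
    for key in re.findall(r"'[^']*'|[A-Za-z0-9_]+", rest):
        key = key.strip("'")
        if not isinstance(obj, dict) or key not in obj:
            return None  # missing property: the comparison evaluates to false
        obj = obj[key]
    return obj


def comparison_matches(comparison, observed_data):
    """A comparison holds if any object in this Observed Data satisfies it."""
    path, op, expected = comparison
    for obj in observed_data["objects"].values():
        actual = resolve(obj, path)
        if actual is not None and type(actual) is type(expected) and OPS[op](actual, expected):
            return True
    return False


def match(pattern, observed_data):
    """True when some OR-group has all of its comparisons satisfied within one Observed Data."""
    return any(all(comparison_matches(c, observed_data) for c in group)
               for group in parse(pattern))


if __name__ == "__main__":
    for p in ["[network-traffic:dst_port = 502]",
              "[ipv4-addr:value = '192.0.2.10' AND network-traffic:dst_port = 502]",
              "[file:hashes.'SHA-256' = '" + "a" * 64 + "']",
              "[file:size > 8192 OR file:name = 'firmware.bin']",
              "[file:size > 8192]"]:
        print(match(p, OBSERVED_DATA), p)
```

The matcher deliberately evaluates every comparison of a bracketed expression against the same Observed Data instance, which is the semantics the patterning specification gives an observation expression; a full implementation would add the remaining operators (IN, LIKE, MATCHES, set operators), list indexing, multi-observation expressions with FOLLOWEDBY, and the temporal qualifiers, none of which this subset attempts.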