Threat intelligence has been a very important asset to cybersecurity: knowing in advance some properties of malicious actors is key for preventing security incidents. Most typically these properties are IP addresses, domains, emails and file hashes, and being able to compare them to what’s happening in your infrastructure allows for quick response and prevention.
How does threat intelligence sharing work?
But how do you benefit from threat intelligence and contribute to the process? It’s a complicated process of assessing a lot of data (e.g. coming from real-world alerts) and reporting malicious indicators. Different threat feeds work with different methodologies, so it’s not easy to explain in one sentence. But to put it simply, organizations and individuals compile these feeds and publish them, for free or for a fee, for others to consume.
When you get targeted by a malicious actor and are able to block the attack after being alerted by your SIEM, you can choose to publish the information about the threat (at least that’s what we allow with LogSentinel SIEM). That way you are forming your own threat feed and the information can either be consumed by others or pushed to a centralized repository.
How is cyber threat intelligence shared?
Unfortunately, there are a lot of ways that threat intelligence is shared – through custom formats, RSS feeds, plaintext files and even email lists and chat rooms. SIEM products have to support all of these variations in order to improve visibility on the current threats.
But there is also a standard way to exchange threat intelligence. And recently around the world, there have been new regulations that require support for that particular standard for consuming threat information as well as sharing it with a central feed (typically managed by a government or central bank).
That standard is TAXII 2.0/2.1. It defines a formal way for the above processes – consuming and publishing threat data. TAXII relies on another standard, STIX, to describe the threat information. That’s why both have a shared homepage, which we recommend going through. It tries to capture all the complexities of threat intelligence, and is therefore not trivial at first (e.g. compared to “one IP address per line” feeds), but if your SIEM supports it, it allows for much richer data to be consumed.
In short, TAXII is about how parties communicate to exchange threat intelligence and STIX is about describing that threat intelligence in a structured way.
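To make the two layers concrete, here is an added example (not LogSentinel code; all feed contents, identifiers and log lines are constructed sample data). It builds STIX 2.1 Indicator objects, wraps them in a TAXII 2.1 envelope, reads indicators back out of an envelope, and matches them against key=value log events. It also normalizes a “one indicator per line” plaintext feed (the format mentioned above) into the same STIX form, so the SIEM-side matching logic is the same regardless of where the indicator came from. Only single-comparison STIX patterns are handled; compound patterns are skipped rather than misread.

```python
"""Consume indicators from a plaintext feed and a TAXII 2.1 envelope, match them
against events. Added example; every feed entry, id and log line is constructed."""
import json
import re
from datetime import datetime, timezone
from uuid import uuid4

TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"  # TAXII 2.1 content type
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
# Matches exactly one comparison, e.g. [ipv4-addr:value = '198.51.100.7']
PATTERN_RE = re.compile(r"^\[\s*([\w-]+:[\w.-]+)\s*=\s*'([^']*)'\s*\]$")
# Which event fields are compared against which STIX object path.
FIELD_TO_STIX = {"src": "ipv4-addr:value", "dst": "ipv4-addr:value", "query": "domain-name:value"}

PLAINTEXT_FEED = """# constructed plaintext feed: one indicator per line
198.51.100.7
203.0.113.9
evil.example
"""

SAMPLE_STIX_ENVELOPE = json.dumps({"more": False, "objects": [
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--0f8e3c4a-1c3b-4a63-8c2e-9a3b7f1d2e55",  # constructed id
     "created": "2024-05-01T09:00:00.000Z", "modified": "2024-05-01T09:00:00.000Z",
     "name": "constructed sample address", "indicator_types": ["malicious-activity"],
     "pattern_type": "stix", "pattern": "[ipv4-addr:value = '192.0.2.44']",
     "valid_from": "2024-05-01T09:00:00.000Z"},
    {"type": "indicator", "spec_version": "2.1",
     "id": "indicator--6b1d2c3e-7f80-4a91-b2c3-d4e5f6a7b8c9",  # constructed id
     "created": "2024-05-01T09:00:00.000Z", "modified": "2024-05-01T09:00:00.000Z",
     "name": "compound pattern (skipped by this matcher)",
     "indicator_types": ["malicious-activity"], "pattern_type": "stix",
     "pattern": "[domain-name:value = 'a.example' OR domain-name:value = 'b.example']",
     "valid_from": "2024-05-01T09:00:00.000Z"},
]})

SAMPLE_LOGS = [  # constructed key=value events as a SIEM might normalize them
    "2024-05-01T10:00:00Z fw src=198.51.100.7 dst=10.0.0.5 action=deny",
    "2024-05-01T10:00:01Z fw src=10.0.0.8 dst=10.0.0.5 action=allow",
    "2024-05-01T10:00:02Z dns client=10.0.0.8 query=evil.example rcode=NOERROR",
    "2024-05-01T10:00:03Z dns client=10.0.0.9 query=www.example.org rcode=NOERROR",
    "2024-05-01T10:00:04Z fw src=192.0.2.44 dst=10.0.0.7 action=deny",
]


def make_indicator(ioc_type: str, value: str, name: str) -> dict:
    """Build a STIX 2.1 Indicator SDO (UUIDv4 id, one-comparison pattern)."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"type": "indicator", "spec_version": "2.1", "id": f"indicator--{uuid4()}",
            "created": now, "modified": now, "name": name,
            "indicator_types": ["malicious-activity"], "pattern_type": "stix",
            "pattern": f"[{ioc_type} = '{value}']", "valid_from": now}


def stix_objects_from_plaintext(feed_text: str) -> list[dict]:
    """Normalize a one-per-line feed into STIX Indicators; IPv4 or domain."""
    objs = []
    for raw in feed_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ioc_type = "ipv4-addr:value" if IPV4_RE.match(line) else "domain-name:value"
        objs.append(make_indicator(ioc_type, line, f"plaintext feed: {line}"))
    return objs


def taxii_envelope(objects: list[dict]) -> str:
    """Serialize objects as a TAXII 2.1 envelope, the body a collection returns."""
    return json.dumps({"more": False, "objects": objects})


def indicators_from_envelope(envelope_json: str) -> dict[tuple[str, str], str]:
    """Map (object path, value) -> indicator id for single-comparison patterns."""
    table = {}
    for obj in json.loads(envelope_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        m = PATTERN_RE.match(obj.get("pattern", ""))
        if not m:
            continue  # AND/OR/FOLLOWEDBY patterns need a real STIX pattern engine
        table[(m.group(1), m.group(2))] = obj["id"]
    return table


def match_events(log_lines: list[str], table: dict) -> list[dict]:
    """Return one hit per (line, field) whose value equals a known indicator."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        for field, ioc_type in FIELD_TO_STIX.items():
            value = fields.get(field)
            ind_id = table.get((ioc_type, value)) if value else None
            if ind_id:
                hits.append({"line": n, "type": ioc_type, "value": value, "indicator": ind_id})
    return hits


def load_all_feeds() -> dict[tuple[str, str], str]:
    """Both feeds end up in one lookup table after passing through STIX form."""
    table = indicators_from_envelope(taxii_envelope(stix_objects_from_plaintext(PLAINTEXT_FEED)))
    table.update(indicators_from_envelope(SAMPLE_STIX_ENVELOPE))
    return table


def run_demo() -> list[dict]:
    return match_events(SAMPLE_LOGS, load_all_feeds())


if __name__ == "__main__":
    for hit in run_demo():
        print(hit)
```

The plaintext feed is converted to STIX and then read back through the same envelope parser as the TAXII feed, which is the point: once every source is normalized to STIX, the SIEM needs one matcher. Fetching a real collection would be a GET on the collection’s `objects/` endpoint with `Accept: application/taxii+json;version=2.1`, which is left out so the example runs offline.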
Why should you care?
Cyber threat intelligence sharing is important for organizations for several reasons. First, threat detection and prevention. By tapping into the experience of others, we are all better protected. One of the things we learned from Solorigate is that we may not be sharing threat intelligence enough.
Second, for compliance reasons. If a standard or regulation requires threat sharing, it’s most likely that TAXII and STIX are required. So you must get your security tools to support those standards.
And third, because it’s the right thing to do. We are all in this digital world together and an attack against our partner can become an attack against us tomorrow. And vice versa.
That’s why threat intelligence sharing is built into our product; we consume many open-source feeds and allow our customers to add any custom feed. But we also allow publishing any threats detected by our SIEM – to our own TAXII 2 feeds, or to a central entity.
Are you looking for a solution to simplify TAXII and STIX compliance? Request a demo today, and see how LogSentinel SIEM can help you to cover threat intelligence sharing requirements.
Bozhidar Bozhanov is co-founder and the CEO at LogSentinel. He is a senior software engineer and solution architect with 15 years of experience in the software industry. Bozhidar has been a speaker at numerous conferences and is among the popular bloggers and influencers in the technical field. He’s also a former government advisor on e-government, transparency and information security.