Organizations worldwide, from governments to public and corporate enterprises, are under constant threat from evolving cyber-attacks. The fact that there are literally billions of IoT devices globally, most of which are readily accessible and easily compromised, allows threat actors to use them as the cyber-weapon delivery system of choice in many of today's cyber-attacks, e.g., from building botnets for launching distributed denial-of-service attacks to spreading malware and spam. The sooner an organization knows about emerging threats, the more efficiently its cyber-defense mechanisms can be utilized. The main challenge organizations face is therefore not a shortage of data but its abundance, coupled with a lack of actionable intelligence.
Cyber-threat intelligence is any information that can help an organization identify, assess, monitor, and respond to cyber threats. Examples of such information include indicators (system artifacts or observables associated with an attack), security alerts, threat intelligence reports, and recommended security tool configurations. As most organizations already produce an enormous amount of cyber-threat information in multiple forms and types, it is crucial for effective cyber-defense that they share the available data both internally and externally as part of their information technology and security operations efforts. The goal of the work carried out, and reflected in this deliverable, is to identify best practices in this area. Disseminating the details of identified vulnerabilities among cyber-security experts, verifying their legitimacy (i.e., that they indeed pose a threat), and rating their impact is critical. This deliverable overviews and critically evaluates existing industry-wide vulnerability reporting and sharing sources, standards, frameworks, and platforms in order to provide recommendations on the approach to be followed in the Cyber-Trust platform.
We begin by presenting the methodology of our analysis. Then, we review several data sources for threat information sharing systems, categorized as internal, community, and external sources, with the purpose of compiling a catalog inventory of the elements useful for the purposes of the project. Such elements include the type of exposed data (e.g., structured machine-readable or unstructured) and the query languages, protocols, or services available for data retrieval.
Subsequently, we consider and report the appropriateness of different vulnerability frameworks for disseminating the identified cyber-threats across different organizations and promoting awareness about emerging cyber-threats. Moreover, issues pertaining to the basic structure, the key elements (i.e., expressiveness, flexibility, extensibility, automation, structuring), and prominent strengths/weaknesses of the presented frameworks are discussed and critically evaluated within the scope of the Cyber-Trust project. Frameworks and languages for supporting expressive content-based subscriptions in the context of specialized pub/sub services for cyber-threat information push are also considered.
We then illustrate how the presented frameworks and languages are realized in platform and tool implementations to provide the necessary functionality and enhance standard adoption. The mechanisms for handling structured cyber-threat information for a wide variety of use cases (including those outlined in the project) are also presented alongside important components that include the key characteristics of each platform, the supported observables and schemas, and the adopted standards.
Next, we review several prominent market solutions related to the discovery and management of cyber threat intelligence and categorize them into services, data feeds, platforms, and complete systems. The main features and characteristics with respect to a number of different facets, including architecture, offered services, standards adoption, and mode of operation, are critically compared for each category to highlight salient market practices that relate to the goals of the Cyber-Trust project.
Finally, based on our analysis, we present our recommendations for the Cyber-Trust project. In a nutshell, we propose to use STIX as the sharing mechanism and MISP as the sharing platform.
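To make the recommended sharing mechanism concrete, the following added example (not part of this deliverable, and not the Cyber-Trust or MISP code base) assembles a small STIX 2.1 bundle of the kind a MISP instance can import or export: an indicator carrying a STIX pattern for a command-and-control address, the malware family it points to, and the relationship linking them. It uses only the Python standard library rather than the `stix2` library, and performs the structural checks the STIX 2.1 specification requires (common properties, per-type required properties, identifier format, and relationship references that resolve within the bundle). The malware name, the address (taken from the 203.0.113.0/24 documentation range), and all timestamps are constructed values.

```python
"""Build and structurally check a STIX 2.1 bundle using only the standard library."""
import json
import re
import uuid
from datetime import datetime, timezone

# Properties the STIX 2.1 specification requires on every domain and relationship object.
COMMON_REQUIRED = ("type", "spec_version", "id", "created", "modified")
# Type-specific required properties (STIX 2.1) for the object types used in this example.
TYPE_REQUIRED = {
    "indicator": ("pattern", "pattern_type", "valid_from"),
    "malware": ("is_family",),
    "relationship": ("relationship_type", "source_ref", "target_ref"),
}
# STIX identifiers are "<type>--<UUID>".
ID_RE = re.compile(r"^[a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def stix_id(obj_type):
    """Generate a STIX identifier for the given object type."""
    return f"{obj_type}--{uuid.uuid4()}"


def stix_timestamp(dt):
    """STIX timestamps are RFC 3339 in UTC with millisecond precision and a 'Z' suffix."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def stix_object(obj_type, created, **props):
    """Assemble a STIX object with the common required properties filled in."""
    obj = {
        "type": obj_type,
        "spec_version": "2.1",
        "id": stix_id(obj_type),
        "created": created,
        "modified": created,
    }
    obj.update(props)
    return obj


def validate_object(obj):
    """Return a list of structural problems; an empty list means the object passes."""
    problems = []
    for prop in COMMON_REQUIRED:
        if prop not in obj:
            problems.append(f"missing common property '{prop}'")
    obj_type = obj.get("type")
    for prop in TYPE_REQUIRED.get(obj_type, ()):
        if prop not in obj:
            problems.append(f"missing '{prop}' required for type '{obj_type}'")
    obj_id = obj.get("id", "")
    if not ID_RE.match(obj_id) or not obj_id.startswith(f"{obj_type}--"):
        problems.append(f"malformed id '{obj_id}'")
    return problems


def validate_bundle(bundle):
    """Map each failing object id to its problems; relationships must reference objects in the bundle."""
    objects = bundle.get("objects", [])
    ids = {o.get("id") for o in objects}
    report = {}
    for obj in objects:
        problems = validate_object(obj)
        if obj.get("type") == "relationship":
            for ref in ("source_ref", "target_ref"):
                if obj.get(ref) not in ids:
                    problems.append(f"{ref} '{obj.get(ref)}' not present in bundle")
        if problems:
            report[obj.get("id", "<no id>")] = problems
    return report


def build_example_bundle():
    """Constructed sample: an indicator for a C2 address, the malware family it indicates, and the link."""
    now = stix_timestamp(datetime.now(timezone.utc))
    malware = stix_object("malware", now, name="ExampleBot", is_family=True,
                          malware_types=["bot"])
    indicator = stix_object("indicator", now,
                            name="ExampleBot C2 address (constructed)",
                            indicator_types=["malicious-activity"],
                            pattern="[ipv4-addr:value = '203.0.113.10']",
                            pattern_type="stix",
                            valid_from=now)
    relationship = stix_object("relationship", now, relationship_type="indicates",
                               source_ref=indicator["id"], target_ref=malware["id"])
    return {"type": "bundle", "id": stix_id("bundle"),
            "objects": [indicator, malware, relationship]}


if __name__ == "__main__":
    bundle = build_example_bundle()
    print(json.dumps(bundle, indent=2))
    print("problems:", validate_bundle(bundle))
```

Running the script prints the bundle as JSON and an empty problem report. The checks here are deliberately structural; semantic validation of the pattern grammar and vocabulary values is left to a full STIX validator.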