Government organisations have been told to use two sets of open standards in exchanging intelligence on threats to cyber security.
The Open Standards Board, which provides advice to the Cabinet Office on a range of relevant issues, has selected the Structured Threat Information Expression (STIX 2) and Trusted Automation eXchange of Indicator Information (TAXII 2) standards.
Its newly published guidance on the issue says the two standards must be used in analysing and sharing intelligence on cyber threats by government departments, industry and international partners.
The guidance is directed primarily at analysts involved in threat intelligence and security operations centres, and operators and administrators of security enforcing technology.
Open source
Details of both set of standards are available on GitHub. STIX 2 is a language and serialisation format used to exchange cyber threat intelligence, running as open source and allowing those using it to contribute and ask questions.
It involves categorising each piece of information with specific attributes to be populated and uses 12 domain objects, including attack patterns, intrusion sets, malware and threat actor. This makes it possible to assemble multiple pieces of intelligence in a chain and develop a broader picture of a threat.
TAXII 2 is an open transport mechanism that can support different models of sharing information – such as hub and spoke, source to subscriber and peer to peer – and is designed to integrate with existing sharing agreements and support automated information sharing.
The board’s guidance says the standards provide a way of linking evidence of a cyber attack to tactics, techniques and procedures to identify the source of attack, increase the view of any threats and link it all with any previously unassociated events.
It makes the point that, while they can be used in increasing automation, this should not be used to fully replace human intervention as the risks can increase with full automation.
Image from iStock, dra schwarz