Interpretation of STIX/TAXII threat intelligence sharing mechanism (1)


73rd minute of the match, China leading Bhutan 4:0. I am using the time to watch the game and sum up recent work at the same time.

Cyber Threat Intelligence (CTI) systems have been a hot, noisy topic since RSA 2013, yet I could find surprisingly little material on them in China; no wonder the domestic security industry is said to lag two or three years behind overseas (overall, that is).

That is not to say nothing is happening. The major security vendors are certainly hyping it, since it is tied to their market value. Among the relatively independent players, several public platforms do a great job: for example sec-un.org, which my boss recommended to me, where many big names have followed the industry for a long time.

76th minute: Yang Xu scores again, 5:0.

My boss told me on the first day that CTI is a great idea and valuable, and that our job was to bring it down to earth rather than leave it hanging in the sky. That evening I posted on FreeBuf asking for everyone's view of threat intelligence systems. The response was dismal, basically nobody, until one netizen finally replied that this is new wine in an old bottle; no, old wine in an old bottle.

83rd minute: a headed flick-on from Dabao, 6:0.

What do STIX/TAXII actually do as standards? In short: STIX defines how to organize intelligence, and TAXII defines how that information is transmitted. The following picture illustrates the workflow well.

The colours are a little faint; I took the picture directly from Intelworks.

Imagine a bank node comes under attack. If its platform records a piece of threat intelligence and pushes it up to the server over TAXII, and the other members of the alliance then poll it down, every member effectively gets a vaccination.
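The two halves of that workflow, as an added example that is not part of the original post or of any STIX/TAXII implementation: the bank organizes one observation as a STIX 2.1 Indicator object (the STIX half), pushes it into a collection, and another member polls the collection with a TAXII-style `added_after` watermark and turns the pattern into a blocklist entry (the TAXII half). The identity id, the domain and the timestamp are constructed sample data, and the in-memory `TaxiiCollection` is a stand-in for a real TAXII server, which would expose the same add/get operations over HTTPS.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

# Constructed sample data: the bank's identity id and observation time are made up.
BANK_ID = "identity--" + str(uuid.uuid4())
SAMPLE_SEEN = datetime(2015, 9, 3, 12, 0, tzinfo=timezone.utc)


def stix_ts(t):
    """Timestamp in the STIX 2.1 form: UTC, millisecond precision, trailing Z."""
    return t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def make_indicator(domain, producer_id, observed, valid_hours=24):
    """Organise one observation as a STIX 2.1 Indicator (the STIX half).
    The pattern is the machine-readable part a consumer acts on; valid_until
    carries the producer's own view of how long the indicator stays useful."""
    ts = stix_ts(observed)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid4()),
        "created_by_ref": producer_id,
        "created": ts,
        "modified": ts,
        "name": "C2 domain " + domain,
        "indicator_types": ["malicious-activity"],
        "pattern": "[domain-name:value = '%s']" % domain,
        "pattern_type": "stix",
        "valid_from": ts,
        "valid_until": stix_ts(observed + timedelta(hours=valid_hours)),
    }


class TaxiiCollection:
    """In-memory stand-in for one TAXII 2.1 collection (the TAXII half).
    A real server offers POST and GET on /collections/<id>/objects/ over HTTPS;
    add_objects() models the POST, get_objects() the GET with added_after."""

    def __init__(self):
        self._envelope = []  # (date_added, object) in arrival order
        self._last = datetime.min.replace(tzinfo=timezone.utc)

    def add_objects(self, objects):
        for obj in objects:
            # date_added is kept strictly increasing so an added_after poll never
            # skips or re-sends an object, even when two pushes share a millisecond.
            now = max(datetime.now(timezone.utc), self._last + timedelta(microseconds=1))
            self._last = now
            self._envelope.append((now, obj))

    def get_objects(self, added_after=None):
        """Objects added after the watermark, plus the watermark the client should
        send next time (a real server returns it as X-TAXII-Date-Added-Last)."""
        objs = [o for added, o in self._envelope if added_after is None or added > added_after]
        return {"objects": objs, "date_added_last": self._last if self._envelope else None}


PATTERN_RE = re.compile(r"^\[domain-name:value\s*=\s*'([^']+)'\]$")


def pattern_to_domain(pattern):
    """Consumer side: reduce the single-domain pattern to a blocklist entry.
    Anything more complex (AND/OR, other object types) is left to a real pattern parser."""
    m = PATTERN_RE.match(pattern)
    return m.group(1) if m else None


def poll_into_blocklist(collection, since=None):
    """One polling round by an alliance member: fetch what is new, keep the domains."""
    resp = collection.get_objects(added_after=since)
    domains = [pattern_to_domain(o["pattern"]) for o in resp["objects"] if o["type"] == "indicator"]
    return [d for d in domains if d], resp["date_added_last"]


if __name__ == "__main__":
    server = TaxiiCollection()
    server.add_objects([make_indicator("c2.evil.example", BANK_ID, SAMPLE_SEEN)])  # the bank pushes
    blocklist, mark = poll_into_blocklist(server)                                  # a member polls
    print(blocklist)                                                               # ['c2.evil.example']
    print(poll_into_blocklist(server, since=mark)[0])                              # [] (nothing new)
```

The `added_after` watermark is what keeps a daily poll cheap: each member stores the last value it received and asks only for what arrived since, instead of re-downloading the whole reputation library.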

Here the question of trust, which keeps coming up, arises. Since I do not really understand how trust works between enterprises either, I can only speculate along the following lines:

    • Vendor A is attacked and does not share to the TAXII server, waiting instead for the other members to be attacked.
    • Vendor A is attacked and does share to the TAXII server, but tampers with the blacklist and other information, passing on a forged message.

I think this is a rather ungenerous way of thinking, but in reality it has happened. That is why a standard needs many vendors to participate: nobody may profit from it, but at least nobody gets stabbed in the back.

That said, it is not as if threat-sharing mechanisms did not exist before. The simplest are VirusTotal and B-super's Jade Source; both are reputation libraries, or more precisely, the two sites just mentioned are blacklists of malicious code and of C2 (command and control) malicious domain name servers. They used to be a public service run by a few vendors; now everyone is a VirusTotal, sharing by collective power. VirusTotal detects the samples that users upload, while intelligence exchanged between enterprises is live ammunition: the information is more accurate and its preventive value is higher.

Every enterprise carries risk, but overall this kind of risk is the cheapest to bear. Everyone wants to learn from someone else's lesson, but must also be prepared to air some of their own dirty laundry; of course, the STIX/TAXII specifications make provisions for the privacy of enterprise information, so that basically will not be exposed. The reason for doing it this way, in my view, is so that information can be shared freely and without misgivings. All for one, one for all.
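Two consumer-side policies that follow from the trust problem and the privacy provisions above, as an added example that is not part of the original post and not something STIX or TAXII prescribe: a corroboration rule, so that a forged or tampered entry from one member (the second bullet above) cannot push a domain straight onto everyone's auto-block list, and a re-sharing rule that honours the TLP data marking the producer attached. The member identities, the marking-definition ids and the shared indicators are constructed sample data; treating unmarked objects as not re-shareable is a policy choice, not a STIX requirement.

```python
# Constructed sample: three alliance members, one stranger, and what they shared.
# In STIX 2.1 a TLP colour is expressed by referencing a marking-definition object
# from object_marking_refs; the ids below stand in for those objects.
TLP_OF_MARKING = {
    "marking-definition--tlp-green": "green",
    "marking-definition--tlp-amber": "amber",
}
KNOWN_PRODUCERS = {"identity--bank-a", "identity--bank-b", "identity--bank-c"}

SHARED = [  # indicators as they would arrive from a poll of the TAXII server
    {"created_by_ref": "identity--bank-a",
     "pattern": "[domain-name:value = 'c2.evil.example']",
     "object_marking_refs": ["marking-definition--tlp-green"]},
    {"created_by_ref": "identity--bank-b",
     "pattern": "[domain-name:value = 'c2.evil.example']",
     "object_marking_refs": ["marking-definition--tlp-amber"]},
    # bank-c alone reports a rival's legitimate portal: the forged-entry case
    {"created_by_ref": "identity--bank-c",
     "pattern": "[domain-name:value = 'portal.rival-bank.example']",
     "object_marking_refs": ["marking-definition--tlp-green"]},
    # a sender that is not a member of the alliance at all
    {"created_by_ref": "identity--stranger",
     "pattern": "[domain-name:value = 'update.vendor.example']",
     "object_marking_refs": []},
]


def domain_of(indicator):
    """Single-domain pattern [domain-name:value = 'x'] -> 'x'."""
    return indicator["pattern"].split("'")[1]


def decide(indicators, known=KNOWN_PRODUCERS, min_sources=2):
    """Corroboration policy: a domain is auto-blocked only when at least
    min_sources distinct trusted members reported it; a single-source report is
    held for analyst review; objects from unknown senders are dropped outright.
    One member lying (or having its feed tampered with) therefore cannot take a
    domain offline for the whole alliance on its own."""
    reporters = {}
    for ind in indicators:
        producer = ind["created_by_ref"]
        if producer not in known:
            continue
        reporters.setdefault(domain_of(ind), set()).add(producer)
    return {d: ("block" if len(s) >= min_sources else "review") for d, s in reporters.items()}


def reshareable(indicator, markings=TLP_OF_MARKING):
    """Privacy side: republish outside the alliance only what the producer marked
    TLP:WHITE or TLP:GREEN. Amber and red stay inside, and so does anything unmarked
    or carrying a marking we do not recognise (conservative policy choice)."""
    tlps = [markings.get(m) for m in indicator.get("object_marking_refs", [])]
    return bool(tlps) and all(t in ("white", "green") for t in tlps)


if __name__ == "__main__":
    print(decide(SHARED))                         # c2.evil.example -> block, portal... -> review
    print([reshareable(i) for i in SHARED])       # [True, False, True, False]
```

The withholding case (the first bullet) has no technical fix; the only lever is the sharing agreement itself. What a consumer can control is how much weight a single member's word carries, which is what `min_sources` and the known-producer set encode.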

Rather than focusing on CTI in the abstract, it is better to look at which parts of it the major security vendors sell as services and where they charge; from that angle you can see where the value of intelligence lies.

However, building information sharing has a general problem to solve: timeliness. Take the earlier example of 60 domain names that expire within a short time; storing those in a reputation library is not very meaningful. Threat intelligence does not solve this problem by itself. For information that is valid at the time but becomes invalid after a while, what do you do: discard it, or keep a record?

My own idea is to keep the index and delete the entity. If it turns out to be useful later, poll it down again; the reasoning is borrowed from the way virtual memory swaps pages out to a file and keeps only the page table entry.
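That swap-out idea in code, as an added example that is not part of the original post: a consumer-side cache evicts the full STIX object once its `valid_until` has passed but keeps a small index entry (id, producer, old expiry), so that a later hit on the same domain is answered as "stale, re-poll" rather than "unknown", and can be refreshed from the TAXII server when the producer has re-issued the indicator. The two indicators, the timestamps and the `SERVER` dictionary standing in for a TAXII collection are constructed sample data.

```python
from datetime import datetime, timezone


def parse_ts(s):
    """Parse the STIX 2.1 timestamp form (UTC, milliseconds, trailing Z)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


# Constructed sample indicators (ids are made-up UUIDs in the STIX id form).
SAMPLE = [
    {"type": "indicator", "id": "indicator--8e2e2d2b-17d4-4dbf-b37a-2b2e26e16f31",
     "created_by_ref": "identity--bank-a",
     "pattern": "[domain-name:value = 'c2.evil.example']",
     "valid_from": "2015-09-03T12:00:00.000Z", "valid_until": "2015-09-03T13:00:00.000Z"},
    {"type": "indicator", "id": "indicator--2a7c9f40-5d1e-4c33-9b8e-6f0d1a2b3c4d",
     "created_by_ref": "identity--bank-b",
     "pattern": "[domain-name:value = 'drop.evil.example']",
     "valid_from": "2015-09-03T12:00:00.000Z", "valid_until": "2015-09-10T12:00:00.000Z"},
]
T0 = parse_ts("2015-09-03T12:30:00.000Z")   # both indicators still valid
T1 = parse_ts("2015-09-03T14:00:00.000Z")   # the first one has expired

# Stand-in for "poll it down again": the producer re-issued the first indicator
# with a later valid_until, and the server now holds that version under the same id.
SERVER = {
    SAMPLE[0]["id"]: dict(SAMPLE[0], modified="2015-09-03T13:30:00.000Z",
                          valid_until="2015-09-04T12:00:00.000Z"),
    SAMPLE[1]["id"]: SAMPLE[1],
}


class IndicatorCache:
    """Keep the index, drop the entity: expired indicators lose their full object
    but keep an index entry, like a page table entry for a swapped-out page."""

    def __init__(self):
        self._live = {}    # domain -> full STIX object (the entity)
        self._index = {}   # domain -> {"id", "producer", "valid_until"} (the index)

    def ingest(self, obj):
        domain = obj["pattern"].split("'")[1]
        self._live[domain] = obj
        self._index[domain] = {"id": obj["id"], "producer": obj["created_by_ref"],
                               "valid_until": obj["valid_until"]}

    def expire(self, now):
        """Swap out every entity whose valid_until has passed; return the count."""
        dropped = [d for d, o in self._live.items() if parse_ts(o["valid_until"]) <= now]
        for d in dropped:
            del self._live[d]
        return len(dropped)

    def lookup(self, domain, now, refetch=None):
        """('active', obj) for a live entity; ('stale', index entry) for a swapped-out
        one, unless refetch(indicator_id) returns a version still valid at `now`, in
        which case it is swapped back in; ('unknown', None) if never seen."""
        if domain in self._live:
            return "active", self._live[domain]
        if domain in self._index:
            entry = self._index[domain]
            if refetch is not None:
                fresh = refetch(entry["id"])
                if fresh is not None and parse_ts(fresh["valid_until"]) > now:
                    self.ingest(fresh)
                    return "active", fresh
            return "stale", entry
        return "unknown", None


if __name__ == "__main__":
    cache = IndicatorCache()
    for obj in SAMPLE:
        cache.ingest(obj)
    print(cache.expire(T1))                                        # 1
    print(cache.lookup("c2.evil.example", T1)[0])                  # stale
    print(cache.lookup("c2.evil.example", T1, refetch=SERVER.get)[0])  # active
```

The index entry is deliberately tiny (three fields) so the cost of remembering a dead indicator stays close to zero, while the `refetch` hook is where a real deployment would issue the TAXII `GET /objects/<id>/` for just that one object instead of a full poll.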

I originally meant to tidy up the technical documents on these architectures, but ended up rambling instead.

Full time. China 6:0 Bhutan. After a trough people always move forward, as long as you can lift your head and dare to lift your head.

