Original reference Link: How to use STIX for automated sharing and graphing of Cyber Threat Data
This article is not a translation; it only records my focus and my personal views. The original is the clearest piece on this idea I have read recently, or at least the most I could read ...
STIX Overview
STIX itself is a set of XML schemas which together comprise a language for describing cyber threat information in a standardized manner. This is important because cyber threat sharing currently occurs manually between trusted parties; with a standardized way of describing the data, automated threat sharing becomes possible. For this purpose MITRE have also developed TAXII to share STIX data over HTTP and HTTPS.
STIX/TAXII exists for the sake of sharing. The threat intelligence format varies between agencies, and if you want to share it, you have to have a standard that everyone can read. On the other hand, establishing a standard contributes to machine readability and to automated analysis and storage.
In general, the standard is proposed for two purposes, much like a protocol:
- Sharing
- Automated machine processing
If STIX is the data structure, then TAXII is the way those structures are transmitted. On haliataxii.com only HTTP is used for transmission, but that is only a demo test; in the real world, for the sake of security, it is certainly HTTPS.
STIX Benefits
STIX can be used to characterize indicators, TTPs, exploit targets, and other aspects of a cyber threat. STIX takes advantage of another MITRE schema, CybOX, to represent observables, and can be extended to utilize existing schemas, such as CAPEC or OpenIOC.
In the STIX data structure, observables are described with CybOX. But that does not mean stix == cybox; they are separate schemas. There is a need to be able to convert between different threat intelligence formats, and many open source tools for this are available on GitHub.
In practice, data processing very often uses JSON, which is simple and efficient. But for intelligence analysis the data description is sometimes very complex; there JSON is at a disadvantage and XML has the advantage.
For more advanced applications, a Python framework such as python-stix is often used to describe the intelligence content, and the framework takes care of storing it in XML format. When the user needs to interpret it, the corresponding method reads the data back from the file. This avoids the complexity of handling the XML by hand.
STIX can also be converted to HTML with the use of an XSLT transform.
All in all, the organizations behind STIX are doing a lot to support the implementation of the standard, as can be seen from the number of open source tools on MITRE's GitHub. However, these frameworks are validation demos, and companies have a long way to go if they want to put them into production.
STIX Example
The example is implemented with stix-viz. The appearance of this tool was also inevitable: judging from the current trend, visualization is needed to help people interpret the data. The program is on GitHub and is now very simple to install and run once a JRE is configured. That said, the author's chart structure in this case is really not easy to read.
My personal view of stix-viz is that this tool is still only an early prototype; there is a lot of inconvenience in using it, for example the text in the HTML version is too small and there are not many options. But it basically meets the visualization requirement.
STIX and Recorded Future
Recorded Future: the name says it.
Recording the future is exactly what all security threat intelligence is trying to do.
By managing information security threat indicators in structured formats, like STIX, defenders can automate the process of finding connections between internal incidents and external sources. This can work bidirectionally: searching Recorded Future for more context around internally observed indicators, or testing trending indicators from open source reporting against internal datasets.
Threats can be avoided or mitigated through analysis of threat indicators. How to correlate them is exactly what STIX is for:
- Study the evidence from internal observation, for example whether such behaviour has occurred in the past.
- Check whether friendly external threat intelligence organizations hold such information, i.e. whether there is a record in the knowledge base.
- Once the process is complete, the new threat information needs to be written up and shared.
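As an added example (not code from the article or from python-stix), the following Python uses only the standard library to read a constructed STIX 1.x package the way a consuming tool would: it pulls the CybOX address out of each indicator and then correlates it against constructed internal firewall lines, which is the internal-versus-external matching described above. The STIX and CybOX namespace URIs are the real ones; the ids, the address and the log lines are made up for the example.

```python
import re
import xml.etree.ElementTree as ET
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
}
# Constructed sample package: one Indicator whose Observable is a CybOX Address.
STIX_XML = """<stix:STIX_Package version="1.2" id="example:Package-1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2"
  xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Title>Constructed C2 address</indicator:Title>
      <indicator:Observable id="example:observable-1">
        <cybox:Object id="example:object-1">
          <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
            <AddressObj:Address_Value>198.51.100.23</AddressObj:Address_Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""
# Constructed internal firewall lines; the last one is a near-miss decoy.
INTERNAL_LOGS = [
    "2016-03-01T09:12:44Z fw deny src=10.0.0.5 dst=198.51.100.23 dport=443",
    "2016-03-01T09:13:02Z fw allow src=10.0.0.7 dst=203.0.113.9 dport=80",
    "2016-03-01T09:13:40Z fw allow src=10.0.0.7 dst=198.51.100.230 dport=443",
]

def extract_indicators(xml_text):
    """Walk Indicators -> Indicator -> CybOX Address_Value, namespace-aware."""
    root = ET.fromstring(xml_text)
    found = []
    for ind in root.findall("stix:Indicators/stix:Indicator", NS):
        title = ind.findtext("indicator:Title", default="", namespaces=NS)
        for val in ind.findall(".//AddressObj:Address_Value", NS):
            found.append({"id": ind.get("id"), "title": title, "value": val.text.strip()})
    return found

def correlate(indicators, log_lines):
    """Return (indicator id, log line) pairs where the address appears as a whole token."""
    hits = []
    for ind in indicators:
        # Guard both sides so 198.51.100.23 does not match 198.51.100.230.
        pattern = re.compile(r"(?<![\d.])" + re.escape(ind["value"]) + r"(?![\d.])")
        hits.extend((ind["id"], line) for line in log_lines if pattern.search(line))
    return hits
```

With python-stix installed, `STIXPackage.from_xml()` would give the same objects without the manual namespace handling; the point here is that the XML is machine-readable enough to correlate with nothing but the standard library.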
STIX/TAXII Threat Intelligence Analysis 2 (working mode)