In our recent three-part series, Keeping the RATs Out (Part 1, Part 2, Part 3), I tried to provide analysis offering you an end-to-end scenario wherein we utilized more than one tool to solve a problem. I believe this to be very useful particularly when making use of threat intelligence. Following is a partial excerpt from my toolsmith column, found monthly in the ISSA Journal, wherein I built on the theme set in the RATs series. I'm hopeful Threats & Indicators: A Security Intelligence Lifecycle helps you build or expand your threat intelligence practice.
I receive and review an endless stream of threat intelligence from a variety of sources. What gets tricky is recognizing what might be useful and relevant to your organizations and constituencies. To that end I'll take one piece of recently received intel and work it through an entire lifecycle. This intel came in the form of an email advisory via the Cyber Intelligence Network (CIN) and needs to remain unattributed. The details, to be discussed below, included malicious email information, hyperlinks, redirects, URL shorteners, ZIP archives, malware, command and control server (C2) IPs and domain names, as well as additional destination IPs and malicious files. That's a lot of information, but sharing it in standards-based, uniform formats has never been easier. Herein is the crux of our focus for this month. We'll use Mandiant's IOCe to create an initial OpenIOC definition, Mitre's OpenIOC to STIX, a Python utility to convert OpenIOC to STIX, STIXviz to visualize STIX results, and STIX to HTML, an XSLT stylesheet that transforms STIX XML documents into human-readable HTML. Sounds like a lot, but you'll be pleasantly surprised how bang-bang the process really is.

IOC represents Indicator of Compromise (in case you just finally turned off your vendor buzzword mute button) and STIX stands for Structured Threat Information eXpression. STIX, per Mitre, is a "collaborative community-driven effort to define and develop a standardized language to represent structured cyber threat information." It's well worth reading the STIX use cases. You may recall that Microsoft recently revealed the Interflow project, which incorporates the STIX, TAXII (Trusted Automated eXchange of Indicator Information), and CybOX (Cyber Observable eXpression) standards to provide "an automated machine-readable feed of threat and security information that can be shared across industries and community groups in near real-time." Interflow is still in private preview, but STIX, OpenIOC, and all these tools are freely and immediately available to help you exchange threat intelligence...
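As an added example (not code from the column, from Mandiant's IOCe or from the OpenIOC-to-STIX utility), here is a small Python parser that reads an OpenIOC 1.0 definition of the kind IOCe produces and flattens it into typed indicators while keeping the AND/OR logic of the definition, which is what any converter to STIX has to preserve. The sample document, its ids and its indicator values are constructed placeholders.

```python
import xml.etree.ElementTree as ET
NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed sample OpenIOC 1.0 document (placeholder values, not real IoCs)
# covering the indicator kinds named in the advisory: sender, URL, hash, C2 IP.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="ioc-0001">
  <short_description>Constructed RAT delivery campaign</short_description>
  <definition>
    <Indicator operator="OR" id="i-1">
      <IndicatorItem id="ii-1" condition="is">
        <Context document="Email" search="Email/From" type="mir"/>
        <Content type="string">billing@example.net</Content>
      </IndicatorItem>
      <IndicatorItem id="ii-2" condition="contains">
        <Context document="Network" search="Network/URI" type="mir"/>
        <Content type="string">/invoice/dl.php?id=</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="i-2">
        <IndicatorItem id="ii-3" condition="is">
          <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
          <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
        </IndicatorItem>
        <IndicatorItem id="ii-4" condition="is">
          <Context document="PortItem" search="PortItem/remoteIP" type="mir"/>
          <Content type="IP">192.0.2.10</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

def _walk(indicator, path, out):
    # Recurse through nested <Indicator> nodes, keeping the AND/OR ancestry
    # so the definition's logic survives the flattening.
    path = path + [indicator.get("operator", "OR")]
    for child in indicator:
        tag = child.tag.rsplit("}", 1)[-1]
        if tag == "IndicatorItem":
            ctx, content = child.find("ioc:Context", NS), child.find("ioc:Content", NS)
            out.append({"id": child.get("id"), "search": ctx.get("search"),
                        "condition": child.get("condition"), "type": content.get("type"),
                        "value": (content.text or "").strip(), "logic": "/".join(path)})
        elif tag == "Indicator":
            _walk(child, path, out)

def parse_openioc(xml_text):
    # Returns (ioc id, short description, flat list of indicator dicts).
    root, items = ET.fromstring(xml_text), []
    for top in root.find("ioc:definition", NS):
        _walk(top, [], items)
    return root.get("id"), root.findtext("ioc:short_description", "", NS), items
```

The `logic` field records the operator path (for example `OR/AND`) so that the hash and the C2 address stay tied together rather than becoming two independent indicators.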
Keep reading Threats & Indicators: A Security Intelligence Lifecycle here
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.