Cyber Threat Intelligence (CTI) data models overview

CTI has been a topic of discussion in the past few years: we have heard about various threat actors influencing national elections, taking down power grids, stealing intellectual property and stealing credit card data. This has created an urge to share threat intelligence and follow adversaries in real time in order to counter them.

When it comes to CTI sharing, it is important to agree on a data model so that a rich set of data can be shared.


The CTI (Cyber Threat Intelligence) data models have been evolving for quite some time now, and the cyber security community is still developing a shared understanding of a common data model and of the data exchange frameworks for sharing CTI.

1. Data models: Threat information needs to be expressed in a structured way; below are a few such models.

  • OASIS (previously MITRE) working group's – CybOX/STIX/TAXII.
  • MILE working group's – IODEF/IODEF-SCI/RID.
  • FireEye's (now Mandiant) – OpenIOC.
  • AlienVault's – OTX.
  • REN-ISAC group's – CIF.

2. Data exchange models: These models facilitate the exchange of CTI between parties.

  • TAXII (Trusted Automated eXchange of Indicator Information)
  • CIF (Collective Intelligence Framework)
  • OTX (Open Threat Exchange)

Benefits

A standard representation helps correlate data from different sources and makes querying and analysis of threats more effective.
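The correlation benefit described above, as an added example that is not part of the original post: two constructed STIX 2.1 bundles standing in for hypothetical feeds ("feed-a" and "feed-b") are parsed with only the standard library and their indicators matched by pattern, which is straightforward only because both feeds use the same data model.

```python
import json
from collections import defaultdict

# Constructed STIX 2.1 bundles standing in for two hypothetical feeds;
# the indicators and identifiers are placeholders, not real intelligence.
def _indicator(uid, name, pattern):
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uid}", "name": name,
            "created": "2024-01-01T00:00:00.000Z",
            "modified": "2024-01-01T00:00:00.000Z",
            "pattern_type": "stix", "pattern": pattern,
            "valid_from": "2024-01-01T00:00:00Z"}

FEEDS = {
    "feed-a": json.dumps({"type": "bundle",
        "id": "bundle--1b6f5e4c-0c7e-4d6b-9d5b-2a6c6c9c0a01",
        "objects": [
            _indicator("0d2a6f34-5a1e-4a0e-8b2c-111111111111", "Suspicious domain",
                       "[domain-name:value = 'bad.example']"),
            _indicator("0d2a6f34-5a1e-4a0e-8b2c-222222222222", "Dropper hash",
                       "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"),
            {"type": "identity", "spec_version": "2.1",
             "id": "identity--0d2a6f34-5a1e-4a0e-8b2c-333333333333",
             "created": "2024-01-01T00:00:00.000Z",
             "modified": "2024-01-01T00:00:00.000Z",
             "name": "Feed A", "identity_class": "organization"}]}),
    "feed-b": json.dumps({"type": "bundle",
        "id": "bundle--1b6f5e4c-0c7e-4d6b-9d5b-2a6c6c9c0a02",
        "objects": [
            _indicator("0d2a6f34-5a1e-4a0e-8b2c-444444444444", "C2 domain",
                       "[domain-name:value   =  'bad.example']"),
            _indicator("0d2a6f34-5a1e-4a0e-8b2c-555555555555", "Beacon IP",
                       "[ipv4-addr:value = '192.0.2.10']")]}),
}

def correlate(feeds):
    """Map each STIX pattern to the sorted list of feeds reporting it.
    Only indicator objects with pattern_type 'stix' are compared; other
    object types (identity, relationship, ...) are skipped."""
    seen = defaultdict(set)
    for source, raw in feeds.items():
        for obj in json.loads(raw).get("objects", []):
            if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
                continue
            # Collapse whitespace so cosmetically different patterns still match.
            seen[" ".join(obj["pattern"].split())].add(source)
    return {pattern: sorted(sources) for pattern, sources in seen.items()}

def shared_indicators(feeds):
    """Patterns reported by more than one feed: the cross-source overlap."""
    return sorted(p for p, s in correlate(feeds).items() if len(s) > 1)
```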

Conclusion

An organisation can choose any of the above models; however, it is advisable to stick to one group, for example the OASIS group's STIX/TAXII set, rather than mixing data models across different groups.
