The Role of STIX in Strengthening Cyber Threat Intelligence within ISAOs

By Jane Ginn

January 30, 2021

As more cyber threat intelligence teams become established, and members of Information Sharing and Analysis Organizations (ISAOs) begin to realize the benefits of threat intelligence sharing for fortifying their networks and reducing the liabilities and risks associated with data breaches, there will be an increased need for individuals who understand how to interpret indicators of compromise (IOCs), enrich the data, and characterize the activity of threat actors that may be engaging in attacks on member networks. There are currently, in our view, very few threat analysts who understand how to use Threat Intelligence Platforms (TIPs), how to read STIX-related data, how to enrich IOCs, how to analyze the patterns in order to test various hypotheses on threat actor intent and motivation, how to make assertions on possible attribution, and how to represent the findings in a manner that will be helpful for decision-makers.

Poaching of cybersecurity talent is a growing concern. As noted in Riley,

“In January 2015, MasterCard hit Nike with a $5M cyber talent poaching suit. The suit noted that companies are desperate for information security talent amid highly publicized data breaches at Target Corp. and Home Depot Inc. While the area is fast growing, skilled workers are limited and in demand” (2015).

Currently, threat analysts are not only being poached, but they are also being recruited from the ranks of network engineers, database managers, ethical hackers, software developers, and other specialty disciplines that have a bearing on the information technology and cybersecurity fields. Even for these specialized workers, there is a steep learning curve to develop an understanding of the tools and techniques used to analyze attacks, to establish threat actor tactics, techniques and procedures (TTPs), and to develop application programming interfaces (APIs) between TIPs and existing in-house tools for monitoring networks and generating security metrics.

There is a role in workforce training for TIP-based instruction for workers seeking skills upgrades, such as the experienced professionals listed above. In addition, there is also a role for TIP-based training for new analysts seeking to develop a career dedicated to threat analysis.

Jane Ginn, CTIN President & Co-Founder
As the co-founder of the Cyber Threat Intelligence Network (CTIN), a consultancy with partners in Europe, Ms. Ginn has been pivotal in the development of the STIX international standard for modeling and sharing threat intelligence. She currently serves as the Secretary of the OASIS Threat Actor Context Technical Committee, contributing to the creation of a semantic technology ontology for cyber threat actor analysis. Her efforts in this area and her earlier work with the Cyber Threat Intelligence (CTI) TC earned her the 2020 Distinguished Contributor award from OASIS. In public service, she advised five Secretaries of the US Department of Commerce on international trade issues from 1994 to 2001 and served on the Washington District Export Council for five years. In the EU, she was an appointed member of the European Union's ENISA Threat Landscape Stakeholders' Group for four years. A world traveler and amateur photojournalist, she has visited over 50 countries, further enriching her global outlook and professional insights. Follow me on LinkedIn: www.linkedin.com/comm/mynetwork/discovery-see-all?usecase=PEOPLE_FOLLOWS&followMember=janeginn