One sourcing area that has become quite popular with organizations of every size is OSINT providers. Community groups, and even commercial enterprises, make threat intelligence available to the general public free of charge. Groups such as SANS and US-CERT provide specific information about threats and vulnerabilities. Commercial providers such as AlienVault provide an Open Threat Exchange (OTX) that allows a user community to share threat intelligence such as IOCs and TTPs. Other commercial organizations will provide whitepapers and reports on APT groups or strategic threat intelligence on emerging trends within the information security industry. Depending on the organization, OSINT is often very useful and provides a low-cost alternative to commercial services.
The widespread use of OSINT has led various organizations to create methods for sharing threat intelligence across organizational boundaries. How an organization actually obtains that intelligence depends on the source and on the format in which the source makes it available.
While not a completely exhaustive list, the following are some of the formats in which cyber threat OSINT is available:
- OpenIOC: OpenIOC was first developed so that Mandiant products, such as the Redline application utilized in Chapter 6, Forensic Imaging, could ingest threat intelligence and utilize it to search for evidence of compromise on the systems analyzed. It has evolved into an XML schema that describes the technical IOCs that an incident responder can use in determining whether a system has been compromised.
- STIX: The Structured Threat Information Exchange (STIX) is a product of the OASIS consortium. This machine-readable format allows organizations to share threat intelligence across various commercial and freeware threat intelligence aggregation platforms.
- TAXII: The Trusted Automated Exchange of Intelligence Information (TAXII) is an application layer protocol that shares threat intelligence over HTTPS. TAXII defines an API that can be utilized to share threat intelligence in the STIX format.
- VERIS: The Vocabulary for Event Recording and Incident Sharing (VERIS) is a comprehensive schema for standardizing the language of cybersecurity incidents. The key problem that the VERIS schema attempts to solve is the lack of a standard way to document security incidents. VERIS provides a structure that gives organizations a defined way to categorize the variety of attacks that may occur. The VERIS schema also serves as the collection format for the data that organizations contribute to the Verizon Data Breach Study.
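As an added example, not code from the book and not using any STIX or TAXII library, the following Python ingests a constructed STIX 2.1 bundle (the shape a TAXII collection returns), evaluates the indicator patterns it understands against observations gathered from a host, and reports the indicators it could not evaluate rather than silently ignoring them. The IDs, hash, domains and address in the bundle are placeholders, and the parser deliberately handles only equality comparisons joined by OR.

```python
import json
import re

def _ind(n, name, pattern, pattern_type="stix"):
    """Minimal STIX 2.1 indicator; id and timestamps are constructed placeholders."""
    return {"type": "indicator", "spec_version": "2.1", "name": name,
            "id": "indicator--%s-0000-4000-8000-000000000000" % (str(n) * 8),
            "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
            "valid_from": "2024-01-01T00:00:00.000Z", "pattern_type": pattern_type, "pattern": pattern}

# Constructed bundle standing in for a TAXII collection response; hash, domains and address are placeholders.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        _ind(2, "dropper hash", "[file:hashes.'SHA-256' = '%s']" % ("a" * 64)),
        _ind(3, "C2 domains", "[domain-name:value = 'bad.example' OR domain-name:value = 'worse.example']"),
        _ind(4, "snort rule", 'alert tcp any any -> any 80 (msg:"x"; sid:1;)', "snort"),
        _ind(5, "compound", "[ipv4-addr:value = '203.0.113.5' AND network-traffic:dst_port = 4444]"),
    ]})

# One STIX equality comparison: <object-type>:<property path> = '<value>'
COMPARISON = re.compile(r"^([a-z0-9-]+:[A-Za-z0-9_.'\[\]-]+)\s*=\s*'([^']*)'$")

def parse_pattern(pattern):
    """Return [(path, value), ...] for equality comparisons joined by OR, or None
    for anything else (AND, other operators, qualifiers) so it is not silently ignored."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        return None
    matches = [COMPARISON.match(c.strip()) for c in body[1:-1].split(" OR ")]
    return [m.groups() for m in matches] if all(matches) else None

def load_indicators(bundle_json):
    """Split the bundle's indicators into {id: terms} we can evaluate and ids we cannot."""
    parsed, skipped = {}, []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        terms = parse_pattern(obj["pattern"]) if obj.get("pattern_type", "stix") == "stix" else None
        if terms:
            parsed[obj["id"]] = terms
        else:
            skipped.append(obj["id"])
    return parsed, skipped

def match_observations(indicators, observations):
    """observations: list of {property_path: value} dicts collected from a host."""
    return sorted(i for i, terms in indicators.items()
                  if any(obs.get(p) == v for p, v in terms for obs in observations))
```

The skipped list is the part worth watching in practice: a feed entry in a pattern language your tooling cannot evaluate is a coverage gap, not a clean host.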
With a variety of intelligence sources available, one challenge is how organizations can aggregate, organize, and make use of threat intelligence. The next section discusses threat intelligence platforms, which are designed to address these issues.