Threat Intelligence
Threat intelligence is the process of investigating, collecting, analyzing, and disseminating information about emerging threats and threat sources.
- is the set of activities that an organization undertakes to educate itself about changes in the cybersecurity threat landscape, and adapt security controls based upon that information
- shares risk information and provides an anonymized way for organizations to share the nature and characteristics of attacks they experience.
- can be used strategically and operationally
- threat intelligence is often shared via Threat Feeds
Threat Indicators
Threat indicators are pieces of information or properties that describe or identify a threat.
- e.g., IP addresses, file signatures, communication patterns, etc.
Threat Indicator Frameworks
- the three frameworks below (CybOX, STIX, and TAXII) work together
- community-driven effort, facilitated by DHS
Cyber Observable eXpression (CybOX)
Cyber Observable eXpression (CybOX) is a framework that provides a standardized schema for categorizing security observations.
Structured Threat Information eXpression
Structured Threat Information eXpression (STIX) is a standardized language used to communicate security information between systems and organizations.
- takes the properties defined by the CybOX framework and gives them a language for describing those properties in a structured manner
Trusted Automated eXchange of Intelligence Information
Trusted Automated eXchange of Intelligence Information (TAXII) is a set of services that shares security information between systems and organizations.
- provides a technical framework for exchanging messages written in the STIX language
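To make the STIX and TAXII bullets concrete, the following added example (written for this page, not code from OASIS, MITRE or any TAXII server) builds two minimal STIX 2.1 Indicator objects, wraps them in the envelope shape a TAXII 2.1 collection returns, and then matches the indicator patterns against a few constructed proxy and EDR log lines. It assumes STIX 2.1, where observables are expressed as Cyber-observable object paths such as ipv4-addr:value (the successor to CybOX); the tiny pattern parser only handles equality comparisons joined by OR, which is an assumption made to keep the example short, and the log format, hostnames, addresses and hash are constructed sample data.

```python
import re
import uuid
from datetime import datetime, timezone


def stix_timestamp():
    """STIX 2.1 timestamps are RFC 3339, UTC, with a trailing 'Z'."""
    now = datetime.now(timezone.utc).isoformat(timespec="milliseconds")
    return now.replace("+00:00", "Z")


def make_indicator(name, pattern, indicator_types):
    """Build a minimal STIX 2.1 Indicator SDO (required fields plus a name)."""
    ts = stix_timestamp()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": indicator_types,
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
    }


def make_bundle(objects):
    """A STIX Bundle is the container usually pushed to or pulled from TAXII."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def taxii_envelope(objects, more=False):
    """Shape of a TAXII 2.1 'Get Objects' response body for a collection."""
    return {"more": more, "objects": list(objects)}


# Matches one comparison such as  ipv4-addr:value = '198.51.100.23'
# or  file:hashes.'SHA-256' = '...'  (assumption: equality only).
_COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")


def parse_simple_pattern(pattern):
    """Parse [a:b = 'x' OR c:d = 'y'] into a list of (object path, value) pairs."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError(f"unsupported pattern: {pattern}")
    pairs = _COMPARISON.findall(body[1:-1])
    if not pairs:
        raise ValueError(f"no comparisons found in pattern: {pattern}")
    # Drop the quotes around dictionary keys like 'SHA-256' so paths compare cleanly.
    return [(path.replace("'", ""), value) for path, value in pairs]


# Constructed log lines (sample data for this example only).
DROPPER_SHA256 = "0123456789abcdef" * 4
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z proxy src=10.0.0.5 dst=198.51.100.23 host=cdn.example.net",
    "2024-05-01T10:00:02Z proxy src=10.0.0.7 dst=203.0.113.9 host=update.example.org",
    f"2024-05-01T10:00:03Z edr endpoint=ws-17 file=invoice.exe sha256={DROPPER_SHA256}",
]

# Map our log's key=value fields onto STIX cyber-observable object paths.
_KV = re.compile(r"(\w+)=(\S+)")
_KEY_TO_PATH = {
    "src": "ipv4-addr:value",
    "dst": "ipv4-addr:value",
    "host": "domain-name:value",
    "sha256": "file:hashes.SHA-256",
}


def extract_observables(line):
    """Return {stix object path: set of observed values} for one log line."""
    observed = {}
    for key, value in _KV.findall(line):
        path = _KEY_TO_PATH.get(key)
        if path:
            observed.setdefault(path, set()).add(value)
    return observed


def match_indicators(indicators, log_lines):
    """Return (indicator name, log line) for every line that satisfies a pattern."""
    hits = []
    for line in log_lines:
        observed = extract_observables(line)
        for ind in indicators:
            for path, value in parse_simple_pattern(ind["pattern"]):
                if value in observed.get(path, ()):
                    hits.append((ind["name"], line))
                    break  # one hit per indicator per line is enough
    return hits


def build_demo_indicators():
    """Two constructed indicators of the kind a threat feed would deliver."""
    return [
        make_indicator(
            "C2 server",
            "[ipv4-addr:value = '198.51.100.23' OR ipv4-addr:value = '198.51.100.24']",
            ["malicious-activity"],
        ),
        make_indicator(
            "Dropper hash",
            f"[file:hashes.'SHA-256' = '{DROPPER_SHA256}']",
            ["malicious-activity"],
        ),
    ]


def run_demo():
    """Simulate pulling a collection over TAXII, then sweep the logs with it."""
    bundle = make_bundle(build_demo_indicators())
    envelope = taxii_envelope(bundle["objects"])
    indicators = [o for o in envelope["objects"] if o["type"] == "indicator"]
    return match_indicators(indicators, SAMPLE_LOGS)


if __name__ == "__main__":
    for name, line in run_demo():
        print(f"HIT [{name}] {line}")
```

The split of responsibilities mirrors the page: the indicator's object paths are the observable vocabulary, the pattern plus Indicator object is the STIX layer, and the envelope is what a TAXII client actually receives before it hands the objects to a matcher. In a real deployment the envelope would come from a TAXII server's collection endpoint and the matcher would run inside a SIEM, but the data shapes are the same.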