This presentation forms part of the CTA's Threat Intelligence Practitioners' Summit
Thursday 3 October 15:00 - 15:30, Small Talks room
Linda Beverly (Cyber Threat Alliance)
In the rapidly evolving field of cybersecurity, the efficient and secure sharing of threat intelligence is crucial for enhancing organizational resilience against cyber threats. This presentation outlines the development of a cyber threat intelligence sharing style guide based on the Structured Threat Information Expression (STIX) 2.1 standard. Leveraging a data-driven and data-informed approach from 18 months of empirical intelligence and data science, the guide aims to standardize practices and improve collaborative security efforts.
The primary objective is to design a comprehensive style guide that utilizes the STIX 2.1 framework to standardize threat intelligence reporting, communication protocols, and terminology. Key questions addressed include: What are the essential components of a threat intelligence sharing style guide based on STIX 2.1? How can a combined data-driven and data-informed approach using empirical intelligence and data science enhance collaborative efforts and resilience against cyber threats?
This study involves a rigorous analysis of 18 months of empirical threat intelligence data, driven by data science techniques for pattern recognition and trend analysis. The development process was guided by quantitative insights from the data (data-driven), supplemented by expert feedback and qualitative analysis of industry best practices (data-informed).
The developed cyber threat intelligence sharing style guide includes standardized labels, normalization of labels, naming conventions, extensible templates for automated intelligence sharing, clear definitions of STIX 2.1 objects and properties, and adaptable protocols for evolving community needs. Implementation of the guide has resulted in a decrease in data errors and uncertainty and an increase in the accuracy and efficiency of threat intelligence dissemination within Magellan, the CTA's automated threat intelligence exchange platform. Overall, these improvements have led to a significant enhancement in the security posture of participating member organizations and their customers.
The findings highlight that a well-structured threat intelligence sharing style guide based on STIX 2.1, informed by both empirical data and expert insights, enhances both the efficiency and security of intelligence exchanges. This combined approach improves communication, reduces misunderstandings, and facilitates quicker and more effective responses to emerging threats. Continuous updates and training, guided by ongoing data analysis and expert feedback, are essential to maintain the relevance and effectiveness of the guide.
A comprehensive cyber threat intelligence sharing style guide based on STIX 2.1, driven by data and informed by expert insights, is crucial for improving the security and efficiency of threat intelligence exchanges. By standardizing practices and protocols using the STIX 2.1 framework, organizations can enhance their collaborative efforts and build greater resilience against cyber threats.
Linda Beverly leads the Data and Analysis Team and the Analysis & Intelligence Committee of the Cyber Threat Alliance (CTA), a not-for-profit membership association that enables cyber threat information sharing among cybersecurity organizations. Linda designs new methods to incorporate, augment and standardize threat intelligence, threat data and metadata. Prior to CTA, Linda held roles as a senior infosec data science engineer and in security engineering, and supported research funded by the Computer Research Association's Committee on the Status of Women in Computing Research (CRA-W), Lawrence Berkeley National Laboratory and Lawrence Livermore National Laboratory.
Back to VB2024 conference page