In previous blogs and the recent RSA Perspective paper, I have emphasized the need to work through use cases, requirements, and sharing models before thinking about which standards best fit a use case and where they are necessary. As the co-chair of the Internet Engineering Task Force (IETF) Managed Incident Lightweight Exchange (MILE) working group, I’m often asked about the use of standards for information sharing, so let’s dive in!
The types of sharing between entities should be limited to what is useful and effective to assess and address threats, or provide proactive defense capabilities. The figure below depicts a few information exchange scenarios between small, medium, and large organizations (green and red circles), and analysis centers (blue circles), building from the groupings of who shares data in my previous blog.
The analysis centers in the figure may include consortiums, Internet service providers, threat intelligence feed service providers, and industry-focused Information Sharing and Analysis Centers (ISACs). The analysis centers are usually interested in varied, large, and sometimes complex data sets. Additionally, the data may be focused on a specific use case or problem area of business value and importance to a specific user group, such as distributed denial of service (DDoS) or advanced persistent threats (APTs) that combine multiple attack vectors. In these instances, the analysis centers will often benefit from the use of standards to automate their information exchanges (depicted with the grey arrows).
The organizations (Org.) depicted in the figure may include large, medium, and small enterprises. Larger enterprises with sophisticated capabilities are typically interested in actionable data, whereas medium and small organizations are interested in having inherently secure systems with prioritized and sometimes automated remediation options. The larger organizations will have use cases for which they will benefit from the use of standards (depicted with green arrows). The small and medium-sized organizations may receive protections directly from vendors or threat intelligence providers, with or without the use of standards (depicted with blue and red arrows), in this evolved ecosystem.
Since the data that is useful to exchange varies between user groups and use cases, it may only make sense to standardize formats for the data most commonly exchanged, or at least exchanged often enough that automation provides a benefit. Information that is exchanged less often and may vary over time can be handled through unstructured data, or through formats and extensions that are not formally standardized (private) or are even proprietary. Developing a trusted ecosystem that is limited to the exchange of meaningful and actionable data between research analysis centers, members of a research analysis center, and customers of service provider threat intelligence feeds is a complex problem with promising solutions that continue to emerge and evolve.
The RSA Perspective outlined a few effective sharing models; let’s expand on the Anti-Phishing Working Group (APWG) example and think about where standards are important. In the figure below, think of the Cyber Crime Data Clearinghouse as an example analysis center.
In this sharing model, the APWG analyzed the anti-phishing use case and determined what information was important to exchange. Reports of phishing incidents are aggregated into their repository, the Cyber Crime Clearinghouse, using the IODEF data format, either through a web form or through the receipt of formatted IODEF documents. The IODEF data model plus the anti-phishing extension defined in RFC 5901 meet their requirements for the information needed in this use case and enable interoperable exchanges in and out of their repository. The recent move to full automation enabled consistent exchanges of information, such that the receiver is able to parse and interpret exactly what was intended by the sender. That is where standards are important, and there is no shortage of them!
You will see that APWG vendor members, such as the browser vendors, have access to the repository or receive feeds of data in an IODEF format. The RSA Anti-Fraud Command Center is an example of a member exchanging data with the APWG in IODEF-formatted documents. RSA assists with the takedown of malware distribution servers or other compromised systems, working through a mature process that includes law enforcement, who also work closely with the APWG exchanging IODEF-formatted data. The browser vendors pull information such as URLs of malicious web sites from repositories, including the APWG, to maintain URL block lists in their browsers. Since each vendor maintains this service for its own browsers, it is responsible for updating the block lists within its product ecosystem; therefore proprietary formats are actually preferred! Why? Well, it is pretty simple: they have the flexibility to format the data and deliver it using secure protocols that exactly meet their needs, which may evolve over time. Since the list is a focused set of data and includes a small number of elements, it only makes sense to use a proprietary format. The same is true for other threat intelligence providers or vendor solutions that exchange information within their product ecosystem.
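To make the IODEF exchange described above concrete, here is an added example (not APWG, RSA, or browser-vendor code) that parses a phishing report carried in IODEF with the RFC 5901 extension and pulls out the web lure URLs a receiver might feed into a URL block list. The sample document is constructed, its element layout is a simplified reading of RFC 5070 and RFC 5901, and all hosts and identifiers are placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Namespaces registered by RFC 5070 (IODEF v1.0) and RFC 5901 (anti-phishing extension).
NS = {"iodef": "urn:ietf:params:xml:ns:iodef-1.0",
      "phish": "urn:ietf:params:xml:ns:iodef-phish-1.0"}

# Constructed sample report (not a real APWG submission); placeholder values throughout.
SAMPLE_REPORT = """<IODEF-Document version="1.00" lang="en"
    xmlns="urn:ietf:params:xml:ns:iodef-1.0"
    xmlns:phish="urn:ietf:params:xml:ns:iodef-phish-1.0">
  <Incident purpose="reporting" restriction="need-to-know">
    <IncidentID name="reporter.example.net">PH-0001</IncidentID>
    <ReportTime>2013-03-04T10:15:00+00:00</ReportTime>
    <EventData>
      <AdditionalData dtype="xml">
        <phish:PhraudReport FraudType="phishdeceptive">
          <phish:FraudedBrandName>ExampleBank</phish:FraudedBrandName>
          <phish:DCSite DCType="web"><phish:SiteURL>http://login.examplebank-verify.test/account</phish:SiteURL></phish:DCSite>
          <phish:DCSite DCType="web"><phish:SiteURL>https://203.0.113.7/secure/</phish:SiteURL></phish:DCSite>
          <phish:DCSite DCType="web"><phish:SiteURL>ftp://drop.example.test/x</phish:SiteURL></phish:DCSite>
        </phish:PhraudReport>
      </AdditionalData>
    </EventData>
  </Incident>
</IODEF-Document>"""


def parse_phish_report(xml_text):
    """Extract block-list material from one IODEF phishing report.

    Returns the incident id, the targeted brand (None when the RFC 5901
    extension is absent) and the http/https lure URLs with their hosts.
    The stdlib parser is used here; documents from untrusted senders
    should go through defusedxml to neutralize entity-expansion tricks."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}IODEF-Document" % NS["iodef"]:
        raise ValueError("not an IODEF document")
    iid = root.find("iodef:Incident/iodef:IncidentID", NS)
    brand = root.find(".//phish:FraudedBrandName", NS)
    urls, hosts = [], []
    for el in root.iterfind(".//phish:DCSite/phish:SiteURL", NS):
        url = (el.text or "").strip()
        parts = urlsplit(url)
        # Only web lures belong in a browser block list; skip other schemes.
        if parts.scheme in ("http", "https") and parts.hostname:
            urls.append(url)
            hosts.append(parts.hostname.lower())
    return {"incident_id": "%s:%s" % (iid.get("name"), iid.text.strip()),
            "brand": brand.text.strip() if brand is not None else None,
            "urls": urls, "hosts": hosts}
```

The IncidentID is qualified with its `name` attribute because IODEF identifiers are only unique within the issuing organization, which matters once several reporters feed the same repository.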
I’m hearing the acronyms IODEF/RID, STIX/TAXII, CybOX, CVF, CVRF, OVAL, etc. What do they mean, and should I care?
If you are designing the information exchanges in a sharing model, then yes; otherwise, no! We need to advance the conversation to center around use cases and automate effective sharing to the point that this just works. End users should not have to be aware of data formats; they should only be aware that their needs are met in the data exchanges, products, and protections offered.
How do I decide what to use?
The data formats and transports are typically suited to different use cases. Evaluating what you need to share with whom for a particular use case may result in using a focused data format with some partners and a more comprehensive set of data formats with others. This answer really depends upon the objectives for the sharing model.
Does one size fit all?
No. In the RSA Perspective paper, the mail abuse operators use their own format standardized through the IETF, the Abuse Reporting Format (ARF), because it meets their needs. The APWG uses IETF’s IODEF standard with extensions as it suits their needs. The Financial Services Information Sharing and Analysis Center (FS-ISAC) has decided to use MITRE’s STIX as they are interested in exchanging the threat information covered by that specification. And the list continues…