[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Common repository for STIX CTI objects
Many entities in cyber threat intelligence are common and having many duplicate STIX objects to represent the same concept has always been seen as wasteful and problematic. Several decisions made when writing
the STIX specification tried to take this into account. This includes: specification defined instances of TLP data markings, kill chain phases referred to by their names and deterministic identifiers for STIX cyber objects (SCOs). However, having an easily
available repository of common CTI objects has always been on the âwish listâ of members of the CTI-TC. DHS has tasked MITRE with investigating creating such a repository.
MITRE has already started a similar repository of STIX objects to represent both the ATT&CK and CAPEC frameworks. It is available at https://github.com/mitre/cti.
It certainly is the case that other organizations might want to do something similar with their cyber threat intellectual property. However, there are other STIX objects that are general enough to be hosted in a common repository, defined once and re-used
by the broader STIX community. Such a repository would foster consistency across STIX threat sharing efforts. In creating and using this repository, the amount of data transmitted over the wire could be reduced because only identifier references would need
to be shared.
Some of the objects types that immediately come to mind to include in this repository are locations (e.g., countries) and identities (e.g., industry sectors). Others types, like software (e.g., Microsoft Word
â version x) or tools (e.g., RDP) might be useful. Objects like IP addresses, which already can be considered unique if using deterministic identifiers, could be âstoredâ in this repository, so they need not be shared. Vulnerability objects representing
each CVE could be housed there also. Iâm sure there are other objects that could be included.
There are many issues to be discussed as part of setting up such a repository:
If you would like to be involved in making this happen, or just have some ideas, please get in touch. We can have a kickoff discussion at a future working call. Rich P. -- Rich Piazza Lead Cyber Security Engineer The MITRE Corporation 781-271-3760
|
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]