A Collection of Information Security Community Standardization Activities and Initiatives
Cyber Intelligence Threat Analysis

Cyber intelligence, that is, the collecting, analyzing and countering of cyber security threat information, is an essential capability in defending against today's agile cyber adversaries. Cyber intelligence begins with gathering detailed information about attacks, such as spear-phishing email headers and content, URLs of malicious links, and malware analysis-derived artifacts like Command and Control (C2) domain names and IP addresses. With a corpus of threat data, skilled cyber analysts then group patterns of similar activity, attribute activity to particular threat actors, quickly identify and implement mitigation strategies, and anticipate the launch of similar attacks in the future. The Structured Threat Information eXpression (STIX) language helps analysts represent cyber threat information in a structured manner. STIX builds on "cyber observables," that is, operational cyber events or stateful properties such as registry keys, email, and network flow data, as defined in the Cyber Observable eXpression (CybOX) language. The Common Vulnerability Enumeration (CVE), Common Platform Enumeration (CPE), Common Weaknesses Enumeration (CWE), and Malware Attribute Enumeration and Characterization (MAEC) are also building blocks used within the STIX framework to capture standard vulnerability, platform, weakness, and malware information. The attacks seen can be specified using the Common Attack Pattern Enumeration and Classification (CAPEC). Furthermore, STIX indicator information can be used to generate queries that look for particular cyber observables, using the Open Vulnerability and Assessment Language (OVAL), the Open Indicators of Compromise (OpenIOC), SNORT rules, or YARA rules.
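As an added illustration of the last point (example code, not from this page or from MITRE's own tooling), the script below takes a simplified, hypothetical STIX-style indicator carrying C2 domain and IP observables, emits Snort and YARA rules from it, and runs the same observables over constructed network flow records. The indicator layout, field names and every sample value are assumptions, not the STIX schema; the addresses are RFC 5737 documentation ranges.

```python
"""Derive Snort and YARA detection content from a STIX-style indicator and
run its observables over flow records. Simplified layout, not the STIX schema."""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class Indicator:
    """Hypothetical indicator: a title plus C2 domain and IP observables."""
    title: str
    c2_domains: list
    c2_ips: list
    sid_base: int = 1000001  # Snort SIDs from 1,000,000 upward are for local rules


def to_snort_rules(ind):
    """One Snort alert per C2 address, matching outbound traffic to that address."""
    rules = []
    for n, ip in enumerate(ind.c2_ips):
        ip_address(ip)  # reject a malformed observable instead of emitting a bad rule
        rules.append(f'alert ip $HOME_NET any -> {ip} any (msg:"{ind.title}: outbound to {ip}"; '
                     f'sid:{ind.sid_base + n}; rev:1;)')
    return rules


def to_yara_rule(ind):
    """A YARA rule whose strings are the C2 domain names (case-insensitive ASCII)."""
    ident = "".join(ch if ch.isalnum() else "_" for ch in ind.title)  # valid YARA identifier
    strings = "\n".join(f'        $d{i} = "{d}" ascii nocase' for i, d in enumerate(ind.c2_domains))
    return f"rule {ident}\n{{\n    strings:\n{strings}\n    condition:\n        any of them\n}}"


def match_flows(ind, flows):
    """Return the flow records whose destination IP or resolved host is a C2 observable."""
    ips, domains = set(ind.c2_ips), {d.lower() for d in ind.c2_domains}
    return [f for f in flows if f["dst_ip"] in ips or f.get("host", "").lower() in domains]


# Constructed sample data: placeholder observables, not real indicators.
SAMPLE_INDICATOR = Indicator(
    title="Spear-phish campaign C2",
    c2_domains=["c2.example.invalid", "update.example.test"],
    c2_ips=["203.0.113.10", "198.51.100.7"],
)
SAMPLE_FLOWS = [  # constructed flow records; only the first and third touch a C2 observable
    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.10", "host": ""},
    {"src_ip": "10.0.0.6", "dst_ip": "192.0.2.80", "host": "www.example.com"},
    {"src_ip": "10.0.0.7", "dst_ip": "192.0.2.44", "host": "C2.EXAMPLE.INVALID"},
]

if __name__ == "__main__":
    print("\n".join(to_snort_rules(SAMPLE_INDICATOR)))
    print(to_yara_rule(SAMPLE_INDICATOR))
    print([f["src_ip"] for f in match_flows(SAMPLE_INDICATOR, SAMPLE_FLOWS)])
```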
This website is sponsored and managed by The MITRE Corporation to enable stakeholder collaboration. Copyright © 2007–2024 The MITRE Corporation. MITRE, the MITRE logo, CVE, and the CVE logo are registered trademarks and the Making Security Measurable logo, CWE, the CWE logo, CAPEC, the CAPEC logo, MAEC, the MAEC logo, CWSS, the CWSS logo, CWRAF, the CWRAF logo, and Recommendation Tracker are trademarks of The MITRE Corporation. All other trademarks are the property of their respective owners. Contact us: measurablesecurity@mitre.org. Page Last Updated: July 05, 2013