New Lingua Franca For Exchanging Cyberattack Intelligence

Published: 22/11/2024   Category: security




Free, open-source framework from Mandiant aims to simplify the sharing of technical attack details among victim organizations



It's not easy for organizations to share firsthand attack intelligence in a confidential, or even meaningful, way, so many don't bother, which gives the bad guys another leg up. But tools to facilitate the sharing of attack information are gradually emerging, most recently a new open-source framework for describing the technical earmarks of a specific threat.
Open Indicators of Compromise (OpenIOC), released last week by Mandiant, is one layer in facilitating the anonymous sharing of attack intelligence among victim organizations. Mandiant originally built the technology in-house for its own tools and forensics engagements, and is now placing it in the public domain.
"There's no single, standardized way for people to share attack intelligence," says Dave Merkel, CTO at Mandiant. "The technologies used to deploy [it] are varied and not consistent in a way to take intelligence and boil it down to something ... actionable. It's fragmented," he says.
Mandiant originally created IOC for its internal use. "We needed a way to bridge technology and intelligence. That's important because we have services and products," Merkel says. And Mandiant's clients started asking if they could use IOC as well.
Merkel says the idea is to offer security vendors a standardized way to represent intelligence for their products to consume and share; for now, though, most of the early OpenIOC adopters are organizations in the government, defense, and energy sectors.
Mitre also offers a similar open schema, its Malware Attribute Enumeration and Characterization (MAEC), which provides a standard language for encoding and communicating information specifically about malware.
"The characterization of malware using such abstract patterns offers a wide range of benefits over the usage of physical signatures. Namely, it allows for the accurate encoding of how malware operates and the specific actions that it performs. Such information can not only be used for malware detection but also for assessing the end-goal the malware is pursuing and the corresponding threat that it represents," according to Mitre's description of MAEC.
The idea is to home in on the malware's behavior and features to help detect threats that bypass existing security products, and to clear up the confusion caused by inconsistent malware descriptions and naming.
Mandiant's Merkel says some vendors have their own ways of representing threat intelligence, and Mitre's MAEC is the closest thing to addressing what OpenIOC does. "We've talked and exchanged [information]. We are not solving the same problem the same way, though, but it's the closest thing I've seen to what OpenIOC [is]," he says.
OpenIOC is an XML-based standard, and Mandiant is also offering for free its IOC Finder tool, which lets incident responders share threat intelligence in a machine-readable format. OpenIOC also provides a format for describing an attacker's methodology, according to Mandiant. It currently has more than 500 indicator definitions.
"Over the long term, we'd like to build a community around it, sharing techniques in how they are using the schema," Merkel says. "I could see vendors supporting it," he says.
But the big hurdle continues to be organizations that are wary of, or unable to, share intelligence. While the defense industry and some government organizations have done so for some time, there's no go-to place for all organizations to share attack intelligence.
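To make concrete what "an XML-based standard" and "a machine-readable format" mean in practice, here is an added example (not Mandiant's code or IOC Finder): a constructed OpenIOC 1.0 document, using the schema's real element names (`ioc`, `definition`, `Indicator`, `IndicatorItem`, `Context`, `Content`) and namespace, plus a small evaluator that walks the AND/OR indicator tree against a constructed list of host artifacts. The IOC id, hash values, file names, sizes and registry paths are all made up for illustration, and only the `is` and `contains` conditions are implemented.

```python
"""Parse a minimal OpenIOC 1.0 document and evaluate its AND/OR indicator
tree against constructed host artifacts.

Added example, not Mandiant's code.  The IOC, hashes and paths below are
made up; the element names and namespace follow the OpenIOC 1.0 schema."""
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed OpenIOC 1.0 document: match on a file hash, OR a registry
# autorun path, OR (a file name AND a file size that hold for the same file).
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001" last-modified="2011-11-10T00:00:00">
  <short_description>Example backdoor (constructed)</short_description>
  <authored_by>example</authored_by>
  <authored_date>2011-11-10T00:00:00</authored_date>
  <links/>
  <definition>
    <Indicator operator="OR" id="top">
      <IndicatorItem id="i1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <IndicatorItem id="i2" condition="contains">
        <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/>
        <Content type="string">CurrentVersion\\Run\\updchk</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="nested">
        <IndicatorItem id="i3" condition="is">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">svchost.exe</Content>
        </IndicatorItem>
        <IndicatorItem id="i4" condition="is">
          <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/>
          <Content type="int">12345</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed host artifacts: one dict per object, keyed by the OpenIOC
# search path.  The clean host deliberately has a different file of size
# 12345 so a naive per-item AND would false-positive.
CLEAN_HOST = [
    {"FileItem/FileName": "svchost.exe", "FileItem/SizeInBytes": "27136",
     "FileItem/Md5sum": "ffffffffffffffffffffffffffffffff"},
    {"FileItem/FileName": "notepad.exe", "FileItem/SizeInBytes": "12345",
     "FileItem/Md5sum": "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"},
    {"RegistryItem/Path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"},
]
INFECTED_HOST = CLEAN_HOST + [
    {"FileItem/FileName": "svchost.exe", "FileItem/SizeInBytes": "12345",
     "FileItem/Md5sum": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
]
REG_PERSIST_HOST = CLEAN_HOST + [
    {"RegistryItem/Path": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updchk"},
]


def _item_matches(item, artifact):
    """Evaluate one IndicatorItem against one artifact (is / contains only)."""
    search = item.find("ioc:Context", NS).get("search")
    if search not in artifact:
        return False
    content = item.find("ioc:Content", NS)
    want, have = (content.text or "").strip(), str(artifact[search])
    if content.get("type") in ("md5", "sha1", "sha256"):  # hashes: case-insensitive
        want, have = want.lower(), have.lower()
    cond = item.get("condition", "is")
    if cond == "is":
        return have == want
    if cond == "contains":
        return want in have
    raise ValueError(f"unsupported condition {cond!r}")


def _indicator_matches(node, artifacts):
    """Evaluate an Indicator node (operator AND/OR) against all artifacts."""
    op = node.get("operator", "AND").upper()
    results = [_indicator_matches(c, artifacts) for c in node.findall("ioc:Indicator", NS)]
    items = node.findall("ioc:IndicatorItem", NS)
    if op == "OR":
        results.extend(any(_item_matches(it, a) for a in artifacts) for it in items)
        return any(results)
    # AND: group leaf items by document so FileName AND SizeInBytes must hold
    # for the *same* file, not for two different files on the host.
    groups = {}
    for it in items:
        groups.setdefault(it.find("ioc:Context", NS).get("document"), []).append(it)
    for doc_items in groups.values():
        results.append(any(all(_item_matches(it, a) for it in doc_items) for a in artifacts))
    return bool(results) and all(results)


def evaluate_ioc(xml_text, artifacts):
    """Return (ioc id, matched) for an OpenIOC document and a host's artifacts."""
    root = ET.fromstring(xml_text)
    top = root.find("ioc:definition/ioc:Indicator", NS)
    return root.get("id"), _indicator_matches(top, artifacts)


if __name__ == "__main__":
    for name, host in (("clean", CLEAN_HOST), ("infected", INFECTED_HOST),
                       ("reg-persist", REG_PERSIST_HOST)):
        print(name, evaluate_ioc(SAMPLE_IOC, host))
```

The per-document grouping under AND is a design choice for this example, not something the OpenIOC 1.0 schema spells out: without it, the `svchost.exe` name on one file and the `12345` size on another would combine into a false match on the clean host.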
Verizon Business last year took a stab at helping to build such a destination by releasing its Verizon Incident-Sharing (VERIS) framework for gathering and analyzing forensics data from a data breach, the same framework that underpins its comprehensive annual data breach reports. The hope was that the framework would facilitate more cooperation and data-sharing among breach victim organizations. It's basically a tool for describing security incidents in a consistent way, according to Verizon executives.
Merkel says OpenIOC could serve as a subset of VERIS, for example. "This is solving a lower-order problem than VERIS," he says.
The importance of intelligence-sharing among victim organizations is not lost on forensics experts. According to Verizon, as many as half of the security breaches it investigates are related to another attack in some way. Sharing attack information in a form that can be fed into victims' security tools would therefore help block future attacks, and help victims better understand the threats they face.
"The short-term benefit [of OpenIOC] is it's a consistent way to capture that information and apply it again and again in a tactical way," Merkel says.
Long term, Merkel says he hopes more industries will build their own intelligence-exchange communities like the defense contractor community has done.