ETSI TR 103 331 V1.1.1 (2016-08)

CYBER; Structured threat information sharing

TECHNICAL REPORT

Reference
DTR/CYBER-0009

Keywords
security, threat analysis, threat intelligence

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00   Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the Sous-Préfecture de Grasse (06) N° 7803/88

Important notice

The present document can be downloaded from: http://www.etsi.org/standards-search

The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx

If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx

Copyright Notification

No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2016. All rights reserved.

DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPP™ and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association.

Contents

Intellectual Property Rights ... 4
Foreword ... 4
Modal verbs terminology ... 4
Executive summary ... 4
Introduction ... 4
1 Scope ... 6
2 References ... 6
2.1 Normative references ... 6
2.2 Informative references ... 6
3 Definitions and abbreviations ... 8
3.1 Definitions ... 8
3.2 Abbreviations ... 8
4 Means for exchanging structured cyber threat intelligence ... 9
4.1 Introduction ... 9
4.2 OASIS Cyber Threat Intelligence Technical Committee (TC CTI) ... 10
4.2.1 Introduction ... 10
4.2.2 CTI STIX Subcommittee ... 10
4.2.3 CTI TAXII Subcommittee ... 12
4.2.4 CTI CybOX Subcommittee ... 13
4.2.5 CTI Interoperability Subcommittee ... 14
4.3 IETF Managed Incident Lightweight Exchange Working Group (mile) ... 14
4.4 CSIRTGadgets Collective Intelligence Foundation (CIF) ... 15
4.5 EU Advanced Cyber Defence Centre (ACDC) ... 15
4.6 AbuseHelper ... 15
4.7 OMG Threat Modelling Working Group ... 15
4.8 ITU-T SG17 ... 16
4.9 Open Threat Exchange (OTX) ... 17
4.10 OpenIOC Framework ... 17
4.11 VERIS Framework ... 17
4.12 ETSI ISI (Information Security Indicators) ISG ... 17
Annex A: Bibliography ... 19
History ... 20

Intellectual Property Rights

IPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: “Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards”, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https://ipr.etsi.org/).

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Some material contained herein is the copyright of, or has been supplied by, OASIS and the United States Government. Figures 1, 2, 3, 4, 5, 6, 7 copyright OASIS Open 2016. All Rights Reserved. Figures 1, 2, 3, 4, 5, 6, 7 copyright United States Government 2012-2015. All Rights Reserved. Used by permission.

Foreword

This Technical Report (TR) has been produced by ETSI Technical Committee Cyber Security (CYBER).

Modal verbs terminology

In the present document “should”, “should not”, “may”, “need not”, “will”, “will not”, “can” and “cannot” are to be interpreted as described in clause 3.2 of the ETSI Drafting
Rules (Verbal forms for the expression of provisions).

“must” and “must not” are NOT allowed in ETSI deliverables except when used in direct citation.

Executive summary

Cyber threat information sharing, often described as threat intelligence sharing, is one of the most important components of an organization's cyber security program. It can be obtained internally and from external trusted sources. It is collected, analysed, shared, and leveraged. The present document provides a survey of ongoing activities and the resulting platforms that are aimed at structuring and exchanging cyber threat information. These activities range from those developed among the Computer Emergency Response Teams in the 1990s in the IETF, to cutting-edge new initiatives being advanced in OASIS. Some of the platforms are semi-open commercial product communities. It is possible that the OASIS CTI work could bring about significant interoperability, if not integration, in this area.

Introduction

The importance of cyber threat information sharing has been underscored recently by the European Union and North America enacting it into organic law, combined with major executive-level and national initiatives. These actions extend across all information and infrastructure sectors. Some of the more prominent of these recent actions include:
- EU Network Information Security Directive, approved 18 December 2015 [i.1].
- Cybersecurity Information Sharing Act of 2015 (18 December 2015) [i.2].
- CPNI, Threat Intelligence: Collecting, Analysing, Evaluating, 23 March 2015 [i.3].
- Launch of the Canadian Cyber Threat Exchange, 11 December 2015.

Against this backdrop of initiatives that included the scaling of Financial Services Information Sharing and Analysis Center (FS-ISAC) and The Depository Trust

draft Specifications STIX 2.0, TAXII 2.0, CybOX 3.0; draft CybOX 3.0 Roadmap, CybOX 3.0 Visualization.
NOTE 1: Available at https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=cti.
NOTE 2: See also OASIS Cyber Threat Intelligence (CTI) TC Wiki, https://wiki.oasis-open.org/cti/; Sean Barnum, Standardizing Cyber Threat Intelligence Information with the Structured Threat Information eXpression (STIX), MITRE (February 20, 2014).

[i.5] OASIS: Cyber Threat Intelligence (CTI) TC Meeting Notes, OASIS Cyber Threat Intelligence (CTI) TC Documents.
NOTE: Available at https://www.oasis-open.org/apps/org/workgroup/cti/documents.php?folder_id=2978.

[i.6] Internet Engineering Task Force (IETF): “Managed Incident Lightweight Exchange (mile) Working Group”.
NOTE: Available at https://datatracker.ietf.org/wg/mile/documents/.

[i.7] Recommendation ITU-T X.1500-Series: “Cybersecurity information exchange”.
NOTE: Available at https://www.itu.int/itu-t/recommendations/index.aspx?ser=X.

[i.8] ETSI ISG ISI (Information Security Indicators) initial Terms of Reference.
NOTE: Available at https://portal.etsi.org/ISI/ISI_ISG_ToR_Sep2011.pdf.

[i.9] ETSI GS ISI 001-1: “Information Security Indicators (ISI); Indicators (INC); Part 1: A full set of operational indicators for organizations to use to benchmark their security posture”.

[i.10] ETSI GS ISI 001-2: “Information Security Indicators (ISI); Indicators (INC); Part 2: Guide to select operational indicators based on the full set given in part 1”.

[i.11] ETSI GS ISI 002: “Information Security Indicators (ISI); Event Model A security event classification model and taxonomy”.

[i.12] ETSI GS ISI 003: “Information Security Indicators (ISI); Key Performance Security Indicators (KPSI) to evaluate the maturity of security event detection”.

[i.13] ETSI GS ISI 004: “Information Security Indicators (ISI); Guidelines for event detection implementation”.

[i.14] ETSI GS ISI 005: “Information Security Indicators (ISI); Guidelines for security event detection testing and assessment of detection effectiveness”.

[i.15] IETF
RFC 5070: “The Incident Object Description Exchange Format”.

[i.16] IETF RFC 6545: “Real-time Inter-network Defense (RID)”.

[i.17] IETF RFC 6546: “Transport of Real-time Inter-network Defense (RID) Messages over HTTP/TLS”.

[i.18] IETF RFC 6684: “Guidelines and Template for Defining Extensions to the Incident Object Description Exchange Format (IODEF)”.

[i.19] IETF RFC 6685: “Expert Review for Incident Object Description Exchange Format (IODEF) Extensions in IANA XML Registry”.

[i.20] IETF RFC 7203: “An Incident Object Description Exchange Format (IODEF) Extension for Structured Cybersecurity Information”.

[i.21] IETF RFC 7495: “Enumeration Reference Format for the Incident Object Description Exchange Format (IODEF)”.

[i.22] IETF RFC 6046: “Transport of Real-time Inter-network Defense (RID) Messages”.

[i.23] draft-ietf-mile-implementreport-09: “MILE Implementation Report”.

[i.24] draft-ietf-mile-iodef-guidance-06: “IODEF Usage Guidance”.

[i.25] draft-ietf-mile-rfc5070-bis-25: “The Incident Object Description Exchange Format v2”.

[i.26] draft-ietf-mile-rolie-03: “Resource-Oriented Lightweight Information Exchange”.

[i.27] draft-ietf-mile-xmpp-grid-00: “XMPP Protocol Extensions for Use with IODEF”.

[i.28] ISO/IEC 27001: “Information technology - Security techniques - Information security management systems - Requirements”.

[i.29] ISO/IEC 27002: “Information technology - Security techniques - Code of practice for information security controls”.

[i.30] ISO/IEC 27004: “Information technology - Security techniques - Information security management - Measurement”.

[i.31] ETSI TR 103 305: “CYBER; Critical Security Controls for Effective Cyber Defence”.

3 Definitions and abbreviations

3.1 Definitions

For the purposes of the present document, the following terms and definitions apply. Reference figure 2, below.

campaign: STIX Campaign represents a set of TTPs, Incidents, or Threat Actors that together express a common intent or desired effect [i.4].

course of action: STIX Course of Action (COA) is used to convey information about courses of action that may be taken either in response to an attack or as a preventative measure prior to an attack [i.4].

exploit target: STIX Exploit Target conveys information about a vulnerability, weakness, or misconfiguration in software, systems, networks, or configurations that may be targeted for exploitation by an adversary [i.4].

incident: STIX Incident corresponds to sets of related security events affecting an organization, along with information discovered or decided during an incident response investigation [i.4].

indicators: STIX Indicator data model conveys specific Observable patterns combined with contextual information intended to represent artifacts and/or behaviors of interest within a cyber security context [i.4].

observables: STIX Observable represents stateful properties or measurable events pertinent to the operation of computers and networks, and may consist of Observable instances and Observable Patterns [i.4].

observable instances: represent actual specific observations that took place in the cyber domain [i.4].

observable patterns: represent conditions for a potential observation that may occur in the future or may have already occurred and exists in a body of observable instances [i.4].

report: STIX Report defines a contextual wrapper for a grouping of STIX content, which could include content specified using any of the other eight top-level constructs, or even other related Reports [i.4].

Tactics, Techniques and Procedures (TTP): STIX Tactics, Techniques, and Procedures (TTP) are used to represent the behavior or modus operandi of cyber adversaries [i.4].

threat actor: STIX Threat Actor is a characterization of a malicious actor (or adversary) representing a cyber attack threat, including presumed intent and historically observed behavior [i.4].

3.2 Abbreviations

For the purposes of the present document, the following abbreviations apply:

ACDC    Advanced Cyber Defence Centre
AS      Autonomous System
CERT    Computer Emergency Response Team
CIF     Collection Intelligence Framework
COBIT   Control OBjectives for Information and related Technology
CPNI    Centre for the Protection of National Infrastructure
CSIRT   Computer Security Incident Response Team
CTI     Cyber Threat Intelligence
CYBEX   Cybersecurity Information Exchange
CybOX   Cyber Observable Expression
DHS     Department of Homeland Security
DoS     Denial of Service
DTCC    Depository Trust

- develop standardized representations for campaigns, threat actors, incidents, tactics,
techniques and procedures (TTPs), indicators, exploit targets, observables, and courses of action;
- develop formal models that allow organizations to develop their own standards-based sharing architectures to meet specific needs.

TC CTI consists of a significant number of companies, government agencies, and institutes from around the world. New OASIS versions of the three initial platforms (STIX™, TAXII™, and CybOX) were produced, and next-generation versions are being produced. Rather considerable material, including running code, is hosted on multiple design GitHub repositories. It is expected that MAEC will be conflated into TAXII™.

As of June 2016, the deliverables consist of:
- STIX 1.2.1 Specification, August 2016.
- STIX 2.0 Specification, target Q1 2017.
- TAXII 1.1.1 Specification, August 2016.
- TAXII 2.0 Specification, target Q1 2017.
- CybOX 2.1.1 Specification, September 2016.
- CybOX 3.0 Specification, target Q1 2017.
- CybOX 3.0 Roadmap.
- CybOX 3.0 Visualisation.
- Interoperability Guidelines.
- Interoperability Demonstration Policy.

The platforms have significant potential use within Network Functions Virtualization environments. The degree of activity and importance of this work merits more detailed treatment of the principal CTI subcommittees and their work. The TC presently has four active subcommittees dedicated to specific deliverables, which are described below. There is an additional Marketing Group within the TC as well as several informal ad hoc “mini working groups”.

4.2.2 CTI STIX Sub
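The definitions in clause 3.1 separate observable instances (what a sensor actually saw) from observable patterns (conditions a sighting may satisfy), and describe an indicator as a pattern combined with context such as the TTP it points to and a suggested course of action. The following Python program is an added illustration of how a consumer of a shared feed would use those constructs; it is not STIX schema, python-stix, or any OASIS TC CTI code. The JSON layout, the field names (kind, value, source, indicated_ttp, suggested_coa), the vocabulary of observable kinds, and the sample feed and local sightings are all constructed for this example.

```python
# Added illustration of the clause 3.1 constructs (observable instance,
# observable pattern, indicator, course of action). This is NOT STIX
# schema, python-stix, or OASIS code; field names and sample data are
# constructed for the example.
from dataclasses import dataclass
import fnmatch
import json
from typing import Dict, List


@dataclass(frozen=True)
class ObservableInstance:
    """An actual observation that took place (clause 3.1: observable instance).
    kind/value/source are this example's own field names."""
    kind: str    # constructed vocabulary: "domain", "sha256", "ipv4"
    value: str
    source: str  # which sensor reported it (constructed)


@dataclass(frozen=True)
class ObservablePattern:
    """A condition a past or future observation may satisfy (clause 3.1:
    observable pattern). One property per pattern; '*' and '?' wildcards."""
    kind: str
    value: str

    def matches(self, obs: ObservableInstance) -> bool:
        # Kinds must agree; values compare case-insensitively so that a
        # hash reported in upper case still matches a lower-case pattern.
        return (obs.kind == self.kind
                and fnmatch.fnmatchcase(obs.value.lower(), self.value.lower()))


@dataclass(frozen=True)
class Indicator:
    """Observable pattern plus context (clause 3.1: indicator). The context
    carried here is the indicated TTP, a confidence label and the course of
    action the producer suggests."""
    id: str
    title: str
    pattern: ObservablePattern
    confidence: str
    indicated_ttp: str
    suggested_coa: str


def load_indicators(feed_json: str) -> List[Indicator]:
    """Parse a shared indicator feed. The JSON layout is this example's own,
    not the STIX or TAXII wire format."""
    indicators = []
    for entry in json.loads(feed_json)["indicators"]:
        pat = entry["observable_pattern"]
        indicators.append(Indicator(
            id=entry["id"],
            title=entry["title"],
            pattern=ObservablePattern(kind=pat["kind"], value=pat["value"]),
            confidence=entry.get("confidence", "Unknown"),
            indicated_ttp=entry.get("indicated_ttp", ""),
            suggested_coa=entry.get("suggested_coa", ""),
        ))
    return indicators


def match_indicators(indicators: List[Indicator],
                     observables: List[ObservableInstance]) -> List[Dict]:
    """Evaluate every indicator's pattern against the local observable
    instances. Returns one record per indicator with at least one sighting,
    keeping the producer's context attached so the result is actionable."""
    hits = []
    for ind in indicators:
        seen = [o for o in observables if ind.pattern.matches(o)]
        if seen:
            hits.append({
                "indicator_id": ind.id,
                "title": ind.title,
                "confidence": ind.confidence,
                "indicated_ttp": ind.indicated_ttp,
                "suggested_coa": ind.suggested_coa,
                "sightings": sorted({(o.source, o.value) for o in seen}),
            })
    return hits


# Constructed sample feed, as a sharing partner might publish it.
SAMPLE_FEED = json.dumps({"indicators": [
    {"id": "indicator-1", "title": "C2 domain used by campaign X",
     "observable_pattern": {"kind": "domain", "value": "*.c2.example.net"},
     "confidence": "High", "indicated_ttp": "Command and control",
     "suggested_coa": "Block at DNS resolver"},
    {"id": "indicator-2", "title": "Dropper SHA-256",
     "observable_pattern": {"kind": "sha256", "value":
         "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
     "confidence": "Medium", "indicated_ttp": "Initial compromise",
     "suggested_coa": "Quarantine host"},
    {"id": "indicator-3", "title": "Scanner address",
     "observable_pattern": {"kind": "ipv4", "value": "192.0.2.77"},
     "confidence": "Low", "indicated_ttp": "Reconnaissance",
     "suggested_coa": "Monitor"},
]})

# Constructed local observable instances reported by three sensors.
SAMPLE_OBSERVABLES = [
    ObservableInstance("domain", "beacon.c2.example.net", "dns-sensor"),
    ObservableInstance("domain", "www.example.org", "dns-sensor"),
    ObservableInstance("sha256",
        "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855", "edr"),
    ObservableInstance("ipv4", "198.51.100.5", "firewall"),
]

if __name__ == "__main__":
    for hit in match_indicators(load_indicators(SAMPLE_FEED), SAMPLE_OBSERVABLES):
        print(json.dumps(hit, indent=2))
```

The consumer's real work is the pattern evaluation in match_indicators: a single wildcard property match here, whereas STIX/CybOX patterns can combine many object properties with conditions and logical operators. Keeping the producer's context (confidence, indicated TTP, course of action) attached to each sighting is what turns a list of matched values into something an analyst can act on.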