ETSI TR 103 331 V1.1.1 (2016-08)
TECHNICAL REPORT
CYBER;
Structured threat information sharing
Reference
DTR/CYBER-0009
Keywords
security, threat analysis, threat intelligence
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88
Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute 2016.
All rights reserved.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.
3GPP™ and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
Contents
Intellectual Property Rights . 4
Foreword . 4
Modal verbs terminology . 4
Executive summary . 4
Introduction . 4
1 Scope . 6
2 References . 6
2.1 Normative references . 6
2.2 Informative references . 6
3 Definitions and abbreviations . 8
3.1 Definitions . 8
3.2 Abbreviations . 8
4 Means for exchanging structured cyber threat intelligence . 9
4.1 Introduction . 9
4.2 OASIS Cyber Threat Intelligence Technical Committee (TC CTI) . 10
4.2.1 Introduction. 10
4.2.2 CTI STIX Subcommittee . 10
4.2.3 CTI TAXII Subcommittee . 12
4.2.4 CTI CybOX™ Subcommittee . 13
4.2.5 CTI Interoperability Subcommittee . 14
4.3 IETF Managed Incident Lightweight Exchange Working Group (mile) . 14
4.4 CSIRTGadgets Collective Intelligence Framework (CIF) . 15
4.5 EU Advanced Cyber Defence Centre (ACDC) . 15
4.6 AbuseHelper . 15
4.7 OMG Threat Modelling Working Group . 15
4.8 ITU-T SG17 . 16
4.9 Open Threat Exchange™ (OTX™). 17
4.10 OpenIOC Framework . 17
4.11 VERIS Framework . 17
4.12 ETSI ISI (Information Security Indicators) ISG . 17
Annex A: Bibliography . 19
History . 20
Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (https://ipr.etsi.org/).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Some material contained herein is the copyright of, or has been supplied by OASIS and the United States Government.
Figures 1, 2, 3, 4, 5, 6, 7 copyright © OASIS Open 2016. All Rights Reserved.
Figures 1, 2, 3, 4, 5, 6, 7 copyright © United States Government 2012-2015. All Rights Reserved. Used by permission.
Foreword
This Technical Report (TR) has been produced by ETSI Technical Committee Cyber Security (CYBER).
Modal verbs terminology
In the present document "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be
interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
Executive summary
Cyber threat information sharing - often described as threat intelligence sharing - is one of the most important
components of an organization's cyber security program. It can be obtained internally and from external trusted sources.
It is collected, analysed, shared, and leveraged. The present document provides a survey of ongoing activities and the
resulting platforms that are aimed at structuring and exchanging cyber threat information. These activities range from
those developed among the Computer Emergency Response Teams in the 1990s in the IETF, to cutting-edge new
initiatives being advanced in OASIS. Some of the platforms are semi-open commercial product communities. It is
possible that the OASIS CTI work could bring about significant interoperability if not integration in this area.
Introduction
The importance of cyber threat information sharing has been underscored recently by the European Union and North
America enacting it into law, combined with major executive-level and national initiatives. These actions extend
across all information and infrastructure sectors. Some of the more prominent of these recent actions include:
• EU Network and Information Security (NIS) Directive, approved 18 December 2015 [i.1].
• Cybersecurity Information Sharing Act of 2015 (18 December 2015) [i.2].
• CPNI, Threat Intelligence: Collecting, Analysing, Evaluating, 23 March 2015 [i.3].
• Launch of the Canadian Cyber Threat Exchange, 11 December 2015.
Against this backdrop of initiatives that included the scaling of Financial Services Information Sharing and Analysis
Center (FS-ISAC) and The Depository Trust & Clearing Corporation (DTCC) activities, the OASIS Cyber Threat
Intelligence Technical Committee was formed in 2015 to bring together a broad and rapidly growing array of public and
private sector organizations to advance a global set of standards for structured threat information sharing.
The present document describes the known array of existing structured threat information sharing work in diverse
bodies, including the developments underway in OASIS TC CTI, which can form the basis for expanded
cooperation based on existing ETSI and OASIS collaborative agreements and working relationships among Technical
Committees.
1 Scope
The present document provides an overview of the means for describing and exchanging cyber threat information in a
standardized and structured manner. Such information includes technical indicators of adversary activity, contextual
information, exploitation targets, and courses of action. The existence and creation of organizations for the exchange of
this information are out of scope of the present document.
2 References
2.1 Normative references
Normative references are not applicable in the present document.
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] Directive of the European Parliament and of the Council concerning measures for a high common level of
security of network and information systems across the Union, Brussels, 21 April 2016 (5581/16).
[i.2] Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures
with Federal Entities under the Cybersecurity Information Sharing Act of 2015 (June 2016).
NOTE: Available at https://www.us-cert.gov/sites/default/files/ais_files/Non-Federal_Entity_Sharing_Guidance_%28Sec%20105%28a%29%29.pdf.
[i.3] Center for the Protection of National Infrastructure (CPNI): "Threat Intelligence: Collecting,
Analysing, Evaluating".
NOTE: Available at https://www.cpni.gov.uk/Documents/Publications/2015/23-March-2015-MWR_Threat_Intelligence_whitepaper-2015.pdf.
[i.4] OASIS Specifications, STIX 1.2.1, TAXII 1.1.1, CybOX 2.1.1; draft Specifications STIX 2.0,
TAXII 2.0, CybOX 3.0; draft CybOX 3.0 Roadmap, CybOX 3.0 Visualization.
NOTE 1: Available at https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=cti.
NOTE 2: See also, OASIS Cyber Threat Intelligence (CTI) TC Wiki, https://wiki.oasis-open.org/cti/; Sean Barnum,
Standardizing Cyber Threat Intelligence Information with the Structured Threat Information eXpression
(STIX™), MITRE (February 20, 2014).
[i.5] OASIS. Cyber Threat Intelligence (CTI) TC Meeting Notes, OASIS Cyber Threat Intelligence
(CTI) TC Documents.
NOTE: Available at https://www.oasis-open.org/apps/org/workgroup/cti/documents.php?folder_id=2978.
[i.6] Internet Engineering Task Force (IETF): "Managed Incident Lightweight Exchange (mile)
Working Group".
NOTE: Available at https://datatracker.ietf.org/wg/mile/documents/.
[i.7] Recommendation ITU-T X.1500-Series: "Cybersecurity information exchange".
NOTE: Available at https://www.itu.int/itu-t/recommendations/index.aspx?ser=X.
[i.8] ETSI ISG ISI (Information Security Indicators) initial Terms of Reference.
NOTE: Available at https://portal.etsi.org/ISI/ISI_ISG_ToR_Sep2011.pdf.
[i.9] ETSI GS ISI 001-1: "Information Security Indicators (ISI); Indicators (INC); Part 1: A full set of
operational indicators for organizations to use to benchmark their security posture".
[i.10] ETSI GS ISI 001-2: "Information Security Indicators (ISI); Indicators (INC); Part 2: Guide to
select operational indicators based on the full set given in part 1".
[i.11] ETSI GS ISI 002: "Information Security Indicators (ISI); Event Model; A security event
classification model and taxonomy".
[i.12] ETSI GS ISI 003: "Information Security Indicators (ISI); Key Performance Security Indicators
(KPSI) to evaluate the maturity of security event detection".
[i.13] ETSI GS ISI 004: "Information Security Indicators (ISI); Guidelines for event detection
implementation".
[i.14] ETSI GS ISI 005: "Information Security Indicators (ISI); Guidelines for security event detection
testing and assessment of detection effectiveness".
[i.15] IETF RFC 5070: "The Incident Object Description Exchange Format".
[i.16] IETF RFC 6545: "Real-time Inter-network Defense (RID)".
[i.17] IETF RFC 6546: "Transport of Real-time Inter-network Defense (RID) Messages over
HTTP/TLS".
[i.18] IETF RFC 6684: "Guidelines and Template for Defining Extensions to the Incident Object
Description Exchange Format (IODEF)".
[i.19] IETF RFC 6685: "Expert Review for Incident Object Description Exchange Format (IODEF)
Extensions in IANA XML Registry".
[i.20] IETF RFC 7203: "An Incident Object Description Exchange Format (IODEF) Extension for
Structured Cybersecurity Information".
[i.21] IETF RFC 7495: "Enumeration Reference Format for the Incident Object Description Exchange
Format (IODEF)".
[i.22] IETF RFC 6046: "Transport of Real-time Inter-network Defense (RID) Messages".
[i.23] draft-ietf-mile-implementreport-09: "MILE Implementation Report".
[i.24] draft-ietf-mile-iodef-guidance-06: "IODEF Usage Guidance".
[i.25] draft-ietf-mile-rfc5070-bis-25: "The Incident Object Description Exchange Format v2".
[i.26] draft-ietf-mile-rolie-03: "Resource-Oriented Lightweight Information Exchange".
[i.27] draft-ietf-mile-xmpp-grid-00: "XMPP Protocol Extensions for Use with IODEF".
[i.28] ISO/IEC 27001: "Information technology -- Security techniques -- Information security
management systems -- Requirements".
[i.29] ISO/IEC 27002: "Information technology -- Security techniques -- Code of practice for
information security controls".
[i.30] ISO/IEC 27004: "Information technology -- Security techniques -- Information security
management -- Measurement".
[i.31] ETSI TR 103 305: "CYBER; Critical Security Controls for Effective Cyber Defence".
3 Definitions and abbreviations
3.1 Definitions
For the purposes of the present document, the following terms and definitions apply. Reference figure 2, below.
campaign: STIX Campaign represents a set of TTPs, Incidents, or Threat Actors that together express a common intent
or desired effect [i.4]
course of action: STIX Course of Action (COA) is used to convey information about courses of action that may be
taken either in response to an attack or as a preventative measure prior to an attack [i.4]
exploit target: STIX Exploit Target conveys information about a vulnerability, weakness, or misconfiguration in
software, systems, networks, or configurations that may be targeted for exploitation by an adversary [i.4]
incident: STIX Incident corresponds to sets of related security events affecting an organization, along with information
discovered or decided during an incident response investigation [i.4]
indicators: STIX Indicator data model conveys specific Observable patterns combined with contextual information
intended to represent artifacts and/or behaviors of interest within a cyber security context [i.4]
observables: STIX Observable represents stateful properties or measurable events pertinent to the operation of
computers and networks, and may consist of Observable instances and Observable Patterns [i.4]
observable instances: represent actual specific observations that took place in the cyber domain [i.4]
observable patterns: represent conditions for a potential observation that may occur in the future or may have already
occurred and exists in a body of observable instances [i.4]
report: STIX Report defines a contextual wrapper for a grouping of STIX content, which could include content
specified using any of the other eight top-level constructs, or even other related Reports [i.4]
Tactics, Techniques and Procedures (TTP): STIX Tactics, Techniques, and Procedures (TTP) are used to represent
the behavior or modus operandi of cyber adversaries [i.4]
threat actor: STIX Threat Actor is a characterization of a malicious actor (or adversary) representing a cyber attack
threat, including presumed intent and historically observed behavior [i.4]
3.2 Abbreviations
For the purposes of the present document, the following abbreviations apply:
ACDC Advanced Cyber Defence Centre
AS Autonomous System
CERT Computer Emergency Response Team
CIF Collective Intelligence Framework
COBIT Control OBjectives for Information and related Technology
CPNI Centre for the Protection of National Infrastructure
CSIRT Computer Security Incident Response Team
CTI Cyber Threat Intelligence
CYBEX Cybersecurity Information Exchange
CybOX™ Cyber Observable Expression
DHS Department of Homeland Security
DoS Denial of Service
DTCC Depository Trust & Clearing Corporation
ENISA European Union Agency for Network and Information Security
EU European Union
FIRST Forum of Incident Response and Security Teams
FS-ISAC Financial Services ISAC
GS Group Specification
HTTP Hypertext Transfer Protocol
IANA Internet Assigned Numbers Authority
IDS Intrusion Detection System
IETF Internet Engineering Task Force
INC INdiCators
INCH INCident Handling
IODEF Incident Object Description Exchange Format
IP Internet Protocol
ISAC Information Sharing and Analysis Center
ISACA Information Systems Audit and Control Association
ISG Industry Specification Group
ISI Information Security Indicators
IT Information Technology
ITU-T International Telecommunication Union Telecommunication Standardization Sector
JSON JavaScript Object Notation
KPSI Key Performance Security Indicators
MAEC™ Malware Attribute Enumeration and Characterization
MILE Managed Incident Lightweight Exchange
NIS Network and Information Security
NREN National Research and Education Network
OASIS Organization for the Advancement of Structured Information Standards
OMG Object Management Group
OSSIM Open Source Security Information Management
OTX Open Threat eXchange
RID Real-time Inter-network Defense
STIX™ Structured Threat Information Expression
TAXII™ Trusted Automated Exchange of Indicator Information
TTP Tactics, Techniques and Procedures
US United States
VERIS Vocabulary for Event Recording and Incident Sharing
XML Extensible Markup Language
XMPP Extensible Messaging and Presence Protocol
NOTE: CybOX™, MAEC™, STIX™ and TAXII™ are trademarks of The MITRE Corporation operating as a
non-profit Federally Funded Research and Development Center (FFRDC) of the U.S. Department of
Homeland Security. See http://stixproject.github.io/legal/. This information is given for the convenience
of users of the present document and does not constitute an endorsement by ETSI of the product named.
Equivalent products may be used if they can be shown to lead to the same results.
4 Means for exchanging structured cyber threat intelligence
4.1 Introduction
The need for the exchange of structured cyber threat intelligence grew in the 1990s in conjunction with increasing
numbers of discovered exploits of network vulnerabilities and attacks. This led to a diverse array of initiatives and
projects to develop structured expressions and associated protocols for the trusted exchange of information concerning
those vulnerabilities and attacks, and remediation steps, which are described in the following clauses. These efforts and
the resulting platforms have moved forward (or not) at significantly different scales, and involve specialized and
sometimes vendor-oriented communities. The Financial Services Information Sharing and Analysis Center (FS-ISAC)
and The Depository Trust & Clearing Corporation (DTCC) communities are especially significant, and belong to one of
the EU NIS essential services sectors. The largest related standards activity is now the OASIS Technical Committee on
Cyber Threat Intelligence (TC CTI), which is still rapidly growing and evolving.
4.2 OASIS Cyber Threat Intelligence Technical Committee (TC CTI)
4.2.1 Introduction
The OASIS Cyber Threat Intelligence (CTI) TC was chartered to define a set of information representations and
protocols to address the need to model, analyze, and share cyber threat intelligence. In the initial phase of TC work,
three specifications were transitioned from the US Department of Homeland Security (DHS) for development and
standardization under the OASIS open standards process: STIX™ (Structured Threat Information Expression),
TAXII™ (Trusted Automated Exchange of Indicator Information), and CybOX™ (Cyber Observable Expression). The
OASIS CTI Technical Committee remit includes:
• define composable information sharing services for peer-to-peer, hub-and-spoke, and source/subscriber threat
intelligence sharing models;
• develop standardized representations for campaigns, threat actors, incidents, tactics, techniques and procedures
(TTPs), indicators, exploit targets, observables, and courses of action;
• develop formal models that allow organizations to develop their own standards-based sharing architectures to
meet specific needs.
TC CTI consists of a significant number of companies, government agencies, and institutes from around the world. New
OASIS versions of the three initial platforms (STIX™, TAXII™, and CybOX™) have been produced and next-generation
versions are being produced. Considerable material, including running code, is hosted on the projects' GitHub
organizations (https://github.com/STIXProject, https://github.com/TAXIIProject, https://github.com/CybOXProject,
https://github.com/MAECProject/). It is expected that MAEC™ will be folded into TAXII™. As of June 2016,
the deliverables consist of:
• STIX™ 1.2.1 Specification, August 2016.
• STIX™ 2.0 Specification [target Q1 2017].
• TAXII™ 1.1.1 Specification, August 2016.
• TAXII™ 2.0 Specification [target Q1 2017].
• CybOX™ 2.1.1 Specification, [September 2016].
• CybOX™ 3.0 Specification [target Q1 2017].
• CybOX™ 3.0 Roadmap.
• CybOX™ 3.0 Visualisation.
• Interoperability Guidelines.
• Interoperability Demonstration Policy.
The platforms have significant potential use within Network Functions Virtualization environments. The degree of
activity and importance of this work merits more detailed treatment of the principal CTI subcommittees and their work.
The TC presently has four active subcommittees dedicated to specific deliverables, which are described below. There is an
additional Marketing Group within the TC as well as several informal ad hoc "mini working groups".
4.2.2 CTI STIX Subcommittee
The objective of the Structured Threat Information Expression (STIX™) effort is to specify, characterize, and capture
cyber threat information. STIX addresses a full range of cyber threat use cases - including threat analysis, capture and
specification of indicators, management of response activities, and information sharing - to improve consistency,
efficiency, interoperability, and overall situational awareness.
The four active work products are the STIX V1.2.1 language specification, the XML binding specification for STIX
V1.2.1, the STIX V2.0 language specification and the STIX 1.2.1 JSON Binding Specification 1.0 [i.4]. The
STIX use cases are depicted in figure 1, the intelligence model and expression groups in figure 2 and examples in
figure 3.
Figure 1: STIX use cases [i.4]
Figure 2: STIX Package encompasses the STIX individual component data models [i.4]
Figure 3: STIX architecture [i.4]
STIX 2.0 features being considered include JSON expressions, Sightings/Observation/Indicator, Versioning, Indicator
Type Vocabulary, Common Object Properties, Packaging, Campaign, TTPs [i.5].
4.2.3 CTI TAXII Subcommittee
Trusted Automated eXchange of Indicator Information (TAXII™) defines a set of services and message exchanges that,
when implemented, enable the sharing of actionable cyber threat information across organization and product/service
boundaries. TAXII, through its member specifications, defines concepts, protocols and messages to exchange cyber threat
information for the detection, prevention, and mitigation of cyber threats. The sharing models supported by V1.1.1 as well
as the specification components are shown in figures 4 and 5.
[Figure 4 panels: Hub and Spoke; Source/Subscriber; Peer to Peer]
Figure 4: TAXII models supported [i.4]
Figure 5: TAXII specification components [i.4]
TAXII 2.0 features being considered include: a publish and subscribe model over an HTTP RESTful interface; TAXII
Servers acting as plumbing for CTI between TAXII Clients; and each TAXII Server having some defined out-of-the-box
channels to which clients can publish or subscribe. The model is depicted in figure 6.
Figure 6: TAXII 2.0 proposed channel architecture [i.5]
4.2.4 CTI CybOX™ Subcommittee
CybOX™ provides a common structure for representing cyber observables across and among the operational areas of
enterprise cyber security that improves the consistency, efficiency, and interoperability of deployed tools and processes,
as well as increases overall situational awareness by enabling the potential for detailed automatable sharing, mapping,
detection, and analysis heuristics. The CybOX™ V2.1.1 objects and relationships are depicted in figure 7.
Figure 7: CybOX™ 2.1.1 objects and relationships [i.4]
CybOX™ 3.0 features being considered include: 1) core/common changes (separation of patterns and instances,
first-class relationships, cryptographic hash capture refactoring) and 2) object-related changes (object refactoring for
semantic accuracy, expansion of "atomic" objects) [i.5].
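The separation of observable patterns from observable instances planned for CybOX 3.0, together with the Observable instance and Observable pattern definitions in clause 3.1 and the Sightings/Observation/Indicator features considered for STIX 2.0, is easiest to see in code. The following Python is an added example for the present document; it is not code from the OASIS CTI TC or from the STIX, TAXII or CybOX projects. It implements a small matcher for a subset of the STIX 2 pattern syntax (a single observation expression of comparisons joined by AND and OR, using =, != and MATCHES, with AND binding tighter than OR) and runs three constructed indicators over constructed observable instances to count sightings. The object types, property names, indicator identifiers and observation values are assumptions of the example, chosen to resemble STIX 2 conventions; a deployed implementation should use a complete pattern parser and a schema-validated object model.

```python
"""Added example (not from the OASIS specifications): evaluate STIX-style Observable
patterns against Observable instances to produce Sightings. All sample data is constructed."""
import re
from typing import Any, Dict, List

# Subset handled: one observation expression "[ ... ]" of comparisons (path op literal)
# joined by AND / OR, with AND binding tighter than OR, as in the STIX 2 pattern grammar.
_TOKEN = re.compile(
    r"\s*(?:(?P<bracket>[\[\]])"
    r"|(?P<bool>AND|OR)\b"
    r"|(?P<op>!=|=|MATCHES)"
    r"|(?P<path>[a-z0-9-]+:(?:[A-Za-z0-9_]+|'[^']+')(?:\.(?:[A-Za-z0-9_]+|'[^']+'))*)"
    r"|(?P<str>'(?:[^'\\]|\\.)*')"
    r"|(?P<num>\d+))")

def tokenize(pattern: str) -> List[tuple]:
    """Split a pattern into (kind, text) tokens; anything outside the subset is rejected."""
    pattern, pos, tokens = pattern.strip(), 0, []
    while pos < len(pattern):
        m = _TOKEN.match(pattern, pos)
        if m is None:
            raise ValueError(f"unexpected input at {pos}: {pattern[pos:]!r}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens

def _resolve(obs: Dict[str, Any], path: str) -> Any:
    """Walk 'type:prop.sub' (quoted keys allowed) into an instance; None if any step is absent."""
    obj_type, _, prop_path = path.partition(":")
    node: Any = obs.get(obj_type)
    for key in re.findall(r"[A-Za-z0-9_]+|'[^']+'", prop_path):
        node = node.get(key.strip("'")) if isinstance(node, dict) else None
    return node

def _compare(actual: Any, op: str, expected: Any) -> bool:
    if actual is None:                       # absent property: the comparison is false
        return False
    if op == "MATCHES":
        return isinstance(actual, str) and re.search(expected, actual) is not None
    return actual == expected if op == "=" else actual != expected

def _and(l, r): return lambda o: l(o) and r(o)
def _or(l, r): return lambda o: l(o) or r(o)

class _Parser:
    """Recursive descent over the tokens, producing a closure instance -> bool."""
    def __init__(self, tokens: List[tuple]):
        self.toks, self.i = tokens, 0
    def _peek(self) -> tuple:
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def _take(self, kind: str, value: str = None) -> str:
        k, v = self._peek()
        if k != kind or (value is not None and v != value):
            raise ValueError(f"expected {value or kind}, got {v!r}")
        self.i += 1
        return v
    def pattern(self):
        self._take("bracket", "[")
        # OR-level operands are AND-level expressions, so AND binds tighter than OR
        node = self._binary("OR", lambda: self._binary("AND", self._comparison, _and), _or)
        self._take("bracket", "]")
        if self._peek()[0] is not None:
            raise ValueError("trailing input after ']'")
        return node
    def _binary(self, keyword: str, operand, combine):
        node = operand()
        while self._peek() == ("bool", keyword):
            self.i += 1
            node = combine(node, operand())  # left-associative
        return node
    def _comparison(self):
        path, op = self._take("path"), self._take("op")
        kind, raw = self._peek()
        if kind == "str":
            value: Any = re.sub(r"\\(.)", r"\1", raw[1:-1])   # unescape \' and \\
        elif kind == "num":
            value = int(raw)
        else:
            raise ValueError(f"expected literal, got {raw!r}")
        self.i += 1
        return lambda obs: _compare(_resolve(obs, path), op, value)

def compile_pattern(pattern: str):
    return _Parser(tokenize(pattern)).pattern()

def sightings(indicator: Dict[str, str], observations: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    match = compile_pattern(indicator["pattern"])   # compile once, reuse across instances
    return [obs for obs in observations if match(obs)]

def sighting_report(indicators: List[Dict[str, str]], observations: List[Dict[str, Any]]) -> Dict[str, int]:
    return {ind["id"]: len(sightings(ind, observations)) for ind in indicators}

DROPPER_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"  # constructed
INDICATORS = [  # constructed sample indicators: an id and an observable pattern
    {"id": "indicator--c2",
     "pattern": "[ipv4-addr:value = '198.51.100.7' AND network-traffic:dst_port = 443]"},
    {"id": "indicator--dropper", "pattern": f"[file:hashes.'SHA-256' = '{DROPPER_SHA256}']"},
    {"id": "indicator--infra",
     "pattern": "[domain-name:value MATCHES '^update\\\\.' OR ipv4-addr:value = '203.0.113.9']"},
]
OBSERVATIONS = [  # constructed sample observable instances: object type -> properties
    {"ipv4-addr": {"value": "198.51.100.7"}, "network-traffic": {"dst_port": 443}},
    {"file": {"name": "invoice.exe", "hashes": {"SHA-256": DROPPER_SHA256}}},
    {"ipv4-addr": {"value": "203.0.113.9"}, "network-traffic": {"dst_port": 8080}},
    {"domain-name": {"value": "update.example.net"}},
]
```

Calling sighting_report(INDICATORS, OBSERVATIONS) returns the number of matching instances per indicator id. An absent property never satisfies a comparison, which is why the file-hash indicator does not fire on the network observations, and the parser rejects input outside the supported subset rather than guessing at it, which matters when patterns arrive from an external sharing partner.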
...