FIRST is an international confederation of trusted computer incident response teams who cooperatively handle computer security incidents and promote incident prevention programs.

Come hear Allan Thomson on the topic: “Why is CTI Automation harder than it needs to be... and what can security teams do about it?”

Threat intelligence is well known as an important part of the CERT and incident responder's toolkit.

However, sharing intelligence across the heterogeneous tools and environments that different organizations and groups (e.g. security operations vs. threat research vs. incident responders) use is a real challenge to the successful use and impact of threat intelligence. When you expand those problems from a single organization to different companies, CERTs and countries, the complexity and variability increase significantly.

If you then try to drive automation with threat intelligence, for example by feeding it to a firewall or web gateway, the problems of inconsistent data sets, inconsistent semantics and unexpected behaviours result in significant headaches for the security practitioners downstream of the data providers.

This presentation will cover some real-world problems of threat intelligence sharing in heterogeneous environments and provide some insights on how the newer standards, STIX v2, TAXII v2 and OpenC2, solve those problems for many use cases, both within a single organization and across multiple organizations.

As part of the recommendations and insights, we will present what the OASIS Cyber Threat Intelligence Interoperability program has defined, some of the key CERT and incident responder use cases that the program supports, and some thoughts on adapting the program to future use cases of threat intelligence and automation. We will also include lessons learned from the recent interoperability plugfest. Finally, we will wrap up with the key interoperability standards aspects that CERTs and other users of threat intelligence should consider before making decisions on threat intelligence data and tool providers.

More Information

STIX2/TAXII2 workshop (2:45)

  • Overview of STIX2 Domain Objects
  • Overview of STIX2 Graph Model
  • Brief background on what changed and why from STIX1
  • Overview of TAXII2
  • Brief background on what changed and why from TAXII1
  • Interactive threat report modeling exercises
  • STIX Indicator Patterning exercises
  • Tour of STIX2/TAXII2 open-source libraries and tools
  • Hands-on coding exercises (using cloud-based Python Jupyter notebooks):
    • How to interact with a TAXII2 server
    • How to generate STIX2 indicators, sightings, etc.
    • i18n and intra-lingual analyst workflow (i.e., how to use STIX2 to collaborate with teams using other languages)

About the Speakers

  • Allan Thomson
    Chief Technology Officer, LookingGlass Cyber Solutions

    Allan Thomson is LookingGlass's Chief Technology Officer (CTO), responsible for technology product vision, strategy and architecture across the Threat Intelligence Management and Threat Mitigation & Response product lines. Allan is currently serving as Co-Chair of the Interoperability Subcommittee of the Cyber Threat Intelligence Technical Committee at OASIS, as well as a lead contributor to the OpenC2 automation standards. He was recently recognized by OASIS as a Distinguished Contributor for his work on standards at OASIS. Previously, he was Principal Engineer and Architect for Threat Defense products at Cisco Systems, with active involvement in standards for security (IETF/IEEE) and distributed systems.

  • Richard Struse
    Chief Strategist, The MITRE Corporation, US

    Richard Struse is the Chief Strategist for Cyber Threat Intelligence (CTI) at The MITRE Corporation, leading the effort to improve cyber defense by better understanding the adversary’s tactics and techniques. In addition, he is the chair of the Cyber Threat Intelligence Technical Committee within OASIS, an international standards development organization. Previously, Mr. Struse served as the Chief Advanced Technology Officer for the U.S. Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), where he was responsible for technology vision, strategy and implementation in support of the NCCIC’s mission. Mr. Struse is the creator of the STIX and TAXII automated information sharing initiatives, which have been widely adopted across the public and private sectors. In October 2014, Secretary of Homeland Security Jeh Johnson presented Mr. Struse with one of the department’s highest honors, the Secretary’s Award for Excellence, in recognition of his pioneering work on STIX and TAXII. Prior to joining DHS, Mr. Struse was Vice President of Research and Development at VOXEM, Inc., where he was responsible for the architecture, design and development of a high-performance, extremely high-reliability communications software platform that is in use in telecommunications systems around the world. He began his technical career at Bell Laboratories, where his work focused on tools to automate software development and on the UNIX operating system. In 2015 Mr. Struse was named by Federal Computer Week as one of the “Federal 100” in recognition of his leadership role in the development of cyber threat intelligence technology standards. In 2016, OASIS selected Mr. Struse to receive its “Distinguished Contributor” award for his work as “a pioneer in the development of the STIX, TAXII, and CybOX standards,” noting that he “was instrumental in successfully transitioning the CTI work to OASIS.”

  • Trey Darley
    Director of Standards Development, New Context, BE

    Trey Darley currently serves as Director of Standards Development at New Context. He has been working in infosec for years, including stints at NATO and Splunk's Security Practice. Trey is actively developing security-focused open standards, serving as a co-chair within the OASIS Cyber Threat Intelligence (CTI) Technical Committee responsible for STIX/TAXII, and is heavily engaged with the OpenC2 Technical Committee. Trey's articles have been featured in publications such as IEEE Security & Privacy and USENIX ;login:. He has presented at a number of security conferences, including O'Reilly Security, BruCON, USENIX LISA, and various FIRST events. Trey is a FIRST Liaison Member and the official liaison between OASIS and FIRST, a long-time member of the BruCON organizing committee, an OASIS Technical Advisory Board member, Technical Director of the IoT ISAO, and a CISSP.