Cyber threat intelligence
Note that the term cyber is arguably misused in the context of "Cyber Threat Intelligence" [1] and should be considered more as an equivalent for "Digital Threat Intelligence" or "Internet Threat Intelligence".
Terminology
Indicator
Cyber Threat Indicator: A set of cyber observables combined with contextual information intended to represent artifacts and/or behaviors of interest within a cyber security context. [2]
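The definition above has two halves: the observables (addresses, domain names, hashes) and the context that makes them an indicator (what they represent, how confident the analyst is, when they are valid). The following is an added example, not code from the original page or from any of the standards listed below; it models an indicator as exactly those two halves, screens constructed DNS/flow observations against it, and renders the result as a STIX 2.1-shaped object with a hand-assembled STIX pattern (it does not use the stix2 library). All class names, the sample indicator and the observations are this example's own constructed data, using documentation-reserved values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional
import uuid


@dataclass(frozen=True)
class Observable:
    """One cyber observable: an object type and the value seen for it."""
    kind: str   # STIX-style object type, e.g. "ipv4-addr" or "domain-name"
    value: str


def _stix_ts(dt: datetime) -> str:
    """STIX 2.1 timestamp form: UTC, millisecond precision, trailing Z."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


@dataclass
class Indicator:
    """A set of observables plus the context that turns them into an indicator."""
    observables: FrozenSet[Observable]
    description: str               # what artifact/behaviour this represents
    confidence: int                # 0..100, the analyst's confidence
    valid_from: datetime
    valid_until: Optional[datetime] = None
    labels: List[str] = field(default_factory=list)
    id: str = field(default_factory=lambda: f"indicator--{uuid.uuid4()}")

    def is_valid_at(self, when: datetime) -> bool:
        """Context matters: an expired or not-yet-valid indicator must not fire."""
        if when < self.valid_from:
            return False
        return self.valid_until is None or when < self.valid_until

    def matches(self, observation: Dict[str, str], when: datetime) -> bool:
        """True if the observation shares any observable with this indicator
        and the indicator is valid at the time of the observation."""
        if not self.is_valid_at(when):
            return False
        seen = {Observable(kind, value) for kind, value in observation.items()}
        return not seen.isdisjoint(self.observables)

    def stix_pattern(self) -> str:
        """Render the observables as one STIX 2.1 comparison pattern (hand-assembled)."""
        ordered = sorted(self.observables, key=lambda o: (o.kind, o.value))
        return "[" + " OR ".join(f"{o.kind}:value = '{o.value}'" for o in ordered) + "]"

    def to_stix_like(self) -> dict:
        """A STIX 2.1-shaped indicator object: field names follow the spec,
        the values are this example's constructed data."""
        obj = {
            "type": "indicator",
            "spec_version": "2.1",
            "id": self.id,
            "created": _stix_ts(self.valid_from),
            "modified": _stix_ts(self.valid_from),
            "description": self.description,
            "indicator_types": list(self.labels),
            "pattern": self.stix_pattern(),
            "pattern_type": "stix",
            "valid_from": _stix_ts(self.valid_from),
            "confidence": self.confidence,
        }
        if self.valid_until is not None:
            obj["valid_until"] = _stix_ts(self.valid_until)
        return obj


def build_example_indicator() -> Indicator:
    """Constructed indicator using documentation-reserved values (a TEST-NET-2
    address and an example.com host); not real threat data."""
    return Indicator(
        observables=frozenset({
            Observable("ipv4-addr", "198.51.100.7"),
            Observable("domain-name", "update.example.com"),
        }),
        description="Constructed: infrastructure contacted by a hypothetical downloader",
        confidence=60,
        valid_from=datetime(2014, 6, 1, tzinfo=timezone.utc),
        valid_until=datetime(2014, 12, 31, tzinfo=timezone.utc),
        labels=["malicious-activity"],
    )


def screen_observations(indicator: Indicator, observations) -> List[dict]:
    """Return the observations the indicator matches, honouring its validity window."""
    return [obs for obs in observations if indicator.matches(obs["fields"], obs["time"])]


# Constructed observations, as might be extracted from DNS and flow logs (not real data).
SAMPLE_OBSERVATIONS = [
    {"time": datetime(2014, 7, 2, tzinfo=timezone.utc),
     "fields": {"domain-name": "update.example.com"}},   # hit
    {"time": datetime(2014, 7, 2, tzinfo=timezone.utc),
     "fields": {"ipv4-addr": "198.51.100.8"}},           # near miss: different host
    {"time": datetime(2015, 3, 1, tzinfo=timezone.utc),
     "fields": {"ipv4-addr": "198.51.100.7"}},           # observable hit, but indicator expired
]

if __name__ == "__main__":
    ind = build_example_indicator()
    print(ind.stix_pattern())
    for hit in screen_observations(ind, SAMPLE_OBSERVATIONS):
        print("hit:", hit)
```

The third observation is the point of the exercise: the bare observable matches, but the indicator's validity window has passed, so a matcher that ignores context would raise a stale alert. Treating the observables and their context as one unit, as the definition does, is what keeps that from happening.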
TTP
TTP, in the context of cyber threat intelligence, is short for Tactics, Techniques and Procedures, also sometimes referred to as Tools, Techniques and Procedures.
TTPs are representations of the behavior or modus operandi of cyber adversaries. It is a term taken from the traditional military sphere and is used to characterize what an adversary does and how they do it, in increasing levels of detail. [3]
Note that the abbreviation TTP is highly ambiguous; e.g., in another context it can mean Trusted Third Party.
Standards
- CAPEC
- IDMEF
- IODEF
- OpenIOC
- OVAL
- STIX/CybOX/MAEC
- VERIS
- YARA
OpenIOC
Cons:
- A highly Mandiant-product-centric standard, though it seems to have diverged somewhat from this since version 1.1
External Links
- Driving a Collectively Stronger Security Community with Microsoft Interflow, by Jerry Bryant, June 23, 2014
- NIST Special Publication 800-150 (Draft) - Guide to Cyber Threat Information Sharing, by NIST [6]
Feeds (or equivalent)
CAPEC
IODEF
OpenIOC
STIX/CybOX/MAEC
- Cyber Observable eXpression
- Structured Threat Information eXpression
- Malware Attribute Enumeration and Characterization (MAEC)
- Standardizing Cyber Threat Intelligence Information with the Structured Threat Information eXpression (STIX™), by Sean Barnum, 2014