Page 185 - ITU KALEIDOSCOPE, ATLANTA 2019
ICT for Health: Networks, standards and innovation
Integrated Adaptive Cyber Defense (IACD) is a research effort jointly funded by the US Department of Homeland Security (DHS) and the US National Security Agency (NSA), in collaboration with The Johns Hopkins University Applied Physics Lab (JHU/APL) and industry. IACD seeks "to revolutionize cybersecurity ... through the universal automation and interoperability of cyber defenses" [40]. IACD is an effort to get humans from 'in the loop' to 'on the loop'. The focus is product-agnostic interoperability by decoupling functions and standardizing interfaces. IACD seeks to create an adaptable, extensible ecosystem "to dramatically change the timeline and effectiveness of cyber defense via integration, automation, and information sharing." This can be accomplished by decoupling the functions and standardizing the interfaces between functions. IACD categorizes security functionality into:

• sensing: gathering all the data
• sense-making: correlating and analyzing data, transforming it into information, knowledge and intelligence
• decision-making: deciding what to do
• acting: sending the actual commands.

Gap analysis of the IACD work has led to standards activities in sharing threat intelligence, sharing courses of action, and in a common command and control (C2) language.

One of the IACD objectives is the sharing of threat data among interested, trusted parties. DHS started an industry forum on threat sharing that evolved and moved into OASIS, a non-profit standards development organization. The OASIS Cyber Threat Intelligence (CTI) Technical Committee (TC) [41] created the Structured Threat Information Expression (STIX™) [42] and the Trusted Automated Exchange of Intelligence Information (TAXII™) specifications [43] to address the need to model, analyze and share cyberthreat intelligence. Figure 3 shows an example of the STIX™ ontology.

Figure 3 – Example of STIX™ Ontology

Figure 4 shows an automation flow including STIX™, TAXII™, OpenC2 and CACAO.

Threat sharing has not been as effective as envisioned and has run into obstacles [44]. The initial STIX™ version 1 specification was not readily accepted by industry. Version 2 is now available with significant improvements addressing many of the industry concerns and is gaining broader adoption. In the US, the passage of the Cybersecurity Information Sharing Act [45] incentivized sharing by removing certain liabilities. Significant progress has been made in this area, particularly in certain industry groups working with their Information Sharing and Analysis Centers (ISACs).

Maximizing the benefit of STIX™ involves not only sharing 'what happened' but also deciding 'what to do', called Courses of Action (CoAs). To effectively share CoAs, standards are required both for atomic actions and for a playbook including the decision points and the flow of the atomic actions.

Another IACD objective is the standardization of the command and control (C2) language for security technologies, i.e. the atomic actions in a CoA. For example, firewalls have existed for over 25 years, yet the 'word' used to prevent a packet passing through the firewall could be 'drop', 'deny', 'reject', 'block', 'blacklist', etc., depending on which implementation is used. This is compounded across many security technologies, with new ones being continuously added. This poses several problems for the user community. It is hard to share CoAs when two organizations use different vendor products. The cost of retooling disincentivizes changing vendors or adding alternative vendor products. This was less of an issue when security technology consisted of physical appliances. In today's cloud/IoT environment, switching vendors and/or adding new technologies should be quicker and easier.

The OASIS Open Command and Control (OpenC2) Technical Committee was founded to standardize machine-to-machine command-and-control to enable cyber defense system interoperability at machine speed [46,47]. Just as automation has a fundamental impact on attacker economics, OpenC2 will have a fundamental impact on defender economics [48,49].

The OASIS Collaborative Automated Course of Action Operations (CACAO) for Cyber Security Technical Committee [50] develops standards for implementing CoAs including the decision points and playbooks mentioned earlier.
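The following is an added illustration, not code from the paper or from any OASIS committee, of the sensing/sense-making, decision-making and acting split described above and of why a vendor-neutral C2 vocabulary matters. It reads IPv4 indicators out of a constructed STIX 2 bundle (as a TAXII feed might deliver one), turns the high-confidence ones into vendor-neutral 'deny' commands in the OpenC2 action/target shape, and only at the last step translates the single canonical action into each product's own verb ('drop', 'reject', 'block'). Assumptions: the STIX pattern parser handles only the simple `[ipv4-addr:value = '...']` form, the vendor names and their CLI syntax are invented placeholders, and the `sense_make`/`decide`/`act`/`run_pipeline` names are mine.

```python
"""Added example (not from the paper): a minimal IACD-style pipeline
STIX indicator -> OpenC2-shaped deny command -> vendor-specific verb."""
import json
import re

# Constructed sample STIX 2.1 bundle; the ids and values are placeholders.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-0000000000a1",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.5']",
         "confidence": 85},
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-0000000000a2",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7']",
         "confidence": 30},
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-0000000000a3",
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'example.invalid']",
         "confidence": 90},
    ],
}

# Assumption: only the simplest single-comparison IPv4 pattern is supported.
_IPV4_INDICATOR = re.compile(
    r"^\[ipv4-addr:value\s*=\s*'(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)'\]$"
)


def sense_make(bundle):
    """Sensing/sense-making: extract IPv4 indicators with their confidence."""
    found = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        match = _IPV4_INDICATOR.match(obj.get("pattern", ""))
        if match:
            found.append({"ipv4": match.group(1),
                          "confidence": obj.get("confidence", 0),
                          "source": obj["id"]})
    return found


def decide(indicators, min_confidence=70):
    """Decision-making: one vendor-neutral 'deny' command per indicator that
    clears the confidence threshold. The action/target/args shape follows the
    OpenC2 Language Specification v1.0; nothing vendor-specific appears here."""
    commands = []
    for ind in indicators:
        if ind["confidence"] < min_confidence:
            continue
        commands.append({
            "action": "deny",
            "target": {"ipv4_net": ind["ipv4"]},
            "args": {"response_requested": "complete"},
        })
    return commands


# Constructed vendor dialects: the same canonical action, three different words.
VENDOR_DENY_VERB = {
    "vendor_a": "drop",
    "vendor_b": "reject",
    "vendor_c": "block",
}


def act(command, vendor):
    """Acting: render the canonical command in one vendor's (invented) syntax.
    This adapter is the only place that knows the product's vocabulary."""
    if command["action"] != "deny" or "ipv4_net" not in command["target"]:
        raise ValueError("adapter only implements deny / ipv4_net")
    try:
        verb = VENDOR_DENY_VERB[vendor]
    except KeyError:
        raise ValueError(f"no adapter for {vendor!r}") from None
    return f"{verb} src {command['target']['ipv4_net']}"


def run_pipeline(bundle, vendors, min_confidence=70):
    """Run all three stages and fan the same decision out to several products."""
    commands = decide(sense_make(bundle), min_confidence)
    return {v: [act(c, v) for c in commands] for v in vendors}


if __name__ == "__main__":
    print(json.dumps(run_pipeline(SAMPLE_BUNDLE, list(VENDOR_DENY_VERB)), indent=2))
```

Swapping a product means adding one entry to the adapter table; the shared indicator feed and the decision logic are untouched, which is the decoupling the IACD text argues for. The domain-name indicator is deliberately ignored by this parser to show that a real sense-making stage has to decide what it cannot act on, not just what it can.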