RedSocks_Stix-Taxii

RedSocks adopting the STIX and TAXII standards

Here at RedSocks one of our main subjects during conversations, development discussions and at the board level is about the subject privacy. Since the appearance of Edward Snowden, privacy is the main subject that is changing the build fundamentals of the internet. Fundamental parts of the internet get rebuilt, rechecked and new (mainly encryption) standards get adopted very quickly. Where as a messenger service in the past had to be reliable and quick, it now has to be reliable, quick ánd encrypted.

At RedSocks we built an appliance that works for everyone, wherever you place it. Because of privacy concerns we decided that our intelligence team will not get any feedback from the appliances positioned at our customers. Our vision is that the malware our appliance finds in your network, is your malware. And you are the person to decide what to do and how to deal with it.

An important part of our appliance is the intelligence it is fed. Our RedSocks Malware Intelligence Team (RS-MIT) gathers this information and feeds it to the appliance. Our team has one focus: we want all information possible, directly when available, straight into the appliance. In order to achieve this goal we needed to find a structured way of working. Hence is why we found the STIX and TAXII standards and decided to adopt both. By adopting those standards we basically create a feed of intelligence and give our customers the ability to use this feed for their own benefits. For us it is now possible to quickly process large amounts of intelligence data and feed it to the appliance.

Within the information security community there are lots of efforts to share intelligence. Banks for example have different sharing platforms (ISF-CCSA) as several CERTs do. One of our main focuses is protection against current, real-time and predictable threat actors. Within these intelligence sharing communities intelligence is shared that won’t be accessible for the RS-MIT at our preferred time schedule, which is: directly when available. Because of this reason we have decided to implement a feature in our appliance that is able to import malware intelligence that is structured according to the STIX and TAXII format. This way we give any company the ability to feed our appliance their own custom malware intelligence feed. In such a way that our RedSocks appliance functions the way we want it to function!

What is STIX? (form their website)
STIX™ is a collaborative community-driven effort to define and develop a standardized language to represent structured cyber threat information. The STIX Language intends to convey the full range of potential cyber threat information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible. All interested parties are welcome to participate in evolving STIX as part of its open, collaborative community.

What is TAXII? (from their website)
TAXII™ defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organization and product/service boundaries. TAXII, through its member specifications, defines concepts, protocols, and message exchanges to exchange cyber threat information for the detection, prevention, and mitigation of cyber threats. TAXII is not a specific information sharing initiative or application and does not attempt to define trust agreements, governance, or other non-technical aspects of cyber threat information sharing. Instead, TAXII empowers organizations to achieve improved situational awareness about emerging threats, enabling organizations to share the information they choose with the partners they choose.

Geplaatst door Rickey Gevers

Back to overview