The cyber threat intelligence landscape is ever-increasing in sophistication as threat intelligence vendors continuously improve their products and user organisations are becoming more mature. To remain at the forefront of this evolution, Elemendar needs to constantly ensure that our CTI processing technology can perform in this changing threat intel landscape.
Elemendar’s READ. helps analysts transform unstructured CTI data into a structured STIX format at speed and at volume. READ. enables CTI analysts to process human authored, unstructured CTI data and translate it into a structured STIX format. It achieves this through machine learning models which help reduce the manual processing time required for an analyst to build STIX outputs from text-based documents, such as a report, blog or piece of news. Such documents are likely to contain a description of malicious cyber activity (for example, a table of suspicious IP addresses) and these provide valuable data on vulnerabilities and potential protective measures. The machine learning process trains READ. to understand and categorise particular ‘entities’ of interest, including ‘threat indicators’ in the STIX language.
During the initial development of READ. STIX 2.0 was the latest industry standard for CTI analysis, which supported JSON serialisation and enabled better sharing and automated processing of CTI than previous standards. STIX 2.0 was first to provide a vocabulary of both STIX ‘Domain Objects’ (SDOs) and STIX ‘Relationship Objects (SROs). Broadly, an SDO describes a unique concept in a CTI dataset, and an SRO describes the relationship that can occur between the SDOs used to describe the CTI dataset of interest.
As STIX has been updated over time, in 2019 we saw the release of STIX 2.1 which provides for more detail in describing CTI. STIX 2.1 features language meta-objects and five new SDOs that provide significant support for the human analyst. STIX 2.1 also features an improved Malware SDO and Malware analysis for both static and dynamic captures. Another addition which makes the STIX language more expressive is the confidence property to most SDOs, which makes explicit the CTI producer’s confidence in registering the reliability of their data source and interpretation of data.
With STIX 2.1 finally being adopted by more CTI analysts and organisations, Elemendar has updated READ. to support STIX 2.1 output as well. READ. can now output STIX 2.1 bundles which can be used by Threat Intelligence Platforms and other tools at the API level. Applying this update at the STIX bundle level allows us to automatically append all new and relevant SDO/SROs, enabling further analysis and input from CTI analysts. More importantly, our application of STIX 2.1 to the development READ. will ensure that the product remains true to its objective of producing effective intelligence.
In 2022, READ will also automatically extract and support the annotation of these new STIX 2.1 objects, to produce STIX outputs that optimally support CTI analysts with reliable data sources and the interpretation which makes the output more expressive. We can’t wait to hear from our users how STIX 2.1 is improving their analysis operations and how we can further support better automation and data standards in the industry.