Standards

This chapter list standards such as (STIX, TAXII, IODEF) and describes their role in supporting effective DFIR/Response operations. It provides a short overview and provides pointers to more extensive resources.

Atomic Network Indicators

The CTI-SIG is proposing the use of the following field names for the atomic network indicators:

• feed_name: name of the provider
• ip_as_name: The autonomous system name from which the indicator originated
• ip_asn: The autonomous system number from which the indicator originated
• type: the original atomic indicator data type (url, fqdn, ip):
  • url: url (if reported by the source)
  • domain: fqdn (if reported by the source)
  • ip: ip
• geolocation_cc: Country code denoted for the ip
• network: BGP prefix.
• first_seen: first time the feed distributed the atomic indicator
• last_seen: last time the feed distributed the atomic indicator

• Cyber Threat Intelligence SIG
  • Curriculum
    • Introduction
    • Introduction to CTI as a General topic
    • Methods and Methodology
    • Priority Intelligence Requirement (PIR)
    • Source Evaluation and Information Reliability
    • Machine and Human Analysis Techniques (and Intelligence Cycle)
    • Threat Modelling
    • Training
    • Standards
    • Glossary
    • Communicating Uncertainties in CTI Reporting
  • Webinars and Online Training
  • Building a CTI program and team
    • Program maturity stages
      • CTI Maturity model - Stage 1
      • CTI Maturity model - Stage 2
      • CTI Maturity model - Stage 3
    • Program Starter Kit
    • Resources and supporting materials