MISP - The Design and Implementation of a Collaborative Threat Intelligence Sharing Platform

Cynthia Wagner, Fondation RESTENA, 2, avenue de l'Université, L-4365 Esch-sur-Alzette, Luxembourg, cynthia.wagner@restena.lu
Alexandre Dulaunoy, CIRCL - Computer Incident Response Center Luxembourg, 41, Avenue de la Gare, L-1611 Luxembourg, Luxembourg, alexandre.dulaunoy@circl.lu
Gérard Wagener, CIRCL - Computer Incident Response Center Luxembourg, 41, Avenue de la Gare, L-1611 Luxembourg, Luxembourg, gerard.wagener@circl.lu
Andras Iklody, CIRCL - Computer Incident Response Center Luxembourg, 41, Avenue de la Gare, L-1611 Luxembourg, Luxembourg, andras.iklody@circl.lu
ABSTRACT
The IT community is confronted with incidents of all kinds and nature; new threats appear on a daily basis. Fighting these security incidents individually is almost impossible. Sharing information about threats within the community has become a key element of incident response and of staying ahead of the attackers. Reliable information resources, providing credible information, are therefore essential to the IT community and, at a broader scale, to intelligence communities or fraud detection groups.
This paper presents the Malware Information Sharing Platform (MISP) and threat sharing project, a trusted platform that allows the collection and sharing of important indicators of compromise (IoCs) of targeted attacks, but also threat information such as vulnerabilities or financial indicators used in fraud cases. The aim of MISP is to help in setting up preventive actions and counter-measures against targeted attacks, and to enable detection through collaborative knowledge sharing about existing malware and other threats.
Keywords
Threat intelligence management; IT security; collaborative information sharing; trust; incident response
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.
WISCS'16, October 24 2016, Vienna, Austria
© 2016 Copyright held by the owner/author(s). Publication rights licensed to ACM.
ISBN 978-1-4503-4565-1/16/10 ... $15.00
DOI: http://dx.doi.org/10.1145/2994539.2994542
1. INTRODUCTION
The number of new threats and incident indicators is constantly increasing and there is no indication that this trend will stop soon. Detecting and handling these threats individually has become almost impossible, since accurate classification and reliable taxonomies of threats differ between existing solutions, and the distribution of information is often limited or restricted to selected users. This poses major constraints.
In the era of 'generation Y' or 'generation social media', individuals who grew up with technology to become so-called digital natives, sharing and collaboration within a community has become an attitude towards life. Recently, this trend of sharing all kinds of information within a community can also be observed in the IT community. Promoting collaboration and information sharing is critical in community-driven domains such as IT: on the one hand because of the sensitivity of the data, and on the other because by sharing information new threats can be identified more quickly in a joint effort and the response can be adequately coordinated throughout the whole community. Therefore, having reliable information sharing platforms in place will be a key to successful collaboration and incident response in the near future.
This paper presents the Malware Information Sharing Platform, also called MISP, and provides an overview of its technical implementation. The aim of this project is to provide a platform where actors of private or public IT communities can share information and IoCs about existing threats from various domains, such as cyber security, finance, etc., to contribute to a better overall security understanding.
The paper is organized as follows: Section 2 discusses recent works that deal with the collection and sharing of threat intelligence. Section 3 provides the motivation for MISP and describes the most important technical modules, such as the sharing models and the synchronization process. Section 4 briefly describes the actual MISP platform. Section 5 shows actual results about usage and relevant statistics. Future work and conclusions are given in Section 6.
2. RELATED WORK
Information sharing is a major asset in the IT world and has gained significant importance in research too. Large companies selling threat intelligence as part of their commercial solutions have gained a large market share, for example IBM, Dell SecureWorks, CrowdStrike, McAfee, Cisco, Check Point and many more.
Dandurand et al. [5] explain that the most important requirements for a successful threat intelligence system are the facility to share information, to automate information sharing, and to generate, refine and control data. In [5], these requirements were extended by defining a concept of knowledge management for the area of cyber security and adding further needs, including the ability to collaborate and human and/or machine interfaces for automation, to cite only a few. In [15], the difficulty of and motivation for information sharing are discussed, such as trust issues and the problem of keeping the online community active and contributing. [3] gives an overview of the challenges encountered in the domain of threat intelligence and tries to summarize the requirements and needs for building successful threat intelligence platforms. It also highlights requirements concerning the added value of shared data, privacy and legal issues for these systems.
For sharing information, a lot of effort has already been put into structuring information by introducing different kinds of data formats and transport mechanisms. For example, in [2] STIX/TAXII was introduced to combine human- and machine-readable data for sharing information. In [6] the Incident Object Description Exchange Format (IODEF) is described. It provides a data sharing framework for computer security incident response teams by combining text with structured data. A similar approach is introduced in [14].
Besides the various existing data formats and transport mechanisms, several technical implementations of threat intelligence platforms exist. In [10], a model representing the topology of sharing as a graph is introduced that applies parameters like the added value of information and trust/repudiation. In [12], a new method to assess the threat level of a piece of malware is presented, where scoring factors weigh the malware to evaluate its level of threat. Another method is presented in [1], where a threat intelligence platform is designed that uses a publish-subscribe communication model by combining STIX with the Extensible Messaging and Presence Protocol (XMPP).
Evaluating and representing large quantities of information is also a major problem in the daily management of information sharing platforms. In [20], for example, a data mining approach based on similarity metrics is presented to identify statistical patterns and other relations in shared information, such as real incident tickets.
Another important point in information sharing is the usability and user experience (UX) of existing platforms. In [17], a systematic study is presented that highlights the human elements involved in using information sharing platforms and discusses the major user experience requirements for improving the usability of this kind of platform.
Recently, many guidelines, best practices and summaries of existing platforms have been published. In [11], guidelines for information sharing as well as the benefits and challenges of information sharing are discussed. In [18], a survey on the implementation and organization of information sharing platforms was carried out to discuss the overall dimension of information sharing. It concluded that the effectiveness of the platforms could be increased by having a strongly active sector-oriented community within which incidents could be shared rapidly together with experience reports. In [8], a case study on information sharing was performed in order to identify issues and hurdles in the organizational, technical and legal domains. An outcome of this survey indicated that information sharing remains a group activity and that there is a real need to reduce the number of false positives. In [9], ENISA provides a summary of the threat landscape and discusses and encourages both secure communication and information sharing between CERTs.
3. OVERVIEW OF MISP
The following section describes the motivation for the sharing model as well as the major technical modules, among others the graph modular approach and the redundancies that were implemented for the MISP platform.
Before focusing on the technical side of the platform, the term 'information' in the context of the MISP platform should be defined. In this paper, information that can be shared is defined as any kind of relevant threat indicator, IoC, and all other kinds of information from various domains such as cyber security, finance, etc.
3.1 Data model
The data model describes the standard description format for creating events in MISP. The main motivation was to have a simple and convenient format while at the same time enabling more complex requirements. An advantage of this simple approach is that users can decide for themselves the level of granularity of the information they want to share. For example, a user can describe an event with multiple attributes, providing as much information as possible, or put only a minimum of information into an event.
Another reason for this model was to have a flat model to ease parsing and to avoid ambiguity (as found, for example, in STIX). Composite observables in STIX are very often flattened or neglected by the parser, which leads to observables being rejected instead of included. The main objective is to rely on a minimum viable data format and to extend it as the need for additional complexity arises, instead of trying to capture all possible future requirements in advance.
A new entry in MISP is called an event object. An event can be defined as a set of characteristics and all kinds of descriptions of an IoC, including attachments, etc. These characteristics and relevant pieces of information are called attributes. Event-level fields are, for example, the IoC date, threat level, comments, organisation, etc.
Each attribute carries two classifiers, a category and a type. The main difference is that the category holds more general information, such as targeting data, network activity, type of fraud, etc., whereas the type describes the kind of value, such as checksums (md5, sha1), filename, hostname, IP address, email source and destination, etc. Furthermore, an event can also have tags. A simplified representation of this data model is given in Figure 1.
Figure 1: Simplified event representation in MISP
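As an added example (not code from the paper or from the MISP project), the following Python builds an event in the JSON shape that MISP instances exchange: an Event envelope with the event-level fields, a list of Attribute objects each carrying a category, a type and a value, and a list of Tag objects. The category/type table is a small subset reproduced from memory and is an assumption; the real mapping in MISP is much larger. The value checks and the sample event are this example's own.

```python
import re
import uuid
from datetime import date

# Subset of the category/type pairs MISP accepts (assumption; the real table
# in MISP is much larger and is the authority on what may be combined).
ALLOWED_TYPES = {
    "Payload delivery": {"md5", "sha1", "sha256", "filename", "filename|sha256", "url", "malware-sample"},
    "Network activity": {"ip-src", "ip-dst", "hostname", "domain", "url"},
    "Artifacts dropped": {"md5", "sha1", "sha256", "filename", "filename|md5", "mutex"},
    "Financial fraud": {"iban"},
    "External analysis": {"link", "comment", "text"},
}

HEX_LENGTH = {"md5": 32, "sha1": 40, "sha256": 64}


def check_value(attr_type, value):
    """Syntactic check of a value for a given type (this example's own rules)."""
    if "|" in attr_type:  # composite type such as filename|sha256: value is name|hash
        left, right = attr_type.split("|", 1)
        if "|" not in value:
            return False
        left_value, right_value = value.split("|", 1)
        return check_value(left, left_value) and check_value(right, right_value)
    if attr_type in HEX_LENGTH:
        return re.fullmatch(r"[0-9a-fA-F]{%d}" % HEX_LENGTH[attr_type], value) is not None
    if attr_type in ("ip-src", "ip-dst"):
        parts = value.split(".")
        return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)
    if attr_type == "iban":
        compact = value.replace(" ", "")
        return re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}", compact) is not None
    return value.strip() != ""


def make_attribute(category, attr_type, value, to_ids=True, comment=""):
    """One attribute; to_ids marks whether the value is usable as a detection rule."""
    if attr_type not in ALLOWED_TYPES.get(category, ()):
        raise ValueError(f"type {attr_type!r} is not allowed in category {category!r}")
    if not check_value(attr_type, value):
        raise ValueError(f"malformed value for {attr_type}: {value!r}")
    return {"uuid": str(uuid.uuid4()), "category": category, "type": attr_type,
            "value": value, "to_ids": to_ids, "comment": comment}


def make_event(info, attributes, tags=(), threat_level_id=2, analysis=0, distribution=0):
    """Wrap attributes into the event envelope, which gets its own UUID."""
    return {"Event": {
        "uuid": str(uuid.uuid4()),
        "date": date.today().isoformat(),
        "info": info,
        "threat_level_id": threat_level_id,  # 1 high, 2 medium, 3 low, 4 undefined
        "analysis": analysis,                # 0 initial, 1 ongoing, 2 completed
        "distribution": distribution,        # sharing level, see section 3.2.1
        "Attribute": list(attributes),
        "Tag": [{"name": name} for name in tags],
    }}


def build_sample_event():
    """Constructed sample: a dropper, its C2 address and a money-mule IBAN."""
    attributes = [
        make_attribute("Payload delivery", "filename|sha256", "invoice.exe|" + "ab" * 32),
        make_attribute("Network activity", "ip-dst", "192.0.2.10"),
        make_attribute("Financial fraud", "iban", "LU28 0019 4006 4475 0000", to_ids=False),
    ]
    return make_event("Constructed sample event", attributes, tags=("tlp:white",), distribution=1)
```

The composite type shows why a flat model still needs one structural rule: a `filename|sha256` value is a single string with both halves separated by a bar, and each half is validated with the rule of its own type. Rejecting a category/type mismatch at creation time is what keeps the instance-wide filtering of section 3.3 meaningful.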
3.2 Sharing models
The motivation for sharing information can be manifold, since humans have contradicting needs in the sense of 'security versus relatedness'. On one side, people who share information about threats and incidents that occurred within a community would prefer to keep it secret. On the other side, by sharing information, new insights, similar information and possible response actions can be extracted from this community.
Intrinsic motivation, as described in self-determination theory [7], explains that humans can perform or initiate actions without the need for external rewards, but for internal ones. In this case this means that people explicitly share information about threats or incidents within a community (relatedness) in order to gain information about new threats that are published by others (security).
3.2.1 Sharing levels
MISP relies on the voluntary action of its community to share information and indicators. Furthermore, the reach of the content is left to the sharer, who can select one of the following sharing scenarios:
organization only: only members of the creating organization are allowed to see the event.
community only: users of the MISP community can see the event, including the organizations that run MISP servers synchronizing with that server.
connected communities: users of the MISP community, including organizations on this MISP server as well as on MISP servers synchronizing with that server; this also includes the hosting organizations of servers that connect to these servers.
all: the shared content is shared with all MISP communities.
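To make the reach of the four levels concrete, the following Python is an added model (not MISP's own code) of the rules listed above, run over a constructed chain of three synchronising instances. Two assumptions derived from the descriptions above are built in: an event's level is downgraded by one step each time it crosses a synchronisation link (and an organization-only event is never sent), and on the receiving instance the copy is owned by that instance's hosting organization. Organisation and instance names are constructed.

```python
from dataclasses import dataclass, field

ORG_ONLY, COMMUNITY, CONNECTED, ALL = 0, 1, 2, 3


@dataclass
class Instance:
    name: str
    host_org: str                              # organisation running this server
    orgs: list                                 # organisations with users here (includes host_org)
    peers: list = field(default_factory=list)  # instances this server synchronises with


def downgrade(level):
    """Level the copy is stored with after crossing one synchronisation link
    (model assumption): 'all' stays 'all', 'connected communities' becomes
    'community only', 'community only' becomes 'organization only', and an
    'organization only' event is never sent at all."""
    return {ALL: ALL, CONNECTED: COMMUNITY, COMMUNITY: ORG_ONLY}.get(level)


def visible_on(instance, level, owner_org):
    """Organisations on one instance allowed to see a copy stored at `level`
    and owned there by `owner_org`."""
    if level == ORG_ONLY:
        return {owner_org} & set(instance.orgs)
    return set(instance.orgs)


def reach(origin, level, creator_org):
    """Breadth-first propagation from the creating instance. Returns a dict
    {organisation: name of the instance where it first sees the event}."""
    seen = {}
    visited = {origin.name}
    frontier = [(origin, level, creator_org)]
    while frontier:
        inst, lvl, owner = frontier.pop(0)
        for org in visible_on(inst, lvl, owner):
            seen.setdefault(org, inst.name)
        next_level = downgrade(lvl)
        if next_level is None:
            continue
        for peer in inst.peers:
            if peer.name not in visited:
                visited.add(peer.name)
                # on the receiving side the copy is owned by that server's host org
                frontier.append((peer, next_level, peer.host_org))
    return seen


def build_topology():
    """Constructed chain A <-> B <-> C: A hosts the creator, C is two hops away."""
    a = Instance("A", "circl", ["circl", "bank1", "bank2"])
    b = Instance("B", "csirt-b", ["csirt-b", "vendor"])
    c = Instance("C", "csirt-c", ["csirt-c", "isp"])
    a.peers, b.peers, c.peers = [b], [a, c], [b]
    return a, b, c
```

On this topology an organization-only event created by bank1 never leaves instance A; community only reaches everyone on A plus the organisation hosting B; connected communities additionally reaches everyone on B and the host of C; and only all reaches the ISP on C. Running `reach` over a real topology before publishing is a cheap way to check what a chosen level actually exposes.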
3.2.2 Proposals
In order to ensure the integrity and veracity of the data distributed by MISP, the modification of events is only permitted to members of the creating organisation. However, one of the key aspects of successful information sharing is a focus on collaboration and providing the user base with a feedback loop. Proposals allow users to suggest changes to an event created by another organisation. Proposals are an integral part of the data that is distributed among MISP instances and will be further described in the section on the pull and push mechanisms. A user can submit a proposal for an event that was created by a different organisation on a remote instance. This proposal is reported back to the original creator of the event, who may accept or discard it. Either way, the outcome of this decision is propagated back to all interconnected instances.
Typical uses of this feature are, for example, notifying an event creator of false positives, asking for an error correction, or simply completing an existing event with additional findings.
3.3 Taxonomies
User experience collected from older MISP versions showed that people do not want to spend too much time filling in fields in web forms or copying and pasting information. A complicated user interface was one limiting factor of information sharing. Hence, the free-text importer feature was introduced. A user can copy and paste raw data into a single field that is then fed through an algorithm relying on heuristics to match the attributes. The resulting attributes are presented to the user, who has to validate the matches.
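The kind of heuristic matching such a free-text importer performs, as an added example written for this page (MISP's own implementation is not reproduced here): tokens are refanged, classified by a fixed order of patterns, de-duplicated and returned as candidate attributes for the user to validate. The sample paste is constructed, and the decision to keep private address space out of `to_ids` is this example's choice, not a MISP rule.

```python
import re

# Ordered (type, pattern) rules; the order matters because a hash would
# otherwise also be accepted by the looser rules further down.
RULES = [
    ("sha256", re.compile(r"^[0-9a-f]{64}$", re.I)),
    ("sha1", re.compile(r"^[0-9a-f]{40}$", re.I)),
    ("md5", re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("email-src", re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")),
    ("url", re.compile(r"^https?://\S+$", re.I)),
    ("ip-dst", re.compile(r"^(\d{1,3}\.){3}\d{1,3}(:\d{1,5})?$")),
    ("hostname", re.compile(r"^([a-z0-9-]+\.)+[a-z]{2,}$", re.I)),
]


def refang(token):
    """Undo the usual defanging conventions found in pasted reports."""
    token = token.strip("\"'<>,;()[]{}.")
    token = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", token)
    token = re.sub(r"^hxxps?", lambda m: m.group(0).replace("xx", "tt"), token, flags=re.I)
    return token.replace("[at]", "@").replace("[@]", "@")


def classify(token):
    """First matching rule wins; None means the token is not an indicator."""
    for attr_type, pattern in RULES:
        if pattern.match(token):
            return attr_type
    return None


def is_private(ip):
    first, second = (int(x) for x in ip.split(".")[:2])
    return (first == 10 or first == 127 or (first == 172 and 16 <= second <= 31)
            or (first == 192 and second == 168))


def extract_attributes(text):
    """Candidate attributes in order of appearance, de-duplicated, as
    (type, value, to_ids). Private addresses are kept for context but not
    flagged for IDS export (this example's choice)."""
    found, seen = [], set()
    for raw in re.split(r"\s+", text):
        token = refang(raw)
        if not token:
            continue
        attr_type = classify(token)
        if attr_type is None or token.lower() in seen:
            continue
        to_ids = True
        if attr_type == "ip-dst":
            ip = token.split(":")[0]
            if any(int(p) > 255 for p in ip.split(".")):
                continue  # looks like an address but is not one
            to_ids = not is_private(ip)
        seen.add(token.lower())
        found.append((attr_type, token, to_ids))
    return found


# Constructed sample paste, not taken from any real report.
SAMPLE = """
Dropper hxxp://evil-example[.]test/load.php contacts 198.51.100.7:8080 and
10.0.0.5. Hash: d41d8cd98f00b204e9800998ecf8427e (md5), sender bob[at]example.test
"""
```

Everything this function returns is still only a suggestion: the hostname rule, for instance, cannot tell an attacker domain from a legitimate one mentioned in the same paragraph, which is exactly why the platform hands the matches back to the user for validation before they become attributes.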
Interactions with MISP can be done through a REST (REpresentational State Transfer) interface. A Python library (PyMISP)¹ is available and allows interaction with the MISP API. Tools like the Cuckoo sandbox² and the Viper analysis framework³ support MISP, allowing bidirectional (pushing and/or pulling) exchange of information.
These features, in conjunction with the steadily increasing number of users, overwhelmed some users with information, which led to the requirement of filtering events. This requirement is also useful for handling information classification. The classification is often bound to internal, community or national classification schemes. Another common problem is the description of events or the mapping of events into categories. This is a complex task since the number of categories is not always known in advance; a typical example is the types of attack, which evolve and change quickly.
Experience has shown that these challenges are often related to the context and thus to the users of the MISP software. A centralized, predefined set of definitions satisfying all potential users is a hard challenge, and so a distributed approach based on machine tags was introduced. Tags can be defined per MISP instance and are exportable. This allows the reuse of tags from other MISP instances. The freedom of defining tags quickly led to a situation where tags were redefined, making filtering complicated. To overcome this problem, a new concept of tagging was introduced: the taxonomies.
A taxonomy is based on the triple-tag solution that was introduced by Flickr [19]. The triple-tag structure has a namespace, a predicate and a value. In the example
admiralty-scale:source-reliability="fair"
admiralty-scale is the namespace, source-reliability is the predicate and "fair" the value. A clear advantage of this concept is that the machine tags remain in a human-readable format. The repository of taxonomies for the open source community⁴ includes taxonomies modelling national, intelligence, law enforcement and CSIRT classifications and many other domains. In case none of the predefined taxonomies fits the description of an event, users can formulate their own taxonomy. This introduces a notion of folksonomy into MISP and keeps the tagging structure more organic.
¹ https://github.com/CIRCL/PyMISP
² https://www.cuckoosandbox.org/
³ https://github.com/viper-framework/viper
⁴ https://github.com/MISP/misp-taxonomies
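An added example (not the project's code) of what a taxonomy buys over free tags: a parser for the `namespace:predicate="value"` triple-tag form, a validator that only accepts tags the taxonomy actually defines, and a filter over events by namespace and predicate. The taxonomy definition is a constructed excerpt laid out like a machinetag.json file from the misp-taxonomies repository; its entries stand in for the real admiralty-scale file and are an assumption.

```python
import json
import re

# Constructed excerpt laid out like a misp-taxonomies machinetag.json file
# (namespace, predicates, values/entries); the entries are an assumption
# standing in for the real admiralty-scale file, which has more of them.
ADMIRALTY = json.loads("""{
  "namespace": "admiralty-scale",
  "description": "Source reliability and information credibility",
  "version": 1,
  "predicates": [
    {"value": "source-reliability", "expanded": "Source Reliability"},
    {"value": "information-credibility", "expanded": "Information Credibility"}
  ],
  "values": [
    {"predicate": "source-reliability",
     "entry": [{"value": "a", "expanded": "Completely reliable"},
               {"value": "b", "expanded": "Usually reliable"},
               {"value": "c", "expanded": "Fairly reliable"}]},
    {"predicate": "information-credibility",
     "entry": [{"value": "1", "expanded": "Confirmed by other sources"},
               {"value": "2", "expanded": "Probably true"}]}
  ]
}""")

# namespace:predicate or namespace:predicate="value"
TAG_RE = re.compile(r'^(?P<ns>[^:="\s]+):(?P<pred>[^:="\s]+)(?:="(?P<val>[^"]*)")?$')


def parse_tag(tag):
    """Split a machine tag into (namespace, predicate, value); the value is
    None for a two-part tag such as tlp:white."""
    match = TAG_RE.match(tag)
    if not match:
        raise ValueError(f"not a machine tag: {tag!r}")
    return match.group("ns"), match.group("pred"), match.group("val")


class Taxonomy:
    def __init__(self, definition):
        self.namespace = definition["namespace"]
        self.predicates = {p["value"] for p in definition["predicates"]}
        self.values = {v["predicate"]: {e["value"]: e.get("expanded", e["value"])
                                        for e in v["entry"]}
                       for v in definition.get("values", [])}

    def machinetags(self):
        """Every tag the taxonomy defines, i.e. what an instance imports."""
        tags = []
        for pred in sorted(self.predicates):
            if pred in self.values:
                tags += [f'{self.namespace}:{pred}="{v}"' for v in self.values[pred]]
            else:
                tags.append(f"{self.namespace}:{pred}")
        return tags

    def expand(self, tag):
        """Human-readable meaning of a tag, or ValueError if this taxonomy does
        not define it (this is what keeps filtering unambiguous)."""
        ns, pred, val = parse_tag(tag)
        if ns != self.namespace:
            raise ValueError(f"{tag}: namespace {ns!r} is not {self.namespace!r}")
        if pred not in self.predicates:
            raise ValueError(f"{tag}: unknown predicate {pred!r}")
        allowed = self.values.get(pred)
        if allowed is None:
            if val is not None:
                raise ValueError(f"{tag}: predicate {pred!r} takes no value")
            return pred
        if val not in allowed:
            raise ValueError(f"{tag}: {val!r} is not a defined value of {pred!r}")
        return allowed[val]


def filter_events(events, namespace, predicate, value=None):
    """Events carrying a tag with the given namespace/predicate (and value if
    given); events are dicts with a 'Tag' list as in MISP's JSON."""
    hits = []
    for event in events:
        for tag in event.get("Tag", []):
            try:
                ns, pred, val = parse_tag(tag["name"])
            except ValueError:
                continue  # free-form tag, not a machine tag
            if ns == namespace and pred == predicate and (value is None or val == value):
                hits.append(event)
                break
    return hits
```

Note that the paper's own example value "fair" is rejected by this constructed taxonomy, which only defines a, b and c for source-reliability: that is the intended behaviour, since a value outside the published list is exactly the kind of redefinition that made filtering on free tags unreliable.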
3.4 Synchronization protocol
In the following section, the synchronization protocol is explained in more detail. The algorithm used in MISP is the result of a trial-and-error approach, where the main focus was put on efficiency, accuracy and scalability. The final algorithm implemented in MISP consists of simple models called the pull, push and cherry-pick techniques.
As MISP is a distributed set of instances, each event is assigned a universally unique identifier (UUID). Beside this, events may contain one or more attributes, which also have uniquely assigned UUIDs.
3.4.1 Pull
The pull mechanism allows a MISP instance to discover available (and accessible, as defined by the distribution rules) events on a connected instance and download any new or modified events. During the entire synchronisation procedure, events are converted into a JSON representation for transfer, which consists of a set of events with the associated metadata. A quick run-through of the major logical steps of the algorithm is as follows (additional tasks such as access right checks are omitted for simplicity's sake):
1. Create a filter list based on the synchronisation filter rules to be passed to the remote instance.
2. Request the JSON output of the event index from the remote instance and pass along the generated filter parameters.
3. The remote instance generates this list taking into account any filter rules that the administrators of the remote instance may have created to filter the data outgoing to the instance that, in this case, is initiating the pull. This means that the list of events ends up being filtered by both the content consumer and the content provider.
4. Compare each event by its UUID to a potentially existing local copy. If no local copy exists or the local copy is out of date, add the UUID to the list of events to be pulled.
5. For each of the events to be pulled:
(a) Fetch the event JSON using its UUID from the remote instance.
(b) If a local version of the event already exists, perform the following steps as an edit, otherwise as a new event creation.
(c) Capture or update the related objects (such as related tags, sharing groups, and organisations involved with either the event directly or with the attached sharing groups, etc.).
(d) Save each of the attributes attached to the event. If an event is being edited, update attributes with the new data only if the local version is older.
(e) Finally, publish the event, which notifies users and propagates it further to interconnected instances (if applicable according to the event distribution settings and the synchronisation rules of the instance).
6. Once all events have been pulled, the second phase of the synchronisation begins: the synchronisation of proposals.
7. Request a JSON document containing all proposals from the remote instance.
8. The remote instance compiles a JSON document with all proposals that have been made to events visible to the requesting instance and returns it.
9. Loop through each proposal:
(a) Check whether the proposal already exists locally. If it does and the local version is not outdated, the next proposal is processed.
(b) If the proposal does not exist locally, a new proposal is created; otherwise the existing proposal is edited.
(c) Capture or update the creator organisation of the proposal.
(d) Once a proposal is saved, members of the event creator organisation are notified via e-mail.
10. If no more proposals are left to be processed, the pull procedure terminates.
3.4.2 Push
The push mechanism of MISP allows one instance to convert an event or a list of events to JSON format, which is then sent to a remote instance. This can be triggered either by initiating a full push of all applicable events to a single instance or simply by publishing an event, which triggers a push of that specific event alone, but to all connected and eligible instances. The algorithm works as follows:
1. Fetch the version number from the remote instance and, if the remote instance is at least a minor version behind, block the push and log an error message, since MISP cannot ensure that the remote instance is capable of handling the event.
2. Generate a list of events that are eligible to be pushed to the remote instance (based on the distribution settings and the filter rules on the synchronisation link).
3. Iterate through each of the eligible event IDs, convert the events to MISP's JSON format and POST them to the event creation API of the remote end.
4. At this point, there are several possible outcomes of the POST request:
(a) If the event does not exist on the remote end and can be created, the remote instance returns the newly created event and the push of the next item commences.
(b) If the event already exists and can be edited, the remote side matches the event by UUID to a local event and returns the URL that is to be used to update the event. The instance initiating the push can then push the event to the new URL, which results in an event edit.
(c) The remote instance blocks the event (for example if the event is already up to date, or is blocked by a local filter or blacklist, etc.).
5. If an event is saved, the remote MISP captures all related objects and creates them locally or updates any eligible objects (organisations, sharing groups, tags, proposals) that already exist.
6. After saving an event, be it from a creation or an update, applicable users are notified by e-mail and MISP initiates a push towards each interconnected instance that is eligible for the event.
3.4.3 Cherry Picking
MISP also provides an alternate pull method that allows users to selectively pick and choose the events that should be pulled to the local instance. To facilitate this, administrators can browse interconnected instances using a UI similar to the local event index, explore individual events using a view similar to the event view, and download specific events. The actual mechanism for fetching events this way is the pull mechanism described earlier, but with an event ID set as a target parameter.
Since this creates an issue in regard to keeping the cherry-picked events up to date, a sync update function allows administrators to restrict the data pulled to a subset containing only events that already exist locally, ignoring all new events. This again uses the default pull mechanism, but all event UUIDs that do not exist locally are discarded during the filter process.
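One in-memory model of the pull, push, cherry-pick and sync-update procedures of sections 3.4.1 to 3.4.3, written as an added example for this page and not taken from the MISP code base (proposal synchronisation, related objects and e-mail notification are left out). Its assumptions: an integer timestamp stands in for the "out of date" comparison, the receiving side stores the event one sharing level lower (following section 3.2.1), the provider withholds organisation-only events from its index, and a version tuple stands in for MISP's version string. The scenario built by `demo()` is constructed.

```python
import copy


class Instance:
    """Stand-in for one MISP server: an event store plus the three endpoints the
    synchronisation touches (event index, event by UUID, event creation)."""

    def __init__(self, name, version=(2, 4), blocklist=()):
        self.name, self.version = name, version
        self.events = {}                  # uuid -> event dict
        self.blocklist = set(blocklist)   # event UUIDs this administrator refuses

    def index(self, consumer_filter=None):
        """Metadata-only index: the provider withholds org-only events, then the
        consumer's own filter is applied (step 3 of the pull)."""
        rows = [{"uuid": e["uuid"], "timestamp": e["timestamp"]}
                for e in self.events.values() if e["distribution"] > 0]
        return [r for r in rows if consumer_filter is None or consumer_filter(r)]

    def fetch(self, event_uuid):
        return copy.deepcopy(self.events[event_uuid])

    def receive(self, event):
        """Outcome of a POST to the event creation endpoint (step 4 of the push)."""
        local = self.events.get(event["uuid"])
        if event["uuid"] in self.blocklist:
            return "blocked"
        if local is None:
            self.events[event["uuid"]] = copy.deepcopy(event)
            return "created"
        if local["timestamp"] >= event["timestamp"]:
            return "blocked"  # already up to date
        merge(local, event)
        return "updated"


def downgrade(level):
    # reach shrinks by one hop on the receiving side (assumption, modelled on
    # the sharing levels of section 3.2.1; org-only events are never sent)
    return {3: 3, 2: 1, 1: 0}[level]


def merge(local, incoming):
    """Edit in place: an attribute is replaced only if the incoming copy is newer
    (step 5d), so a stale peer cannot roll back a local correction."""
    local["info"], local["timestamp"] = incoming["info"], incoming["timestamp"]
    for attr_uuid, attr in incoming["attributes"].items():
        mine = local["attributes"].get(attr_uuid)
        if mine is None or mine["timestamp"] < attr["timestamp"]:
            local["attributes"][attr_uuid] = copy.deepcopy(attr)


def pull(local, remote, only_uuids=None, existing_only=False):
    """Pull from remote into local; only_uuids models cherry-picking and
    existing_only the 'sync update' of previously cherry-picked events."""
    consumer_filter = None
    if only_uuids is not None:
        consumer_filter = lambda row: row["uuid"] in only_uuids
    elif existing_only:
        consumer_filter = lambda row: row["uuid"] in local.events
    pulled = []
    for row in remote.index(consumer_filter):
        mine = local.events.get(row["uuid"])
        if row["uuid"] in local.blocklist or (mine and mine["timestamp"] >= row["timestamp"]):
            continue
        event = remote.fetch(row["uuid"])
        event["distribution"] = downgrade(event["distribution"])
        if mine is None:
            local.events[event["uuid"]] = event
        else:
            merge(mine, event)
        pulled.append(event["uuid"])
    return pulled


def push(local, remote):
    """Push every eligible event; refused outright if the peer runs an older version."""
    if remote.version < local.version:
        return {"error": f"{remote.name} runs {remote.version}, behind {local.version}"}
    outcomes = {}
    for event in local.events.values():
        if event["distribution"] == 0:
            continue
        out = copy.deepcopy(event)
        out["distribution"] = downgrade(event["distribution"])
        outcomes[event["uuid"]] = remote.receive(out)
    return outcomes


def make_event(event_uuid, info, ts, distribution, attrs):
    return {"uuid": event_uuid, "info": info, "timestamp": ts, "distribution": distribution,
            "attributes": {k: {"timestamp": ts, "value": v} for k, v in attrs.items()}}


def demo():
    """Constructed scenario: A holds three events; B already has an older copy of
    e1 on which it corrected one attribute, and B's administrator blocks e3."""
    a, b = Instance("A"), Instance("B", blocklist=["e3"])
    a.events["e1"] = make_event("e1", "campaign X", 200, 2, {"a1": "evil.test", "a2": "192.0.2.1"})
    a.events["e2"] = make_event("e2", "internal only", 200, 0, {"a3": "secret"})
    a.events["e3"] = make_event("e3", "blocked on B", 200, 3, {"a4": "x"})
    b.events["e1"] = make_event("e1", "campaign X (old)", 100, 1, {"a1": "evil.test"})
    b.events["e1"]["attributes"]["a1"] = {"timestamp": 300, "value": "evil.test (corrected)"}
    return a, b
```

The per-attribute timestamp comparison in `merge` is the part worth keeping in mind when reasoning about a real deployment: a pull that brings in a newer event still leaves B's locally corrected attribute a1 untouched, because the correction is newer than the remote copy of that attribute, while the new attribute a2 is added. The version check in `push` refuses the whole push rather than sending events a peer may not parse.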
3.4.4 Feed system
The synchronisation system works well for interconnected MISPs, but there are scenarios where a direct link between MISP instances is not feasible (for example when dealing with air-gapped systems), and in some cases content providers might want to share their data either indirectly with clients or open it up to a wider audience. To support these use-cases, MISP has a built-in feed functionality.
A configurable feed generator script generates a dump of the selected events as separate JSON files along with a manifest file that includes the metadata of each event contained in the feed dump. The output can simply be served via a web server, and other MISP instances can browse the contents via the UI, similarly to how cherry picking works. Administrators can then choose to pull the whole feed, create filter rules to pull a subset of the feed, or simply cherry-pick the data that they deem useful for their instance. Alternatively, for air-gapped systems, the feed dump can be distributed out-of-band and served locally by the recipient for ingestion by their own internal, air-gapped MISP.
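An added example (not the project's feed generator) that writes and reads a feed in the layout described above, from both the provider and the consumer side. The three files and their contents (one JSON file per event named by event UUID, a manifest.json keyed by event UUID, and a hashes.csv pairing an md5 of each attribute value with its event UUID) are reproduced from memory and should be treated as an assumption; the events are constructed.

```python
import hashlib
import json
import os
import tempfile
import uuid


def write_feed(events, directory):
    """Provider side. Layout (assumption from memory): one <event uuid>.json per
    event, manifest.json with the metadata of every event, and hashes.csv with
    an md5 of each attribute value and the UUID of the event that holds it."""
    os.makedirs(directory, exist_ok=True)
    manifest, hashes = {}, []
    for wrapped in events:
        e = wrapped["Event"]
        with open(os.path.join(directory, e["uuid"] + ".json"), "w") as fh:
            json.dump(wrapped, fh)
        manifest[e["uuid"]] = {k: e[k] for k in ("info", "date", "timestamp",
                                                  "threat_level_id", "analysis", "Orgc")}
        manifest[e["uuid"]]["Tag"] = e.get("Tag", [])
        for attr in e.get("Attribute", []):
            hashes.append((hashlib.md5(attr["value"].encode()).hexdigest(), e["uuid"]))
    with open(os.path.join(directory, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    with open(os.path.join(directory, "hashes.csv"), "w") as fh:
        fh.writelines(f"{h},{u}\n" for h, u in hashes)
    return manifest


def select_from_feed(directory, newer_than=0, tag=None):
    """Consumer side: read only the manifest, apply local filter rules
    (timestamp, tag) and fetch just the event files that pass."""
    with open(os.path.join(directory, "manifest.json")) as fh:
        manifest = json.load(fh)
    chosen = []
    for event_uuid, meta in manifest.items():
        if meta["timestamp"] <= newer_than:
            continue
        if tag is not None and tag not in {t["name"] for t in meta["Tag"]}:
            continue
        with open(os.path.join(directory, event_uuid + ".json")) as fh:
            chosen.append(json.load(fh))
    return chosen


def lookup_hashes(directory, values):
    """Check local observables against hashes.csv without loading any event;
    returns the UUIDs of events that contain one of the values."""
    wanted = {hashlib.md5(v.encode()).hexdigest() for v in values}
    hits = set()
    with open(os.path.join(directory, "hashes.csv")) as fh:
        for line in fh:
            digest, event_uuid = line.rstrip("\n").split(",")
            if digest in wanted:
                hits.add(event_uuid)
    return hits


def sample_events():
    """Two constructed OSINT-style events, not taken from any real feed."""
    def event(info, ts, tag, hostnames):
        return {"Event": {
            "uuid": str(uuid.uuid4()), "info": info, "date": "2016-06-16", "timestamp": ts,
            "threat_level_id": 3, "analysis": 2,
            "Orgc": {"name": "example-org", "uuid": str(uuid.uuid4())},
            "Tag": [{"name": tag}],
            "Attribute": [{"type": "hostname", "category": "Network activity", "value": h}
                          for h in hostnames]}}
    return [event("OSINT: constructed campaign 1", 1465000000, "tlp:white", ["c2.example.test"]),
            event("OSINT: constructed campaign 2", 1466000000, "tlp:green", ["drop.example.test"])]


def demo_feed():
    """Generate the feed into a fresh temporary directory; retur (directory, events)."""
    directory = tempfile.mkdtemp(prefix="misp-feed-")
    events = sample_events()
    write_feed(events, directory)
    return directory, events
```

Serving the resulting directory from any static web server is all that is needed on the provider side; on an air-gapped network the same directory is copied across and served locally. The manifest is what lets a consumer decide, per event, whether to fetch at all, and hashes.csv lets a consumer check observables against the feed without ingesting it.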
4. MISP - THE TOOL
The following section briefly describes the interface of MISP and provides some additional information. Figure 2 shows the login interface of the MISP platform, which can be accessed at https://mispriv.circl.lu; new users need to register with CIRCL first to get access to the platform. The platform is meant for private sector companies, including the ICT, antivirus, industrial, financial and other sectors [4].
Figure 2: The login screen of MISP
Figure 3: The MISP events index page - the default view after login
The index page, similar to a dashboard, represents a relevant part of the MISP user experience. It shows an index of all recent activities and events that were submitted, including their corresponding status. Figure 3 shows the index page after login. It groups the different events and provides a menu bar from which the user can select actions such as adding an event, listing attributes, exporting information, etc. An extended user guide [13] describes the use of MISP and explains the different steps to share information on the platform.
5. USAGE AND STATISTICS
In the following section, some statistics and usage figures are presented. The numbers in Table 1 reflect a snapshot from 16 June 2016 of one MISP instance dedicated to the private sector [4], regrouping mostly private companies willing to share information.

N  Description          Count
1  Events               3 769
2  Attributes           421 868
3  Correlations found   151 209
4  Proposals active     36 569
5  Users                797
6  Organisations        409
7  Discussion threads   159
8  Discussion posts     280

Table 1: MISPpriv sharing information in the private sector

It can be observed that on that date more than 3 700 events had already been created in the MISP database. These events carry a set of more than 420k attributes. It can also be observed that this large number of events was generated by a community of 400 organisations.
Figure 4: Distribution of events per month from 2013 to 2016 (plot "Event distribution over time"; x-axis: Month, 2014 to 2016; y-axis: Number of events, 0 to 350)
In 2013 and 2014, 50 events per month were quite common. In 2015 and 2016, these rates significantly increased to peak rates of 300 events per month. Figure 4 shows that over time, MISP has become more popular and more people and organisations are ready to share IoCs and other relevant threat information.
Figure 5: Average number of attributes per event per month (plot "Number of attributes per event over time"; x-axis: 2013 to 2016; y-axis: 0 to 300)
Figure 5 shows the number of attributes affiliated with an event. The number of attributes for an event is not fixed but adaptive: users can choose the number of attributes themselves, depending on the state of the event or their knowledge about it, to describe it precisely. This explains the variation in the number of attributes per event.
In the MISP instance for the private sector [4], 65 attribute types are used. Most of the threats are related to malware, so that hashes and host names dominate, helping users to detect malware samples.
Attribute type     Frequency
md5                99446
hostname           67313
ip-dst             40040
sha256             33887
sha1               26501
domain             25761
url                23585
link               21441
ip-src             137277
filename           3804
filename|sha256    3683
filename|sha1      3620
text               3614
malware-sample     3475
mutex              3452
comment            2003
filename|md5       1486
email-src          912
yara               678

Table 2: Top 20 used attribute types

Due to space constraints not all of them can be described in detail, but Table 2 shows the most used attribute types for describing an event.
However, requests for additional attribute types can be submitted to the open source development community⁵. Recently, non-technical attributes have been emerging, such as IBAN numbers and other information about threat actors. For example, IBAN numbers of money mules involved in financial abuse are shared. These IBAN numbers are mainly interesting for banks and accountants, who could block or check wire transfers to these accounts, which are often executed by attackers using financial malware.
In order to show the extensive daily usage of CIRCL's private sector MISP, a heat map of the activity in MISP is represented in Figure 6. This heat map shows the overall activity of MISP for a period of 4.5 months, from February to 16 June 2016. Each calendar day is represented by a green square.
The five different shades of green represent the number of items added to MISP on a given day. The lightest shade of green represents fewer than 5 items added per day; the next one, 5 to 10 items, followed by 10 to 50 items. The second darkest green represents 50 to 100 items and the darkest green more than 100 items added on a day.
From the heat map it can be concluded that the MISP instance was continuously used during 2016 with some exceptions. Squares represented in gray correspond to days on which no events exist. Less activity can be observed at the end of March for the Easter weekend. The same can be said for the weekend of May 1st, which is a national holiday in most European countries, and for the weekend of Whitsun.
⁵ https://github.com/MISP/MISP
Figure 6: MISPpriv activity heat map until June 16, 2016
Figure 7: Distribution of MISP installations per day (plot "Number of unique IPs over time (March to July 2016)"; x-axis: Date, 11/03/2016 to 09/07/2016; y-axis: Number of unique IPs, 0 to 200)
When a MISP server is installed, the instance does not include any information that could be shared, and therefore getting started is often hard for new users. To ease the usage of MISP, CIRCL provides a feed of events that can be easily shared, such as OSINT events and/or attributes classified as TLP:white6, i.e. unclassified information that can be distributed without any restrictions. Hence, the information in this feed is already available on the Internet.
Figure 7 shows the number of unique IP addresses that installed MISP on a daily basis. In general, 20 to 40 unique IP addresses can be observed per day. The peaks can be explained by the fact that MISP was discussed on Twitter and a large armada of bots tried to access the feed.
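The metric behind Figure 7, the number of distinct client addresses fetching the feed per day, can be derived from the feed server's access logs. The following Python is an added example, not code from the paper or from the MISP project: it parses access-log lines in the Apache/nginx "combined" format, counts unique client IPs per day for requests under the feed path, and flags days that exceed the 20 to 40 addresses the paper describes as normal, which is where the bot bursts mentioned above would show up. The `/feed/` prefix, the threshold of 40 and all log lines are assumptions constructed for this example (manifest.json and hashes.csv are the files a MISP feed publishes).

```python
"""Unique feed clients per day, the metric plotted in Figure 7.

Added example, not code from the paper or from the MISP project. It assumes
web-server access logs in the Apache/nginx "combined" format and a feed
served under the path prefix /feed/ (an assumption). All log lines below
are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

# client IP, identd, user, [timestamp], "request line", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line, path_prefix="/feed/"):
    """Return (YYYY-MM-DD, client_ip) for a feed request, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None                     # not a combined-format line
    parts = m.group("req").split()
    if len(parts) < 2 or not parts[1].startswith(path_prefix):
        return None                     # not a feed access
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ts.date().isoformat(), m.group("ip")


def unique_ips_per_day(lines, path_prefix="/feed/"):
    """Count distinct client addresses fetching the feed on each day."""
    clients = defaultdict(set)
    for line in lines:
        parsed = parse_line(line, path_prefix)
        if parsed:
            day, ip = parsed
            clients[day].add(ip)
    return {day: len(ips) for day, ips in sorted(clients.items())}


def flag_peaks(per_day, normal_high=40):
    """Days whose unique-client count exceeds the usual range.

    The paper reports 20 to 40 unique addresses on a normal day; a day far
    above that (e.g. a burst of bots after the feed was discussed publicly)
    deserves a closer look at the user agents and request patterns.
    """
    return [day for day, n in per_day.items() if n > normal_high]


# Constructed log lines (documentation address ranges, not real clients).
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Mar/2016:09:15:02 +0100] "GET /feed/manifest.json HTTP/1.1" 200 5120 "-" "curl/7.47.0"',
    '203.0.113.7 - - [11/Mar/2016:09:15:03 +0100] "GET /feed/hashes.csv HTTP/1.1" 200 3310 "-" "curl/7.47.0"',
    '198.51.100.23 - - [11/Mar/2016:10:02:44 +0100] "GET /feed/manifest.json HTTP/1.1" 200 5120 "-" "python-requests/2.9.1"',
    '198.51.100.23 - - [11/Mar/2016:10:02:45 +0100] "GET /index.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Mar/2016:00:01:09 +0100] "GET /feed/manifest.json HTTP/1.1" 200 5120 "-" "curl/7.47.0"',
] + [
    # constructed burst: 45 distinct clients hitting the manifest on one day
    f'192.0.2.{i} - - [13/Mar/2016:14:{i:02d}:00 +0100] "GET /feed/manifest.json HTTP/1.1" 200 5120 "-" "bot/0.1"'
    for i in range(1, 46)
]

if __name__ == "__main__":
    counts = unique_ips_per_day(SAMPLE_LOG)
    print(counts)
    print("peak days:", flag_peaks(counts))
```

Counting distinct addresses rather than requests is what keeps a single client that polls the feed every few minutes from inflating the figure; the per-day sets are small enough to hold in memory for a feed server of this size.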
6. FUTURE WORK AND CONCLUSIONS
Nowadays, sharing information has become a precious resource within the IT community, and not only there: attackers share information among their peers too. It is therefore essential for the IT community to share information in order to stay informed about newly emerging threats.
6 TLP: Traffic Light Protocol, a protocol for classifying sensitive information and specifying its distribution level.
In this paper, a threat intelligence sharing platform has been presented, where users from the IT community and other communities at large can share their information on incidents or other artifacts in a trusted environment.
Future work is manifold. In a future iteration, the MISP replication and synchronization protocol will be analyzed for its efficiency. Another step concerns the quality of the shared information, in particular information classified as false positives or false negatives.
To deal with these issues, MISP should not only be a vast platform holding information but also include quality requirements; future work is therefore the implementation of a correlation evaluation system. A possible quality evaluation method could, for example, be scoring from the crowd [16].
In order to evaluate the large datasets generated by MISP, data mining techniques for structured data can be used in a future step to evaluate the shared information efficiently, observe local trends and improve MISP.
MISP is a tool that should meet the constantly changing and evolving requirements of the IT community; it should be considered a useful support for incident analysis, mitigation and response, and thus evolve over time.
7. ACKNOWLEDGMENTS
We would like to express our deepest gratitude to all involved parties for supporting this initiative and for their motivation to actively contribute to the evolution of the Malware Information Sharing Platform initiative. Special thanks to Raphaël Vinot and the whole CIRCL team for reviewing this paper.
8. REFERENCES
[1] S. Appala, N. Cam-Winget, D. McGrew, and J. Verma. An actionable threat intelligence system using a publish-subscribe communications model. In Proceedings of the 2nd ACM Workshop on Information Sharing and Collaborative Security, WISCS ’15, pages 61–70, New York, NY, USA, 2015. ACM.
[2] S. Barnum. Standardizing cyber threat intelligence information with the Structured Threat Information eXpression (STIX). Technical report, MITRE Corporation, 2012.
[3] S. Brown, J. Gommers, and O. Serrano. From cyber security information sharing to threat management. In Proceedings of the 2nd ACM Workshop on Information Sharing and Collaborative Security, WISCS ’15, pages 43–49, New York, NY, USA, 2015. ACM.
[4] CIRCL. Misppriv. https://misppriv.circl.lu, 2016.
[5] L. Dandurand and O. Serrano. Towards improved cyber security information sharing. In Cyber Conflict (CyCon), 2013 5th International Conference on, pages 1–16, 2013.
[6] R. Danyliw, J. Meijer, and Y. Demchenko. The Incident Object Description Exchange Format. IETF, RFC 5070, 2007.
[7] E. Deci and R. M. Ryan. Intrinsic motivation and self-determination in human behavior. In Perspectives in Social Psychology, pages 11–40, 1985.
[8] J. C. Haass, G.-J. Ahn, and F. Grimmelmann. ACTRA: A case study for threat information sharing. In Proceedings of the 2nd ACM Workshop on Information Sharing and Collaborative Security, WISCS ’15, pages 23–26, New York, NY, USA, 2015. ACM.
[9] U. Helmbrecht, S. Purser, G. Cooper, D. Ikonomou, L. Marinos, E. Ouzounis, M. Thorbrugge, A. Mitrakas, and S. Capogrossi. Cybersecurity cooperation: Defending the digital frontline. Technical report, ENISA, October 2013.
[10] J. Hernandez-Ardieta, J. E. Tapiador, and G. Suarez-Tangil. Towards improved cyber security information sharing. In Cyber Conflict (CyCon), 2013 5th International Conference on, pages 1–28, 2013.
[11] C. Johnson, L. Badger, and D. Waltermine. Guide to cyber threat information sharing [draft]. Technical report, NIST, April 2016. NIST Special Publication.
[12] M. Maasberg, M. Ko, and N. L. Beebe. Exploring a systematic approach to malware threat assessment. In 49th Hawaii International Conference on System Sciences (HICSS), pages 5517–5526, 2016.
[13] MISP-Contributors. User guide of MISP Malware Information Sharing Platform, a threat sharing platform. https://www.circl.lu/doc/misp/book.pdf, 2016.
[14] K. Moriarty. Real-time Inter-network Defense (RID). IETF, RFC 6545, 2012.
[15] S. Murdoch and N. Leaver. Anonymity vs. trust in cyber-security collaboration. In Proceedings of the 2nd ACM Workshop on Information Sharing and Collaborative Security, WISCS ’15, pages 27–29, New York, NY, USA, 2015. ACM.
[16] M. Noll and C. Meinel. Design and anatomy of a social web filtering service. In Proceedings of the 4th International Conference on Cooperative Internet Computing, CIC, pages 35–44, 2006.
[17] T. Sander and J. Hailpern. UX aspects of threat information sharing platforms: An examination and lessons learned using personas. In Proceedings of the 2nd ACM Workshop on Information Sharing and Collaborative Security, WISCS ’15, pages 51–59, New York, NY, USA, 2015. ACM.
[18] F. Skopik, G. Settanni, and R. Fiedler. A problem shared is a problem halved: A survey on the dimensions of collective cyber defense through security information sharing. Computers & Security, 60:154–176, 2016.
[19] A. Straup Cope. Machine tags. Flickr. https://www.flickr.com/groups/api/discuss/72157594497877875/, 2007.
[20] B. Woods, S. Perl, and B. Lindauer. Data mining for efficient collaborative information discovery. In Proceedings of the 2nd ACM Workshop on Information Sharing and Collaborative Security, WISCS ’15, pages 3–12, New York, NY, USA, 2015. ACM.

It is becoming increasingly necessary for organizations to have a cyber threat intelligence capability and a key component of success for any such capability is information sharing with partners, peers and others they select to trust. While cyber threat intelligence and information sharing can help focus and prioritize the use of the immense volumes of complex cyber security information organizations face today, they have a foundational need for standardized, structured representations of this information to make it tractable. The Structured Threat Information eXpression (STIX™) is a quickly evolving, collaborative community-driven effort to define and develop a language to represent structured threat information. The STIX language is meant to convey the full range of cyber threat information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible. Though relatively new and still evolving, it is actively being adopted or considered for adoption by a wide range of cyber threat-related organizations and communities around the world. All interested parties are welcome to participate in evolving STIX as part of its open, collaborative community and leverage the upcoming STIX web site and collaborative forums.