Efficient Incident Response System on Shared Cyber Threat Information Using SDN and STIX

Cyber threat information sharing is an effective action to detect cyber attacks, especially against sophisticated attackers. For this reason, some organizations related to cyber security, such as ISACs, set up information-sharing schemes. These schemes provide cyber threat information (IP addresses or domains about malicious hosts) to critical infrastructure companies. When a company receives the shared information called indicators, it checks whether its employees' computers are communicating to the mentioned malicious hosts or not. If the communication to malicious hosts is found, it should be blocked to prevent further damage. Usually, this security workflow (receiving indicators, checking communication, and blocking malicious communication) is often done manually. Thus, the workload of the procedure becomes heavier as the number of indicators increases. In this paper, we propose an automated system for efficient indicator handling by combining Software Defined Networking (SDN) and STIX. When the system receives indicators in STIX format, it parses them and changes network configuration dynamically to block communication to malicious hosts. We also compare the required time for handling indicators manually and by using the proposed automated system to show the system's efficiency.