Integrating with the Australian Signals Directorate’s Cyber Threat Intelligence Sharing Service
The Australian Signals Directorate’s (ASD’s) Cyber Threat Intelligence Sharing (CTIS) service is a two-way threat intelligence (TI) sharing platform that enables government and industry partners to both receive and share information with other ACSC partner organisations about malicious cyber activity.
Splunk Enterprise Security (ES) supports integration with the CTIS service using the TAXII and STIX standards. The Splunk ES integration with CTIS supports both ingestion of IOC telemetry from the CTIS service and the ability for partners to share IOC reports back to the CTIS service, as outlined below:
- Ingestion of indicator of compromise (IOC) telemetry: This supports the detection of potentially malicious activity by matching IOC values from the CTIS service (IP addresses, file hashes, URLs, fully qualified hostnames, PKI certificates, etc.) against values in log data ingested into Splunk ES. This integration is supported natively by the ES Threat Intelligence Framework (TIF).
- Sharing of IOC reports with CTIS: This enables partners to share previously unknown IOC observations of potentially malicious activity with others in the CTIS community through an open-source, Splunk-developed IOC reporting app. These IOC reports are then published back to the CTIS community via the service, enabling other ACSC partners to consume and use the newly sighted IOCs. The open-source IOC reporting app is available in this Splunk GitHub repository and is designed to work with Splunk ES on both Splunk Cloud Platform and customer-managed deployments.
CTIS provides support for multiple discrete IOC feeds using what are known as collections. Each CTIS collection provides a feed of IOC telemetry for a specific category of indicators, generally based on their type, quality, criticality and/or source. Customers can choose and configure the specific collections they would like to ingest based on their requirements, and customise a range of configuration options for each individual collection feed.
Details of the different CTIS collections and the type of telemetry each provides are covered in the ACSC CTIS documentation, which is available on the Australian Cyber Security Centre (ACSC) Partner Portal. Access to this portal requires organisations to complete and submit a partnership application and accept specific ACSC terms for the use of the CTIS service. Any Australian-based organisation that is not currently an ACSC partner and would like to use CTIS can find further information on applying on the ACSC website.
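The following is an added illustration of the TIF ingestion point above and of per-collection selection; it is not Splunk's, ASD's or the IOC reporting app's code. It parses a constructed STIX 2.1 bundle per collection (the collection names, indicator identifiers and values are made up; a real deployment would receive bundles from the CTIS TAXII collections it has enabled), flattens the indicators into a lookup keyed by IOC type, and matches that lookup against a few constructed key=value log events so that only the enabled collections produce matches.

```python
"""Added example: extract IOC values from STIX 2.1 indicator patterns and
match them against log events, honouring which collections are enabled.
Not Splunk or ASD code; all sample data below is constructed."""
import re
from typing import Dict, List, Tuple

# Constructed stand-ins for two TAXII collections (names and content assumed).
SAMPLE_COLLECTIONS = {
    "high-confidence": {
        "type": "bundle",
        "id": "bundle--11111111-1111-4111-8111-111111111111",
        "objects": [
            {"type": "indicator", "id": "indicator--a1", "pattern_type": "stix",
             "pattern": "[ipv4-addr:value = '203.0.113.5']"},
            {"type": "indicator", "id": "indicator--a2", "pattern_type": "stix",
             "pattern": "[domain-name:value = 'malicious.example'] OR "
                        "[url:value = 'http://malicious.example/login']"},
            {"type": "indicator", "id": "indicator--a3", "pattern_type": "stix",
             "pattern": "[file:hashes.'SHA-256' = '" + "DEADBEEF" * 8 + "']"},
            # Non-indicator objects in a bundle are ignored by the flattening step.
            {"type": "identity", "id": "identity--b1", "name": "sample producer"},
        ],
    },
    "low-confidence": {
        "type": "bundle",
        "id": "bundle--22222222-2222-4222-8222-222222222222",
        "objects": [
            {"type": "indicator", "id": "indicator--c1", "pattern_type": "stix",
             "pattern": "[ipv4-addr:value = '192.0.2.77']"},
        ],
    },
}

# STIX cyber-observable (object type, property) pairs -> normalised IOC type.
IOC_TYPES = {
    ("ipv4-addr", "value"): "ip",
    ("ipv6-addr", "value"): "ip",
    ("domain-name", "value"): "domain",
    ("url", "value"): "url",
    ("file", "hashes"): "file_hash",
}

# One equality comparison inside a STIX pattern, e.g.
#   [ipv4-addr:value = '203.0.113.5']  or  [file:hashes.'SHA-256' = '...']
# Compound patterns (OR / AND) simply yield several comparisons.
_COMPARISON = re.compile(
    r"(?P<obj>[a-z0-9-]+):(?P<prop>[A-Za-z0-9_-]+)(?:\.'[^']*')?\s*=\s*'(?P<val>[^']*)'"
)


def normalise(ioc_type: str, value: str) -> str:
    """Case-fold hashes and domains so producer formatting does not hide a hit."""
    value = value.strip()
    return value.lower() if ioc_type in ("file_hash", "domain") else value


def parse_pattern(pattern: str) -> List[Tuple[str, str]]:
    """Return (ioc_type, value) pairs for the supported equality comparisons.
    Unsupported comparisons (MATCHES, temporal qualifiers, other objects) are
    skipped rather than guessed at."""
    found = []
    for m in _COMPARISON.finditer(pattern):
        ioc_type = IOC_TYPES.get((m.group("obj"), m.group("prop")))
        if ioc_type:
            found.append((ioc_type, normalise(ioc_type, m.group("val"))))
    return found


def build_lookup(collections: Dict[str, dict], enabled: List[str]) -> Dict[str, Dict[str, str]]:
    """Flatten only the enabled collections into {ioc_type: {value: collection}}."""
    lookup: Dict[str, Dict[str, str]] = {}
    for name in enabled:
        for obj in collections[name].get("objects", []):
            if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
                continue
            for ioc_type, value in parse_pattern(obj["pattern"]):
                lookup.setdefault(ioc_type, {}).setdefault(value, name)
    return lookup


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Minimal key=value event parser (quoted values allowed)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def match_events(lines: List[str], lookup: Dict[str, Dict[str, str]]) -> List[dict]:
    """Compare every field value of every event against every IOC type."""
    hits = []
    for idx, line in enumerate(lines):
        for field_name, raw in parse_event(line).items():
            for ioc_type, values in lookup.items():
                value = normalise(ioc_type, raw)
                if value in values:
                    hits.append({"event": idx, "field": field_name, "ioc_type": ioc_type,
                                 "value": value, "collection": values[value]})
    return hits


# Constructed log events (proxy and endpoint style); not real telemetry.
SAMPLE_EVENTS = [
    '2024-05-01T10:00:00Z action=allowed src_ip=10.0.0.5 dest_ip=203.0.113.5 url="http://malicious.example/login"',
    '2024-05-01T10:01:00Z action=allowed src_ip=10.0.0.7 dest_ip=198.51.100.20 dest_host=benign.example',
    '2024-05-01T10:02:00Z host=ws-42 process=updater.exe file_hash=' + "deadbeef" * 8,
    '2024-05-01T10:03:00Z action=allowed src_ip=10.0.0.9 dest_ip=192.0.2.77',
]

if __name__ == "__main__":
    for hit in match_events(SAMPLE_EVENTS, build_lookup(SAMPLE_COLLECTIONS, ["high-confidence"])):
        print(hit)
```

With only the high-confidence collection enabled the fourth event (192.0.2.77) produces no match; enabling the low-confidence collection as well adds it, which is the per-collection choice the text describes. Matching is by value across all fields rather than by field name, so a hostname appearing in an unexpected field is still caught; a production deployment would additionally carry the indicator's confidence and validity window into the match result.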
In addition to the TIF ingestion option outlined in the first point above, Splunk Enterprise Security also includes an alternative capability for IOC ingestion referred to as the Threat Intelligence Management (TIM) service. TIM provides a simplified but less flexible method for configuring ingestion of a range of preconfigured public, open-source and commercial IOC telemetry sources, along with custom TAXII sources. Currently the use of TIM with CTIS is possible but is not recommended due to various limitations.
Unification of TIF and TIM into a single framework is a high priority; the first phase of this work was completed with the release of ES 8.4, and work is planned to continue as part of the immediate ES roadmap. The primary consideration to be aware of during the unification phase is the differences in user interface and workflows as the unification work is completed. For example, ES 8.4 introduces different terminology that differentiates the two features as ES Native (TIF) and TIM Cloud, given that the configuration for both is unified into the one location. This is shown in the image below of the unified configuration page for TIF and TIM in ES 8.4.


