Threat Intelligence Sharing in a Connected World

Transcription

1 a Cohort plc company Threat Intelligence Sharing in a Connected World Mass Consultants Ltd November 2015 Prepared by: MASS Enterprise House Great North Road Little Paxton St Neots Cambridgeshire PE19 6BN Tel: +44 (0) E: cyberessentials@mass.co.uk

2 Copyright 2015 Mass Consultants Limited. All Rights Reserved. The copyright and intellectual property rights in this work are vested in Mass Consultants Limited. This document is issued in confidence for the sole purpose for which it is supplied and may not be reproduced, in whole or in part, or used for any other purpose, except with the express written consent of Mass Consultants 2

3 Contents 1 EXECUTIVE SUMMARY 4 2 CURRENT SHARING LANDSCAPE 5 3 EMERGING STANDARDS OpenIOC (Mandiant Corperation) IODEF/RID (IETF) STIX/TAXII (Mitre Corporation) 6 4 CREATING A SHARING ECOSYSTEM 7 5 EFFICIENT STORAGE AND SHARING 9 6 BIG DATA DEVELOPMENTS 11 7 SUMMARY 12 8 REFERENCES 13 MASS 2015 All rights reserved WHP003/1 3

4 1 Executive Summary Over the last five years, cyber attackers have consistently achieved their objectives by re-using infrastructure and tools. Although their tactics, techniques and procedures (TTPs) are often well understood and documented, there has been no easy or consistent way to promulgate that information to network defenders. In response to this seemingly bleak picture, we have seen the emergence of number of communities where threat information is shared between those who observe attacks, and those who seek to defend against them. Unfortunately these communities often operate in isolation of each other, meaning that some network defenders spend their time de-duplicating information which is delivered in a variety of incompatible formats. The adoption of a common language to describe attacks, with a standardised mechanism for exchanging intelligence in real-time across organisational, product and security boundaries, will transform the UK s response to the growing barrage of threats from cyberspace. The challenges of sharing threat information safely and quickly are not unique to cyber intelligence, and have already been successfully overcome in other domains. MASS experience in the field of Electronic Warfare data management can be built upon to provide quick-wins and technology pull-through to the cyber domain. 4

5 2 Current Sharing Landscape Cyber threat intelligence expressed purely as atomic signatures or selectors can no longer provide adequate protection for network defenders. The sheer volume of new malware, the use of disposable infrastructure and increased use of anti-detection techniques (e.g. polymorphism) mean that these traditional, simple methods for describing and sharing threats are no longer viable. Early attempts at sharing enriched threat information have had mixed results.initiatives such as the Cyber-Security Information Sharing Partnership (CiSP ) have highlighted a clear desire from organisations to consume context-rich threat information, as witnessed by higher-than-anticipated enrolment (over 750 organisations and over 2000 individuals by December 2014). However, the CiSP environment does not lend itself to real-time information sharing. Users must log into a web-based portal and search for nuggets of actionable information buried within verbose prose. Whilst this approach does provide a mechanism to enrich atomic signatures with context and comment, there is no automated way of consuming information from CiSP, or sharing observations back to that community. CiSP is not alone in this regard. Globally there are a growing number of portals where network defenders are able to consume or share threat intelligence information, including CPNI Information Exchanges, MACCSA, Ops-T, nsp-security, InfraGard, NCFTA, ICASI, ISACs and Usual5. The mechanisms for sharing, the format in which information is presented and the ways in which it can be used, can vary greatly from portal to portal. Advisories and bulletins from vendors and CERTs are also inconsistent in their use of formatting, naming conventions, and descriptive vocabulary. Separately, within the intelligence community, multiple overlapping societies of trust exist, operating at a variety of classification levels and caveats, with disparate data often dispersed across multiple systems. This complex web of data sources and incompatible formats can lead to vital intelligence being missed, and network defenders not having the information required to protect against known threats. In order to ensure that the UK is one of the most secure places in the world to do business in cyberspace, Government needs to ensure it is able to share threat intelligence with network defenders and partners in a prompt, efficient manner, providing as much context and enrichment as possible to each distinct audience This can only be achieved by implementing a standard language to represent structured cyber threat information, together with a safe, secure, automated method for sharing and collaboration. MASS 2015 All rights reserved WHP003/1 5

6 3 Emerging Standards The challenge of sharing cyber threat information is no longer a problem faced by Governments, or the intelligence community, in isolation. In recent years, a number of separate projects have emerged to address this issue, and three open standards have risen to prominence. They are:. 3.1 OpenIOC (Mandiant Corporation) Originally developed as a proprietary schema by Mandiant, to allow their products to codify intelligence, OpenIOC was standardised and released under an open-source licence in November Whilst the extensible XML schema provides mechanisms to describe the technical characteristics of threats, methodologies, or evidence of compromise, there have been relatively few OpenIOC-compliant tools released to date. 3.2 IODEF/RID (IETF) The Incident Object Description Exchange Format (IODEF) was first defined by the Internet Engineering Task Force in RFC5070, published in Thus far it has had a limited adoption, the most high profile user being the Anti-Phishing Working Group (APWG) who implemented IODEF with specific anti-phishing extensions (as defined in RFC5901 ). 3.3 STIX/TAXII (Mitre Corporation) Overseen by the not-for-profit Mitre Corporation, Structured Threat Information expression (STIX) and Trusted Automated exchange of Indicator Information (TAXII) are standards specifically designed to enable automated information sharing for cybersecurity situational awareness, real-time network defence and sophisticated threat analysis. STIX (and its constituent components) is under active consideration for use and initial prototyping among a large variety of different public-public, public-private and private-private cyber threat information sharing communities and by several vendors supporting the domain. Of the three, the STIX/TAXII family of interrelated technical specifications are quickly becoming the de-facto standard for threat intelligence sharing. They are already being used to share operational data within the Financial Services sector, and have recently been incorporated into commercial offerings from HP (ThreatCentral ), Microsoft (MAPP ), FOX-IT (InTELL ), Bromium (LAVA ) and Lockheed Martin (Suricata ). By adopting an industry standard, rather than creating something bespoke, Government could leverage commercial off-the-shelf (COTS) tools for elements of cyber threat analysis and intelligence management. A standard structured format also provides opportunities to share threat data more easily, including automatic ingestion from trusted sources and vendors. 6

7 4 Creating a Sharing Ecosystem The ambitious goals set by the UK Cyber Security Strategy will only be achieved if numerous strands of cyber intelligence which exist across GCHQ, the wider security/intelligence community, UK industry and academia, can be pulled together to create a sharable coherent threat picture. By utilising STIX, intelligence would be presented in a common language and be easily understood (by humans and security technologies) thus reducing the time required to turn security intelligence into beneficial action. It is likely that some sources and legacy stores of intelligence will need to be translated into STIX format; this is a relatively simple task, as the XML schema for STIX is well documented and highly expansive. By translating legacy and bespoke formats, data obtained from multiple sources would become more synergistic and complementary, increasing the value of intelligence sharing. STIX achieves this by providing a unifying architecture, tying together a diverse set of cyber threat information including: Cyber Observables Indicators Incidents Adversary Tactics, Techniques, and Procedures (including attack patterns, malware, exploits, kill chains, tools, infrastructure, victim targeting, etc.) Exploit Targets (e.g., vulnerabilities, weaknesses or configurations) Courses of Action (e.g., incident response or vulnerability/weakness remedies or mitigations) Cyber Attack Campaigns Cyber Threat Actors Whilst each of these components exists independently of others, they are reusable and inter-relatable, with the ability to enhance content in detail within the XML schema. Figure 1 - STIX architecture (from STIX Project Documentation) MASS 2015 All rights reserved WHP003/1 7

8 STIX also leverages an abstract data-marking approach which cuts across all components. By enabling marking of content down to the field level, granular security labelling can be applied to data, including handling guidance or context tagging. The current STIX default model implements the Traffic Light Protocol (TLP ), Intelligence Community Enterprise Data Header (EDH ) and Terms of Use. This could easily be expanded to implement UK Government Security Classifications or any other protective markings and caveats as required. Alongside STIX, TAXII delivers a secure transport mechanism which standardises the automated exchange of threat information. By traversing organisational and product/service boundaries, TAXII offers an elegant solution for sharing information with a number of diverse communities whilst leveraging existing relationships and technologies. Implemented together, STIX and TAXII could help accelerate security intelligence sharing, improve threat prevention controls, and even automate defences. Other emerging standards including Cyber Observable Expressions (CybOX ) and the Malware Attribute Enumeration and Characterization (MAEC ) language would provide an additional level of granularity for describing specific elements of observed threats. Work is also ongoing to merge the existing Digital Forensics XML (DFXML ) standard into CybOX. 8

9 5 Efficient Storage and Sharing Once cyber threat intelligence is stored in a standardised format (STIX, additionally enriched with CybOX, MAEC or DFXML descriptions as necessary) the challenge of real-time, large-scale sharing becomes a more manageable undertaking. The issues of data management and secure sharing are certainly not unique to cyber intelligence. MASS have decades of experience in the Electronic Warfare (EW) domain, where the THURBON next-generation data management system provides an internationally-connected, flexible, scalable, XML-based platform. THURBON was designed to deliver high levels of automation, ease of use and integration with existing tools, fully supporting the drive for increased efficiency and reduced operating costs. These drivers are equally present within the cyber domain. 2 nd /3 rd parties Other sources Collection Fleet Industry relationships Cyber threat analysis (CDO) Cyber threat information Observables and context Courses of action and context Operational cyber threat observations Cyber Analyst signatures Create signatures/ selectors for cyber threats signatures Sharing communities Protect Detect TAXII Cyber threat database Policy / Equities Respond CDO/GovCertUK Internal to GCHQ Figure 2 - Proposed UK cyber threat sharing Building on lessons learnt from EW operations, the implementation of a master cyber threat database (or multiple federated databases), using STIX for description and TAXII for transport, could provide the UK with a world-leading cyber threat information sharing ecosystem. GCHQ is the natural location to house such a database in the UK, due to its ability to enrich cyber threat information with observations from other sources and wider collection. The multi-stakeholder model in the UK allows the same cyber threat information to be shared directly, or out via numerous channels (CPNI, CERT-UK, CiSP, Cyber Streetwise, etc) to different audiences at differing levels of classification. Access to the same threat information data could be made available to second and third parties, as well as national and international partners. By replicating the successful THURBON EW model and using Oracle Label Security (OLS) to provide multi-level access to the same data source, the current issues of creating multiple separate ad-hoc data exports would be avoided. OLS mediates users access to data via their assigned authorities and labels allowing data separation by sensitivity within a single database. This approach could allow a single authoritative database of cyber threat information to be exposed across multiple domains, with each consumer receiving access only to a permitted subset of threat information. MASS 2015 All rights reserved WHP003/1 9

10 Figure 3 - threat information context Threat intelligence data becomes more useful as the amount of context and detail increases. This typically corresponds to increases in protective marking the further up the pyramid (Figure 3) you go, the more highly protected that information becomes. The adoption of a standardised STIX/TAXII format would increase the usefulness of information shared at all levels, but particularly at the lower tiers where current threat intelligence products are difficult to digest and consume automatically. It is at these tiers where the vast majority of network defenders operate. 10

11 6 Big Data Developments Recent work by MASS has advanced the development of a STIX database using modern, low cost technology. Prototyping of a big data solution has confirmed that STIX can be implemented readily on a low cost database stack as a complement to a high-security Oracle installation. With the volume, origin, target and nature of attacks rapidly morphing over time, visualisation has become key to understanding and assessing the data gathered. The screenshots below show two possible views developed by MASS. The first (Figure 4) shows a view of data gathered over a year (left hand pie chart), and on the day of capture (right hand pie), the origin (inner pie), target (outer target), and nature of attacks (table). The second (Figure 5) shows a colour-defined heat map, indicating the number of vulnerabilities for given products running on given platforms, over time. Figure 4 - visualisation of attack origins and targets over time Figure 5 - visualisation of attack types, weaknesses attacked and target operating systems Such a solution would be very suitable for use by, for example, the Home Office or Borders Agency, allowing a practical, heterogeneous implementation of STIX using homogeneous TAXII-based data sharing. MASS 2015 All rights reserved WHP003/1 11

12 7 Summary The sheer volume of cyber threat information being shared has increased exponentially over last five years. Unfortunately many network defenders still find themselves manually searching across multiple disparate data feeds, cutting and pasting items of interest into different security products, and dealing with a variety of different naming conventions. Initiatives such as CiSP have created an effective conduit to share with a wide variety of threat intelligence consumers, although typically at an unclassified level. Existing higher-classification sharing relationships with law enforcement, international intelligence community and industry partners must co-exist alongside this new audience. In order for threat information to flow effectively and efficiently, an interoperable, cross-domain solution for describing and sharing cyber threat intelligence is required. At the FIRST Conference in June 2014, Richard Struse, Chief Advanced Technology Officer at US Department of Homeland Security: Truly interoperable, automated information sharing is a key capability for our shared success as cybersecurity responders and defenders. While each organisation s circumstances will drive different implementations with unique features and restrictions, a common message exchange and representation language will allow every CSIRT and SOC to realize new opportunities for more advanced analysis, faster response, and most importantly, more chances to deploy preventative measures before new attacks affect your constituency. The rapidly maturing STIX and TAXII standards provide robust mechanisms to describe and transfer threat intelligence. By fusing operational experience gained in the Electronic Warfare domain, with Government s unrivalled threat intelligence data, an accreditable multi-domain sharing infrastructure could be quickly created in the UK. 12

13 8 References [1] Cyber-security Information Sharing Partnership - [2] CISP sharing environment [3] CPNI Information Exchanges - [4] Multinational Alliance for Collaborative Cyber Situational Awareness - [5] Operations Security Trust - [6] nsp-security - [7] InfraGard - [8] National Cyber-Forensics & Training Alliance - [9] Industry Consortium for Advancement of Security on the Internet - [10] Information Sharing and Analysis Centers - [11] Objective 1 of the UK Cyber Security Strategy - uploads/attachment_data/file/60961/uk-cyber-security-strategy-final.pdf [12] OpenIOC - [13] RFC5070: The Incident Object Description Exchange Format - [14] RFC5901: Extensions to the IODEF-Document Class for Reporting Phishing - [15] Mitre Corporation - [16] DTCC and FS-ISAC launch cyber threat beacon system - [17] All about Threat Central - [18] Microsoft Active Protections Program (MAPP) - [19] Fox-IT InTELL - [20] Bromium Live Attack Visualisation and Analysis (LAVA) - [21] Lockheed Martin Integrates Cyber Security Standards into Open Source Platform - [22] STIX Data Model - [23] Traffic Light Protocol [24] IC-Enterprise Data Header [25] UK Government Security Classifications - attachment_data/file/251480/government-security-classifications-april-2014.pdf [26] Cyber Observable expression (CybOX) - [27] Malware Attribute Enumeration and Characterisation (MAEC) - [28] Digital Forensics XML (DFXML) - [29] THURBON - Management.pdf [30] Centre for the Protection of National Infrastructure (CPNI) - [31] CERT-UK - [32] Cyber Streetwise - MASS 2015 All rights reserved WHP003/1 13

14 [33] Oracle Label Security (OLS) CESG EAL4 certification - [34] Implementers Workshop: Automated Information Sharing with TAXII and STIX - conference/2014/program#pimplementers-workshop-automated-information-sharing-with-taxii-and-stix [35] 14