Soltra edge open cyber intelligence platform report




Soltra Edge Open Cyber Intelligence Platform Report

Prepared By: Alan Magar, Sphyrna Security, 340 Ridgeside Farm Drive, Kanata, Ontario K2W 0A1

PWGSC Contract Number: W7714-08FE01/001/ST, Task 33
CSA: Melanie Bernier, Defence Scientist, 613-996-3937
Scientific Authority: Melanie Bernier, Defence Scientist, DRDC CORA Research Centre

The scientific or technical validity of this Contract Report is entirely the responsibility of the Contractor and the contents do not necessarily have the approval or endorsement of the Department of National Defence of Canada.

Contract Report DRDC-RDDC-2015-C204, March 2015

This Contract Report was produced for the Cyber Decision Making and Response project (05ac) under the DRDC Cyber Operations S&T program.

Her Majesty the Queen in Right of Canada, as represented by the Minister of National Defence, 2015

Soltra Edge Open Cyber Intelligence Platform Report, prepared for Defence Research and Development Canada.

Prepared by:
Bell Canada, 160 Elgin Street, 17th Floor, Ottawa, Ontario K1S 5N4
Sphyrna Security, 340 Ridgeside Farm Drive, Kanata, Ontario K2W 0A1

March 2015 Bell Canada ii

Confidentiality: This document is UNCLASSIFIED.

Authors (Bell / Sphyrna Team):
Alan Magar, Security Architect

Revision Control:
Revision 0.1, 12 March 2015: Draft Report
Revision 1.0, 27 March 2015: Final Report

Table of Contents
1.0 INTRODUCTION
1.1 BACKGROUND
1.2 PURPOSE
1.3 DOCUMENT STRUCTURE
2.0 TECHNICAL OVERVIEW
2.1 ARCHITECTURE
2.2 STANDARDS
2.2.1 STIX
2.2.2 TAXII
2.2.3 TLP
2.3 CAPABILITIES
3.0 PRODUCT EVALUATION
3.1 DEPLOYED ENVIRONMENT
3.2 CONFIGURED FEEDS
3.3 ADAPTERS
3.4 ASSESSMENT
3.4.1 Release Cycle
3.4.2 User Community
3.4.3 Functionality
3.4.4 Alternatives
4.0 CONCLUSION & RECOMMENDATIONS
5.0 ACRONYMS & ABBREVIATIONS

List of Figures
Figure 1 Soltra Edge Cyber Intelligence Platform
Figure 2 Soltra Edge Upgrade
Figure 3 Adding a Site
Figure 4 Site Added
Figure 5 Unconfigured Feeds
Figure 6 Configure Feed
Figure 7 Configured Feed
Figure 8 Downloaded Feed
Figure 9 Indicator Catalog
Figure 10 Specific Indicator
Figure 11 Observable Catalog
Figure 12 Specific Observable
Figure 13 Adapters Installed
Figure 14 CSV Indicators Import
Figure 15 CSV Indicators Preview
Figure 16 Soltra Edge STIX/TAXII Integrations


1.0 Introduction

Cyber threat intelligence has received a great deal of publicity of late. This is not surprising given the number of high profile cyber attacks that have figured prominently in the news over the past year. President Obama recently (February 2015) signed an executive order to improve the sharing of cyber threat information within the private sector and between the private sector and government. Specifically, the executive order enables the Department of Homeland Security (DHS) to share classified intelligence with the private sector and to develop standards to facilitate the sharing of cyber threat information. [1] Later the same month, President Obama announced the establishment of a cyber threat intelligence integration center aimed at coordinating ongoing federal efforts to counter hackers and other cyber threats aimed at the U.S. government and private industry. [2]

1.1 Background

The Centre for Operational Research and Analysis (CORA), a Defence Research & Development Canada (DRDC) research centre for systems analysis and operational research, is in the process of characterizing the threat and building a Department of National Defence (DND) specific cyber threat model. The aggregation of cyber threat intelligence from a variety of reputable sources, and the ability to act on this information, are likely to be important aspects of the overall cyber threat model being developed.

1.2 Purpose

Soltra Edge is intended to serve as the intelligence hub for an organization, connecting to all threat intelligence communities and providing actionable data back to the organization's environment for integration with internal security tools/appliances. The intent is that Soltra Edge will allow organizations to receive, store and send cyber security threat intelligence automatically, allowing these organizations to better deploy safeguards against a potential cyber attack.

[1] This announcement is mentioned in numerous locations including http://www.politico.com/story/2015/02/obama-cyberthreat-executive-order-115187.html
[2] This announcement is mentioned in numerous locations including http://www.washingtontimes.com/news/2015/feb/25/obama-create-new-cyber-threat-center

The purpose of this report is to review and analyze the Soltra Edge Open Cyber Intelligence Platform and its components (Structured Threat Information expression (STIX) and Trusted Automated exchange of Indicator Information (TAXII)).

1.3 Document Structure

This report consists of the following sections:
Section 1.0 Introduction: provides an overview of the report;
Section 2.0 Technical Overview: provides a high level overview of Soltra Edge including its architecture, standards and capabilities;
Section 3.0 Product Evaluation: documents the evaluation of the platform, including the deployed environment, configured feeds, adapters and an assessment of the product;
Section 4.0 Conclusions & Recommendations: summarizes the conclusions and recommendations derived from the development of this report; and
Section 5.0 Acronyms & Abbreviations: lists the acronyms and abbreviations used throughout this report.

2.0 Technical Overview

The Security Automation Working Group (SAWG) within the Financial Services Information Sharing and Analysis Center (FS-ISAC) initiated a project code named Avalanche to champion the use of standards based cyber threat intelligence sharing. In September 2014, FS-ISAC and the Depository Trust & Clearing Corporation (DTCC) announced a joint effort to develop and market automation solutions that advance cyber security capabilities and the resilience of critical infrastructure organizations. The resulting solution, Soltra Edge, is based on the requirements, standards and overall roadmap from the SAWG group within FS-ISAC. This section of the report provides a technical overview of the product, including an examination of its architecture, standards and capabilities.

2.1 Architecture

Soltra Edge, which runs on CentOS 6.5 [3] and utilizes MongoDB [4] for storage, is administered through a web interface. In terms of cyber threat intelligence services, Soltra Edge can be configured to accept structured (e.g., STIX/TAXII) threat intelligence feeds and other file types through adapters. The threat information can be managed and then exported in STIX format to various STIX-compatible security tools/appliances including firewalls or proxy servers, Mail Transfer Agents (MTAs) and Security Incident and Event Management (SIEM) systems. It is the security appliances that are responsible for taking the threat information provided by Soltra Edge and acting upon it. For example, a list of malicious URLs could be sent to firewalls/proxy servers, which would then proceed to block traffic originating from those network addresses. The Soltra Edge Cyber Intelligence Platform is illustrated in Figure 1.

[3] CentOS is an open source Linux distribution derived from the sources of Red Hat Enterprise Linux (RHEL). Additional information on CentOS can be found at http://www.centos.org
[4] MongoDB (from "humongous") is an open source document database, and the leading NoSQL database. Additional information on MongoDB can be found at http://www.mongodb.org

Figure 1 Soltra Edge Cyber Intelligence Platform

2.2 Standards

Soltra Edge is intended to support a variety of open standards for cyber threat information sharing. Specifically, it currently supports the following standards:
Structured Threat Information expression (STIX);
Trusted Automated exchange of Indicator Information (TAXII); and
Traffic Light Protocol (TLP).

Note: Other Cyber Threat Standards

It should be noted that there are other cyber threat standards that are supported to varying degrees by Soltra Edge. While there are likely many such standards, a few were identified during the development of this report. Interestingly enough, most of these standards originated in private companies and then transitioned to the open source community to various degrees. The other standards identified include the following:
Common Attack Pattern Enumeration and Classification (CAPEC): CAPEC is a comprehensive dictionary and classification taxonomy of known attacks that can be used by analysts, developers, testers, and educators to advance community understanding and enhance defences;
Cyber Information Sharing and Collaboration Program (CISCP) [5]: The Critical Infrastructure and Key Resource (CIKR) CISCP is a DHS program to improve the security posture of organizations by providing threat data in the form of indicator bulletins, analysis bulletins, alert bulletins and recommended practices to participating organizations. It should be noted that Soltra Edge supports the conversion of CISCP indicators to a STIX list through the use of an adapter;
Cyber Observable expression (CybOX) [6]: CybOX is a standardized schema for the specification, capture, characterization, and communication of events or stateful properties that are observable in the operational domain. It should be noted that STIX uses the CybOX language to describe observables;
Malware Attribute Enumeration and Characterization (MAEC) [7]: MAEC is a standardized language for encoding and communicating high fidelity information about malware based upon attributes such as behaviours, artefacts, and attack patterns. It should be noted that STIX can describe malware using MAEC characterizations through the use of the MAEC schema extension;
OpenIOC [8] [9]: OpenIOC is an extensible XML schema for the description of technical characteristics that identify a known threat, an attacker's methodology, or other evidence of compromise. It should be noted that STIX provides a default extension for OpenIOC; and
Open Threat exchange (OTX) [10]: OTX is an open threat information sharing and analysis network that provides real time, actionable cyber threat information.

[5] Additional information on CISCP can be found at http://csrc.nist.gov/groups/sma/ispab/documents/minutes/2013-06/ispab_june2013_menna_ciscp_one_pager.pdf
[6] Additional information on CybOX can be found at https://cybox.mitre.org and https://github.com/cyboxproject
[7] Additional information on MAEC can be found at http://maec.mitre.org and http://maecproject.github.io
[8] IOC stands for Indicators of Compromise
[9] Additional information on OpenIOC can be found at http://www.openioc.org
[10] Additional information on OTX can be found at https://www.alienvault.com/open-threat-exchange

2.2.1 STIX

STIX [11] is a collaborative community driven effort to define and develop a standardized language to represent structured cyber threat information. STIX characterizes an extensive set of cyber threat information, to include indicators of adversary activity (e.g., IP addresses and file hashes) as well as additional contextual information regarding threats (e.g., adversary Tactics, Techniques and Procedures [TTPs]; exploitation targets; Campaigns; and Courses of Action [COA]) that together more completely characterize the cyber adversary's motivations, capabilities, and activities, and thus, how to best defend against them. [12] STIX, which is XML based, is sponsored by the Office of Cybersecurity and Communications at the DHS. Soltra Edge supports the latest version (version 1.1.1) of STIX, including all 1.1.1 objects.

Since STIX basically provides a common language for describing cyber threat information so that it can be automatically shared, stored and used consistently, the following STIX definitions [13] have been included in the report:
Observable: An Observable is an event or stateful property that is observed or may be observed in the operational cyber domain, such as a registry key value, an IP address, deletion of a file, or the receipt of an HTTP GET. STIX uses Cyber Observable expression (CybOX) to represent Observables;
Indicator: An Indicator is a pattern of relevant observable adversary activity in the operational cyber domain along with contextual information regarding its interpretation (e.g., this domain has been compromised, this email is spoofed, this file hash is associated with this trojan, etc.), handling, etc. An Observable pattern captures what may be seen; the Indicator enumerates why this Observable pattern is of interest;
Incident: An Incident is a set of related system and network activity that is associated with the same adversary activity and/or attack along with contextual information such as who is involved, when it occurred, what was affected, what was the impact, what actions were taken in response, etc.;
TTP: Tactics, Techniques and Procedures are a representation of the behaviour or modus operandi of a cyber adversary including the use of particular attack patterns, malware, exploits, tools, infrastructure, or the targeting of particular victims;
ExploitTarget: An ExploitTarget is something about a potential victim that may make them susceptible to a particular adversary TTP (e.g., a system vulnerability, weakness or configuration issue);
CourseOfAction: A CourseOfAction captures a particular action that could be taken to prevent, mitigate or remediate the effects of a given cyber threat. These actions could be remedial, to proactively address known issues a priori, or could be responses to specific adversary activity;
Campaign: A Campaign is a set of related adversary activity, to include TTPs, indicators, exploit targets, and incidents. It characterizes the modus operandi of a particular adversary in executing a particular intent; and
ThreatActor: A ThreatActor is a cyber adversary and his or her known characteristics. It is who is perpetrating the cyber attacks.

2.2.2 TAXII

TAXII [14] defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organization and product/service boundaries. Specifically, TAXII defines an XML data format and message protocols (Hypertext Transfer Protocol (HTTP)/Hypertext Transfer Protocol Secure (HTTPS)) for transporting STIX information. TAXII is sponsored by the Office of Cybersecurity and Communications at the DHS. Soltra Edge supports the latest version (version 1.1) of TAXII.

2.2.3 TLP

TLP [15], which was developed by the U.S. Computer Emergency Readiness Team (US-CERT), is a simple standard used to control the dissemination of shared data. It uses four distinct colours to distinguish how the information may be shared. Data that is tagged white can be distributed without restriction. Data that is tagged green can be shared within the community, but not publicly. Data that is tagged amber can only be shared within an organization. Data that is tagged red cannot be shared. TLP has been adopted within Soltra Edge to allow automated filtering of data by sensitivity level and for user access control.

2.3 Capabilities

Soltra Edge is intended to be an aggregator of cyber threat intelligence information and the primary data store for structured intelligence within an organization. Consequently, it is intended to accept cyber intelligence feeds, in the form of STIX/TAXII feeds, from a variety of sources including the following:
Commercial Feeds: Commercial feeds are feeds that are purchased from professional intelligence providers;
Organizational Feeds: Organizational feeds are feeds that exist within the organizational environment;
Open Source Feeds: Open source feeds are Open Source Intelligence (OSINT) feeds provided by the open source community;
Community Feeds: Community feeds are feeds provided by business partners, associates, sharing communities or Information Sharing and Analysis Centers (ISACs); and
Government Feeds: Government feeds are typically provided by the federal government for the benefit of private industry.

Soltra Edge is also capable of manually importing threat information using the web interface from a Comma Separated Values (CSV) file, a STIX file or CISCP indicators. In addition, organizations can export data from Soltra Edge in STIX formatted XML. Soltra has also demonstrated the creation of SNORT [16] rules from threat intelligence data. This was accomplished using a SNORT adapter that has yet to be released.

[11] Additional information on STIX can be found at https://stix.mitre.org and https://github.com/stixproject. Samples of STIX content can be found at https://stix.mitre.org/language/version1.0.1/samples.html
[12] https://stix.mitre.org/about/faqs.html#a1
[13] These definitions are STIX language definitions that were taken directly from http://stix.mitre.org/about/faqs.html#b1
[14] Additional information on TAXII can be found at https://taxii.mitre.org and https://github.com/taxiiproject
[15] Additional information on TLP can be found at https://www.us-cert.gov/tlp
[16] SNORT is an open source, lightweight network intrusion detection system. Additional information on SNORT can be found at https://www.snort.org
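The STIX Observable and Indicator constructs of Section 2.2.1, the TLP colours of Section 2.2.3 and the export of indicator values to firewalls and proxy servers described in Sections 2.1 and 2.3, combined in an added example that is not part of this report or of Soltra Edge: it parses a constructed STIX 1.1.1 package with Python's standard library, resolves package-level and indicator-level TLP markings (treating each Controlled_Structure as covering the whole package or indicator, a simplification of STIX data marking), and returns the domain, URL and IP values a downstream appliance serving a given audience may receive. The package ids, values and markings are constructed for the example.

```python
# Added example (not Soltra Edge code): parse a STIX 1.1.1 package, resolve its
# TLP markings and emit a blocklist for a given audience. Standard library only.
import xml.etree.ElementTree as ET

NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "marking": "http://data-marking.mitre.org/Marking-1",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
    "URIObj": "http://cybox.mitre.org/objects#URIObject-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# CybOX object type (local part of xsi:type) -> (kind, element holding the value);
# these are the three observable types the report saw in the Hail a TAXII feed.
OBJECT_VALUES = {
    "DomainNameObjectType": ("domain", "DomainNameObj:Value"),
    "URIObjectType": ("url", "URIObj:Value"),
    "AddressObjectType": ("ip", "AddressObj:Address_Value"),
}
# TLP as the report defines it (Section 2.2.3), least to most restricted, and the
# most restrictive colour each audience may receive; RED is never passed on.
TLP_RANK = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}
AUDIENCE_LIMIT = {"public": "WHITE", "community": "GREEN", "organization": "AMBER"}

# Constructed sample (not real feed data): package-wide TLP:GREEN marking, with
# the IP watchlist indicator individually restricted to TLP:AMBER.
SAMPLE_PACKAGE = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:marking="http://data-marking.mitre.org/Marking-1"
  xmlns:tlpMarking="http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1"
  xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="example:Package-1" version="1.1.1">
  <stix:STIX_Header><stix:Handling><marking:Marking>
    <marking:Controlled_Structure>//node() | //@*</marking:Controlled_Structure>
    <marking:Marking_Structure xsi:type="tlpMarking:TLPMarkingStructureType" color="GREEN"/>
  </marking:Marking></stix:Handling></stix:STIX_Header>
  <stix:Indicators>
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:Indicator-1">
      <indicator:Title>Domain Watchlist</indicator:Title>
      <indicator:Observable id="example:Observable-1"><cybox:Object>
        <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType" type="FQDN">
          <DomainNameObj:Value condition="Equals">c2.example.invalid</DomainNameObj:Value>
        </cybox:Properties>
      </cybox:Object></indicator:Observable>
    </stix:Indicator>
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:Indicator-2">
      <indicator:Title>IP Watchlist</indicator:Title>
      <indicator:Observable id="example:Observable-2"><cybox:Object>
        <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
          <AddressObj:Address_Value condition="Equals">192.0.2.10</AddressObj:Address_Value>
        </cybox:Properties>
      </cybox:Object></indicator:Observable>
      <indicator:Handling><marking:Marking>
        <marking:Controlled_Structure>../../../descendant-or-self::node()</marking:Controlled_Structure>
        <marking:Marking_Structure xsi:type="tlpMarking:TLPMarkingStructureType" color="AMBER"/>
      </marking:Marking></indicator:Handling>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""


def _tlp_color(elem):
    # TLP colour of the first TLP marking beneath `elem`, or None if absent/unmarked.
    ms = elem.find(".//marking:Marking_Structure", NS) if elem is not None else None
    if ms is None or not ms.get(XSI_TYPE, "").endswith("TLPMarkingStructureType"):
        return None
    return ms.get("color")


def parse_indicators(xml_text):
    # Yield (id, title, kind, value, tlp) for each single-observable indicator. An
    # indicator-level marking overrides the package-level one; Controlled_Structure is
    # assumed to cover the whole package or indicator (a simplification of STIX marking).
    root = ET.fromstring(xml_text)
    package_tlp = _tlp_color(root.find("stix:STIX_Header/stix:Handling", NS))
    for ind in root.findall("stix:Indicators/stix:Indicator", NS):
        props = ind.find("indicator:Observable/cybox:Object/cybox:Properties", NS)
        obj_type = props.get(XSI_TYPE, "").split(":")[-1] if props is not None else ""
        if obj_type not in OBJECT_VALUES:
            continue  # composite indicators and other object types are out of scope
        kind, value_path = OBJECT_VALUES[obj_type]
        tlp = _tlp_color(ind.find("indicator:Handling", NS)) or package_tlp
        title = ind.findtext("indicator:Title", default="", namespaces=NS)
        yield ind.get("id"), title, kind, props.find(value_path, NS).text.strip(), tlp


def shareable(tlp, audience):
    # The report's TLP rules; unmarked data or an unknown audience fails closed.
    limit = AUDIENCE_LIMIT.get(audience)
    return limit is not None and tlp in TLP_RANK and TLP_RANK[tlp] <= TLP_RANK[limit]


def export_blocklist(xml_text, audience, kinds=("domain", "url", "ip")):
    # Values a downstream firewall/proxy serving `audience` is allowed to receive.
    return [(kind, value) for _, _, kind, value, tlp in parse_indicators(xml_text)
            if kind in kinds and shareable(tlp, audience)]
```

Calling export_blocklist(SAMPLE_PACKAGE, "community") yields only the GREEN domain, while "organization" also receives the AMBER address; an unmarked indicator in an unmarked package is never exported.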

3.0 Product Evaluation

This section documents the results of the product evaluation performed. Specifically, it describes the deployed environment, configuring feeds, installing adapters, and an assessment of the solution.

3.1 Deployed Environment

Soltra Edge was downloaded and deployed as a VMware Virtual Machine (VM) in a virtualized lab environment. The initial evaluation was of Soltra Edge 2.1, which was available for download as of 6 February 2015. However, version 2.1.1 of Soltra Edge was released on 24 February 2015. The deployed environment was upgraded to this version so that the evaluation could be completed on the latest release. Version 2.1.1 contains many security updates as well as fixes for member identified bugs. It is worth mentioning that the upgrade process, which is accomplished using yum, was seamless. The successful upgrade of Soltra Edge can be seen in Figure 2.

Figure 2 Soltra Edge Upgrade

3.2 Configured Feeds

Soltra recommends configuring two STIX/TAXII feeds in order to start experimenting with their product. Unfortunately, one of the two recommended feeds, FS-ISAC intelligence, is only available to the FS-ISAC membership. The remaining feed, Hail a TAXII.com, is a repository of Open Source Cyber Threat Intelligence feeds in STIX format. This section of the report documents the steps necessary to configure this feed on Soltra Edge.

The first step in the process of configuring a feed is to add a site. In this case, the Hailataxii.com site was added as illustrated in Figure 3. The Add Site window is accessible through Admin > Sites > Add Site. Figure 4 shows that the site has been added but that no feeds from the site have been configured.

Figure 3 Adding a Site

Figure 4 Site Added

The next step is to configure feeds from the remote site. Figure 5 shows the ten unconfigured feeds available from the hailataxii site. One merely clicks to configure the feed of choice. In this case, the emerging threats feed was selected for configuration. Feeds can be set to update automatically or manually. This is illustrated in Figure 6.

Figure 5 Unconfigured Feeds

Figure 6 Configure Feed

The configured feed can be seen in Figure 7. By clicking on "poll now" the latest threat intelligence information can be downloaded for this feed. The successful completion of this operation can be seen in Figure 8.

Figure 7 Configured Feed

Figure 8 Downloaded Feed

Once a site has been added, a feed configured and the threat intelligence information downloaded for the feed, an examination of the threat intelligence information is possible. Soltra Edge allows administrators to browse the catalog of objects by any of the STIX object types (discussed in Section 2.2.1) including campaigns, courses of action, exploit targets, incidents, indicators, observables, packages, threat actors and TTPs. For example, the indicator catalog, which is simply a list of indicators from the configured feeds, can be seen in Figure 9. The reader will note that of the indicators listed in Figure 9, all but one are domain watchlist / URL watchlist indicators. The remaining indicator is an IP watchlist / URL watchlist indicator. Most indicators are used to denote domains or IPs that have been compromised. Consequently, this information could be used to update firewalls and proxy servers. For each of the indicators listed in the catalog, there is additional information available. A specific indicator can be seen in Figure 10. Apparently, this site is being used as a command and control site for Athena malware. [17]

The observable catalog, which is simply a list of observables from the configured feeds, can be seen in Figure 11. The reader will note that there are three types of observables listed in Figure 11: DomainNameObjectType, URIObjectType and AddressObjectType. Most observables are used to denote observed events in the operational cyber domain. A specific observable can be seen in Figure 12. Unfortunately, aside from a domain name for a botnet site there is no additional information available. This lack of additional information was standard across the observables listed in the catalog from the Hail a TAXII.com feed.

[17] A description of the Athena malware is available at http://www.arbornetworks.com/asert/2013/11/athena-a-ddos-malware-odyssey

Figure 9 Indicator Catalog

Figure 10 Specific Indicator

Figure 11 Observable Catalog

Figure 12 Specific Observable

3.3 Adapters

Soltra has made available two adapters for download on their site. One adapter supports the conversion of CISCP indicators to a STIX list, while the other allows for the import of CSV based threat information. The two adapters were both installed successfully (see Figure 13). However, we were unable to test the CISCP adapter as no CISCP indicator file has been made available for testing. Apparently, US-CERT files are classified TLP Amber, meaning that they cannot be shared publicly. In addition, the CSV adapter failed to import the CSV test file provided; it resulted in an adapter error. Although this problem has been reported to Soltra (by three other members of the forum in two separate forum threads), at the time of writing it had yet to be resolved by Soltra staff. The lack of resolution for this issue is somewhat surprising given that Soltra staff are usually extremely responsive in resolving outstanding issues. The import and preview of the CSV indicators test file can be seen in Figure 14 and Figure 15 respectively.

Figure 13 Adapters Installed

Figure 14 CSV Indicators Import

Figure 15 CSV Indicators Preview

3.4 Assessment

This section of the report assesses Soltra Edge in terms of the following:
Release Cycle;
User Community;
Functionality; and
Alternatives.

3.4.1 Release Cycle

Soltra Edge will eventually be released in two versions: a free community version and a paid version. The free community version, which is the version that is currently available for download, will contain the features most needed by many organizations. This version of Soltra Edge has undergone a number of release cycles in a relatively short period of time, demonstrating Soltra's commitment to the product. Version 2.0 was released on 4 December 2014, version 2.1 on 6 February 2015 and version 2.1.1 on 24 February 2015. The paid version, which will presumably be released once the product has matured, will support the requirements of larger entities. In all likelihood this will create a two tiered solution in which users of the community version are forced to upgrade to the paid version to take advantage of additional functionality.

3.4.2 User Community

The Soltra Edge user community currently has 1720 members who have made in excess of eight hundred posts on the Soltra forum. [18] Given the relative infancy of the product these numbers are quite impressive. Furthermore, the Soltra staff (technical and business) are quite responsive in addressing both technical problems and business related issues.

3.4.3 Functionality

In terms of functionality, Soltra Edge is currently somewhat hindered by its close integration with STIX/TAXII, given the lack of available threat intelligence feeds in this format and the relative lack of security tools/appliances supporting these standards. A list of intelligence providers and security tool vendors that have validated STIX/TAXII implementations and integration with Soltra Edge is available on the Soltra site. [19] Unfortunately, the list, which was last updated on 18 December 2014, is not extensive. The list has also been included as Figure 16. However, it is worth mentioning that the functionality Soltra Edge currently provides in terms of supporting/configuring STIX/TAXII feeds and aggregating/storing threat intelligence information seems to work quite well. Furthermore, the product is quite stable and quite easy to use.

[18] The Soltra Edge forum is available at https://forums.soltra.com
[19] The Soltra Edge STIX/TAXII integrations list is available at https://forums.soltra.com/index.php?/topic/196-vendor-stix-taxii-integrations/

Figure 16: Soltra Edge STIX/TAXII Integrations

3.4.4 Alternatives

This report would be remiss if it did not mention cyber threat intelligence platform alternatives. Specifically, this section of the report will provide a brief overview of the following alternatives to Soltra Edge: Microsoft Interflow; ThreatConnect; and Vorstack Automation and Collaboration Platform (ACP).

3.4.4.1 Microsoft Interflow

Microsoft announced [20] their security and threat information exchange platform for professionals working in cybersecurity, called Microsoft Interflow [21], in June 2014. Unfortunately, since that date there has been very little additional information provided except that the platform is currently available for private preview. Interflow uses industry specifications to create an automated, machine-readable feed of threat and security information that can be shared across industries and groups in near real time. The goal of the platform is to help security professionals respond more quickly to threats. It will also help reduce the cost of defense by automating processes that are currently performed manually. [22] In terms of industry specifications, Interflow will support STIX, TAXII and CybOX. It will also provide a means to feed threat and security information into firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and SIEMs. Interflow will run on the Microsoft Azure public cloud. While the data feeds will be free, organizations will require an Azure subscription to receive them.

3.4.4.2 ThreatConnect

ThreatConnect [23] is a threat intelligence platform that allows an organization to aggregate, analyze, and act on all of the threat intelligence data it receives. While ThreatConnect supports the ingest of multiple data formats, including emerging standards such as STIX, the focus seems to be on integration with commercial threat intelligence feeds (e.g., CrowdStrike's Falcon Intelligence, iSIGHT's ThreatScape, Wapack Labs' ThreatRecon) and products. There is a free community version, along with three paid versions (basic, team and enterprise) of the product. ThreatConnect also supports a variety of deployment models, including on-premises, private cloud and public cloud.

3.4.4.3 Vorstack ACP

Vorstack ACP [24] connects to third-party SIEM and security log management tools (e.g., HP ArcSight, IBM QRadar, RSA Security Analytics, Splunk) to automate the ingestion, querying and reporting of threat intelligence data. Specifically, Vorstack ACP can automate queries against these log management and analytics tools and then correlate the responses against other data points. The product supports STIX/TAXII, even providing a bridge to other software (e.g., Hadoop) so that the software doesn't have to support the standards directly.

[20] This announcement can be found in many places including http://www.darkreading.com/analytics/threat-intelligence/microsoft-unveils-new-intelligence-sharing-platform/d/d-id/1278781 and http://blogs.technet.com/b/msrc/archive/2014/06/23/announcing-microsoft-interflow.aspx
[21] Additional information on the Microsoft Interflow Platform can be found at https://technet.microsoft.com/en-us/library/dn750892.aspx
[22] http://blogs.technet.com/b/msrc/archive/2014/06/23/announcing-microsoft-interflow.aspx
[23] Additional information on ThreatConnect can be found at http://www.threatconnect.com
[24] Additional information on Vorstack ACP can be found at https://vorstack.com

4.0 Conclusion & Recommendations

The Centre for Operational Research and Analysis (CORA), which is a Defence Research & Development Canada (DRDC) research centre for systems analysis and operational research, is in the process of characterizing the threat and building a Department of National Defence (DND) specific cyber threat model. The aggregation of cyber threat intelligence information from a variety of reputable sources and the ability to act on this information are likely to be important aspects of the overall cyber threat model being developed. Soltra Edge is intended to serve as the intelligence hub for an organization, connecting to all threat intelligence communities and providing actionable data back to the organization's environment for integration with internal security tools/appliances. The intent is that Soltra Edge will allow organizations to receive, store and send cyber security threat intelligence automatically, allowing these organizations to better deploy safeguards against a potential cyber attack. To realize these goals, Soltra Edge has been designed to support the STIX/TAXII standards almost exclusively. While this may prove to be the prudent long-term approach, as these standards seem to be gaining a considerable amount of traction, it does limit what can be accomplished in the short term due to the lack of STIX/TAXII threat intelligence feeds and STIX/TAXII-compliant security tools/appliances. It is anticipated that as Soltra Edge matures it will increase its support for commercial feeds and security tools/appliances, thus improving its overall utility as the central threat intelligence hub for an organization.
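To make concrete what "receiving STIX/TAXII intelligence and turning it into actionable data for internal tools" involves, here is an added example that is not part of this report and not Soltra Edge code: it parses a constructed STIX 1.1.1 package (the STIX 1.1 and CybOX 2.1 namespace URIs are real; the indicator values, ids and proxy log format are assumptions) and matches the extracted indicators against constructed log lines, the kind of check a SIEM integration would perform.

```python
import xml.etree.ElementTree as ET

# Constructed STIX 1.1.1 package with one IPv4 and one domain indicator (not real data).
STIX_XML = """<stix:STIX_Package id="example:package-1" version="1.1.1"
 xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2"
 xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
 xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1">
 <stix:Indicators>
  <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
   <indicator:Observable id="example:observable-1"><cybox:Object id="example:object-1">
     <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
      <AddressObj:Address_Value>203.0.113.5</AddressObj:Address_Value>
     </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
  <stix:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
   <indicator:Observable id="example:observable-2"><cybox:Object id="example:object-2">
     <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
      <DomainNameObj:Value>bad.example.net</DomainNameObj:Value>
     </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
 </stix:Indicators>
</stix:STIX_Package>"""

NS = {"AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
      "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1"}

def extract_indicators(xml_text):
    """Collect IP and domain indicator values from a STIX 1.x package (namespace-aware)."""
    root = ET.fromstring(xml_text)
    values = {e.text.strip() for e in root.iterfind(".//AddressObj:Address_Value", NS)}
    values |= {e.text.strip() for e in root.iterfind(".//DomainNameObj:Value", NS)}
    return values

# Constructed proxy log lines; only the first touches a known-bad destination.
LOG_LINES = [
    "2015-03-02T10:01:07Z src=10.0.0.12 dst=203.0.113.5 host=bad.example.net action=allow",
    "2015-03-02T10:01:09Z src=10.0.0.13 dst=198.51.100.7 host=www.example.org action=allow",
]

def match_logs(indicators, lines):
    """Return (log line, indicator) pairs for every exact token match, in indicator order."""
    hits = []
    for line in lines:
        tokens = set(line.replace("=", " ").split())   # key=value fields become tokens
        for ioc in sorted(indicators & tokens):
            hits.append((line, ioc))
    return hits
```

Exact token matching avoids the substring false positives (e.g. 203.0.113.50 matching 203.0.113.5) that a naive `in` check would produce.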
This report makes the following recommendations:

- DRDC should continue to actively monitor Soltra Edge and STIX/TAXII development;
- DRDC should review and analyze the community version of ThreatConnect to ascertain how it compares to Soltra Edge; and
- DRDC should implement a virtualized cyber threat intelligence proof of concept to demonstrate cyber threat intelligence capabilities and how they can be used to automatically configure an organization's security tools/appliances to thwart a cyber attack.

5.0 Acronyms & Abbreviations

ACP      Automation and Collaboration Platform
CAPEC    Common Attack Pattern Enumeration and Classification
CERT     Computer Emergency Readiness Team
CIKR     Critical Infrastructure and Key Response
CISCP    Cyber Information Sharing and Collaboration Program
COA      Courses of Action
CORA     Centre for Operational Research and Analysis
CSV      Comma Separated Values
CybOX    Cyber Observable expression
DHS      Department of Homeland Security
DRDC     Defence Research & Development Canada
DTCC     Depository Trust & Clearing Corporation
FS-ISAC  Financial Services Information Sharing and Analysis Center
HTTP     Hypertext Transfer Protocol
HTTPS    Hypertext Transfer Protocol Secure
IDS      Intrusion Detection System
IOC      Indicators of Compromise
IPS      Intrusion Prevention System
ISAC     Information Sharing and Analytics Center
MAEC     Malware Attribute Enumeration and Characterization
MTA      Mail Transfer Agent
OSINT    Open Source Intelligence
OTX      Open Threat eXchange
RHEL     Red Hat Enterprise Linux
SAWG     Security Automation Working Group
SIEM     Security Incident and Event Management
STIX     Structured Threat Information expression
TAXII    Trusted Automated eXchange of Indicator Information
TLP      Traffic Lightweight Protocol
TTPs     Tactics, Techniques and Procedures
VM       Virtual Machine