STIX & TAXII Analyzing and Sharing Cyber Threat Intelligence

Similar documents
Attackers are reusing attacks (because they work)

Standardizing Cyber Threat Intelligence Information with the Structured Threat Information expression (STIX )

The Third Rail: New Stakeholders Tackle Security Threats and Solutions

Common Attack Pattern Enumeration and Classification CAPEC A Community Knowledge Resource for Building Secure Software

Cyber Security Summit 2015

Analytic and Predictive Modeling of Cyber Threat Entities J. Wesley Regian, Ph.D.

Sample Usage of TAXII

A Funny Thing Happened On The Way To OASIS: From Specifications to Standards

Eight Essential Elements for Effective Threat Intelligence Management May 2015

Software & Supply Chain Assurance: Mitigating Risks Attributable to Exploitable ICT / Software Products and Processes

The MANTIS Framework Cyber-Threat Intelligence Mgmt. for CERTs Siemens AG All rights reserved

Automate the Hunt. Rapid IOC Detection and Remediation WHITE PAPER WP-ATH

The New ROI: Results Oriented Intel. David Amsler, Founder

SHARING THREAT INTELLIGENCE ANALYTICS FOR COLLABORATIVE ATTACK ANALYSIS

Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense

Anatomy of Cyber Threats, Vulnerabilities, and Attacks

Threat Intelligence: An Essential Component of Cyber Incident Response. Jeanie M Larson, CISSP-ISSMP, CISM, CRISC

Sophisticated Indicators for the Modern Threat Landscape: An Introduction to OpenIOC

After the Attack: RSA's Security Operations Transformed

81% of participants believe the government should share more threat intelligence with the private sector.

Separating Signal from Noise: Taking Threat Intelligence to the Next Level

cyber Threat Intelligence - A Model for the 21st Century

Where every interaction matters.

Threat Intelligence is Dead. Long Live Threat Intelligence!

Threat Intelligence UPDATE: Cymru EIS Report. cymru.com

Information Security Services

Obtaining Enterprise Cybersituational

Cloud Services Prevent Zero-day and Targeted Attacks Tom De Belie Security Engineer. [Restricted] ONLY for designated groups and individuals

BREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Symantec Cyber Security Services: DeepSight Intelligence

Security Analytics for Smart Grid

ESG Threat Intelligence Research Project

Cyber Threat Intelligence: Has to Be a Better Way

Threat Intelligence Buyer s Guide

The Department of Homeland Security The Department of Justice

Cloud Services Prevent Zero-day and Targeted Attacks

FROM INBOX TO ACTION AND THREAT INTELLIGENCE:

PENETRATION TESTING GUIDE. 1

A Funny Thing Happened On The Way To OASIS: From Specifications to Standards

US-CERT Year in Review. United States Computer Emergency Readiness Team

The Advanced Attack Challenge. Creating a Government Private Threat Intelligence Cloud

Secure Content Automation Protocol (SCAP): How it is increasingly used to automate enterprise security management activities

Post-Access Cyber Defense

SOMEBODY'S WATCHING YOU! Maritime Cyber Security White Paper. Safeguarding data through increased awareness

All about Threat Central

The session is about to commence. Please switch your phone to silent!

Protecting Your Organisation from Targeted Cyber Intrusion

Department of Homeland Security

WHITE PAPER: THREAT INTELLIGENCE RANKING

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

Threat Intelligence: Friend of the Enterprise

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

Presented by Evan Sylvester, CISSP

OpenTPX 2015 LookingGlass Cyber Solutions Inc.

Cyber Threat Intelligence and Incident Coordination Center (C 3 ) Protecting the Healthcare Industry from Cyber Attacks

RSA Security Anatomy of an Attack Lessons learned

DYNAMIC DNS: DATA EXFILTRATION

SOLUTION PRIMER. Rafal Los Director, Solutions Research Office of the CISO, Accuvant. James Robinson Director, Information Security, Accuvant

North Dakota 2013 IT Security Audit Vulnerability Assessment & Penetration Test Project Briefing

Cisco Advanced Malware Protection for Endpoints

How To Mitigate A Ddos Attack

UNCLASSIFIED. Briefing to Critical Infrastructure Sector Organizations on the Canadian Cyber Incident Response Centre (CCIRC)

Enhancing Security for Next Generation Networks and Cloud Computing

Soltra edge open cyber intelligence platform report

3-5 Cybersecurity Information Exchange Techniques: Cybersecurity Information Ontology and CYBEX

SECURITY TRENDS & VULNERABILITIES REVIEW 2015

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Bad Romance: Three Reasons Hackers <3 Your Web Apps & How to Break Them Up

Improving Cyber Security Risk Management through Collaboration

Analyzing Targeted Attacks through Hiryu An IOC Management and Visualization Tool. Hiroshi Soeda Incident Response Group, JPCERT/Coordination Center

Science of Cybersecurity

Cisco Advanced Malware Protection for Endpoints

Cyber Security Management

SPEAR-PHISHING ATTACKS

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

How To Test For Security On A Network Without Being Hacked

Cloud and Critical Infrastructures how Cloud services are factored in from a risk perspective

Threat Intelligence: The More You Know the Less Damage They Can Do. Charles Kolodgy Research VP, Security Products

Proactive Vulnerability Management Using Rapid7 NeXpose

Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness

Managed Incident Lightweight Exchange (MILE)

Fostering Incident Response and Digital Forensics Research

Backoff: New Point of Sale Malware. 31 July National Cybersecurity and Communications Integration Center

An Enterprise Continuous Monitoring Technical Reference Architecture

Analysis of Network Beaconing Activity for Incident Response

Management (CSM) Capability

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Advancing Cyber Security Using System Dynamics Simulation Modeling for System Resilience, Patching, and Software Development

I N T E L L I G E N C E A S S E S S M E N T

A New Approach to Assessing Advanced Threat Solutions

Security Intelligence Services.

Palo Alto Networks. October 6

Enterprise Security Platform for Government

Penetration Testing Guidelines For the Financial Industry in Singapore. 31 July 2015

IBM Security Strategy

How Attackers are Targeting Your Mobile Devices. Wade Williamson

Testimony of Matthew Rhoades Director Cyberspace & Security Program Truman National Security Project & Center for National Policy

ENISA s Study on the Evolving Threat Landscape. European Network and Information Security Agency

EEI Business Continuity. Threat Scenario Project (TSP) April 4, EEI Threat Scenario Project

Transcription:

STIX & TAXII Analyzing and Sharing Cyber Threat Intelligence

What are STIX and TAXII? A language for modeling and representing cyber threat intelligence. A protocol for exchanging cyber threat intelligence. 1

STIX and TAXII are International Standards STIX and TAXII were developed by DHS and MITRE in conjunction with major collaboration partners from: US Government Financial Sector Critical Infrastructure Sector International industry and government As of 2015, both have transitioned to OASIS in the newly formed Cyber Threat Intelligence Technical Committee 2

Structured Threat Information Expression Structured language for automation A language for modeling and representing cyber threat intelligence. Designed for sharing and analysis Active community of developers and analysts International standard in OASIS 3

Current Status STIX 1.2 is the latest published version Published by DHS/MITRE XML Schemas STIX 1.2.1 will be published by OASIS Nearly identical to STIX 1.2 Will include text specifications, UML, and XML schemas STIX 2.0 is currently in development JSON-based Published by OASIS Will include more comprehensive text specifications and UML 4

STIX 1.2 Architecture 5

STIX 1.2 Architecture - ZOOM 6

7 Observable Instances of events and objects that have been seen in cyberspace (and) Patterns for events and objects that might be seen in cyberspace

8 Observable 90+ Object Types Files (names, hashes, ) Addresses (IP, e-mail, domains, ) E-mails (subject, sender, attachments,...) Registry Keys Patterning support Wildcards Compositional logic Events (e.g. File A downloads File B)

9 Examples IP 192.168.1.4 Hash d99a74fbe169e3eba0 Traffic 192.168.1.4 -> 10.10.1.1 Filename Pattern Email Regex File/File_Name [Contains] bad.exe Email/Subject [Matches] BAD.+STUFF

10 XML IP Address: Email Subject Pattern:

11 Indicator Pattern* for something you might see and what it means if you see it Patterns are represented using CybOX What it means is represented via a TTP or Campaign Also includes context, such as potential courses of action, timeframes, and likely impact

12 Examples C2 Malware Phishing 1.2.3.x = C2 for Actor Z h99a74 = PIVY v423 E-mail from x@x = phishing

13 XML

14 Incident Information about a cybersecurity investigation or incident. Victim identity Impacted assets and business functions Attribution to a threat actor or campaign Leveraged TTPs (malware, attack patterns, etc) Indicators that detected it Exploit targets that were used to gain entry Times and actions

15 Examples Basic APT System XYZ has PIVY Systems 3,4,7 owned by ACME, Inc. have malware. APT31 is suspected.

16 XML

17 Tactics, Techniques, and Procedures (TTP) Adversary behavior and resources, including malware, attack patterns, exploits, infrastructure, tools, personas, & targeting. Includes information about intended effect Malware is extensible via MAEC Though all used through the TTP construct, should only be used individually i.e. do not combine one TTP with both a malware instance and an attack pattern

18 Examples Malware PIVY Variant Attack SQL Injection Targeting Retail Sector Infrastructure C2 Server = 1.23.4.5

19 XML: Malware

20 XML: Targeting

21 Exploit Target Vulnerabilities, weaknesses, and misconfigurations in infrastructure that make it vulnerable to attack Includes references to CVE, CCE, and CWE Extension for CVRF Like TTP, only use it for one at a time

22 Examples Vulnerability Weakness Heartbleed (CVE-2014-0160) Improper String Handling (CWE-89)

23 XML

24 Campaign Pattern of ongoing activity with a common purpose or goal Pattern of ongoing activity is primarily via relationships Incidents Indicators TTPs Includes intended effect Distinct from threat actor

25 Examples APT Crime Campaign against U.S. industry Campaign against systems at big box retailers

26 XML

27 Threat Actor Information about threat actor groups and individuals Includes: Extensive identity information via OASIS CIQ Assessments of maturity, intent, and resources Distinct from campaign

28 Examples Individual Group ID Info KDZ-23, Amateur/Crime APT1, APT Nationality: American

29 XML

30 Course of Action Preventative or reactive responses to threat activity Includes: Assessments of cost, efficacy, etc. Structured COA to represent machine-readable courses of action Often used from incident or indicator Incident to represent

31 Examples Preventative Reactive Install patch MSKB-234 Clean the box and rebuild

32 XML

33 Report A collection of content related to a single subject Includes: References to the content included in the report Title, description, author, and other metadata Used to represent analysis reports and other types of threat reports

34 Examples Major Report Standard Report Mandiant s APT1 Report IB-4232

35 XML

Example: Retailer Malware You re a threat analyst at a major retailer, STB, Inc. One of your front line employees complains about weird errors. Upon investigating, IT finds BP.trojan on their system. Your CTI system pulls up a report from US-CERT attributing that variant to Ugly Duckling. They also indicate that BlackPOS is often used by that actor and give a file hash and response options. Your investigation with that data uncovers several more infestations. Additionally, you discover a new variant of BlackPOS with a different hash. 36

Information Sharing What do you share? STIX lets you choose what to share and what not to share and lets you relate it all together 37

Trusted, Automated Exchange of Indicator Information Automated machine-tomachine sharing over HTTP Supports a wide variety of sharing models Active community of developers and analysts A protocol for exchanging cyber threat intelligence. Becoming international standard in OASIS 38

39 What is TAXII? Standardizes exchange of cyber threat information A set of specifications any software can implement TAXII is NOT A specific sharing program but sharing programs can use it Software but software can use it to share information Mandate particular trust agreements or sharing instead, use it to share what you want with the parties you choose

40 Flexible Sharing Models Most sharing models are variants of these three basic models TAXII can support participation in any of these models or multiple models simultaneously Subscriber Subscriber Peer D Peer C Subscriber Source Subscriber Peer E Peer A Peer B Spoke (Consumer & Producer) Spoke (Producer only) Spoke (Consumer only) Hub Spoke (Consumer & Producer)

41 TAXII Features Minimal requirements imposed on data consumers Does not require data consumers to field internet services or establish a particular security capability Minimal data management requirements on data producers Does not require use of particular data management technologies or constrain how producers manage access to their data Flexible sharing model support Does not force a particular sharing model on users Appropriately secure communication Supports multiple security mechanisms without forcing adoption of unnecessary measures Push and Pull content dissemination Users can exchange data using either or both models Flexible protocol and message bindings Does not require a particular network protocol or message format

42 TAXII Services TAXII defines four Services Discovery A way to learn what services an entity supports and how to interact with them Collection Management A way to learn about and request subscriptions to Data Collections Inbox A way to receive pushed content (push messaging) Poll A way to request content (pull messaging) Each service is optional implement only the ones you wish You can have multiple instances of each service Services can be combined in different ways for different sharing models

43 Hub & Spoke Example Discovery Collect. Manage. Poll Inbox Client Get connection info Pull recent data from the hub Spoke 1 Subscribe to data collections Hub Push recent data to a spoke Spoke 4 Spoke 2 Push new data to the hub Spoke 3

STIX & TAXII Analyzing and Sharing Cyber Threat Intelligence

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information