Copyright 2014 Splunk Inc.
Threat Intelligence: STIX and Stones Will Break Your Foes
Fred Wilmot, Director, Global Security Practice
Brad Lindow (a.k.a. Superman), Global Security Strategist, Splunk
Disclaimer
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Fred Wilmot
Director, Global Security Practice
(fred Securityczar)@splunk.com
Electric Mayhem @fewdisc
Strategy
- Drives Security Practice strategy globally
- Works on Splunk's hardest security use cases
- Visualization and analytics using Splunk
- Solves strategic product/implementation challenges
Research
- Digital forensics / assessment tools
- Social risk / user behavior modeling
- ML / advanced statistical analysis
- Threat intelligence
Product
- Influence product strategy for security content and features in the field and through the factory
Brad Lindow
Global Security Strategist
blindow@splunk.com
Minister of Justice, a.k.a. Superman
Former attorney, current attending SecPrax Legal, Dr. Strangepork
- Worked with some of the largest computing environments in the world: Orbitz, Department of Commerce, a consulting organization, and Sears
- Global Security Strategist for Splunk
- Drive customer success and security innovation around Splunk's products, customers, partners and the worldwide security community
Research
- Threat intelligence
- Enterprise Security
- Hadoop security use cases
Agenda
- Threat intelligence today
- Challenges with today's threat intelligence
- What should next generation threat intelligence look like?
- How can you utilize these threat intelligence sources despite their complexity?
- SPLICE: Splunk's solution for IOC threat intelligence
- SPLICE demo
Today's Threat Landscape
- You've all heard this many times before (and you probably live it), but:
  - Bad guys are getting more sophisticated and organized
  - It's getting increasingly difficult to defend
  - Tools, tactics and procedures change during the course of campaign attacks
- We need to move quicker and share information
  - Bad guys are watching us and we need to be watching them
  - Threat intelligence is old in a week
  - Triaging multiple sources of threat intel makes them hard to action on YOUR data
This is where threat intelligence comes in
Current Threat Intelligence
- Some intelligence sharing is happening, but:
  - Limited in detail and simplistic (lists, spreadsheets)
  - Human readable only
  - Derived from various sources (.xls, .pdf, RSS, XML objects, e-mail)
  - Intel not leveraged fast enough in the SOC
  - Not leveraged historically AND in real time
  - Requires manicuring (watchlists aren't good forever)
  - No context to any other indicator
  - Shortage in talented analysts reduces kill chain visibility
Watchlists of 10,000 IP addresses or hashes are not enough; we need context
External Threat Intelligence Sources: Open-Source and Commercial Offerings
- OSINT
- Dell SecureWorks
- Verisign iDefense
- Symantec DeepSight
- McAfee Threat Intelligence
- SANS
- CVEs, CWEs, OSVDB (vulns)
- iSIGHT Partners
- ThreatStream
- OpenDNS
- Palo Alto WildFire
- CrowdStrike
- AlienVault OTX
- Recorded Future
- Team Cymru
- ISACs / US-CERT
- FireEye/Mandiant
- Vorstack
- cyberunited
- Norse IPViking/Darklist
Internal Threat Intelligence Sources: Providing Context for Security
- Directory user information (personal e-mail, access, user privilege, start/end date)
- Proxy information (content)
- DLP and business unit risk (trade secrets / IP-sensitive docs)
- IT case history / ticket tracking
- Malware detection / AV alerts
- Sensitive business roles
- Application usage and consumption events (in-house)
- Database usage / access monitoring (privileged)
- Entitlements / access outliers (in-house)
- User behavior association based on geography, frequency, uniqueness, and privilege
Challenges Interacting with Threat Intel
(figure: threat intel sources arranged on a scale from "most complete" to "least complete")
Next Generation Threat Intelligence
- In today's threat landscape, threat intelligence using structured indicators of compromise (IOC) should enable:
  - Automatic consumption and parsing (at least largely)
  - Shareable IOCs, internally and externally
  - Normalization of key indicators
  - Contextual enrichment for data in Splunk
  - Creation of STIX objects from internal threat intelligence and incidents
  - Efficient use of internal threat intelligence as context sources
  - Multiple chains of indicators increase urgency for investigation
  - Indicators with deeper meaning than a list of IP addresses
Threat Intelligence Standards
- STIX - Structured Threat Information eXpression
  - A standardized language utilizing XML to represent structured cyber threat information. Conveys the full range of potential cyber threat information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible.
- TAXII - Trusted Automated eXchange of Indicator Information
  - Transport mechanism for cyber threat information represented as STIX. Through the use of TAXII services, organizations can share cyber threat information in a secure and automated manner.
- OpenIOC - Open sourced schema from Mandiant
  - An extensible XML schema that enables you to describe the technical characteristics that identify a known threat, an attacker's methodology, or other evidence of compromise.
Interacting with IOCs in Splunk
(figure; labels visible: MILE, VERIS)
Interacting with threat IOCs in Splunk (current)
(figure captions)
- Predominant in confidential information-sharing associations
- Predominant in the vendor and researcher world; lots of useful data available on the public internet
- Start with the most widely adopted
Example of STIX object...
<stix:Observables cybox_major_version="2" cybox_minor_version="1">
  <cybox:Observable id="mandiant:observable-b7013416-7e77-4078-a0bd-a33b49c7cb2f">
    <cybox:Object>
      <cybox:Properties xsi:type="FileObj:FileObjectType">
        <FileObj:Hashes>
          <cyboxCommon:Hash>
            <cyboxCommon:Type>MD5</cyboxCommon:Type>
            <cyboxCommon:Simple_Hash_Value>b305b543da332a2fcf6e1ce55ed2ea79</cyboxCommon:Simple_Hash_Value>
          </cyboxCommon:Hash>
        </FileObj:Hashes>
      </cybox:Properties>
    </cybox:Object>
  </cybox:Observable>
  <cybox:Observable id="mandiant:observable-749eea4e-2812-4b4d-bba9-4292bedc05a2">...
Raw IOC (screenshot)
Splunking IOCs with SPLICE
What is SPLICE?
- SPLICE is a free Splunk App that enables you to easily consume IOCs (STIX, CybOX, OpenIOC) and use them to quickly evaluate your own environment for potential security issues
- SPLICE installs like any other Splunk App and just requires an instance of MongoDB on the search head
- Splice is installed on
- Get Splice RIGHT NOW by following @SplunkSec at https://twitter.com/splunksec
How can SPLICE help you?
- Facilitates automated IOC consumption
- Provides you richer threat intelligence data
- Provides the intel in Splunk to correlate with all of your other data
- Provides searching, reporting and visualization capabilities
- Enables less experienced personnel to utilize the data
- Reduces the complexity of IOCs to atomic, consumable indicators
How does it reduce the complexity?
- Splunk has chosen to initially reduce the IOC surface area to atomic indicators for usability and to allow for more flexibility in IOC analytics
- Splunk has also partnered with FS-ISAC (who have also chosen the same approach) to integrate with their Avalanche product for IOC federation and collaboration
SPLICE Supported Indicators
- Supports STIX 1.1 (more than 80 objects!)
  - FileObjectType (hash values, file names)
    - Examples: 64ef07ce3e4b420c334227eecb3b3f4c or virus.exe
  - DomainNameObjectType (domains, URLs)
    - Examples: malicious1.example.com or http://malicious1.example.com/clickme.html
  - URIObjectType (domains, URLs)
    - Examples: http://malicious1.example.com/clickme.html or ftp://badfiles.example.com/data.txt
  - AddressObjectType (IP addresses)
    - Example: 1.2.3.4
- (STIX 1.0 not supported)
SPLICE Supported Indicators
- Supports CybOX 2.1
  - Same indicators as STIX
- Supports OpenIOC 1.0, 1.1
SPLICE Architecture
1. SPLICE consumes IOCs (STIX, CybOX, OpenIOC) through either a monitored directory path or via TAXII (including Avalanche)
2. IOCs are parsed and the atomic indicators (along with the raw IOC) are stored in MongoDB
3. Security analyst uses the Splice Splunk App to search, report, visualize and alert on the IOCs
*currently tested on Linux only
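Step 2 above is where the nested STIX/CybOX XML (like the "Example of STIX object" slide) is reduced to the atomic indicators SPLICE stores. The following Python is an added example written for this page, not SPLICE's own parser: using only the standard library it walks every cybox:Observable in a STIX 1.1 package, recognizes the four object types listed on the "Supported Indicators" slide, splits CybOX multi-valued fields, and emits one (object_id, value_type, value) record per value. The namespace URIs are the published STIX 1.1 / CybOX 2.1 ones; the embedded package is constructed for the example (its example:* ids are made up, the hash, domain, URL and IP values are the ones quoted in the slides), and the value_type labels are this example's own naming, not SPLICE's MongoDB schema.

```python
import xml.etree.ElementTree as ET

# Namespace URIs as published for STIX 1.1 / CybOX 2.1 (not assumptions).
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
    "URIObj": "http://cybox.mitre.org/objects#URIObject-2",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
DELIM = "##comma##"  # CybOX default delimiter for multi-valued fields

# Object types carrying a single value element: xsi:type -> (path, value_type label).
# The value_type labels are this example's own naming, not SPLICE's schema.
SINGLE_VALUE = {
    "DomainNameObjectType": ("DomainNameObj:Value", "domain-name"),
    "URIObjectType": ("URIObj:Value", "uri"),
}

# Constructed STIX 1.1 package for the example; the example:* ids are made up.
SAMPLE_STIX = """<stix:STIX_Package id="example:Package-1" version="1.1"
    xmlns:stix="http://stix.mitre.org/stix-1" xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
    xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <stix:Observables cybox_major_version="2" cybox_minor_version="1">
    <cybox:Observable id="example:observable-1"><cybox:Object id="example:object-1">
      <cybox:Properties xsi:type="FileObj:FileObjectType">
        <FileObj:File_Name>virus.exe</FileObj:File_Name>
        <FileObj:Hashes><cyboxCommon:Hash>
          <cyboxCommon:Type>MD5</cyboxCommon:Type>
          <cyboxCommon:Simple_Hash_Value>b305b543da332a2fcf6e1ce55ed2ea79</cyboxCommon:Simple_Hash_Value>
        </cyboxCommon:Hash></FileObj:Hashes>
      </cybox:Properties></cybox:Object></cybox:Observable>
    <cybox:Observable id="example:observable-2"><cybox:Object id="example:object-2">
      <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
        <AddressObj:Address_Value apply_condition="ANY">1.2.3.4##comma##5.6.7.8</AddressObj:Address_Value>
      </cybox:Properties></cybox:Object></cybox:Observable>
    <cybox:Observable id="example:observable-3"><cybox:Object id="example:object-3">
      <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
        <DomainNameObj:Value>malicious1.example.com</DomainNameObj:Value>
      </cybox:Properties></cybox:Object></cybox:Observable>
    <cybox:Observable id="example:observable-4"><cybox:Object id="example:object-4">
      <cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
        <URIObj:Value>http://malicious1.example.com/clickme.html</URIObj:Value>
      </cybox:Properties></cybox:Object></cybox:Observable>
  </stix:Observables>
</stix:STIX_Package>"""


def _emit(records, object_id, value_type, raw):
    """Split a possibly multi-valued CybOX field and append one record per value."""
    for value in (raw or "").split(DELIM):
        value = value.strip()
        if value:
            records.append({"object_id": object_id, "value_type": value_type, "value": value})


def extract_atomic_indicators(stix_xml):
    """Flatten the Observables of a STIX 1.1 package into atomic indicator records."""
    root = ET.fromstring(stix_xml)
    records = []
    for obs in root.iter("{%s}Observable" % NS["cybox"]):
        obj = obs.find("cybox:Object", NS)
        props = obs.find("cybox:Object/cybox:Properties", NS)
        if obj is None or props is None:
            continue  # composite/nested observables are not flattened in this example
        object_id = obj.get("id") or obs.get("id")
        xsi_type = props.get(XSI_TYPE, "").split(":")[-1]
        if xsi_type == "FileObjectType":
            _emit(records, object_id, "file-name", props.findtext("FileObj:File_Name", None, NS))
            for h in props.findall("FileObj:Hashes/cyboxCommon:Hash", NS):
                htype = (h.findtext("cyboxCommon:Type", "", NS) or "unknown").lower()
                hval = (h.findtext("cyboxCommon:Simple_Hash_Value", "", NS) or "").lower()
                _emit(records, object_id, "hash-" + htype, hval)
        elif xsi_type == "AddressObjectType":
            # category separates ipv4-addr, ipv6-addr, e-mail, ...; the CybOX default is ipv4-addr
            _emit(records, object_id, props.get("category", "ipv4-addr"),
                  props.findtext("AddressObj:Address_Value", None, NS))
        elif xsi_type in SINGLE_VALUE:
            path, value_type = SINGLE_VALUE[xsi_type]
            _emit(records, object_id, value_type, props.findtext(path, None, NS))
        # Any other of the 80+ CybOX object types is passed over by this example.
    return records


if __name__ == "__main__":
    for rec in extract_atomic_indicators(SAMPLE_STIX):
        print("%(object_id)s  %(value_type)-12s %(value)s" % rec)
```

Keeping the originating object id on every atomic record is what lets a later hit be traced back to the raw IOC (the iocdisplay step on the following slides); the `##comma##` split matters because a single Address_Value element can legitimately carry a whole list of addresses.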
Using SPLICE: Searching your data with iocsearch
sourcetype=access_combined_wcookie | iocsearch map="clientip:ipv4-addr" | search ioc_indicators_count>0 | `parse_ioc_indicators_json`
(screenshot)
Using SPLICE: Searching IOCs with iocfilter
iocfilter regex="1.2.3.4"
(screenshot)
Using SPLICE: Retrieve the full raw IOC data with iocdisplay
iocdisplay object_id="example:object-12c760ba-cd2c-4f5d-a37d-18212eac7928"
(screenshot)
Using SPLICE: Statistics about ingested IOCs with iocstats
iocstats stat=list
(screenshot)
Using SPLICE: Export atomic indicators as a CSV with iocexportcsv
iocexportcsv value_type="ipv4-addr" alias="ip" directory="/tmp" filename="myiplist.csv"
(screenshot)
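The iocsearch pipeline above maps an event field onto an indicator value type (clientip onto ipv4-addr), counts the indicators each event hits, and then keeps only events with ioc_indicators_count>0. The Python below is an added example written for this page, not SPLICE's implementation, that reproduces that logic offline over Apache combined-format lines: the indicator table, the example:* object ids, the addresses and the log events are all constructed; referer_host is a field derived by this example (not one Splunk extracts by default) so that a second mapping, onto domain-name indicators, can be shown in the same pass; and the field names ioc_indicators / ioc_indicators_count are taken from the slide's search string, not from knowledge of iocsearch's actual output.

```python
import re
from urllib.parse import urlsplit

# Constructed atomic-indicator table: value_type -> value -> ids of the IOC objects that
# contained the value. Everything in it is made up for this example.
INDICATORS = {
    "ipv4-addr": {
        "1.2.3.4": ["example:object-0001"],
        "10.0.0.9": ["example:object-0002", "example:object-0003"],
    },
    "domain-name": {
        "malicious1.example.com": ["example:object-0004"],
    },
}

# Apache "combined" log format, the layout Splunk's access_combined sourcetype expects.
ACCESS_COMBINED = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<useragent>[^"]*)"'
)

# Constructed sample events: two clients whose address is an indicator, one client referred
# from an indicator domain, one clean event and one line that is not an access log at all.
SAMPLE_LOGS = [
    '1.2.3.4 - - [10/Oct/2014:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [10/Oct/2014:13:55:40 -0700] "GET /login HTTP/1.1" 302 512 '
    '"http://malicious1.example.com/clickme.html" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2014:13:56:02 -0700] "POST /api HTTP/1.1" 500 0 "-" "curl/7.37.0"',
    '203.0.113.7 - - [10/Oct/2014:13:56:10 -0700] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    'this line is not an access log event',
]

# Same shape as map="clientip:ipv4-addr" on the slide, plus this example's derived referer_host.
DEFAULT_MAP = {"clientip": "ipv4-addr", "referer_host": "domain-name"}


def parse_event(line):
    """Extract combined-format fields; returns None for lines that do not parse."""
    m = ACCESS_COMBINED.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    # "-" (no referer) has no hostname, so this becomes "" and cannot match anything.
    fields["referer_host"] = (urlsplit(fields["referer"]).hostname or "").lower()
    return fields


def ioc_search(events, indicators=INDICATORS, field_map=DEFAULT_MAP):
    """Annotate each parseable event with the indicators its mapped fields hit."""
    out = []
    for line in events:
        fields = parse_event(line)
        if fields is None:
            continue
        matches = []
        for field, value_type in field_map.items():
            value = fields.get(field)
            for object_id in indicators.get(value_type, {}).get(value, []):
                matches.append({"field": field, "value_type": value_type,
                                "value": value, "object_id": object_id})
        fields["ioc_indicators"] = matches
        fields["ioc_indicators_count"] = len(matches)
        out.append(fields)
    return out


def ioc_hits(events, indicators=INDICATORS, field_map=DEFAULT_MAP):
    """Equivalent of appending '| search ioc_indicators_count>0' to the pipeline."""
    return [ev for ev in ioc_search(events, indicators, field_map)
            if ev["ioc_indicators_count"] > 0]


if __name__ == "__main__":
    for ev in ioc_hits(SAMPLE_LOGS):
        ids = sorted({m["object_id"] for m in ev["ioc_indicators"]})
        print(ev["clientip"], ev["ioc_indicators_count"], ",".join(ids))
```

The count is per event, so a single address that appears in several IOC objects (10.0.0.9 above) scores higher than one seen in a single object, which is the simplest form of the "multiple chains of indicators increase urgency" idea from the next-generation slide; the object ids carried on each match are what you would hand to iocdisplay to pull the raw IOC back up.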
Demo Time!
SPLICE Challenges
- SPLICE has been largely tested against public datasets; requires more sample data
- Some IOCs cannot be converted due to parser errors
- STIX libraries, framework, and other standards are still works in progress in the community
SPLICE Future
- Next steps:
  - Support additional indicators
  - Improved dashboards and default searches
  - Export Splunk content as a STIX object
  - Utilize TAXII to serve IOC data FROM Splunk
  - Better Enterprise Security integration
  - Improved features around how closely data matches IOCs
  - Improved support for additional indicators
How you can get involved
We are looking for feedback to further enhance SPLICE
- Download Splice and play with it! Tell us what you want and how you want Splice or IOCs to interoperate with your data.
- Get a demo of how Splice works from the Security Practice
- GIVE US FEEDBACK! security@splunk.com is a perfect way!
- Support the STIX community: https://github.com/stixproject
Summary
- The threat landscape is rapidly changing; threat data from yesterday may not be valuable today
- Threat intelligence provides context, but formats and diversity limit adoption to the lowest common denominator
- Traditional things like IP lists are ineffective without context
- IOCs through STIX give us context
- SPLICE gives you a way to utilize IOCs across your Splunk data today
- Get Splice RIGHT NOW by following @SplunkSec at https://twitter.com/splunksec
Questions?
THANK YOU