© 2013 The MITRE Corporation. All rights reserved. Sean Barnum Nov 2013 Sponsored by the US...
-
Upload
phoebe-hopkins -
Category
Documents
-
view
223 -
download
0
Transcript of © 2013 The MITRE Corporation. All rights reserved. Sean Barnum Nov 2013 Sponsored by the US...
© 2013 The MITRE Corporation. All rights reserved.
Sean Barnum
Nov 2013
https://stix.mitre.org
Sponsored by the US Department of Homeland
Security
PRACTICAL CYBER THREAT INTELLIGENCE WITH STIX
© 2013 The MITRE Corporation. All rights reserved.
Recon
Weaponize
Deliver
Exploit
Control
Execute
Maintain
Diverse and evolving threats
Need for holistic threat intelligence
Proactive & reactive actions
Balance inward & outward focus
Information sharing
Standardized
Threat Representati
on
© 2013 The MITRE Corporation. All rights reserved.
Cyber threat information (particularly indicators) sharing is not new
Typically very atomic and very limited in sophistication IP lists, File hashes, URLs, email addresses, etc.
Most sharing is unstructured & human-to-human
Recent trends of machine-to-machine transfer of simple/atomic indicators
STIX aims to enable sharing of more expressive indicators as well as other
full-spectrum cyber threat information.
Information Sharing
© 2013 The MITRE Corporation. All rights reserved.
A language for the characterization and communication of cyber threat information– NOT a sharing program, database, or tool
…but supports all of those uses and more
Developed with open community feedback
Supports– Clear understandings of cyber threat information– Consistent expression of threat information– Automated processing based on collected intelligence– Advance the state of practice in threat analytics
What is STIX?
© 2013 The MITRE Corporation. All rights reserved.
STIX provides a common mechanism for addressing structured cyber threat information across and among this full range of use cases improving consistency, efficiency,
interoperability, and overall situational awareness.
STIX Use Cases
© 2013 The MITRE Corporation. All rights reserved.
What is “Cyber (Threat) Intelligence?”
Consider these questions: What activity are we seeing?
What threats should I look for on my networks and systems and why?
Where has this threat been seen?
What does it do?
What weaknesses does this threat exploit?
Why does it do this?
Who is responsible for this threat?
What can I do about it?6
| 6 |
© 2013 The MITRE Corporation. All rights reserved.
What you are looking forWhy were they doing it?
Who was doing it? What were they
looking to exploit?
What should you do about
it?
Where was it seen?
What exactly were they
doing?
| 16 |
Why should you care about it?
Expressing Relationships
17
“Bad Guy”
ObservedTTP
Backdoor
Infrastructure
Badurl.com, 10.3.6.23, …
“BankJob23”
RelatedTo
Indicator-985
Observables
MD5 hash…
RelatedTo
RelatedTo
CERT-2013-03…
Indicator-9742Observables
Malware
Email-Subject: “Follow-up”
Pamina Republic Army
Unit 31459
Associated ActorLeet
Electronic Address
Initial Compromise
Indicator Observable
Spear Phishing Email
Establish FootholdObserved TTP
Observed TTP
WEBC2
MalwareBehavior
Escalate PrivilegeObserved TTP
Uses Tool
Uses Tool
cachedump
lslsass
MD5:d8bb32a7465f55c368230bb52d52d885
Indicator
Observed TTP
InternalReconnaissance
Attack Patternipconfignet view net group “domain admins”
Observed TTP
ExfiltrationUses Tool
GETMAIL
Targets
KhaffeineBronxistanPerturbiaBlahniks. . .
LeveragesInfrastructure
IP Range:172.24.0.0-112.25.255.255
C2 Servers
Observable
Sender: John SmithSubject: Press Release
Expressing Relationships in STIX
| 19 |
Data Markings, Profiles and Privacy
STIX leverages an abstract data markings approach
– Enables marking of content data down to the field level with any number of custom marking models
– Current default model implementations exist for Traffic Light Protocol (TLP) and Enterprise Data Header (EDH)
Profiles can be defined to specify relevant subsets of the language
– Can be used to scope what information is exchanged between parties, what capabilities a tool or service provides, or to support differential policies on different types of information
Addressing privacy with STIX
– Structured representation assists in explicitly delineating types of information
– Profiles assist in explicit design-time specification of scoping policy around data with potential privacy implications
– Data markings assist in explicit implementation-time labeling of content based on policy around potential privacy implications
© 2013 The MITRE Corporation. All rights reserved.
© 2013 The MITRE Corporation. All rights reserved.
Initial implementation has been done in XML Schema Ubiquitous, portable and structured
Concrete strawman for community of experts
Practical structure for early real-world prototyping and POC implementations
Plan to iterate and refine with real-world use
Next step will be a formal implementation-independent specification Will include guidance for developing XML, JSON, RDF/OWL,
or other implementations
Implementations
© 2013 The MITRE Corporation. All rights reserved.
Utilities to enable easier prototyping and usage of the language.
Utilities consist of things like: Language (Python) bindings for STIX, CybOX, MAEC, etc. High-level programmatic APIs for common needs/activities Conversion utilities from commonly used formats & tools Comparator tools for analyzing language-based content STIX-to-HTML Stixviz (simple visualization tool) Utilities supporting common use cases
E.g. Email_to_CybOX utility supporting phishing analysis & management
Open communities on GitHub (STIXProject, CybOXProject & MAECProject)
Enabling Utilities
© 2013 The MITRE Corporation. All rights reserved.
© 2013 The MITRE Corporation. All rights
reserved.
Still in its early stages but already generating extensive interest and initial operational use
Actively being worked by numerous information sharing communities
Initial operational use by several large “user” organizations
Actively being worked by numerous service/product vendors
Adoption & Usage
© 2013 The MITRE Corporation. All rights reserved.
Make it easier for people to understand and use STIX
Improve documentation
Develop supporting utilities
Provide collaborative guidance
Gather feedback
Refine and extend the language based on feedback and needs
Recent Focus
© 2013 The MITRE Corporation. All rights reserved.
Current Versions
CybOX 2.0.1, MAEC 4.0.1, STIX 1.0.1 (Sep 2013)
Near Term
CybOX 2.1 (EOY 2013)
MAEC 4.1, STIX 1.1 (January 2014)
Mid Term
CybOX 3.0, MAEC 5.0, STIX 2.0 (Summer 2014)
Long Term
Transition to international standards bodies (EOY 2014-2015)
Timelines
© 2013 The MITRE Corporation. All rights reserved.
STIX Website– Contains official releases and other info– http://stix.mitre.org/
Sign up for the STIX Discussion and Announcement mailing lists– http://stix.mitre.org/community/registration.html
Open issues can be discussed on GitHub– https://github.com/STIXProject
STIX-related software can be found on GitHub– https://github.com/STIXProject/python- stix– https://github.com/STIXProject/ Tools
Related sites– https://cybox.mitre.org/– https://maec.mitre.org/– https://capec.mitre.org/– https://taxii.mitre.org/
For more information
© 2013 The MITRE Corporation. All rights reserved.
© 2013 The MITRE Corporation. All rights reserved.
https://stix.mitre.org
We want you to be part of the conversation.
Orient on the Adversary!| 28
|
© 2013 The MITRE Corporation. All rights reserved.
Trusted Automated eXchange of Indicator Information (TAXII)
Defines services and messages for sharing cyber threat info Not bound to one sharing architecture
– Composable TAXII services support many sharing models– Support push or pull sharing– Do not force data consumers to host network services
Enable (but don’t require) authentication/encryption Do not dictate data handling
– TAXII handles transport; storage & access control left to back-end
Core services and data models are protocol/format neutral– Binding specs standardize TAXII’s use of specific
protocols/formats– Users not forced to use one protocol or format
Convey any data (not just STIX)
© 2013 The MITRE Corporation. All rights reserved.
Open community led by DHS and coordinated by MITRE
© 2013 The MITRE Corporation. All rights reserved.
TAXII 1.0
TAXII 1.0 Specifications– TAXII Overview
Defines the primary concepts of TAXII
– TAXII Services Specification = core services and exchanges– TAXII Message Binding = how to express messages in a format
TAXII 1.0 has an XML Message Binding
– TAXII Protocol Binding = how to transmit message over the network TAXII 1.0 has an HTTP (and HTTPS) Message Binding
TAXII core services– Discovery – Indicates how to communicate with other services– Feed Management – Identify and manage subscriptions to data feeds– Poll – Support pull messaging– Inbox – Receive pushed messages
© 2013 The MITRE Corporation. All rights reserved.
© 2013 The MITRE Corporation. All rights reserved.
Research identified three primary sharing models:– Source/subscriber– Peer-to-peer– Hub and spoke
TAXII supports all three
Identified Sharing Models
© 2013 The MITRE Corporation. All rights reserved.
Source
Subscriber
Subscriber Subscriber
Subscriber
Peer E
Peer D Peer C
Peer B
Peer A
Hub
Spoke(Consumer only)
Spoke(Consumer &
Producer)
Spoke(Producer only)
Spoke(Consumer
& Producer)
© 2013 The MITRE Corporation. All rights reserved.
Simple Hub & Spoke Example
© 2013 The MITRE Corporation. All rights reserved.
PollInbox
HubSpoke 1
Spoke 2
Spoke 3
Spoke 4
Client
Push data to the hub
Pull data from the
hub
© 2013 The MITRE Corporation. All rights reserved.
Hub & Spoke Example
© 2013 The MITRE Corporation. All rights reserved.
Discovery PollInbox
Feed Manage
.
HubSpoke 1
Spoke 2
Spoke 3
Spoke 4
Get connection
info
Subscribe to data feeds
Client
Push new data to the
hub
Pull recent data from the
hub
Push recent data to a
spoke
© 2013 The MITRE Corporation. All rights reserved.
Peer-to-Peer Example
© 2013 The MITRE Corporation. All rights reserved.
Inbox
Client
Peer 1
Peer 5
Peer 2
Peer 4
Peer 3
© 2013 The MITRE Corporation. All rights reserved.
RID-T Example
© 2013 The MITRE Corporation. All rights reserved. For internal MITRE use
Peer 1
Peer 5
Peer 2
Peer 4
Peer 3
Inbox
Client
© 2013 The MITRE Corporation. All rights reserved.
TAXII Website– Contains official releases and other info– http://taxii.mitre.org/
Sign up for the TAXII Discussion and Announcement mailing lists– http://taxii.mitre.org/community/registration.html
Open issues can be discussed on GitHub– https://github.com/TAXIIProject/TAXII-Specifications
TAXII-related software can be found on GitHub– https://github.com/TAXIIProject
Related sites– https://stix.mitre.org/
For more information
© 2013 The MITRE Corporation. All rights reserved.