The MITRE Corporation Federated Analysis of Cyber Threats (FACT) · 2015-09-03 · MITRE, cyber...
Transcript of The MITRE Corporation Federated Analysis of Cyber Threats (FACT) · 2015-09-03 · MITRE, cyber...
© 2015 The MITRE Corporation. All rights reserved.
Jackson Wynn
Federated Analysis of Cyber Threats (FACT)Capstone Overview
The MITRE Corporation
July 2015
One of five U.S. Air Force Air and Space Operations Centers (AOCs)
http://www.mitre.org/publications/project-stories/smaller-computer-footprint-
in-air-force-operations-centers-boosts-effectiveness
Approved for Public Release: 15-2008. Distribution Unlimited.
| 2 |
© 2015 The MITRE Corporation. All rights reserved. Approved for Public Release
Federated Analysis of Cyber Threats (FACT)
Explores the exchange of cyber threat intelligence developed
from cyber incident analysis and response
– Exchange of threat indicators and adversary TTPs among mission
partners
– Cyber incident reporting
– Mitigation best practices released to acquisition organizations
– Distribution of cyber playbook and mission model data
Imports and exports cyber threat intelligence in an industry-
standard XML format (STIXTM)
Approved for Public Release: 15-2008
Distribution Unlimited.
| 3 |
© 2015 The MITRE Corporation. All rights reserved. Approved for Public Release
Modeling the Decision Lifecycle:Observe, Orient, Decide, Act (OODA)1 Loop
The time from initial indicator to response is a Key Performance Parameter (KPP)
“In order to win, we should operate at a faster tempo or rhythm than our
adversaries...” Col John Boyd2
2Boyd, J., “Patterns of Conflict”, presentation, December 1986. http://www.dnipogo.org/boyd/patterns_ppt.pdf
1Observe, Orient, Decide, Act (OODA) loop: https://en.wikipedia.org/wiki/OODA_loop
| 4 |
© 2015 The MITRE Corporation. All rights reserved. Approved for Public Release
OODA Loops in Cyber Incident Handling
CJCSM 6510.01B
NIST SP800-61r2
Short turn
OODA Loop
Long turn
OODA Loop
Automated response: milliseconds, seconds, minutes
Operations response: hours, days, weeks
Acquisition response: months, years, decades
OODA Loop
Response
Timeframes
| 5 |
© 2015 The MITRE Corporation. All rights reserved. Approved for Public Release
FACT Tool Use Cases
Tool support for Information Security Analysis Teams (ISATs)
– Support identification of TTPs and potential mission impacts with a tempo
that allows mitigations to be enacted without disrupting mission operations
– Respond to intrusions more effectively using team structures that leverage
federated analysis capabilities, enabled through information sharing
Reachback to leverage national assets that provide malware analysis and
reverse engineering, coordinated response, etc.
http://cybersecuritydojo.com/2015/03/28/
U.S. Army Cyber CommandNavy Cyber Defense Operations Command
http://www.defense.gov/news/newsarticle.aspx?id=119470
| 6 |
© 2015 The MITRE Corporation. All rights reserved. Approved for Public Release
FACT Operational Context
Audit and Logging Cyber Incident Analysis
and Response
Trouble ticketing
and IT Support
SIEM repository
of alert and
event infoRemedyFACT
Continuous Monitoring
Cyber Threat
Intelligence Sharing
Threat
Indicators
Mitigation Best
Practices
FACT Capstone ScopeIncident Data
| 7 |
© 2015 The MITRE Corporation. All rights reserved. Approved for Public Release
MITRE-Developed Tools Integrated into FACT:CRITS, CyCS, and TARA
CRITS CyCS TARA Playbook
Collaborative
Research into Threats
(CRITS) Used to analyze SIEM and
sensor data to identify and
correlate cyber threat
indicators with campaigns
(intrusion sets) and threat
actors
Cyber Command
System (CyCS)Used to assess mission
impact based on a mission
model reflecting the
mission’s functional
decomposition and
allocation to cyber
resources
Threat Assessment
and Remediation
Analysis (TARA)
Used to store cyber threat
indicators, adversary TTPs,
and defensive
countermeasures to
support analysis of threats
and selection of alternative
Courses of Action (COAs)
in response to cyber
incidents
| 8 |
© 2015 The MITRE Corporation. All rights reserved. Approved for Public Release
Tool Functional Integration
CRITS
Playbook
CyCS
View
transition
Data
exchange
Denotes
Incident
Analysis
Incident
Response
Indicator
Adversary
TTPs
COAs
Playbook
Training
Event containing
indicators,
IP addresses,
campaign, etc.
| 9 |
© 2015 The MITRE Corporation. All rights reserved. Approved for Public Release
FACT “As Is” Architecture
CRITSCyCS
TARA
Operator Browser
Ubuntu VM Windows VMOpen
LDAP
Events
Threat indicators
Adversary TTPs, Courses
of Action (COAs)
PlaybookMongo
DB
https
Mission and
resource
dependencies,
etc.
Adversary TTPs,
COAsCOA Best
Practices
Mission
ModelIncidents
Incident dataThreat
indicators,
actors,
campaigns,
events, etc.
| 10 |
© 2015 The MITRE Corporation. All rights reserved. Approved for Public Release
STIXTM as a Unifying Data Model
The STIXTM Data Modelhttp://stix.mitre.org/
Maintained, imported,
exported in CRITS
Maintained, exported
from CyCS
Maintained, imported,
exported in TARA
Legend
CRITS, CyCS, and TARA each support subsets of the STIXTM data model,
making STIXTM a unifying influence in the integration of these tools
| 11 |
© 2015 The MITRE Corporation. All rights reserved. Approved for Public Release
Benefits
Faster operator response to cyber-attack, with better understanding of mission impacts and mitigations
– Use of CRITS facilitates correlation of threat indicators with known bad actors and targeted cyber resources.
– Integration of CRITS with CyCS expands awareness of the potential mission impact(s) resulting from compromise of cyber resources.
– Use of a playbook promotes systematic analysis of alternative courses of actions (COAs) when responding to cyber threats
Long term objective to establish a federated repository of cyber threat intelligence that can be shared within the DoD community
– Sharing of cyber threat intelligence with mission partners is prerequisite to development of proactive cyber defensive strategies
– Use of industry standard data models and exchange formats (STIXTM) promotes interoperability with commercial products
Acquisition of more resilient systems that implement “tried and true” mitigations for real-world cyber attacks
– Mitigation best practices applied operationally can inform acquisition community of potential gaps and areas for improvement
| 12 |
© 2015 The MITRE Corporation. All rights reserved. Approved for Public Release
CyCS
ISAT Use of FACT Tools in Cyber Incident Analysis and Response
CRITS
CRITS
Cyber Threat
IntelligenceFiltered SIEM log data
Cyber
Playbook
Intelligence analyst
Watch List
Maintenance
Mission ModelMission and resource
dependencies
Campaign data Threat indicators,
campaigns, threat actors
Incident Management
Targeted resource(s)
Tradecraft details, e.g., threat
indicators, attribution, etc.
Adversary TTP(s)
Mission Impacts
Alternative COAs
COA selected
Cyber security analyst
Threat Data Correlation
and Attribution
SIEM
Continuous Monitoring Function
Remedy
Intelligence analyst
Cyber Threat
Sharing
Cyber security analyst
Root cause analysis,
Mission impact analysis,
Forensic analysis
Incident Manager
COA Selection and
Incident Report
Production
Cyber security analyst
Mission Dependency
AnalysisIncident Manager
Trouble Ticket
Creation
Guidance for
Acquisitions
Incident Manager
Incident Trends
Analysis
Threat Model Indicators,
Adversary TTPs,
Countermeasures
Cyber security analyst
Cyber Threat Modeling
CRITS
CRITS
Indicator Watch List