© 2013 The MITRE Corporation. All rights reserved. Sean Barnum March 2013 https://stix.mitre.org Sponsored by the US Department of Homeland Security Enabling.

Slides:



Advertisements
Similar presentations
1© Copyright 2011 EMC Corporation. All rights reserved. The Future of the Advance Soc 3rd Annual Privacy, Access and Security Congress, Ottawa, 2012 Mike.
Advertisements

Database Planning, Design, and Administration
Threat Intelligence Use in Information Security: History, Theory and Practice Tim Gallo Cyber Security Field Engineering 1.
Digital Preservation - Its all about the metadata right? “Metadata and Digital Preservation: How Much Do We Really Need?” SAA 2014 Panel Saturday, August.
© 2013 The MITRE Corporation. All rights reserved. Sean Barnum Nov Sponsored by the US Department of Homeland Security PRACTICAL.
S&I Framework Provider Directories Initiative esMD Work Group October 19, 2011.
©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.
 Malicious or unsolicited mail sent to a mailbox without the option to unsubscribe  Often used as a catch-all of any undesired or questionable mail.
L4-1-S1 UML Overview © M.E. Fayad SJSU -- CmpE Software Architectures Dr. M.E. Fayad, Professor Computer Engineering Department, Room #283I.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.
Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
National Institute of Standards and Technology Computer Security Division Information Technology Laboratory Threat Information Sharing; Perspectives, Strategies,
IBM Security Network Protection (XGS)
Lecture Nine Database Planning, Design, and Administration
Maintaining and Updating Windows Server 2008
Mel Pless, Sr. Director, Solutions Consulting Guidance Software, Inc. Let’s Get Right To The Endpoint Leveraging Endpoint Data to Expose,
MSF Testing Introduction Functional Testing Performance Testing.
Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.
TESTING STRATEGY Requires a focus because there are many possible test areas and different types of testing available for each one of those areas. Because.
Chapter 9 Database Planning, Design, and Administration Sungchul Hong.
Database System Development Lifecycle © Pearson Education Limited 1995, 2005.
Overview of the Database Development Process
CTI STIX SC Kickoff Meeting July 16, 2015.
ITEC224 Database Programming
Supplied on \web site. on January 10 th, 2008 Reducing Risk Through Incremental Malware Detection January 2008.
©2014 Bit9. All Rights Reserved Endpoint Threat Prevention Charles Roussey | Sr. Sales Engineer Detection and Response in Seconds.
© 2008 IBM Corporation ® Atlas for Lotus Connections Unlock the power of your social network! Customer Overview Presentation An IBM Software Services for.
Symantec Targeted Attack Protection 1 Stopping Tomorrow’s Targeted Attacks Today iPuzzlebiz
1 © 2004 Cisco Systems, Inc. All rights reserved. Case Study Cisco Unity Voice Messaging Deployment: Communications Strategy November.
UW Parkside Automated Distribution Lists Tutorial & Usage Guidelines C ampus T echnology S ervices.
1 Knowledge & Knowledge Management “Knowledge is power” to “Sharing K is power” Yaseen Hayajneh, PhD.
CTI STIX SC Monthly Meeting August 19, 2015.
Security Innovation & Startup. OPEN THREAT EXCHANGE (OTX): THE HISTORY AND FUTURE OF OPEN THREAT INTELLIGENCE COMMUNITY ALIENVAULT OTX.
Requirements as Usecases Capturing the REQUIREMENT ANALYSIS DESIGN IMPLEMENTATION TEST.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
Unified Modeling Language* Keng Siau University of Nebraska-Lincoln *Adapted from “Software Architecture and the UML” by Grady Booch.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 9 Performing Vulnerability Assessments.
L6-S1 UML Overview 2003 SJSU -- CmpE Advanced Object-Oriented Analysis & Design Dr. M.E. Fayad, Professor Computer Engineering Department, Room #283I College.
1 What is OO Design? OO Design is a process of invention, where developers create the abstractions necessary to meet the system’s requirements OO Design.
.  Define risk and risk management  Describe the components of risk management  List and describe vulnerability scanning tools  Define penetration.
National Information Exchange Model (NIEM) Executive Introduction November 29, 2006 Thomas O’Reilly NIEM Program Management Office.
Conficker Update John Crain. What is Conficker? An Internet worm  Malicious code that is self-replicating and distributed over a network A blended threat.
Metadata By N.Gopinath AP/CSE Metadata and it’s role in the lifecycle. The collection, maintenance, and deployment of metadata Metadata and tool integration.
E-BILLING MOTIVATION. Introduction  E-billing is the electronic delivery of financial documents to the customer, that represents and replaces the conventional.
CTI STIX SC Monthly Meeting October 21, 2015.
CTI CybOX SC Meeting November 19, 2015.
Name Project Management Symposium June 8 – 9, 2015 Slide 1 Susan Hostetter, Reed Livergood, Amy Squires, and James Treat 2015 Project Management Symposium.
CTI STIX SC Status Report October 22, 2015.
CTI STIX SC Monthly Meeting December 23, 2015.
Role Of Network IDS in Network Perimeter Defense.
ICS Area Managers Training 2010 ITIL V3 Overview April 1, 2010.
© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited: The MITRE Corporation TAXII: An Overview.
ECAT 4.1 – Rule Your Endpoints What’s New Customer Overview.
Enterprise’ Ever-Evolving Challenge & Constraints Dealing with BYOD Challenges Enable Compliance to Regulations Stay Current with New Consumption Models.
How to Make Cyber Threat Intelligence Actionable
Proactive Incident Response
Cybersecurity Information Sharing Act of 2015(CISA) and Automated Indicator Sharing (AIS) Presentation is about 45 minutes with 15 Q&A.
Understanding and Utilizing the ISP Analysis Process
Cyber Threat Intelligence Sharing Standards-based Repository
Modeling Cyberspace Operations
11/17/2018 9:32 PM © Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN.
Chapter 1 Database Systems
Briefing on STIX | TAXII
Data Model.
Database Systems Instructor Name: Lecture-3.
CVE.
Coordinated Security Response
Chapter 1 Database Systems
CTI STIX SC Monthly Meeting
Fortify YOUR Defense with CyberSponse Adaptive Security
Presentation transcript:

© 2013 The MITRE Corporation. All rights reserved. Sean Barnum March Sponsored by the US Department of Homeland Security Enabling Structured Cyber Threat Intelligence and Information Sharing

© 2013 The MITRE Corporation. All rights reserved. Recon Weaponize Deliver Exploit Control Execute Maintain Diverse and evolving threats Need for holistic threat intelligence Proactive & reactive actions Balance inward & outward focus Information sharing

© 2013 The MITRE Corporation. All rights reserved. Cyber threat information (particularly indicators) sharing is not new Typically very atomic and very limited in sophistication IP lists, File hashes, URLs, addresses, etc. Most sharing is unstructured & human-to-human Recent trends of machine-to-machine transfer of simple/atomic indicators STIX aims to enable sharing of more expressive indicators as well as other full- spectrum cyber threat information. Information Sharing

© 2013 The MITRE Corporation. All rights reserved. Cost to Adversary Trivial/cheap to hop between IP addresses Slightly more expensive to hop between domains Difficult & expensive: Changing tactics and procedures to evade behavioral detection | 4 || 4 |

© 2013 The MITRE Corporation. All rights reserved. What is STIX? Support automationConsistencyClarity Language Specify Cyber Threat Information Community-driven CaptureCharacterizeCommunicate | 5 || 5 |

© 2013 The MITRE Corporation. All rights reserved. STIX provides a common mechanism for addressing structured cyber threat information across and among this full range of use cases improving consistency, efficiency, interoperability, and overall situational awareness. STIX Use Cases

© 2013 The MITRE Corporation. All rights reserved. What is “Cyber (Threat) Intelligence?” Consider these questions:  What activity are we seeing?  What threats should I look for on my networks and systems and why?  Where has this threat been seen?  What does it do?  What weaknesses does this threat exploit?  Why does it do this?  Who is responsible for this threat?  What can I do about it? 7 | 7 || 7 |

© 2013 The MITRE Corporation. All rights reserved. | 8 || 8 |

| 9 || 9 |

| 10 |

© 2013 The MITRE Corporation. All rights reserved. | 11 |

© 2013 The MITRE Corporation. All rights reserved. | 12 |

© 2013 The MITRE Corporation. All rights reserved. | 13 |

© 2013 The MITRE Corporation. All rights reserved. | 14 |

© 2013 The MITRE Corporation. All rights reserved. | 15 |

© 2013 The MITRE Corporation. All rights reserved. | 16 |

© 2013 The MITRE Corporation. All rights reserved. What you are looking for Why were they doing it? Who was doing it? What were they looking to exploit? What should you do about it? Where was it seen? What exactly were they doing? | 17 | Why should you care about it?

© 2013 The MITRE Corporation. All rights reserved.  Initial implementation has been done in XML Schema  Ubiquitous, portable and structured  Concrete strawman for community of experts  Practical structure for early real-world prototyping and POC implementations  Plan to iterate and refine with real-world use  Next step will be a formal implementation-independent specification  Will include guidance for developing XML, JSON, RDF/OWL, or other implementations Implementations

© 2013 The MITRE Corporation. All rights reserved.  Utilities to enable easier prototyping and usage of the language.  Utilities consist of things like:  Language (Python) bindings for STIX, CybOX, MAEC, etc.  High-level programmatic APIs for common needs/activities  Conversion utilities from commonly used formats & tools  Comparator tools for analyzing language-based content  Utilities supporting common use cases  E.g. _to_CybOX utility supporting phishing analysis & management  Open communities on GitHub (STIXProject, CybOXProject & MAECProject) Enabling Utilities

© 2013 The MITRE Corporation. All rights reserved. Still in its early stages but already generating extensive interest and initial operational use Adoption & Usage

© 2013 The MITRE Corporation. All rights reserved.  Trusted Automated eXchange of Indicator Information  The goal of TAXII is to facilitate the exchange of structured cyber threat information  Designed to support existing sharing paradigms in a more automated manner  TAXII is a set of specifications defining the network-level activity of the exchange  Defines services and messages to exchange data  Does NOT dictate HOW data is handled in the back-end, WHAT data is shared or WHO it is shared with  TAXII is NOT a sharing program What is TAXII?

© 2013 The MITRE Corporation. All rights reserved. Still in its early stages but already generating extensive interest and initial operational use ► Actively being considered by several information sharing communities ► Active interest from several large “user” organizations ► Active interest from some service/product vendors Adoption & Usage

© 2013 The MITRE Corporation. All rights reserved. A sampling of some of the organizations contributing to the STIX conversation includes: | 23 |

© 2013 The MITRE Corporation. All rights reserved.  Make it easier for people to understand and use STIX  Improve documentation  Develop supporting utilities  Provide collaborative guidance  Gather feedback  Refine and extend the language based on feedback and needs Current Focus

© 2013 The MITRE Corporation. All rights reserved.  CybOX v2.0, STIX v1.0 & TAXII v1.0 coming early April  DHS CISCP plans to output content in STIX/CybOX by late March  Conducting sharing pilots utilizing STIX/TAXII to gain operational feedback | 25 | Coming Milestones

© 2013 The MITRE Corporation. All rights reserved.  Currently phishing analysis is very slow and manual  Limits the volume of that can be analyzed  Slows ability to respond to high-risk threats  Limits the ability to share information in an actionable form  Structuring the information enables more automation  Significantly increase analysis volume  Ability to respond to high-risk threats at machine speed  Enable active sharing of actionable information  Free the human analyst to focus on the “harder” stuff Phishing Use Case Example

© 2013 The MITRE Corporation. All rights reserved. 1. A suspicious is received by an individual within organization XXX. 2. The recipient forwards it to for analysis by the XXX.YYY threat analysis 3. The received in the Inbox is automatically processed with the _to_CybOX utility in the  A comprehensive package of structured CybOX content is generated which characterizes the suspicious including some derivative automated background analysis. Potential STIX-enabled Phishing Analysis

© 2013 The MITRE Corporation. All rights reserved.  The package includes the following Observable Objects with all of the appropriate defined relationships between them:  a fully structured representation of the itself (CybOX _Message object)  for each attachment:  a structured capture of the raw file itself (CybOX Artifact object)  a structured characterization of the properties of the file (CybOX File object)  for each URL/link embedded in the itself:  a structured capture of the URL (CybOX URI object)  a structured capture of the domain name of the URL (CybOX URI object)  a structured capture of the results of a WHOIS lookup performed on the domain name (CybOX WHOIS object)  a structured capture of a DNS Queries (Type A & AAAA Records) run on the domain name (CybOX DNSQuery objects)  a structured capture of the DNS Records (Type A & AAAA Record) resulting from the DNS Queries run on the domain name (CybOX DNSRecord objects)  a structured capture of the resolving IP addresses for the domain name resulting from the DNS Queries (CybOX Address object) _to_CybOX Structured Output

© 2013 The MITRE Corporation. All rights reserved. Fw:Draft US-China Joint Statement T12:48:50+08:00 multipart/mixed; boundary=90e6ba10b0e7fbf25104cdd9ad Microsoft CDO for Windows Message Object

© 2013 The MITRE Corporation. All rights reserved. Message Object (cont.)

© 2013 The MITRE Corporation. All rights reserved. MD5 cf2b3ad32a8a4cfb05e9dfc45875bd70 JVBERi0xLjUNCiW1tbW1DQoxIDAgb2JqDQo8PC9UeXBlL0NhdGFsb2cvUGFnZXMgMiAwIFIvTGFuZyhlbi1VUykgL1N0cnVjdFRyZWVSb290IDEwNyAwIFIvTWFya0l uZm88PC9NYXJrZWQgdHJ1ZT4+Pj4NCmVuZG9iag0KMiAwIG9iag0KPDwvVHlwZS9QYWdlcy9Db3VudCAyMC9La … Artifact Object

© 2013 The MITRE Corporation. All rights reserved. Joint_Statement.pdf pdf MD5 cf2b3ad32a8a4cfb05e9dfc45875bd70 File Object

© 2013 The MITRE Corporation. All rights reserved. URL Object

© 2013 The MITRE Corporation. All rights reserved. state.gov Domain Name Object

© 2013 The MITRE Corporation. All rights reserved. state.gov AAAA IN DNS Query Object

© 2013 The MITRE Corporation. All rights reserved. state.gov 2001:428:d400:4:72:166:186:151 AAAA 8180 id opcode QUERY rcode NOERROR flags QR RD RA ;QUESTION state.gov. IN AAAA ;ANSWER state.gov. 5 IN AAAA 2001:428:d400:4:72:166:186:151 ;AUTHORITY ;ADDITIONAL DNS Record Object

© 2013 The MITRE Corporation. All rights reserved. 2001:428:d400:4:72:166:186:151 IP Address Object

© 2013 The MITRE Corporation. All rights reserved. state.gov OK WHOIS Object

© 2013 The MITRE Corporation. All rights reserved. 4. List of s submitted to are structured and prioritized (based on reputation analysis or other policy-driven maliciousness characterization) analysis results of the are presented to the Automates the first steps of analysis that must be performed on each and shortens response time for real threats by enabling the analyst to work on likely malicious issues first. 5. Analyst can leverage structured representations to quickly query if this or similar have been seen before or sent to others within XXX. 6. Analyst reviews suspicious and any related s (including shared Indicators), identifies unique characteristics, and captures them in an appropriate Observables (CybOX) pattern. In this example, the analyst creates a pattern for any from an address with the domain name “state.gov” and with a PDF file attached that has a size of bytes and an MD5 hash= cf2b3ad32a8a4cfb05e9dfc45875bd70. Potential STIX-enabled Phishing Analysis (Continued)

© 2013 The MITRE Corporation. All rights pdf MD5 cf2b3ad32a8a4cfb05e9dfc45875bd70 Observable Pattern

© 2013 The MITRE Corporation. All rights reserved.  Type  Name  Description  Valid Time Window  Observable Pattern  Indicated TTP  ExploitTarget  Kill Chains  Suggested Courses of Action (COAs)  Handling  Confidence  Sightings  Producer /Indicator:Indicator /Indicator:Indicator/Indicator:SuggestedCOAs/Indicator:Suggest Remedy Block Redirect and quarantine new matching Prevent future instances of similar phishing attempts from reaching targeted recipients in order to eliminate possibility of compromise from targeted recipient falling for phishing lure. … Response Malicious Cleanup Remove existing matching from the mail servers Cleanup any known malicious s from mail servers (potentially in Inboxes, Sent folders, Deleted folders, etc.) to prevent any future exploitation from those particular s. … MITRE T09:30:47Z T09:30:47Z T09:30:47Z This is a cyber threat indicator for instances of "US-China" phishing attempts. "US-China" Phishing Indicator Phishing Attempt Create STIX Indicator

© 2013 The MITRE Corporation. All rights reserved.  Time  Granular set of Incident lifecycle timestamps  Description  Roles (Reporter, Responder, Coordinator, Victim)  Affected Assets  Impact Assessment  Related Indicators  Leveraged TTP  Related Threat Actors  Intent  Discovery Method  Related Incidents  COA Requested / COA Taken  Confidence  Contact  History If Phishing Lure was Executed, Create a STIX Incident

© 2013 The MITRE Corporation. All rights reserved.  Campaign  Names  Intent  Related TTPs  Related Incidents  Related Indicators  Attribution  Associated Campaigns  Confidence  Activity  Information Source  ThreatActor  Identity  Intent  Observed TTPs  Historical Campaigns  Associated Actors  Handling  Confidence  Information Source Potentially Package with Content on Suspected Campaign & ThreatActor

© 2013 The MITRE Corporation. All rights reserved.  All of this information can then easily be shared with trusted partners via TAXII Sharing Phishing Information

© 2013 The MITRE Corporation. All rights reserved.  STIX Website (whitepapers, documentation, schemas, etc.)   STIX GitHub site (bindings, APIs, utilities)   STIX Discussion List   TAXII Website (whitepapers, specifications, etc.)   TAXII Discussion List   TAXII GitHub site (bindings, APIs, utilities, implementations)   Questions   Where to Learn More

© 2013 The MITRE Corporation. All rights reserved. We want you to be part of the conversation. Orient on the Adversary! | 46 |

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.