Transcript of: Cyberattack Analysis and Information Sharing in the U.S.

Page 1:

© 2013 The MITRE Corporation. All rights reserved.

Sean Barnum

February 2013

Sponsored by the US Department of Homeland Security

Cyberattack Analysis and Information Sharing in the U.S.

Promoting the sharing and utilization of the Analyzed Information

Page 2:

Recon → Weaponize → Deliver → Exploit → Control → Execute → Maintain

Diverse and evolving threats

Need for holistic threat intelligence

Proactive & reactive actions

Balance inward & outward focus

Information sharing

Page 3: Challenges of Cyber Threat Information Sharing

► Sharing is always possible but “active and effective” sharing requires overcoming some challenges

► Social Challenges

  ► Who do you trust? (sharing in and sharing out)

  ► The value of sharing even with competitors

► Legal/Regulatory Challenges

  ► Privacy, secret government info, international sharing, etc.

► Technical Challenges (“useful and usable” info sharing)

  ► Tower of Babel (many different formats)

  ► Automation (machine speed)

  ► Deconflate sensitive info from shareable info

  ► How to actually share what you want to share

Standardized Threat Representation

Page 4: Cyber Threat Information Sharing

Cyber threat information (particularly indicators) sharing is not new

Typically very atomic and very limited in sophistication: IP lists, file hashes, URLs, email addresses, etc.

Most sharing is unstructured & human-to-human

Recent trends of machine-to-machine transfer of simple/atomic indicators

STIX aims to enable sharing of more expressive indicators as well as other full-spectrum cyber threat information.

Page 5: Cost to Adversary

Trivial/cheap to hop between IP addresses

Slightly more expensive to hop between domains

Difficult & expensive: Changing tactics and procedures to evade behavioral detection

Page 6: Evolution of Standardized Representations for Threat

Vulnerabilities → Weaknesses → Attack Patterns → Malware Behavior → Cyber Observables → Threat Indicators ?

IDXWG community of Threat Intel and Incident Response experts begins working on defining a standard representation for cyber threat indicators

Based on: What is an Indicator?

Community iterated on scope

Defined Indicator scope as a part of broader cyber threat information architecture

Structured threat information architecture evolved into STIX

Page 7: What is STIX?

Terms shown on the slide: Language; Specify; Cyber Threat Information; Community-driven; Capture, Characterize, Communicate; Support automation, Consistency, Clarity

Page 8: STIX Use Cases

STIX provides a common mechanism for addressing structured cyber threat information across and among this full range of use cases, improving consistency, efficiency, interoperability, and overall situational awareness.

Page 9: What is “Cyber (Threat) Intelligence?”

Consider these questions:

What activity are we seeing?

What threats should I look for on my networks and systems and why?

Where has this threat been seen?

What does it do?

What weaknesses does this threat exploit?

Why does it do this?

Who is responsible for this threat?

What can I do about it?

Page 10:

Page 11:

Page 12: What is a cyber observable?

A measurable event or stateful property in the cyber domain

– Some measurable events: a registry key is created, a file is deleted, an HTTP GET is received, …

– Some stateful properties: MD5 hash of a file, value of a registry key, existence of a mutex, …

Cyber Observable eXpression (CybOX) is a standardized language for encoding and communicating information about cyber observables (http://cybox.mitre.org)

Page 13: What sort of basic things can you do with CybOX?

Almost every field is optional. This means you can use whatever is appropriate and ignore the rest.

Layered typing structure enabling flexible use

Built-in extensibility mechanisms

Can specify and characterize a wide range of cyber objects

Can specify and characterize dynamic cyber events & actions

Can specify and characterize complex actions

Can define relational and logical compositions of multiple objects, actions, events and/or observables

Define a wide myriad of potential observable pattern variations

– at the logical composition level or

– utilizing patterns at the Object attribute level including Equals, Contains, IsInRange, IsInSet, Regex, etc.

all of which allow the user to define an almost infinitely variable set of patterns and filters
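The stateful properties from page 12 and the attribute-level conditions and logical compositions from this page, worked through in an added example (constructed here, not code from the CybOX project or its Python bindings): a small evaluator that applies Equals, Contains, IsInRange, IsInSet and Regex to a snapshot of observed host properties and composes the results with AND/OR. The attribute names, sample values and the tuple-based pattern structure are this example's own assumptions.

```python
import re
from typing import Any, Dict, Tuple

# Constructed host snapshot of stateful properties (placeholder values, not real indicators).
# Attribute names loosely follow CybOX object/field naming but are this example's own.
OBSERVED: Dict[str, Any] = {
    "File.Hashes.MD5": "0123456789abcdef0123456789abcdef",
    "File.Size_In_Bytes": 48128,
    "WinRegistryKey.Value": "C:\\Users\\Public\\updater.exe",
    "WinMutex.Name": "Global\\ExampleMutex_0001",
}


def match_condition(condition: str, observed: Any, expected: Any) -> bool:
    """Apply one attribute-level condition named on the slide to an observed value."""
    if observed is None:          # attribute absent from the snapshot: no match
        return False
    if condition == "Equals":
        return observed == expected
    if condition == "Contains":
        return str(expected) in str(observed)
    if condition == "IsInRange":  # expected is an inclusive (low, high) pair
        low, high = expected
        return low <= observed <= high
    if condition == "IsInSet":
        return observed in expected
    if condition == "Regex":
        return re.search(expected, str(observed)) is not None
    raise ValueError(f"unknown condition: {condition}")


# Pattern grammar (constructed): a leaf is (attribute, condition, expected);
# a logical composition is ("AND" | "OR", [sub-patterns]).
def evaluate(pattern: Tuple, snapshot: Dict[str, Any]) -> bool:
    """Recursively evaluate a pattern against a snapshot of observed properties."""
    if len(pattern) == 2 and pattern[0] in ("AND", "OR"):
        operator, children = pattern
        hits = [evaluate(child, snapshot) for child in children]
        return all(hits) if operator == "AND" else any(hits)
    attribute, condition, expected = pattern
    return match_condition(condition, snapshot.get(attribute), expected)


# Constructed indicator: a watched file hash, OR a suspicious mutex name together
# with a registry value that points into a user-writable directory.
INDICATOR = ("OR", [
    ("File.Hashes.MD5", "IsInSet", {"0123456789abcdef0123456789abcdef", "0" * 32}),
    ("AND", [
        ("WinMutex.Name", "Regex", r"^Global\\ExampleMutex_\d{4}$"),
        ("WinRegistryKey.Value", "Contains", "\\Users\\Public\\"),
    ]),
])

if __name__ == "__main__":
    print("indicator matched:", evaluate(INDICATOR, OBSERVED))
```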


Page 14: CybOX v1.0 Objects

■ Account ■ Address ■ API ■ Artifact ■ Code ■ Device ■ Disk ■ Disk Partition ■ DNS Query ■ DNS Record ■ DNS Cache ■ Email Message ■ File ■ GUI ■ GUI Dialog Box ■ GUI Window ■ HTTP Session ■ Library ■ Linux Package ■ Memory ■ Mutex ■ Network Connection ■ Network Flow ■ Network Packet ■ Network Route Entry ■ Network Route

■ Network Subnet ■ Pipe ■ Port ■ Process ■ Product ■ Semaphore ■ Socket ■ System ■ Unix File ■ Unix Network Route Entry ■ Unix Pipe ■ Unix Process ■ Unix User Account ■ Unix Volume ■ URI ■ User Account ■ User Session ■ Volume ■ Whois ■ Win Computer Account ■ Win Critical Section ■ Win Driver ■ Win Event ■ Win Event Log

■ Win Executable File ■ Win File ■ Win Handle ■ Win Kernel ■ Win Kernel Hook ■ Win Mailslot ■ Win Memory Page Region ■ Win Mutex ■ Win Network Route Entry ■ Win Pipe ■ Win Network Share ■ Win Prefetch ■ Win Process ■ Win Registry Key ■ Win Semaphore ■ Win Service ■ Win System ■ Win System Restore ■ Win Task ■ Win Thread ■ Win User Account ■ Win Volume ■ Win Waitable Timer ■ X509 Certificate (more on the way)

Page 15:

Page 16:

Page 17:

Page 18:

Page 19:

Page 20:

Page 21:

Page 22:

What you are looking for

Why were they doing it?

Who was doing it?

What were they looking to exploit?

What should you do about it?

Where was it seen?

What exactly were they doing?

Why should you care about it?

Page 23: Implementations

Initial implementation has been done in XML Schema

Ubiquitous, portable and structured

Concrete strawman for community of experts

Practical structure for early real-world prototyping and POC implementations

Plan to iterate and refine with real-world use

Next step will be a formal implementation-independent specification

Will include guidance for developing XML, JSON, RDF/OWL, or other implementations

Page 24: Enabling Utilities

Utilities to enable easier prototyping and usage of the language.

Utilities consist of things like:

Language (Python) bindings for STIX, CybOX, MAEC, etc.

High-level programmatic APIs for common needs/activities

Conversion utilities from commonly used formats & tools

Comparator tools for analyzing language-based content

Utilities supporting common use cases

E.g. Email_to_CybOX utility supporting phishing analysis & management

Open communities on GitHub (STIXProject, CybOXProject & MAECProject)

Page 25: Adoption & Usage

Still in its early stages but already generating extensive interest and initial operational use

► How to actually share what you want to share

Page 26: What is TAXII?

► Trusted Automated eXchange of Indicator Information

► The goal of TAXII is to facilitate the exchange of structured cyber threat information

► Designed to support existing sharing paradigms in a more automated manner

► TAXII is a set of specifications defining the network-level activity of the exchange

  ► Defines services and messages to exchange data

  ► Does NOT dictate HOW data is handled in the back-end, WHAT data is shared or WHO it is shared with

► TAXII is NOT a sharing program

Page 27: TAXII Specifications

TAXII Services Specification

• Defines TAXII Services

• Defines TAXII Message Types

• Defines TAXII Message Exchanges

TAXII Protocol Binding Specifications

• Define requirements for network transport of TAXII messages

TAXII Message Binding Specifications

• Define TAXII Message format bindings

Page 28: Adoption & Usage

Still in its early stages but already generating extensive interest and initial operational use

► Actively being considered by several information sharing communities

► Active interest from several large “user” organizations

► Active interest from some service/product vendors

Page 29:

A sampling of some of the organizations contributing to the STIX conversation includes:

Page 30: Current Focus

Make it easier for people to understand and use STIX

Improve documentation

Develop supporting utilities

Provide collaborative guidance

Gather feedback

Refine and extend the language based on feedback and needs

Page 31: Where to Learn More

► STIX Website (whitepapers, documentation, schemas, etc.)

  ► http://stix.mitre.org

► STIX GitHub site (bindings, APIs, utilities)

  ► https://github.com/STIXProject

► STIX Discussion List

  ► http://stix.mitre.org/community/registration.html

► TAXII Website (whitepapers, specifications, etc.)

  ► http://taxii.mitre.org

► TAXII Discussion List

  ► http://taxii.mitre.org/community/registration.html

► TAXII GitHub site (bindings, APIs, utilities, implementations)

  ► https://github.com/TAXIIProject

► CybOX Website (whitepapers, specifications, etc.)

  ► http://cybox.mitre.org

► CybOX Discussion List

  ► http://cybox.mitre.org/community/registration.html

► CybOX GitHub site (bindings, APIs, utilities, implementations)

  ► https://github.com/CybOXProject

► Questions

  ► [email protected]

  ► [email protected]

  ► [email protected]

Page 32:

We want you to be part of the conversation.

Orient on the Adversary!