© 2013 The MITRE Corporation. All rights reserved.
Sean Barnum
February 2013
Sponsored by the US Department of Homeland Security
Cyberattack Analysis and Information Sharing in the U.S.
Promoting the sharing and utilization of the Analyzed Information
Recon → Weaponize → Deliver → Exploit → Control → Execute → Maintain
► Diverse and evolving threats
► Need for holistic threat intelligence
► Proactive & reactive actions
► Balance inward & outward focus
► Information sharing
Challenges of Cyber Threat Information Sharing
► Sharing is always possible but “active and effective” sharing requires overcoming some challenges
► Social Challenges
  – Who do you trust? (sharing in and sharing out)
  – The value of sharing even with competitors
► Legal/Regulatory Challenges
  – Privacy, secret government info, international sharing, etc.
► Technical Challenges (“useful and usable” info sharing)
  – Tower of Babel (many different formats)
  – Automation (machine speed)
  – Deconflate sensitive info from shareable info
  – How to actually share what you want to share
Standardized Threat Representation
Cyber Threat Information Sharing
► Cyber threat information (particularly indicators) sharing is not new
► Typically very atomic and very limited in sophistication
  – IP lists, file hashes, URLs, email addresses, etc.
► Most sharing is unstructured & human-to-human
► Recent trends of machine-to-machine transfer of simple/atomic indicators
► STIX aims to enable sharing of more expressive indicators as well as other full-spectrum cyber threat information.
Cost to Adversary
► Trivial/cheap to hop between IP addresses
► Slightly more expensive to hop between domains
► Difficult & expensive: changing tactics and procedures to evade behavioral detection
Evolution of Standardized Representations for Threat
Vulnerabilities → Weaknesses → Attack Patterns → Malware Behavior → Cyber Observables → Threat Indicators → ?
► IDXWG community of Threat Intel and Incident Response experts begins working on defining a standard representation for cyber threat indicators
► Based on: What is an Indicator?
► Community iterated on scope
► Defined Indicator scope as a part of broader cyber threat information architecture
► Structured threat information architecture evolved into STIX
What is STIX?
► A community-driven language to specify, capture, characterize and communicate cyber threat information
► Goals: support automation, consistency, clarity
STIX Use Cases
STIX provides a common mechanism for addressing structured cyber threat information across and among this full range of use cases, improving consistency, efficiency, interoperability, and overall situational awareness.
What is “Cyber (Threat) Intelligence?”
Consider these questions:
► What activity are we seeing?
► What threats should I look for on my networks and systems and why?
► Where has this threat been seen?
► What does it do?
► What weaknesses does this threat exploit?
► Why does it do this?
► Who is responsible for this threat?
► What can I do about it?
What is a cyber observable?
► A measurable event or stateful property in the cyber domain
  – Some measurable events: a registry key is created, a file is deleted, an HTTP GET is received, …
  – Some stateful properties: MD5 hash of a file, value of a registry key, existence of a mutex, …
► Cyber Observable eXpression (CybOX) is a standardized language for encoding and communicating information about cyber observables (http://cybox.mitre.org)
What sort of basic things can you do with CybOX?
► Almost every field is optional. This means you can use whatever is appropriate and ignore the rest.
► Layered typing structure enabling flexible use
► Built-in extensibility mechanisms
► Can specify and characterize a wide range of cyber objects
► Can specify and characterize dynamic cyber events & actions
► Can specify and characterize complex actions
► Can define relational and logical compositions of multiple objects, actions, events and/or observables
► Define a wide myriad of potential observable pattern variations
  – at the logical composition level or
  – utilizing patterns at the Object attribute level including Equals, Contains, IsInRange, IsInSet, Regex, etc.
  all of which allow the user to define an almost infinitely variable set of patterns and filters
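As an added illustration (not code from the slides or from the CybOX project), a small hand-written evaluator for the attribute-level conditions and logical compositions named above, run over constructed observables of the kinds the cyber-observable slide lists (file hash, registry key value, mutex). The dict attribute names and the tuple pattern encoding are assumptions for the example; CybOX itself expresses these in XML.

```python
import re

# Constructed sample observables (not real incident data): each dict models the
# properties of one CybOX Object of the kinds the slide lists.
OBSERVED = [
    {"type": "File", "file_name": "update.exe",
     "md5": "0123456789abcdef0123456789abcdef", "size": 3584},
    {"type": "WinRegistryKey",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Users\Public\update.exe"},
    {"type": "Mutex", "name": r"Global\svc_lock_7a"},
]

# Attribute-level conditions named on the slide; 'want' is the pattern operand.
CONDITIONS = {
    "Equals":    lambda actual, want: actual == want,
    "Contains":  lambda actual, want: str(want) in str(actual),
    "IsInRange": lambda actual, want: want[0] <= actual <= want[1],
    "IsInSet":   lambda actual, want: actual in want,
    "Regex":     lambda actual, want: re.search(want, str(actual)) is not None,
}

def match_attr(obj, attr, condition, want):
    """Apply one attribute-level condition; an absent attribute never matches."""
    if attr not in obj:
        return False
    return CONDITIONS[condition](obj[attr], want)

def match_pattern(obj, pattern):
    """Assumed encoding: ("ATTR", attr, cond, want) | ("AND"|"OR", [subpatterns])."""
    if pattern[0] == "ATTR":
        _, attr, condition, want = pattern
        return match_attr(obj, attr, condition, want)
    op, parts = pattern
    results = [match_pattern(obj, p) for p in parts]
    return all(results) if op == "AND" else any(results)

def find_matches(observables, pattern):
    """Return every observable the pattern selects (the filter the slide describes)."""
    return [o for o in observables if match_pattern(o, pattern)]

# Constructed pattern: a known small dropper file OR a Run-key value pointing into
# a world-writable location; either branch alone is enough to match.
RUN_KEY_DROPPER = ("OR", [
    ("AND", [("ATTR", "type", "Equals", "File"),
             ("ATTR", "md5", "IsInSet", {"0123456789abcdef0123456789abcdef"}),
             ("ATTR", "size", "IsInRange", (1024, 8192))]),
    ("AND", [("ATTR", "key", "Regex", r"\\CurrentVersion\\Run$"),
             ("ATTR", "value", "Contains", "\\Users\\Public\\")]),
])
```

Running `find_matches(OBSERVED, RUN_KEY_DROPPER)` selects the file and the registry key but not the mutex, which satisfies neither branch.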
CybOX v1.0 Objects
■ Account ■ Address ■ API ■ Artifact ■ Code ■ Device ■ Disk ■ Disk Partition ■ DNS Query ■ DNS Record ■ DNS Cache ■ Email Message ■ File ■ GUI ■ GUI Dialog Box ■ GUI Window ■ HTTP Session ■ Library ■ Linux Package ■ Memory ■ Mutex ■ Network Connection ■ Network Flow ■ Network Packet ■ Network Route Entry ■ Network Route
■ Network Subnet ■ Pipe ■ Port ■ Process ■ Product ■ Semaphore ■ Socket ■ System ■ Unix File ■ Unix Network Route Entry ■ Unix Pipe ■ Unix Process ■ Unix User Account ■ Unix Volume ■ URI ■ User Account ■ User Session ■ Volume ■ Whois ■ Win Computer Account ■ Win Critical Section ■ Win Driver ■ Win Event ■ Win Event Log
■ Win Executable File ■ Win File ■ Win Handle ■ Win Kernel ■ Win Kernel Hook ■ Win Mailslot ■ Win Memory Page Region ■ Win Mutex ■ Win Network Route Entry ■ Win Pipe ■ Win Network Share ■ Win Prefetch ■ Win Process ■ Win Registry Key ■ Win Semaphore ■ Win Service ■ Win System ■ Win System Restore ■ Win Task ■ Win Thread ■ Win User Account ■ Win Volume ■ Win Waitable Timer ■ X509 Certificate (more on the way)
What you are looking for:
► What exactly were they doing?
► Why were they doing it?
► Who was doing it?
► What were they looking to exploit?
► Where was it seen?
► Why should you care about it?
► What should you do about it?
Implementations
► Initial implementation has been done in XML Schema
  – Ubiquitous, portable and structured
  – Concrete strawman for community of experts
  – Practical structure for early real-world prototyping and POC implementations
  – Plan to iterate and refine with real-world use
► Next step will be a formal implementation-independent specification
  – Will include guidance for developing XML, JSON, RDF/OWL, or other implementations
Enabling Utilities
► Utilities to enable easier prototyping and usage of the language.
► Utilities consist of things like:
  – Language (Python) bindings for STIX, CybOX, MAEC, etc.
  – High-level programmatic APIs for common needs/activities
  – Conversion utilities from commonly used formats & tools
  – Comparator tools for analyzing language-based content
  – Utilities supporting common use cases, e.g. the Email_to_CybOX utility supporting phishing analysis & management
► Open communities on GitHub (STIXProject, CybOXProject & MAECProject)
Adoption & Usage
► Still in its early stages but already generating extensive interest and initial operational use
What is TAXII?
► Trusted Automated eXchange of Indicator Information
► The goal of TAXII is to facilitate the exchange of structured cyber threat information
► Designed to support existing sharing paradigms in a more automated manner
► TAXII is a set of specifications defining the network-level activity of the exchange
  – Defines services and messages to exchange data
► Does NOT dictate HOW data is handled in the back-end, WHAT data is shared or WHO it is shared with
► TAXII is NOT a sharing program
TAXII Specifications
► TAXII Services Specification
  • Defines TAXII Services
  • Defines TAXII Message Types
  • Defines TAXII Message Exchanges
► TAXII Protocol Binding Specifications
  • Define requirements for network transport of TAXII messages
► TAXII Message Binding Specifications
  • Define TAXII Message format bindings
Adoption & Usage
► Still in its early stages but already generating extensive interest and initial operational use
► Actively being considered by several information sharing communities
► Active interest from several large “user” organizations
► Active interest from some service/product vendors
A sampling of some of the organizations contributing to the STIX conversation includes:
Current Focus
► Make it easier for people to understand and use STIX
  – Improve documentation
  – Develop supporting utilities
  – Provide collaborative guidance
► Gather feedback
► Refine and extend the language based on feedback and needs
Where to Learn More
► STIX Website (whitepapers, documentation, schemas, etc.): http://stix.mitre.org
► STIX GitHub site (bindings, APIs, utilities): https://github.com/STIXProject
► STIX Discussion List: http://stix.mitre.org/community/registration.html
► TAXII Website (whitepapers, specifications, etc.): http://taxii.mitre.org
► TAXII Discussion List: http://taxii.mitre.org/community/registration.html
► TAXII GitHub site (bindings, APIs, utilities, implementations): https://github.com/TAXIIProject
► CybOX Website (whitepapers, specifications, etc.): http://cybox.mitre.org
► CybOX Discussion List: http://cybox.mitre.org/community/registration.html
► CybOX GitHub site (bindings, APIs, utilities, implementations): https://github.com/CybOXProject
► Questions
We want you to be part of the conversation.
Orient on the Adversary!