Introduction to STIX 101
-
Upload
stixproject -
Category
Technology
-
view
335 -
download
2
Transcript of Introduction to STIX 101
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
STIX IntroductionWhat is STIX and why is it relevant?
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
Balance of Inward & Outward Focus
Traditional approach to security has been inward focused– Understand ourselves: find all vulnerabilities, fix all
vulnerabilities, et voila we are magically “secure”– This is based on a fallacy that we can know and/or fix all
vulnerabilities
– Inward focus (hygiene) is necessary but inadequate. Need for a balancing outward focus on understanding the
adversary, their motivation, tactics, activity to make intelligent and realistic defense decisions.
| 2 |
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
Proactive & Reactive Actions Needed
Many attacks today are increasingly complex and multistage.
Current visibility and ability to act is typically after exploit has occurred– Response is important but inadequate alone
Need to balance response with proactive detection and prevention of pre-exploit activity
| 3 |
Recon
Weaponize
Deliver
Exploit
Control
Execute
Maintain
Kill Chain or Cyber Attack Lifecycle
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
Need for Holistic Threat Intelligence
Effective understanding, decision-making and action require a holistic picture of both ourselves and the adversary.– What are our assets? What are our missions and activities? What is
our attack surface? Where are we vulnerable?
– Who is the adversary? Where are they acting? How are they acting? What does it look like when they act? What are they targeting? What actions should we take to mitigate their actions?
This is holistic threat intelligence | 4 |
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
Need for Information Sharing
Holistic threat intelligence is not a single player sport It depends on access to a wide range of information and no
single entity, no matter how large, has the full picture to be consistently predictive or effective in prevention.
It requires sharing of information between interested parties.– Sharing applies both internally and externally
– Sharing is not completely new but is typically focused on very atomic, limited-sophistication indicators (IP lists, file hashes, URLS, email addresses, etc.)
– Most sharing is unstructured and human-to-human
– There is a need to share more sophisticated behavioral and contextual information
How can my detection today aid your prevention tomorrow?| 5 |
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
Cost to Adversary
Trivial/cheap to hop between IP addresses
Slightly more
expensive to hop between
domains
Difficult & expensive: Changing tactics and procedures to evade behavioral detection
| 6 |
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
Need for Automation
Massive amounts of information, diverse sharing partners, rapid tempo of attack and need to respond at machine speed require automation
Human interpretation and decision will always be involved but we need to assist them in this by letting machines do what machines do well.
| 7 |
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
Pulling it All Together
Pursuing holistic threat intelligence Sharing of information among a diverse set of players Leveraging automation throughout
Standardized Representation of Cyber Threat Information
STIX is intended to address this issue
| 8 |
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
What is STIX?
A language for the characterization and communication of cyber threat information– NOT a sharing program, database, or tool
…but supports all of those uses and more
Developed with open community feedback
Supports– Clear understandings of cyber threat information– Consistent expression of threat information– Automated processing based on collected intelligence– Advance the state of practice in threat analytics
| 9 |
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
Analyzing Cyber Threats Specifying Indicator Patterns for Cyber Threats Managing Cyber Threat Operations/Response Activities– Cyber Threat Prevention– Cyber Threat Detection– Incident Response (investigation, digital forensics, malware
analysis, etc.) Sharing Cyber Threat Information (internally and
externally)
| 10 |
Use Cases
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
STIX provides a common mechanism for addressing structured cyber threat information across and among this full range of use cases improving consistency, efficiency, interoperability,
and overall situational awareness.
STIX Use Cases Cover a Broad Spectrum
| 11 |
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
What is “Cyber (Threat) Intelligence?”
Consider these questions: What activity are we seeing?
What threats should I look for on my networks and systems and why?
Where has this threat been seen?
What does it do?
What weaknesses does this threat exploit?
Why does it do this?
Who is responsible for this threat?
What can I do about it?| 12
|
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
STIX Architecture
| 13 |
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
| 14 |
Observable Primary intent:
Primary content:– Title/Description– Information source
Who, when, where, how (tools), etc.– Object, Event or Composition
Object– Description– Properties (extensible with
different object types)» Each property can
express observed value or rich patterning for potential observations
– Location– Related Objects
Event
– Type– Description– Actions
» Type» Name» Arguments» Location» Associated objects» Related actions
– Location Composition
– Observables combined using logical operators (And/Or)
– Convey specific instances of cyber observation (either static or dynamic) or patterns of what could potentially be observed.
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
■ Account■ Address■ API■ Archive File■ ARP Cache Entry■ Artifact■ Autonomous System■ Code■ Custom■ Device■ Disk■ Disk Partition■ DNS Query■ DNS Record■ DNS Cache■ Domain Name■ Email Message■ File■ GUI■ GUI Dialog Box■ GUI Window■ Hostname■ HTTP Session■ Image■ Library■ Link■ Linux Package■ Memory■ Mutex■ Network Connection
■ Network Flow■ Network Packet■ Network Route Entry■ Network Route■ Network Subnet■ PDF File■ Pipe■ Port■ Process■ Product■ Semaphore■ SMS■ Socket■ Socket Address■ System■ Unix File■ Unix Network Route Entry■ Unix Pipe■ Unix Process■ Unix User Account■ Unix Volume■ URI■ URL History■ User Account ■ User Session■ Volume■ Whois■ Win Computer Account■ Win Critical Section■ Win Driver
CybOX v2.1 Objects■ Win Event■ Win Event Log■ Win Executable File■ Win File■ Win Filemapping■ Win Handle■ Win Hook■ Win Kernel■ Win Kernel Hook■ Win Mailslot■ Win Memory Page Region■ Win Mutex■ Win Network Route Entry■ Win Pipe■ Win Network Share■ Win Prefetch■ Win Process■ Win Registry Key■ Win Semaphore■ Win Service■ Win System■ Win System Restore■ Win Task■ Win Thread■ Win User Account■ Win Volume■ Win Waitable Timer■ X509 Certificate(more on the way)
| 15 |
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
| 16 |
Observable
Simple examples
– A file with particular MD5 hash is seen
– An incoming network connection is seen from a particular IP address
– A particular registry key is modified
– A particular process is killed
– A pattern that might be seen for an email with a particular subject line and with a .PDF file attached
– A pattern for an HTTP Get with a particular user agent
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
| 17 |
Indicator
Primary intent:
Primary content:– Title/Description/
ShortDescription– Type of Indicator– Valid time range– Observable pattern– Indicated TTP– Test mechanisms
Non-CybOX pattern representation (e.g. Snort, Yara, OpenIOC)
– Suggested course of action– Confidence– Sightings– Kill chain phases– Handling– Information source
– Convey specific Observable patterns with contextual information intended to represent artifacts and/or behaviors of interest (“indicated” TTPs) within a cyber security context
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
| 18 |
Indicator
Simple examples
– If network traffic is seen from a particular range of IP addresses it indicates a DDoS attack
– If a file is seen with a particular SHA256 hash it indicates the presence of Poison Ivy
– If an email is seen with an attached file that has a particular string in the filename and has a particular MD5 hash it indicates a phishing attack associated with a particular campaign
– If an outgoing network connection to 218.077.079.034 is seen within the next week there is a medium confidence that it indicates exfiltration from a Zeus infection
– If HTTP traffic is seen with particular characteristics including a particular user agent it indicates a particular form of data exfiltration is occuring.
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
Primary intent:
Primary content:– Title/Description/
ShortDescription– Granular milestone
timestamps– Categories– Role identities (CIQ extensible)
Reporter/Responder/Coordinator– Victim identity (CIQ extensible)– Affected assets – Impact assessment– Status– Related Indicators– Related Observables– Leveraged TTPs
| 19 |
Incident
– Attributed Threat Actor– Intended effect– Security compromise– Course of Action requested/taken– Confidence– Contact information– History
Action entries Journal entries
– Handling– Information source
– Convey details of specific security events affecting an organization(s) along with information discovered or decided during an incident response investigation
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
Simple example
– A laptop assigned to Joe Smith was found on 4/30/14 to
be infected with a specific variant of Zeus using a
specific range of IPs for C2.
– The investigation coordinated by Jane Jones found that
the initial infection came from a phishing attack with
malicious attachment on 4/28/14.
– Authentication credentials to the FooBar system were
found to be compromised and exfiltrated to
123.54.33.234 on 4/29/14.
| 20 |
Incident
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
Primary intent:
Primary content:– Title/Description/
ShortDescription– Intended effect– Behavior
Attack patterns (CAPEC extensible)
Malware (MAEC extensible) Exploits
– Resources Tools Infrastructure Personas (CIQ extensible)
| 21 |
Tactics, Techniques & Procedures (TTP)
– Victim targeting Identity (CIQ extensible) Targeted systems Targeted information Technical targeting
– Exploit targets– Related TTP– Kill chains– Handling– Information source
– Convey details of the behavior or modus operandi of cyber adversaries (e.g. what do they do, what do they use to do it, who do they target, what do they target)
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
Simple examples– Characterization of a particular variant of Zeus– Characterization of a particular attack pattern leveraging
a particular form of system misconfiguration for post-exploit lateral movement and privilege escalation
– Characterization of particular range of IP address used for C2 infrastructure
– Characterization of LOIC as a tool used for DoS attacks– Characterization of project managers on a particular
defense program being targeted– Characterization of HR information on Oracle 10i systems
being targeted
| 22 |
Tactics, Techniques & Procedures (TTP)
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
Primary intent:
Primary content:– Title/Description/
ShortDescription– Vulnerability (CVRF extensible)
Title/Description/ShortDescription CVE ID OSVDB ID Source CVSS score Discovered date/time Published date/time Affected software
| 23 |
Exploit Target
– Weakness– Configuration– Potential Courses of Action– Handling– Information source
– Convey vulnerabilities or weaknesses in software, systems, networks or configurations that may be targeted for exploitation by the TTP of a ThreatActor
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
Simple example– CVE-2014-0160 (Heartbleed vulnerability in OpenSSL)– Characterization of a 0-day vulnerability in a particular
Industrial Control System valve actuator– Characterization of a system design weakness enabling
asymmetric resource consumption (amplification) attacks (CWE-405)
– Characterization of a particular configuration of MongoDB that makes its management console vulnerable to particular injection attacks
| 24 |
Exploit Target
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
Primary intent:
Primary content:– Title/Description/
ShortDescription– Names– Intended effect– Status– Related TTPs– Related Incidents
| 25 |
Campaign
– Attribution (Threat Actor(s))– Associated Campaigns– Confidence– Handling– Information source
– Convey perceived instances of Threat Actors pursuing an intent, as observed through sets of Incidents and/or TTP, potentially across targeted organizations
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
Simple example– Characterization of the Operation Aurora campaign
including Its victim targeting of Google, Adobe, Juniper, Rackspace, etc. Specific Incidents in the campaign Particular malware and attack pattern TTPs leveraged Particular IP addresses and Domain Names used infrastructure
(TTP) Asserted attribution to particular Chinese Threat Actors with ties
to the PLA Asserted intent/motivation to access and potentially modify
source code repositories
| 26 |
Campaign
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
Primary intent:
Primary content:– Title/Description/
ShortDescription– Identity (CIQ extensible)– Type of actor– Motivation– Sophistication– Intended effect– Planning and operational
support
| 27 |
Threat Actor
– Observed TTPs– Associated Campaigns– Associated Threat Actors– Confidence– Handling– Information source
– Convey characterizations of malicious actors (or adversaries) representing a cyber attack threat including presumed intent and historically observed behavior
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
Simple example– Characterization of Mandiant-dubbed APT1 including
Assertions of it identity as Unit 61398 within the Chinese PLA Assertions to specific locations associated (address in
Shanghai) Assertions to region (China), languages (Chinese&English),
targeted qualifications, etc. Assertions that it is the same Threat Actor also known by the
names Comment Crew, Comment Group and Shady Rat Assertions identifying particular individual Threat Actors
associated with APT1 Asserted characterization of the intent/motivation oriented
around trade secrets and business advantage Assertions of particular TTP observed leveraged by APT1
| 28 |
Threat Actor
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
Primary intent:
Primary content:– Title/Description/
ShortDescription– Stage (preventative or
responsive)– Type of action to be taken– Parameter Observables
Structured parameters for the action
– Objective
| 29 |
Course of Action
– Impact– Cost– Efficacy– Handling– Information source
– Convey specific actions to address threat whether preventative to address Exploit Targets, or responsive to counter or mitigate the potential impacts of Incidents
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
Simple examples
– Block outgoing network traffic to 218.077.079.034
– Redirect network traffic to/from 218.077.079.034 to denial/deception network
– Quarantine system containing file with MD5 = 2d75cc1bf8e57872781f9cd04a529256
– Reimage system to baseline
| 30 |
Course of Action
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
Expressing Relationships
“Bad Guy”
ObservedTTP
Backdoor
Infrastructure
Badurl.com, 10.3.6.23, …
“BankJob23”
RelatedTo
Indicator-985
Observables
MD5 hash…
RelatedTo
RelatedTo
CERT-2013-03…
Indicator-9742Observables
Malware
Email-Subject: “Follow-up”
| 31 |
HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)The HS SEDI FFRDC is managed and operated by The MITRE Corporation for
DHS
Pamina Republic Army
Unit 31459
Associated ActorLeet
Electronic Address
Initial Compromise
Indicator Observable
Spear Phishing Email
Establish FootholdObserved TTP
Observed TTP
WEBC2
MalwareBehavior
Escalate PrivilegeObserved TTP
Uses Tool
Uses Tool
cachedump
lslsass
MD5:d8bb32a7465f55c368230bb52d52d885
Indicator
Observed TTP
InternalReconnaissance
Attack Patternipconfignet view net group “domain admins”
Observed TTP
ExfiltrationUses Tool
GETMAIL
Targets
KhaffeineBronxistanPerturbiaBlahniks. . .
LeveragesInfrastructure
IP Range:172.24.0.0-112.25.255.255
C2 Servers
Observable
Sender: John SmithSubject: Press Release
Expressing Relationships in STIX
| 32 |