Introduction to STIX 101

HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS). The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS.

Transcript of Introduction to STIX 101

STIX Introduction: What is STIX and why is it relevant?

Balance of Inward & Outward Focus

The traditional approach to security has been inward focused
– Understand ourselves: find all vulnerabilities, fix all vulnerabilities, et voilà, we are magically “secure”
– This is based on a fallacy: that we can know and/or fix all vulnerabilities

Inward focus (hygiene) is necessary but inadequate. It needs to be balanced by an outward focus on understanding the adversary: their motivation, tactics and activity, so that we can make intelligent and realistic defense decisions.

Proactive & Reactive Actions Needed

Many attacks today are increasingly complex and multistage.

Current visibility and ability to act typically come after the exploit has occurred
– Response is important but inadequate alone

Need to balance response with proactive detection and prevention of pre-exploit activity

Kill Chain or Cyber Attack Lifecycle: Recon → Weaponize → Deliver → Exploit → Control → Execute → Maintain

Need for Holistic Threat Intelligence

Effective understanding, decision-making and action require a holistic picture of both ourselves and the adversary.
– What are our assets? What are our missions and activities? What is our attack surface? Where are we vulnerable?
– Who is the adversary? Where are they acting? How are they acting? What does it look like when they act? What are they targeting? What actions should we take to mitigate their actions?

This is holistic threat intelligence.

Need for Information Sharing

Holistic threat intelligence is not a single-player sport. It depends on access to a wide range of information, and no single entity, no matter how large, has the full picture needed to be consistently predictive or effective in prevention.

It requires sharing of information between interested parties.
– Sharing applies both internally and externally
– Sharing is not completely new, but is typically focused on very atomic, limited-sophistication indicators (IP lists, file hashes, URLs, email addresses, etc.)
– Most sharing is unstructured and human-to-human
– There is a need to share more sophisticated behavioral and contextual information

How can my detection today aid your prevention tomorrow?

Cost to Adversary

– Trivial/cheap to hop between IP addresses
– Slightly more expensive to hop between domains
– Difficult & expensive: changing tactics and procedures to evade behavioral detection

Need for Automation

Massive amounts of information, diverse sharing partners, the rapid tempo of attack and the need to respond at machine speed all require automation.

Human interpretation and decision will always be involved, but we need to assist the humans by letting machines do what machines do well.

Pulling it All Together

– Pursuing holistic threat intelligence
– Sharing of information among a diverse set of players
– Leveraging automation throughout

All three call for a standardized representation of cyber threat information. STIX is intended to address this issue.

What is STIX?

A language for the characterization and communication of cyber threat information
– NOT a sharing program, database, or tool
– …but supports all of those uses and more

Developed with open community feedback

Supports
– Clear understandings of cyber threat information
– Consistent expression of threat information
– Automated processing based on collected intelligence
– Advancing the state of practice in threat analytics

Use Cases

– Analyzing Cyber Threats
– Specifying Indicator Patterns for Cyber Threats
– Managing Cyber Threat Operations/Response Activities
  » Cyber Threat Prevention
  » Cyber Threat Detection
  » Incident Response (investigation, digital forensics, malware analysis, etc.)
– Sharing Cyber Threat Information (internally and externally)

STIX Use Cases Cover a Broad Spectrum

STIX provides a common mechanism for addressing structured cyber threat information across and among this full range of use cases, improving consistency, efficiency, interoperability, and overall situational awareness.

What is “Cyber (Threat) Intelligence?”

Consider these questions:
– What activity are we seeing?
– What threats should I look for on my networks and systems, and why?
– Where has this threat been seen?
– What does it do?
– What weaknesses does this threat exploit?
– Why does it do this?
– Who is responsible for this threat?
– What can I do about it?

STIX Architecture

(Diagram only; the architecture figure is not reproduced in this transcript.)

Observable

Primary intent:
– Convey specific instances of cyber observation (either static or dynamic) or patterns of what could potentially be observed.

Primary content:
– Title/Description
– Information source: who, when, where, how (tools), etc.
– Object, Event or Composition
  » Object: Description; Properties (extensible with different object types; each property can express an observed value or rich patterning for potential observations); Location; Related Objects
  » Event: Type; Description; Actions (Type, Name, Arguments, Location, Associated objects, Related actions); Location
  » Composition: Observables combined using logical operators (And/Or)

CybOX v2.1 Objects

Account, Address, API, Archive File, ARP Cache Entry, Artifact, Autonomous System, Code, Custom, Device, Disk, Disk Partition, DNS Query, DNS Record, DNS Cache, Domain Name, Email Message, File, GUI, GUI Dialog Box, GUI Window, Hostname, HTTP Session, Image, Library, Link, Linux Package, Memory, Mutex, Network Connection, Network Flow, Network Packet, Network Route Entry, Network Route, Network Subnet, PDF File, Pipe, Port, Process, Product, Semaphore, SMS, Socket, Socket Address, System, Unix File, Unix Network Route Entry, Unix Pipe, Unix Process, Unix User Account, Unix Volume, URI, URL History, User Account, User Session, Volume, Whois, Win Computer Account, Win Critical Section, Win Driver, Win Event, Win Event Log, Win Executable File, Win File, Win Filemapping, Win Handle, Win Hook, Win Kernel, Win Kernel Hook, Win Mailslot, Win Memory Page Region, Win Mutex, Win Network Route Entry, Win Pipe, Win Network Share, Win Prefetch, Win Process, Win Registry Key, Win Semaphore, Win Service, Win System, Win System Restore, Win Task, Win Thread, Win User Account, Win Volume, Win Waitable Timer, X509 Certificate (more on the way)

Observable

Simple examples
– A file with a particular MD5 hash is seen
– An incoming network connection is seen from a particular IP address
– A particular registry key is modified
– A particular process is killed
– A pattern that might be seen for an email with a particular subject line and with a .PDF file attached
– A pattern for an HTTP GET with a particular user agent
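The last two bullets are patterns rather than single observed values. The following is an added example, not code from the deck or from the STIX/CybOX projects, showing how such a pattern can be evaluated: each property carries a condition (Equals, Contains, StartsWith, EndsWith, four of the values in CybOX's condition vocabulary) and properties are combined with And/Or compositions, which nest. The object type names, property names, subject text, user agent and the sample records are all constructed for the example. It also handles the case-sensitivity pitfall a practitioner hits first: file extensions and hex hashes arrive in mixed case from different sources.

```python
"""Added example (not from the deck): CybOX-style observable patterns with
per-property conditions, composed with And/Or and evaluated against
constructed observed objects."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Prop:
    """A pattern on one property of one object type.
    condition uses four of the CybOX condition values: Equals, Contains,
    StartsWith, EndsWith (the real vocabulary has more; not modelled here)."""
    obj_type: str
    name: str
    value: str
    condition: str = "Equals"
    ignore_case: bool = False   # file names and hex hashes vary in case between sources

    def matches_object(self, obj: dict) -> bool:
        if obj.get("type") != self.obj_type or self.name not in obj:
            return False
        actual, expected = str(obj[self.name]), self.value
        if self.ignore_case:
            actual, expected = actual.lower(), expected.lower()
        if self.condition == "Equals":
            return actual == expected
        if self.condition == "Contains":
            return expected in actual
        if self.condition == "StartsWith":
            return actual.startswith(expected)
        if self.condition == "EndsWith":
            return actual.endswith(expected)
        raise ValueError("unsupported condition: " + self.condition)

    def matches(self, observed: list) -> bool:
        # A property pattern is satisfied if any observed object satisfies it.
        return any(self.matches_object(o) for o in observed)


@dataclass(frozen=True)
class Composition:
    """Observables combined with a logical operator (AND / OR); operands may
    themselves be Compositions, so patterns nest."""
    operator: str
    operands: tuple

    def matches(self, observed: list) -> bool:
        results = (op.matches(observed) for op in self.operands)
        if self.operator == "AND":
            return all(results)
        if self.operator == "OR":
            return any(results)
        raise ValueError("unsupported operator: " + self.operator)


# Slide pattern: an email with a particular subject line and a .PDF attached.
# Subject text is constructed; the extension test ignores case ("Invoice.PDF").
PHISH_PDF = Composition("AND", (
    Prop("EmailMessage", "subject", "Invoice overdue", "Contains"),
    Prop("File", "file_name", ".pdf", "EndsWith", ignore_case=True),
))

# Slide pattern: an HTTP GET with a particular user agent (constructed value).
HTTP_GET_UA = Composition("AND", (
    Prop("HTTPSession", "method", "GET"),
    Prop("HTTPSession", "user_agent", "Mozilla/4.0 (compatible; MSIE 6.0", "StartsWith"),
))

# A composition of compositions: either pattern firing is interesting.
WATCHLIST = Composition("OR", (PHISH_PDF, HTTP_GET_UA))

# Constructed observed object sets, as a sensor or parser might emit them.
SAMPLES = {
    "phish": [
        {"type": "EmailMessage", "subject": "RE: Invoice overdue", "from": "billing@example.com"},
        {"type": "File", "file_name": "Invoice.PDF", "size": 48213},
    ],
    "benign": [
        {"type": "EmailMessage", "subject": "RE: Invoice overdue"},
        {"type": "File", "file_name": "invoice.xlsx"},
    ],
    "beacon": [
        {"type": "HTTPSession", "method": "GET",
         "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"},
    ],
}


def evaluate(pattern, samples: dict = None) -> dict:
    """Map each sample name to whether the pattern matches that object set."""
    samples = SAMPLES if samples is None else samples
    return {name: pattern.matches(objs) for name, objs in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate(WATCHLIST).items():
        print(name, "MATCH" if hit else "no match")
```

Note that a Prop is satisfied by any one object in the observed set, so the AND in PHISH_PDF relates two different objects (the message and its attachment); in a real CybOX document that link would be expressed through Related Objects rather than by co-occurrence in one set.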

Indicator

Primary intent:
– Convey specific Observable patterns with contextual information intended to represent artifacts and/or behaviors of interest (“indicated” TTPs) within a cyber security context

Primary content:
– Title/Description/ShortDescription
– Type of Indicator
– Valid time range
– Observable pattern
– Indicated TTP
– Test mechanisms: non-CybOX pattern representation (e.g. Snort, Yara, OpenIOC)
– Suggested course of action
– Confidence
– Sightings
– Kill chain phases
– Handling
– Information source

Indicator

Simple examples
– If network traffic is seen from a particular range of IP addresses it indicates a DDoS attack
– If a file is seen with a particular SHA256 hash it indicates the presence of Poison Ivy
– If an email is seen with an attached file that has a particular string in the filename and has a particular MD5 hash it indicates a phishing attack associated with a particular campaign
– If an outgoing network connection to 218.077.079.034 is seen within the next week there is medium confidence that it indicates exfiltration from a Zeus infection
– If HTTP traffic is seen with particular characteristics, including a particular user agent, it indicates a particular form of data exfiltration is occurring
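As an added example, not from the deck or from the STIX project, here is the fourth bullet above (outgoing connection, one-week validity, medium confidence, indicated Zeus exfiltration TTP) held as a Python object, serialized to STIX 1.1.1 / CybOX 2.1-style XML with only the standard library, and then checked against constructed connection records so that a match carries its validity window, confidence and indicated TTP with it. The package and indicator ids, the TTP idref, the title and the timestamps are constructed; the namespace URIs and element names follow the STIX 1.1.1 and CybOX 2.1 schemas as published, but the output is not schema-validated here and should be validated against the XSDs before it is exchanged. The slide's address 218.077.079.034 is written as 218.77.79.34 because octets with leading zeros are read as octal by some parsers.

```python
"""Added example (not from the deck): a STIX 1.x-style Indicator as a Python
object, its XML serialization, and its evaluation against constructed
connection records."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Namespace URIs of the STIX 1.1.1 / CybOX 2.1 schemas. Assumption: the reader
# validates the emitted document against the published XSDs before use.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "stixCommon": "http://stix.mitre.org/common-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def q(prefix: str, local: str) -> str:
    """Clark-notation tag name ({uri}local) for ElementTree."""
    return "{%s}%s" % (NS[prefix], local)


@dataclass(frozen=True)
class Indicator:
    id: str
    title: str
    dst_address: str          # observable pattern: destination IPv4 address Equals this
    valid_from: datetime
    valid_until: datetime
    confidence: str           # High / Medium / Low
    indicated_ttp: str        # idref of the TTP this indicator points at

    def to_stix_xml(self) -> str:
        pkg = ET.Element(q("stix", "STIX_Package"),
                         {"id": "example:Package-1", "version": "1.1.1"})
        ind = ET.SubElement(ET.SubElement(pkg, q("stix", "Indicators")),
                            q("stix", "Indicator"),
                            {"id": self.id, q("xsi", "type"): "indicator:IndicatorType"})
        ET.SubElement(ind, q("indicator", "Title")).text = self.title
        window = ET.SubElement(ind, q("indicator", "Valid_Time_Position"))
        ET.SubElement(window, q("indicator", "Start_Time")).text = self.valid_from.isoformat()
        ET.SubElement(window, q("indicator", "End_Time")).text = self.valid_until.isoformat()
        obj = ET.SubElement(ET.SubElement(ind, q("indicator", "Observable"),
                                          {"id": self.id + "-obs"}),
                            q("cybox", "Object"))
        props = ET.SubElement(obj, q("cybox", "Properties"),
                              {q("xsi", "type"): "AddressObj:AddressObjectType",
                               "category": "ipv4-addr"})
        # condition="Equals" marks a pattern to match, not a value that was seen.
        ET.SubElement(props, q("AddressObj", "Address_Value"),
                      {"condition": "Equals"}).text = self.dst_address
        ET.SubElement(ET.SubElement(ind, q("indicator", "Indicated_TTP")),
                      q("stixCommon", "TTP"), {"idref": self.indicated_ttp})
        ET.SubElement(ET.SubElement(ind, q("indicator", "Confidence")),
                      q("stixCommon", "Value")).text = self.confidence
        return ET.tostring(pkg, encoding="unicode")

    def sightings(self, connections) -> list:
        """Connections matching the pattern inside the validity window. Each hit
        carries confidence and the indicated TTP, so a consumer knows what the
        match means and how far to trust it."""
        hits = []
        for seen_at, direction, dst in connections:
            if direction != "outgoing" or dst != self.dst_address:
                continue
            if not (self.valid_from <= seen_at <= self.valid_until):
                continue      # same address outside the window: stale, not a sighting
            hits.append({"seen_at": seen_at, "dst": dst,
                         "confidence": self.confidence, "ttp": self.indicated_ttp})
        return hits


NOW = datetime(2014, 5, 1, tzinfo=timezone.utc)   # constructed reference time

ZEUS_EXFIL = Indicator(
    id="example:Indicator-1",
    title="Outgoing connection to Zeus exfiltration server",
    dst_address="218.77.79.34",          # slide's 218.077.079.034, without leading zeros
    valid_from=NOW,
    valid_until=NOW + timedelta(days=7),
    confidence="Medium",
    indicated_ttp="example:TTP-zeus-exfiltration",
)

# Constructed flow records: (timestamp, direction, destination address).
SAMPLE_CONNECTIONS = [
    (NOW + timedelta(hours=3), "outgoing", "218.77.79.34"),   # in window: sighting
    (NOW + timedelta(hours=4), "incoming", "218.77.79.34"),   # wrong direction
    (NOW + timedelta(days=9), "outgoing", "218.77.79.34"),    # window expired
    (NOW + timedelta(hours=5), "outgoing", "10.0.0.5"),       # different host
]


def demo() -> list:
    return ZEUS_EXFIL.sightings(SAMPLE_CONNECTIONS)


if __name__ == "__main__":
    print(ZEUS_EXFIL.to_stix_xml())
    print(demo())
```

Only one of the four constructed records is a sighting: the incoming connection fails the direction test, and the connection nine days out fails the validity window even though the address matches, which is exactly the stale-indicator case the valid time range exists to prevent.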

Incident

Primary intent:
– Convey details of specific security events affecting an organization(s) along with information discovered or decided during an incident response investigation

Primary content:
– Title/Description/ShortDescription
– Granular milestone timestamps
– Categories
– Role identities (CIQ extensible): Reporter/Responder/Coordinator
– Victim identity (CIQ extensible)
– Affected assets
– Impact assessment
– Status
– Related Indicators
– Related Observables
– Leveraged TTPs
– Attributed Threat Actor
– Intended effect
– Security compromise
– Course of Action requested/taken
– Confidence
– Contact information
– History: Action entries, Journal entries
– Handling
– Information source

Incident

Simple example
– A laptop assigned to Joe Smith was found on 4/30/14 to be infected with a specific variant of Zeus using a specific range of IPs for C2.
– The investigation coordinated by Jane Jones found that the initial infection came from a phishing attack with a malicious attachment on 4/28/14.
– Authentication credentials to the FooBar system were found to be compromised and exfiltrated to 123.54.33.234 on 4/29/14.

Tactics, Techniques & Procedures (TTP)

Primary intent:
– Convey details of the behavior or modus operandi of cyber adversaries (e.g. what do they do, what do they use to do it, who do they target, what do they target)

Primary content:
– Title/Description/ShortDescription
– Intended effect
– Behavior: Attack patterns (CAPEC extensible); Malware (MAEC extensible); Exploits
– Resources: Tools; Infrastructure; Personas (CIQ extensible)
– Victim targeting: Identity (CIQ extensible); Targeted systems; Targeted information; Technical targeting
– Exploit targets
– Related TTP
– Kill chains
– Handling
– Information source

Tactics, Techniques & Procedures (TTP)

Simple examples
– Characterization of a particular variant of Zeus
– Characterization of a particular attack pattern leveraging a particular form of system misconfiguration for post-exploit lateral movement and privilege escalation
– Characterization of a particular range of IP addresses used for C2 infrastructure
– Characterization of LOIC as a tool used for DoS attacks
– Characterization of project managers on a particular defense program being targeted
– Characterization of HR information on Oracle 10i systems being targeted

Exploit Target

Primary intent:
– Convey vulnerabilities or weaknesses in software, systems, networks or configurations that may be targeted for exploitation by the TTP of a Threat Actor

Primary content:
– Title/Description/ShortDescription
– Vulnerability (CVRF extensible): Title/Description/ShortDescription; CVE ID; OSVDB ID; Source; CVSS score; Discovered date/time; Published date/time; Affected software
– Weakness
– Configuration
– Potential Courses of Action
– Handling
– Information source

Exploit Target

Simple examples
– CVE-2014-0160 (Heartbleed vulnerability in OpenSSL)
– Characterization of a 0-day vulnerability in a particular Industrial Control System valve actuator
– Characterization of a system design weakness enabling asymmetric resource consumption (amplification) attacks (CWE-405)
– Characterization of a particular configuration of MongoDB that makes its management console vulnerable to particular injection attacks

Campaign

Primary intent:
– Convey perceived instances of Threat Actors pursuing an intent, as observed through sets of Incidents and/or TTP, potentially across targeted organizations

Primary content:
– Title/Description/ShortDescription
– Names
– Intended effect
– Status
– Related TTPs
– Related Incidents
– Attribution (Threat Actor(s))
– Associated Campaigns
– Confidence
– Handling
– Information source

Campaign

Simple example
– Characterization of the Operation Aurora campaign, including
  » Its victim targeting of Google, Adobe, Juniper, Rackspace, etc.
  » Specific Incidents in the campaign
  » Particular malware and attack pattern TTPs leveraged
  » Particular IP addresses and Domain Names used as infrastructure (TTP)
  » Asserted attribution to particular Chinese Threat Actors with ties to the PLA
  » Asserted intent/motivation to access and potentially modify source code repositories

Threat Actor

Primary intent:
– Convey characterizations of malicious actors (or adversaries) representing a cyber attack threat, including presumed intent and historically observed behavior

Primary content:
– Title/Description/ShortDescription
– Identity (CIQ extensible)
– Type of actor
– Motivation
– Sophistication
– Intended effect
– Planning and operational support
– Observed TTPs
– Associated Campaigns
– Associated Threat Actors
– Confidence
– Handling
– Information source

Threat Actor

Simple example
– Characterization of Mandiant-dubbed APT1, including
  » Assertions of its identity as Unit 61398 within the Chinese PLA
  » Assertions of specific associated locations (address in Shanghai)
  » Assertions of region (China), languages (Chinese & English), targeted qualifications, etc.
  » Assertions that it is the same Threat Actor also known by the names Comment Crew, Comment Group and Shady Rat
  » Assertions identifying particular individual Threat Actors associated with APT1
  » Asserted characterization of the intent/motivation oriented around trade secrets and business advantage
  » Assertions of particular TTP observed leveraged by APT1

Course of Action

Primary intent:
– Convey specific actions to address a threat, whether preventative (to address Exploit Targets) or responsive (to counter or mitigate the potential impacts of Incidents)

Primary content:
– Title/Description/ShortDescription
– Stage (preventative or responsive)
– Type of action to be taken
– Parameter Observables: structured parameters for the action
– Objective
– Impact
– Cost
– Efficacy
– Handling
– Information source

Course of Action

Simple examples
– Block outgoing network traffic to 218.077.079.034
– Redirect network traffic to/from 218.077.079.034 to a denial/deception network
– Quarantine system containing file with MD5 = 2d75cc1bf8e57872781f9cd04a529256
– Reimage system to baseline

Expressing Relationships

(Relationship diagram; only its labels survive in this transcript.)
– “Bad Guy” → (ObservedTTP) → “Backdoor”, with Malware and Infrastructure (Badurl.com, 10.3.6.23, …)
– “BankJob23” → (RelatedTo) → Indicator-985, with Observables (MD5 hash…)
– CERT-2013-03… → (RelatedTo) → Indicator-9742, with Observables (Email-Subject: “Follow-up”)
– Further RelatedTo edges connect these constructs

Expressing Relationships in STIX

(Relationship diagram; only its labels survive in this transcript.)
– Threat Actor: Pamina Republic Army, Unit 31459
  » Associated Actor: Leet; Electronic Address: [email protected]
  » Targets: Khaffeine, Bronxistan, Perturbia, Blahniks, …
  » Leverages Infrastructure: C2 Servers, IP Range 172.24.0.0-112.25.255.255
– Observed TTPs, by kill chain phase:
  » Initial Compromise: Spear Phishing Email; Indicator/Observable: Sender: John Smith, Subject: Press Release
  » Establish Foothold: Malware/Behavior WEBC2
  » Escalate Privilege: Uses Tool cachedump, lslsass; Indicator MD5: d8bb32a7465f55c368230bb52d52d885
  » Internal Reconnaissance: Attack Pattern ipconfig, net view, net group “domain admins”
  » Exfiltration: Uses Tool GETMAIL
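The point of the relationship graph is that one detection can be pivoted into the next. As an added example, not code from the deck or from the STIX project, the fictional actor on this slide is held below as a small typed graph, and a pivot answers the defender's question from earlier in the deck ("how can my detection today aid your prevention tomorrow?"): given one Indicator that fired, which Threat Actor is implicated and which of that actor's other observed TTPs have Indicators worth hunting for now. The node ids, the edge names Indicates and Observable, and the two query functions are assumptions made for the example; the labels come from the slide. A TTP with no Indicator attached is reported with an empty list so the coverage gap is visible.

```python
"""Added example (not from the deck): the slide's relationship graph as typed
nodes and labelled edges, with a defender-side pivot from one matched
Indicator to the Threat Actor and on to the actor's other TTPs."""
from collections import defaultdict

# Nodes: id -> (STIX construct, label). Labels are the slide's fictional
# example; the ids are constructed here.
NODES = {
    "actor-unit31459": ("ThreatActor", "Pamina Republic Army, Unit 31459"),
    "ttp-initial": ("TTP", "Initial Compromise: Spear Phishing Email"),
    "ttp-foothold": ("TTP", "Establish Foothold: WEBC2 malware"),
    "ttp-privesc": ("TTP", "Escalate Privilege: cachedump / lslsass"),
    "ttp-recon": ("TTP", "Internal Reconnaissance: ipconfig, net view, net group"),
    "ttp-exfil": ("TTP", "Exfiltration: GETMAIL"),
    "ttp-victims": ("TTP", "Victim targeting: Khaffeine, Bronxistan, Perturbia, Blahniks"),
    "infra-c2": ("TTP", "C2 Servers infrastructure"),
    "ind-toolhash": ("Indicator", "Privilege-escalation tool file hash"),
    "ind-phish": ("Indicator", "Spear-phishing email pattern"),
    "obs-toolhash": ("Observable", "MD5: d8bb32a7465f55c368230bb52d52d885"),
    "obs-phish": ("Observable", "Sender: John Smith, Subject: Press Release"),
}

# Edges: (source, relationship, target). ObservedTTP, Targets and
# LeveragesInfrastructure are the slide's labels; Indicates and Observable
# are assumed names for the Indicator's own links.
EDGES = [
    ("actor-unit31459", "ObservedTTP", "ttp-initial"),
    ("actor-unit31459", "ObservedTTP", "ttp-foothold"),
    ("actor-unit31459", "ObservedTTP", "ttp-privesc"),
    ("actor-unit31459", "ObservedTTP", "ttp-recon"),
    ("actor-unit31459", "ObservedTTP", "ttp-exfil"),
    ("actor-unit31459", "Targets", "ttp-victims"),
    ("actor-unit31459", "LeveragesInfrastructure", "infra-c2"),
    ("ind-toolhash", "Indicates", "ttp-privesc"),
    ("ind-toolhash", "Observable", "obs-toolhash"),
    ("ind-phish", "Indicates", "ttp-initial"),
    ("ind-phish", "Observable", "obs-phish"),
]

OUT = defaultdict(list)   # source -> [(relationship, target)]
IN = defaultdict(list)    # target -> [(relationship, source)]
for _src, _rel, _dst in EDGES:
    OUT[_src].append((_rel, _dst))
    IN[_dst].append((_rel, _src))


def label(node_id: str) -> str:
    return NODES[node_id][1]


def pivot_from_indicator(ind_id: str) -> dict:
    """Given an Indicator that fired: which TTP does it indicate, which actor
    has that TTP on record, and which of the actor's other TTPs have
    Indicators a defender can hunt for next."""
    matched_ttps = [dst for rel, dst in OUT[ind_id] if rel == "Indicates"]
    actors = sorted({src for ttp in matched_ttps
                     for rel, src in IN[ttp] if rel == "ObservedTTP"})
    hunt_next = {}
    for actor in actors:
        for rel, ttp in OUT[actor]:
            if rel != "ObservedTTP" or ttp in matched_ttps:
                continue
            # A TTP with no Indicator still appears, with an empty list: a gap to close.
            hunt_next[label(ttp)] = [label(src) for r, src in IN[ttp] if r == "Indicates"]
    return {
        "matched_ttps": [label(t) for t in matched_ttps],
        "actors": [label(a) for a in actors],
        "hunt_next": hunt_next,
    }


def observables_for_actor(actor_id: str) -> list:
    """Every Observable reachable Actor -> TTP <- Indicator -> Observable:
    the concrete things a sensor can be told to watch for this actor."""
    found = []
    for rel, ttp in OUT[actor_id]:
        if rel != "ObservedTTP":
            continue
        for r, ind in IN[ttp]:
            if r != "Indicates":
                continue
            found.extend(label(o) for r2, o in OUT[ind] if r2 == "Observable")
    return found


if __name__ == "__main__":
    print(pivot_from_indicator("ind-toolhash"))
    print(observables_for_actor("actor-unit31459"))
```

Run against the graph, a hit on the tool hash (Escalate Privilege) pivots to Unit 31459 and then to the spear-phishing Indicator for its Initial Compromise TTP, while Establish Foothold, Internal Reconnaissance and Exfiltration come back with no Indicators at all: that empty list is the sharing request to make of partners who have seen this actor.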