Cyberattack Analysis and Information Sharing in the U.S.

Size: px

Start display at page:

Download "Cyberattack Analysis and Information Sharing in the U.S."

Hope Brooks
5 years ago
Views:

1 Cyberattack Analysis and Information Sharing in the U.S. Promoting the sharing and utilization of the Analyzed Information Sean Barnum February 2013 Sponsored by the US Department of Homeland Security 2013 The MITRE Corporation. All rights reserved.

2 Diverse and evolving threats Balance inward & outward focus Proactive & reactive actions Recon Deliver Control Maintain Weaponize Exploit Execute Information sharing Need for holistic threat intelligence 2013 The MITRE Corporation. All rights reserved.

Challenges of Cyber Threat Information Sharing Sharing is always possible but active and effective sharing requires overcoming some challenges Social Challenges Who do you trust?

3 Challenges of Cyber Threat Information Sharing Sharing is always possible but active and effective sharing requires overcoming some challenges Social Challenges Who do you trust? (sharing in and sharing out) The value of sharing even with competitors Legal/Regulatory Challenges Privacy, secret government info, international sharing, etc. Technical Challenges ( useful and usable info sharing) Tower of Babel (many different formats) Automation (machine speed) Deconflate sensitive info from shareable info How to actually share what you want to share 2013 The MITRE Corporation. All rights reserved. Standardized Threat Representation

4 Cyber Threat Information Sharing Cyber threat information (particularly indicators) sharing is not new Typically very atomic and very limited in sophistication IP lists, File hashes, URLs, addresses, etc. Most sharing is unstructured & human-to-human Recent trends of machine-to-machine transfer of simple/atomic indicators STIX aims to enable sharing of more expressive indicators as well as other full-spectrum cyber threat information The MITRE Corporation. All rights reserved.

5 5 Cost to Adversary Slightly more expensive to hop between domains Difficult & expensive: Changing tactics and procedures to evade behavioral detection Trivial/cheap to hop between IP addresses 2013 The MITRE Corporation. All rights reserved.

6 Evolution of Standardized Representations for Threat 6 Vulnerabilities Weaknesses Attack Patterns? Malware Behavior Cyber Observables Threat Indicators Based on IDXWG community of Threat Intel and Incident Response experts begins working on defining a standard representation for cyber threat indicators What is an Indicator? Community iterated on scope Defined Indicator scope as a part of broader cyber threat information architecture Structured threat information architecture evolved into STIX 2013 The MITRE Corporation. All rights reserved.

8 STIX Use Cases STIX provides a common mechanism for addressing structured cyber threat information across and among this full range of use cases improving consistency, efficiency, interoperability, and overall situational awareness The MITRE Corporation. All rights reserved.

Where has this threat been seen? What does it do? What weaknesses does this threat exploit?

9 9 What is Cyber (Threat) Intelligence? Consider these questions: What activity are we seeing? What threats should I look for on my networks and systems and why? Where has this threat been seen? What does it do? What weaknesses does this threat exploit? Why does it do this? Who is responsible for this threat? What can I do about it? 2013 The MITRE Corporation. All rights reserved. 9

12 12 What is a cyber observable? A measurable event or stateful property in the cyber domain Some measurable events: a registry key is created, a file is deleted, an http GET is received, Some stateful properties: MD5 hash of a file, value of a registry key, existence of a mutex, Cyber Observable expression (CybOX) is a standardized language for encoding and communicating information about cyber observables ( The MITRE Corporation. All rights reserved.

13 13 What sort of basic things can you do with CybOX? Almost every field is optional. This means you can use whatever is appropriate and ignore the rest. Layered typing structure enabling flexible use Built in extensibility mechanisms Can specify and characterize a wide range of cyber objects Can specify and characterize dynamic cyber events & actions Can specify and characterize complex actions Can define relational and logical compositions of multiple objects, actions, events and/or observables Define a wide myriad of potential observable pattern variations at the logical composition level or utilizing patterns at the Object attribute level including Equals, Contains, IsInRange, IsInSet, Regex, etc. all of which allow the user to define an almost infinitely variable set of patterns and filters The MITRE Corporation. All rights reserved.

14 14 CybOX v1.0 Objects Account Address API Artifact Code Device Disk Disk Partition DNS Query DNS Record DNS Cache Message File GUI GUI Dialog Box GUI Window HTTP Session Library Linux Package Memory Mutex Network Connection Network Flow Network Packet Network Route Entry Network Route The MITRE Corporation. All rights reserved. Network Subnet Pipe Port Process Product Semaphore Socket System Unix File Unix Network Route Entry Unix Pipe Unix Process Unix User Account Unix Volume URI User Account User Session Volume Whois Win Computer Account Win Critical Section Win Driver Win Event Win Event Log Win Executable File Win File Win Handle Win Kernel Win Kernel Hook Win Mailslot Win Memory Page Region Win Mutex Win Network Route Entry Win Pipe Win Network Share Win Prefetch Win Process Win Registry Key Win Semaphore Win Service Win System Win System Restore Win Task Win Thread Win User Account Win Volume Win Waitable Timer X509 Certificate (more on the way)

22 22 Why were they doing it? Why should you care about it? What you are looking for What exactly were they doing? Who was doing it? What should you do about it? Where was it seen? What were they looking to exploit? 2013 The MITRE Corporation. All rights reserved.

23 Implementations Initial implementation has been done in XML Schema Ubiquitous, portable and structured Concrete strawman for community of experts Practical structure for early real-world prototyping and POC implementations Plan to iterate and refine with real-world use Next step will be a formal implementation-independent specification Will include guidance for developing XML, JSON, RDF/OWL, or other implementations 2013 The MITRE Corporation. All rights reserved.

24 Enabling Utilities Utilities to enable easier prototyping and usage of the language. Utilities consist of things like: Language (Python) bindings for STIX, CybOX, MAEC, etc. High-level programmatic APIs for common needs/activities Conversion utilities from commonly used formats & tools Comparator tools for analyzing language-based content Utilities supporting common use cases E.g. _to_CybOX utility supporting phishing analysis & management Open communities on GitHub (STIXProject, CybOXProject & MAECProject) 2013 The MITRE Corporation. All rights reserved.

25 Adoption & Usage Still in its early stages but already generating extensive interest and initial operational use How to actually share what you want to share 2013 The MITRE Corporation. All rights reserved The MITRE Corporation. All rights reserved.

exchange of structured cyber threat information Designed to support existing sharing paradigms in

the exchange Defines services and messages to exchange data Does NOT dictate HOW data is handled

26 What is TAXII? Trusted Automated exchange of Indicator Information The goal of TAXII is to facilitate the exchange of structured cyber threat information Designed to support existing sharing paradigms in a more automated manner TAXII is a set of specifications defining the network-level activity of the exchange Defines services and messages to exchange data Does NOT dictate HOW data is handled in the back-end, WHAT data is shared or WHO it is shared with TAXII is NOT a sharing program 2013 The MITRE Corporation. All rights reserved The MITRE Corporation. All rights reserved.

27 TAXII Specifications TAXII Protocol Binding Specifications TAXII Services Specification Define requirements for network transport of TAXII messages Defines TAXII Services

27 27 TAXII Specifications TAXII Protocol Binding Specifications TAXII Services Specification Define requirements for network transport of TAXII messages Defines TAXII Services Defines TAXII Message Types Defines TAXII Message Exchanges TAXII Message Binding Specifications Define TAXII Message format bindings The MITRE Corporation. All rights reserved.

Adoption & Usage Still in its early stages but

communities Active interest from several large

28 Adoption & Usage Still in its early stages but already generating extensive interest and initial operational use Actively being considered by several information sharing communities Active interest from several large user organizations Active interest from some service/product vendors 2013 The MITRE Corporation. All rights reserved The MITRE Corporation. All rights reserved.

30 Current Focus Make it easier for people to understand and use STIX Improve documentation Develop supporting utilities Provide collaborative guidance Gather feedback Refine and extend the language based on feedback and needs 2013 The MITRE Corporation. All rights reserved.

31 Where to Learn More STIX Website (whitepapers, documentation, schemas, etc.) STIX GitHub site (bindings, APIs, utilities) STIX Discussion List TAXII Website (whitepapers, specifications, etc.) TAXII Discussion List TAXII GitHub site (bindings, APIs, utilities, implementations) CybOX Website (whitepapers, specifications, etc.) CybOX Discussion List CybOX GitHub site (bindings, APIs, utilities, implementations) Questions The MITRE Corporation. All rights reserved The MITRE Corporation. All rights reserved.

Leveraging CybOX to Standardize Representation and Exchange of Digital Forensic Information

DIGITAL FORENSIC RESEARCH CONFERENCE Leveraging CybOX to Standardize Representation and Exchange of Digital Forensic Information By Eoghan Casey, Greg Back, and Sean Barnum Presented At The Digital Forensic