Cyber Threat Intelligence Standards - A high-level overview

Size: px

Start display at page:

Download "Cyber Threat Intelligence Standards - A high-level overview"

Richard Newman
5 years ago
Views:

1 Cyber Threat Intelligence Standards - A high-level overview Christian Doerr TU Delft, Cyber Threat Intelligence Lab Delft University of Technology Challenge the future

Fingerprinting Adversarial Procedures Secure Threat Intelligence Sharing

2 ~ whoami At TU Delft since 2008 in area Network Security, Critical Infrastructure Protection Threat Intelligence Lab with currently 23 team members Research Themes: Fingerprinting Adversarial Procedures Secure Threat Intelligence Sharing Vulnerability Analysis Design of Mitigation Schemes 2

3 For effective Cyber Defense you need Cyber Threat Intelligence Organized crime Script Kiddies Hacktivists Who is out there (and after me)? Cracker Cyber terrorists Nation-state actors What are their capabilities? What are their intentions? 3

4 What is Threat Intelligence? The purpose of threat intelligence is to understand the enemy, help anticipate future actions and plan a response. Knowns Unknowns Knowns Things we are aware of and understand Things we are aware of but don't understand Unknowns Things we are not aware of but would understand Things we don't know that they exist and don't understand Data Understanding 4

5 What is Threat Intelligence? The purpose of threat intelligence is to understand the enemy, help anticipate future actions and plan a response. Improving Data Improving Interpretation Knowns Unknowns Knowns Things we are aware of and understand Things we are aware of but don't understand Unknowns Things we are not aware of but would understand Things we don't know that they exist and don't understand Data Understanding 4

6 When is it a threat to me? Risk = Vulnerability * Impact Attacker Opportunity Means Motives System Access / Knowledge Vulnerabilities Capabilities and Resources Skill Valuation Goals 5

7 When is it a threat to me? Risk = Vulnerability * Impact * Threat Attacker Opportunity Means Motives System Access / Knowledge Vulnerabilities Capabilities and Resources Skill Valuation Goals Intelligence needs to help me understand these aspects for adversaries I potentially face. Threat Intelligence is in essence risk reduction. 5

8 Strategic Cyber Threat Intelligence Key goal: Support executives in decision making Strategic All deliverables are written in a language for policy makers and strategists 6

9 Operational Cyber Threat Intelligence Key goal: Understand the threat actors and their modus operandi Strategic Operational Investigate the capabilities, intent and methods or techniques, tactics and procedures (TTPs) Provides input to network architects, system administrators, etc. 7

10 Tactical Cyber Threat Intelligence Key goal: Apply knowledge about threats into concrete detection capabilities. Strategic Strategic Strategic Operational Operational Feed information that can be directly used to respond to threats (MD5 file hashes, Bro signatures, malicious domain names) into controls Tactical 8

11 Intelligence starts with a question and answers it Analyze available information against some requirements to make an assessment in decision making. Intelligence is both product and process! 9

12 CTI Interaction in the Organization and Standardization Efforts open data source Cyber Threat Intelligence Corpus commercial feeds shared intelligence asset information 10

13 CTI Interaction in the Organization and Standardization Efforts open data source commercial feeds Stix Taxii IODEF Cyber Threat Intelligence Corpus shared intelligence asset information 10

14 CTI Interaction in the Organization and Standardization Efforts open data source commercial feeds Stix Taxii IODEF Cyber Threat Intelligence Corpus shared intelligence asset information 10

15 CTI Interaction in the Organization and Standardization Efforts open data source commercial feeds Stix Taxii IODEF Cyber Threat Intelligence Corpus ISACs Threat Intelligence Provider subject to active research Malicious Actor Internet shared intelligence Communication Protocol Cryptographic Protocol asset information Victim 10

16 CTI Interaction in the Organization and Standardization Efforts open data source commercial feeds Stix Taxii IODEF Cyber Threat Intelligence Corpus subject to active research shared intelligence asset information 10

17 CTI Interaction in the Organization and Standardization Efforts open data source commercial feeds Stix Taxii IODEF subject to active research shared intelligence Cyber Threat Intelligence Corpus decision making support security policy resource allocation security by design asset information 11

18 CTI Interaction in the Organization and Standardization Efforts open data source commercial feeds Stix Taxii IODEF subject to active research shared intelligence Cyber Threat Intelligence Corpus decision making support security policy resource allocation security by design administrators CSIRTs / ISACs asset information 11

19 CTI Interaction in the Organization and Standardization Efforts open data source commercial feeds Stix Taxii IODEF subject to active research shared intelligence Cyber Threat Intelligence Corpus decision making support security policy resource allocation security by design administrators CSIRTs / ISACs Pawn Storm Sednit APT28 Sofacy Group Strontium Tsar Team Fancy Bear asset information 11

20 CTI Interaction in the Organization and Standardization Efforts open data source commercial feeds Stix Taxii IODEF subject to active research shared intelligence Cyber Threat Intelligence Corpus decision making support security policy resource allocation security by design Threat Modeling administrators CSIRTs / ISACs Ontologies VERIS e.g. OWASP, Intel TARA asset information 11

21 CTI Interaction in the Organization and Standardization Efforts open data source commercial feeds Stix Taxii IODEF subject to active research shared intelligence Cyber Threat Intelligence Corpus decision making support security policy resource allocation security by design Threat Modeling administrators CSIRTs / ISACs Ontologies VERIS e.g. OWASP, Intel TARA asset information Terminology Methods and Techniques 11

22 Processing CTI: The Intelligence Cycle Planning and Direction Dissemination and Integration Collection Analysis and Production Processing and Exploitation 12

23 Processing CTI: The Intelligence Cycle Start with intelligence gaps and prioritize them. Planning and Direction Dissemination and Integration Collection Analysis and Production Processing and Exploitation 12

24 Processing CTI: The Intelligence Cycle Planning and Direction Determine which data sources you need and how to get them. Acquire the data. Dissemination and Integration Collection Analysis and Production Processing and Exploitation 12

25 Processing CTI: The Intelligence Cycle Planning and Direction Dissemination and Integration Collection Correlation and validation of data. Evaluate its usefulness to answer the question. Analysis and Production Processing and Exploitation 12

26 Processing CTI: The Intelligence Cycle Planning and Direction Dissemination and Integration Collection Analysis and Production Processing and Exploitation Evaluate relevance to answer gap, draw conclusions. 12

27 Processing CTI: The Intelligence Cycle Planning and Direction Dissemination and Integration Collection Analysis and Production Processing and Exploitation Distribute and package the information for the customer. The format, language and medium is as important as the message! 12

28 OODA Main takeaway: Structure how you operate. (Remember intelligence and incident response is a process.) You can also use strategy to disrupt the activities of the adversary. Act Observe Decide Orient 13

29 OODA Main takeaway: Structure how you operate. (Remember intelligence and incident response is a process.) You can also use strategy to disrupt the activities of the adversary. Act Observe Decide Orient Observe Orient Decide Act Observe Orient Decide Act O O D A O O D A 13

30 Cyber Kill Chain Reconnaissance Weaponization Delivery Exploitation Installation Command and Control Actions Pre-Compromise Compromise Post-Compromise Cost to Defender 14

31 Cyber Kill Chain can help you structure knowledge about adversarial TTPs Reconnaissance Weaponization Which hosts/employees were targeted? Analysis Which vector was used? Delivery How was the payload delivered?! Detection Exploitation Installation Command Which vulnerabilities and Control were used? Which modules, filenames contained the malware? To which C&C servers would the malware connect? Actions Synthesis These insights can then be mapped to tactical CTI for detection. 15

32 Diamond Model Main idea: Intrusions are a series of events connected in activity threads. As resources are reused, connections between common elements are drawn. persona (mail, handles), network assets Adversary Infrastructure IP, DNS, Victim persona, network assets, addresses Capability malware, exploit kits, stolen TLS certs, tools 16

33 Diamond Model Main idea: Intrusions are a series of events connected in activity threads. As resources are reused, connections between common elements are drawn. persona (mail, handles), network assets Adversary Infrastructure IP, DNS, Intention Victim persona, network assets, addresses Capability malware, exploit kits, stolen TLS certs, tools 16

34 Diamond Model Main idea: Intrusions are a series of events connected in activity threads. As resources are reused, connections between common elements are drawn. persona (mail, handles), network assets Adversary Infrastructure IP, DNS, TTP Victim persona, network assets, addresses Capability malware, exploit kits, stolen TLS certs, tools 16

35 CTI Interaction in the Organization and Standardization Efforts open data source commercial feeds subject to active research shared intelligence asset information Stix Taxii IODEF Cyber Threat Intelligence Corpus Terminology Methods and Techniques decision making support security policy resource allocation security by design Threat Modeling administrators CSIRTs / ISACs Ontologies VERIS Detection Formats SIEM / SOC / IR pentesting forensics e.g. OWASP, Intel TARA Snort, Bro, Yara Modeling Adversarial Behavior MITRE ATT&CK 18

36 CTI Interaction in the Organization and Standardization Efforts CTI Education (Training + Quality Standards) open data source commercial feeds subject to active research shared intelligence asset information Stix Taxii IODEF Cyber Threat Intelligence Corpus Terminology Methods and Techniques decision making support security policy resource allocation security by design Threat Modeling administrators CSIRTs / ISACs Ontologies VERIS Detection Formats SIEM / SOC / IR pentesting forensics e.g. OWASP, Intel TARA Snort, Bro, Yara Modeling Adversarial Behavior MITRE ATT&CK 18

37 Key Takeaways There is not one CTI Standardization effort: A broad portfolio of activities covering various aspects of the lifecycle Standardization activities are to some extent bottom up or are driven by individual organizations and become de-facto standards We are still missing agreement / standardization on a significant number of components in the CTI landscape 19

38 Thank you Christian Doerr Cyber Threat Intelligence Lab 20

Cyber Threat Intelligence Sharing Standards

SESSION ID: PST-W08 Cyber Threat Intelligence Sharing Standards Jerome Athias Cybersecurity Specialist Saudi Aramco @JA25000 Agenda Cyber Threat Intelligence (CTI) CTI Sharing Standards Summary & Apply