Modern Cyber Defense with Automated Real-Time Response: A Standards Update

Transcription

1 SESSION ID: AIR-F01 Modern Cyber Defense with Automated Real-Time Response: A Standards Update Bret Jordan Director of Security Architecture Joe Brule Executive Director OpenC2 Forum

2 Today we will answer What is wrong with cyber defense today? What is STIX? What is OpenC2? What is TAXII? How will these standards improve cyber defense? 2

3 Traditional Cyber Defense 3

4 Everyone is getting hacked No vertical, sector, or industry is immune Does not matter the size of the organization Who will make the front page this year? Some quick highlights from last year 4

5 Defense Industrial Base Hackers carry out $55m cyber heist from Boeing aerospace parts manufacturer The U.S. weapons systems that experts say were hacked by the Chinese Chinese cyberspies are believed to have compromised the designs for more than two dozen major weapons systems 5

6 Technology 6

7 What s wrong with Cyber Defense? Defenses are statically configured and operate in isolation Changes take time to implement Human discovery Business approval Cross-team coordination Manual deployment which can take forever to get all devices and systems in the network Architectures that are not working 7

8 What s wrong with Cyber Defense? (cont.) Cyber Attacks Sophisticated Adaptive and Automated Occur in Seconds Ever increasing attack surface Cyber Response Slow Manual 8

9 Lucrative business Defenders Cost to US Industry ~ $336 Billion/ year (2012 NSA estimate) Targeted Companies include General Motors, Lockheed Martin, Boeing, Valspar Malware as a Service (MAAS) Cost for a DDoS ~ $38/hr Cost for 10,000 hosts (World mix) ~ $200 We really ought to do something about it 9

10 Traditional cyber security architecture NIST Cyber Security Framework Identify Protect Detect Respond Recover Asset Management Access Control Anomalies and Events Response Planning Recovery Planning Business Environment Awareness and Training Security Continuous Monitoring Communications Improvements Governance Data Security Detection Processes Analysis Communications Risk Assessment Info Protection Processes and Procedures Mitigation Risk Management Strategy Maintenance Improvements Protective Technology 10

11 Another View 11

12 With more detail 12

13 Actual implementations 13

14 Turning the tide on a losing battle We can not win the war this way Not a question of if you will be breached, but when? We need to work together and respond more quickly Need to speak the same language and protocols Need to share what we know about attacks in cyber-relevant time 14

15 Cyber Threat Intelligence (CTI)

16 STIX at a glance It is a language for Cyber Threat Intelligence It has been around for almost 5 years It provides a structured way to document CTI It enables improved understanding and cyber defense through context Lets look at some specific problems STIX can solve 16

17 The problems STIX solves today 1/3 Who is responsible for the attack? Threat Actors Intrusion Sets Campaigns Identity 17

18 The problems STIX solves today 2/3 How are they doing it, what is their modus operandi and TTPs? Attack Pattern Malware Tools Vulnerability 18

19 The problems STIX solves today 3/3 How do you detect it and stop it? Indicator Observed Data Sighting Course of Action (manual) 19

20 Status of STIX 2.0 STIX 2.0 was finished last month STIX now supports a Patterning Grammar for Indicators with conditional and temporal logic support CybOX is no longer a standalone specification It was folded in to STIX 2.0 as Parts 3 and 4 of the multipart document It is now called Cyber Observables It can still be used by other standards without inheriting all of STIX 20

21 How is STIX 2.0 different? Reduced a lot complexity Simplified and flattened the design Focused on making it easier to use and consume Moved the serialization to JSON This makes integration with existing Web2.0 applications easier This also means no more XML namespaces or XSI-Type pain to deal with 21

22 How is STIX 2.0 different? cont. Graph based model External relationship structure This allows 3 rd parties to assert relationships about content they do not own You could NOT do this in STIX Lets look at one of the new STIX Domain Objects and see how it relates to other objects in the model 22

23 Relationships! 23

24 Relationships! You can now do things like 24

25 Patterning You can now build both simple indicator patterns and very complex indicator patterns Here are 3 examples 25

26 Patterning Matching a File with a SHA-256 hash [file:hashes."sha-256" = 'aec070645fe53ee3b f058cc337247c978add178b6ccdfb0019f ] Matching a File with an MD5 hash, followed by (temporally) a Registry Key Object that matches a value, within 5 minutes [file:hashes.md5 = ' fb1a26e4bc422aef54eb4'] FOLLOWEDBY [win-registry-key:key = 'HKEY_LOCAL_MACHINE\\foo\\bar'] WITHIN 300 SECONDS 26

27 Patterning Matching three different, but specific Unix User Accounts [user-account:account_type = 'unix' AND user-account:user_id = '1007' AND user-account:account_login = 'Peter'] AND [user-account:account_type = 'unix' AND user-account:user_id = '1008' AND user-account:account_login = 'Paul'] AND [user-account:account_type = 'unix' AND user-account:user_id = '1009' AND user-account:account_login = 'Mary'] 27

28 What does it look like? (STIX 2.0 Indicator) { "type": "indicator", "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f", "created_by_ref": "identity--f431f b-45e0-aa1c-6a4751cae5ff", "created": " T20:03:48.000Z", "modified": " T20:03:48.000Z", "labels": ["malicious-activity"], "name": "Poison Ivy Malware", "description": "This file is part of Poison Ivy", "pattern": "[ file.hashes.md5 = '3773a88f65a5e780c8dff9cdc3a056f3' ]", "valid_from": " T00:00:00Z" }, 28

29 What about future 2.x versions Future releases of STIX will be additive STIX 2.1 should be done by end of 2017 STIX 2.1 will contain some added functionality and a few new STIX Domain Objects Lets look at some of the possibilities 29

30 Potential STIX 2.1 additions Opinion / Intel Notes Updates to Malware / Infrastructure Updates to Course of Action / Playbooks Confidence Location Incident / Event Internationalization IEP Data Marking 30

31 Automated Courses of Action

32 OpenC2 at a glance Enables coordinated defense in cyber relevant time Simplicity Low overhead on sensor and actuator Focuses on Acting portion of cyber-defense External Dependencies Analytics; Why you are acting Decision; Which action Sensing; What triggers the action OpenC2 is agnostic of transport and information assurance mechanisms 32

33 OpenC2 Terminology Actuator: The device or sensor that executes a native OpenC2 command Orchestrator: Is a mission manager that will issue the OpenC2 commands to the appropriate actuators, and in the synchronous case, ensure the commands are executed in the correct order Profile: A minimum to implement set of OpenC2 commands that a class of actuators support OpenC2 Proxy: Provide a mapping of OpenC2 commands to and from devices that do not natively support OpenC2. 33

34 OpenC2 Syntax The Lexicon Decouples the aspects of the commands ACTION: What is to be done TARGET: What you are doing it to ACTUATOR: Who is executing the command Benefits of decoupling Facilitates integration of new technologies Supports high level effects based AND device specific use case Extensions permit additional precision to the commands MODIFIER: Additional details for the Verb SPECIFIER: Additional details for the Nouns 34

35 Example of what OpenC2 can do Abstract Use Case Mitigate Evil Domain Local Orchestrator Deny Evil Domain Scan Evil.pdf Contain Evil Firewall executes command Implement on OpenC2 Message Fabric Orchestration OpenC2 Message Fabric OpenC2 Proxy Hardware API 35

36 Possible Implementation Orchestrators and Actuators converge on the OpenC2 message fabric OpenC2 Proxy maps to hardware API Converging on Message Fabric Facilitates implementation OpenC2 Message Fabric OpenC2 Proxy Hardware API 36

37 Change out the Actuators Allows Corporate wide sharing of cyber defense tactics Minimizes impact when changing components OpenC2 Message Fabric OpenC2 Proxy Hardware API 37

38 Abstracts the cyber-defense function Deny Command is executed REGARDLESS of product Simplifies integration of new technologies that achieve similar actions Unified tactical approach independent of equipment set SDN Controller Whitebox Switch 38 OpenC2 Publisher OpenC2 Subscriber OpenC2 Proxy Device Manager API Hardware API

39 Level of Abstraction Extensible to permit different levels of abstraction High level commands are suitable for inter-domain coordination Additional precision needed for intra-domain commands to the actual devices 39

40 OpenC2 Syntax 40

41 TAXII, Share all the things!

42 TAXII at a glance TAXII is an application protocol for transmitting and sharing CTI It has been around for almost 5 years Enables the good citizen philosophy of see something, say something Offers the possibility of plug-n-play interoperability between security tools and sensors Enables two fundamental ways of communicating threat intelligence Lets look at these 42

43 Data Collections via Request / Response 43

44 Channels via Publish / Subscribe 44

45 TAXII 2.0 Architecture Discovery Collections Objects API Root Channels Messages Status 45

46 Status of TAXII 2.0 TAXII 2.0 is nearing completion It supports a pure HTTPS RESTful design It enables network level discovery from DNS SRV records It support API discovery It supports running multiple trust groups on a single instance of TAXII 46

47 Improving your Cyber Defense

48 STIX + TAXII + OpenC2 We believe that everyone gets the general idea Fundamentally, we need an ecosystem where actionable CTI with automated Courses of Action are shared and acted upon in a standardized manner across verticals and public / private sectors in near real-time to address the ever increasing cyber threat landscape What are the benefits? 48

49 Why should you adopt these standards? Gain proactive defense Reduce your long-term risk Enable herd immunity Improve your operational understanding of the threats Enable automated real-time remediation / mitigation Bottom line Lower cyber insurance premiums Lower integration costs Gain greater situational awareness value 49

50 Working as one! Last year I showed you my vision of what could be Now let me show you how this can be solved with using STIX, TAXII, and OpenC2 50

51 End to end workflow SIEM 51

52 Step 1 52

53 Step 2 53

54 Step 3 TAXII Server SIEM 54

55 Step 4 TAXII Server 55

56 Step 5 TAXII Server 56

57 Step 6 TAXII Server Talk to product s API OpenC2 DENY Command OpenC2 Proxy (convert to product s native API commands) OpenC2 SCAN, UPDATE (to prevent future issues), DELETE Command 57 OpenC2 Orchestrator

58 Step 7 TAXII Server OpenC2 INVESTIGATE, MITIGATE, REMEDIATE Command TAXII Server 58

59 Conclusions

60 How do we fix cyber defense Get more context about who and what is attacking our networks We need inter and intra domain coordinated automated responses in cyber-relevant time We need to decouple the functional blocks We need standardized interfaces 60

61 Why standards? Standards enable interoperability STIX and TAXII are sub-committees of the OASIS CTI TC OpenC2 is in the process of entering OASIS These standards are gaining broad adoption Significant international vendor support for STIX, OpenC2, and TAXII The OASIS CTI Technical Committee is made up of 249 members from 85 different organizations. The OpenC2 Forum is made up of 34 member organizations with approximately 120 participants. 61

62 Conclusions Threat sharing and orchestration are moving to a better place Actionable threat intelligence is REAL Automated Courses of Action are REAL Combining STIX, TAXII, and OpenC2 fills in the missing pieces in cyber defense 62

63 What should you do now? Next week you should Start learning the basics of STIX and OpenC2 and get involved Start identifying areas of your network / enclave that can benefit from OpenC2 Plan for a CTI sharing program that includes automated Courses of Action Identify key stakeholders in your organization that can help you get this going Developers, start thinking about reference implementations 63

64 What should you do now? In the first three months following this presentation you should Start looking at TIP and orchestration vendors that support OpenC2 and TAXII and learn how they can automated your cyber defenses. Work with Legal/C-suite to gain approval to cooperate and share CTI Identify integration gaps and start hammering on your vendors Don t underestimate the value of when we make our next purchasing decision for $category; we are really looking for $feature Vendors, identify ways to incorporate STIX and OpenC2 64

65 What should you do now? Within six months you should Integrate threat intelligence and automated COAs in to your security playbook Start training your SOC team on CTI and automated Courses of Action Require STIX 2.0 / TAXII 2.0 / OpenC2 compliance on all RFIs and RFPs Think outside the box Be willing to share and trade Courses of Action or Indicators for extra context 65

66 SESSION ID: AIR-F01 Modern Cyber Defense with Automated Real-Time Response: A Standards Update Bret Jordan Director of Security Architecture Joe Brule Executive Director OpenC2 Forum