Cyber Threat Intelligence Sharing Standards

Similar documents
Cyber Threat Intelligence Standards - A high-level overview

RSA NetWitness Suite Respond in Minutes, Not Months

Protocols for exchange of cyber security information

Leveraging CybOX to Standardize Representation and Exchange of Digital Forensic Information

Modern Cyber Defense with Automated Real-Time Response: A Standards Update

STANDARD INFORMATION SHARING FORMATS. Will Semple Head of Threat and Vulnerability Management New York Stock Exchange

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

Cyberattack Analysis and Information Sharing in the U.S.

Cyber Threat Intelligence Debbie Janeczek May 24, 2017

Building Resilience in a Digital Enterprise

Supply Chain Information Exchange: Non-conforming & Authentic Components

Internet of Things Security standards

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

An All-Source Approach to Threat Intelligence Using Recorded Future

THREAT INTEL AND CONTENT CURATION: ORGANIZING THE PATH TO SUCCESSFUL DETECTION

C T I A CERTIFIED THREAT INTELLIGENCE ANALYST. EC-Council PROGRAM BROCHURE. Certified Threat Intelligence Analyst 1. Certified

WHITE PAPER. Operationalizing Threat Intelligence Data: The Problems of Relevance and Scale

Intelligence Driven Incident Response Outwitting The Adversary

Cyber Intelligence Professional Certificate Program Booz Allen Hamilton 2-Day Seminar Agenda September 2016

The Mechanics of Cyber Threat Information Sharing

EFFECTIVELY TARGETING ADVANCED THREATS. Terry Sangha Sales Engineer at Trustwave

THE EVOLUTION OF SIEM

Adversary Playbooks. An Approach to Disrupting Malicious Actors and Activity

Think Oslo 2018 Where Technology Meets Humanity. Oslo. Felicity March Cyber Resilience - Europe

CYBER SECURITY OPERATION CENTER (CSOC)

The New Era of Cognitive Security

TURNING THE TABLE THROUGH FEDERATED INFORMATION SHARING

McAfee Advanced Threat Defense

CTI Capability Maturity Model Marco Lourenco

Are you safe? Your business growth strategies are at the heart of the cyber risks your organization faces

The rise of major Adversaries is the most relevant trend in 2014, targeting Government and Critical Services

Building Privacy into Cyber Threat Information Sharing Cyber Security Symposium Securing the Public Trust

Managed Enterprise Phishing Protection. Comprehensive protection delivered 24/7 by anti-phishing experts

Security & Phishing

Cyber Resilience. Think18. Felicity March IBM Corporation

RSA RISK FRAMEWORKS MAKING DIGITAL RISK MANAGEABLE

4/13/2018. Certified Analyst Program Infosheet

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

Building a Resilient Security Posture for Effective Breach Prevention

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Are we breached? Deloitte's Cyber Threat Hunting

Enabling Distributed Event Management: Interoperability for Automated Response and Prevention. Sean Barnum George Saylor Aug 2011

RSA Advanced Security Operations Richard Nichols, Director EMEA. Copyright 2015 EMC Corporation. All rights reserved. 1

Building a Threat-Based Cyber Team

Interested in learning more? Global Information Assurance Certification Paper. Copyright SANS Institute Author Retains Full Rights

Supporting Situationally Aware Cybersecurity Systems. 30 th September 2015

Governance Ideas Exchange

Managed Endpoint Defense

Incident Response Services

Cyber Fraud What can you do about it?

PRACTICAL GUIDE FOR CRITICAL INFRASTRUCTURE ORGANIZATIONS

Speed Up Incident Response with Actionable Forensic Analytics

Sandboxing and the SOC

Reducing Liability and Threats through Effective Cybersecurity Risk Measurement. Does Your Security Posture Stand Up to Tomorrow s New Threat?

Addressing the elephant in the operating room: a look at medical device security programs

ARC VIEW. Critical Industries Need Active Defense and Intelligence-driven Cybersecurity. Keywords. Summary. By Sid Snitkin

Intelligent Protection

Whitepaper. Advanced Threat Hunting with Carbon Black Enterprise Response

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Cyber Attacks & Breaches It s not if, it s When

Cyber Security Incident Response Fighting Fire with Fire

OUTSMART ADVANCED CYBER ATTACKS WITH AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER

Security Essentials Start Here

Building an Effective Threat Intelligence Capability. Haider Pasha, CISSP, C EH Director, Security Strategy Emerging Markets Office of the CTO

Incident response to a breach: Right of boom you find ashes

Convegno Sezione Automazione ANIMP

NISTCSF.COM. NIST Cybersecurity Framework (NCSF) Workforce Development Solutions

Cybersecurity and Hospitals: A Board Perspective

Incident Response Services to Help You Prepare for and Quickly Respond to Security Incidents

Software & Supply Chain Assurance: Enabling Enterprise Resilience through Security Automation, Software Assurance and Supply Chain Risk Management

(U) Cyber Threats to the Homeland

THREAT MANAGEMENT AND OUR TECHNICAL LEARNINGS IMPLEMENTING CTI

RIMS Perk Session Protecting the Crown Jewels A Risk Manager's guide to cyber security March 18, 2015

Cyber Threat Landscape April 2013

Qualys Indication of Compromise

Water Information Sharing and Analysis Center

Advanced Endpoint Protection

Achieving & Measuring the Value of Cyber Threat Information Sharing. Lindsley Boiney, Clem Skorupka (presenting)

Brussels. Cyber Resiliency Minimizing the impact of breaches on business continuity. Jean-Michel Lamby Associate Partner - IBM Security

Building an Efficient Incident Response Process Using Threat Intelligence A Global Enterprise Perspective

BOLSTERING DETECTION ABILITIES KENT KNUDSEN JUNE 23, 2016

Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise

Building Successful Threat Intelligence Programs

Designing and Building a Cybersecurity Program

RSA INCIDENT RESPONSE SERVICES

Seven Steps to Ease the Pain of Managing a SOC

THE CRITICAL COMMUNICATIONS COMPANY CYBER SECURITY AS A SERVICE

RSA INCIDENT RESPONSE SERVICES

Security. Risk Management. Compliance.

Sage Data Security Services Directory

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

Statement for the Record

Stakeholders Analysis

Dr. Stephanie Carter CISM, CISSP, CISA

NISTCSF.COM. NIST Cybersecurity Framework (NCSF) Workforce Development Solutions

Designing an Adaptive Defense Security Architecture. George Chiorescu FireEye

Symantec Ransomware Protection

CYBER SECURITY AIR TRANSPORT IT SUMMIT

Threat Modeling and Sharing

Transcription:

SESSION ID: PST-W08 Cyber Threat Intelligence Sharing Standards Jerome Athias Cybersecurity Specialist Saudi Aramco @JA25000

Agenda Cyber Threat Intelligence (CTI) CTI Sharing Standards Summary & Apply Q&A 2

Cyber Threat Intelligence (CTI)

Cyber Threat Intelligence (CTI) What is CTI? Definition(s) of this Capability Why is it useful? Identify, Protect, Detect, Respond, Recover. More and faster Situational Awareness, Know your enemy, be proactive (Observe, Learn, Prioritize, Adapt, Adjust, Defend, React, Prevent, Track, Disrupt, Deter ) Interoperability (Common Language) Automation (M2M) Actionable (data-driven decisions, visualization, COAs) 4

CTI Sharing Standards

CTI Sharing Standards Why? Information is a source of learning. But unless it is organized, processed, and available to the right people in a format for decision making, it is a burden, not a benefit. William Pollard Where? Who? Internal/External Continuous Monitoring, Fast Incident Prevention and Response CERTs, CSIRTs, SOCs, Threat Forensic Malware Analysts, etc. What? Information Model, Data Model from community-driven initiatives How? Commonly XML schemas, language, protocols, tools 6

CTI ecosystem ISO IETF IRTF ITU-T Trusted Computing Group CA/B Forum 3GPP FIRST ETSI Common Criteria Recognition Arrangement NATO Cloud Security Alliance Council on Cyber security/ CIS OMG GSMA Security Group OASIS CTI TC * NIST DHS MITRE IEEE NFV Information Sharing and Analysis Organizations (ISAOs) Cable Labs 7

CTI Sharing Standards To name a few OpenIOC, Mandiant VERIS, Verizon IODEF, IETF DFXML WG, NIST - DFAX OASIS-CTI (DHS) (CybOX, STIX, TAXII, MAEC, ) Support and leverage well-known frameworks and standards (and tools) LM Kill Chain, Diamond Model, OODA loop TLP CVE, CAPEC, CPE, OVAL, CIQ SNORT, YARA 8

Common Language

Common Concepts https://stixproject.github.io/documentation/ 10

STIX Architecture Contextual relationships 11

Fictitious Example Incident: Rogue AP at RSA Conference 2015 Abu Dhabi ExploitTarget: RSA Conference s attendees TTP: Rogue Wi-Fi Access Point, MITM tools, answers to any ESSID Threat Actor: The French Fries Gang Threat Campaign: Wi-Fi hijacking over the world Indicator: Too nice to be true Wi-Fi AP name Observables: ssid= FreeWifiRSA, spoofed DNS queries COAs: Training, Monitoring, Eradication, Public Disclosure 12

Other Examples Victim Targeting by Sector, for a Campaign Assets Affected in an Incident Incident Essentials - Who, What, When Vulnerability (CVE) in an Exploit Target Malicious E-mail Indicator With Attachment Malware: File Hash Reputation, Characterization using MAEC Command and Control IP List Course of Action to Block Network Traffic 13

Controlled Vocabularies

Controlled Vocabularies STIX IncidentEffect Brand or Image Degradation Data Breach or Compromise Degradation of Service Destruction Financial Loss IODEFv2 business impact Degraded-reputation Breach-* Loss-of-service Asset-damage Theft-financial 15

STIX Default Vocabularies (overview) Threat Information Management 16

Controlled Vocabulary STIX Threat Actor Type Cyber Espionage Operations Hacker Hacktivist State Actor / Agency Insider Threat Disgruntled Customer / User ecrime Actor - Credential Theft ecrime Actor - Malware Developer ecrime Actor - Organized Crime Actor ecrime Actor - Spam Service ecrime Actor - Traffic Service 17

Controlled Vocabulary STIX Motivation Ego Financial or Economic Military Opportunistic Political Ideological IncidentCategory Unauthorized Access Improper Usage Denial of Service Malicious Code Scans/Probes/Attempted Access Exercise/Network Defense Testing 18

Controlled Vocabularies Ex: types of indicators (IOCs) in STIX 19

Observables

CybOX Objects Network Address Domain Name Hostname URI Email Message, SMS Network Connection, Packet System Account File Unix/Win (PDF, Exe, X509 ) Process Win Service Win Registry Key Device, Disk, Memory 21

CybOX Objects Relationships https://cyboxproject.github.io/documentation/object-relationships/ 22

Profiles

STIX Profiles, Workflow https://stixproject.github.io/documentation/profiles/ 24

Tools

Tools APIs, Bindings: Python-stix, Java-stix Stix-validator Openioc2stix Stix2html STIX Generator STIXViz TAXII : lib-taxii, java-taxii, YETI 26

MITRE STIXViz https://github.com/stixproject/stix-viz 27

STIX Builder http://xorcism.org 28

Apply CTI Foundation (month 1-6) Identify needs, knowledge gaps. Threat Intelligence Lifecycle Identify resources Collect and analyze data. (asset-, adversary-, technology- centric approaches) Training and Framework (month 6-12) Strategy (e.g. internal/external sharing, human/machine) Consult experts Mature and Automate Collaborate CTI Platform and Processes 29

Thank you Q&A

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback