CYBER(15)004016r1
TC CYBER#4
25-26 Jun 2015
Developments related to DTR/CYBER-009,
TR 103331, Structured threat information sharing
Tony Rutkowski, mailto:tony@yaanatech.co.uk
EVP, Standards & Regulatory Affairs
Rapporteur, DTR/CYBER-009
Current status of the DTR/CYBER-009 work item
• DTR/CYBER-009 was tasked at TC CYBER#3 (4 Feb 2015) with producing a Technical Report on means for describing and exchanging cyber threat information in a standardized and structured manner
– Such information includes technical indicators of adversary activity, contextual information, exploitation targets, and courses of action
– Modelled after established U.S. DHS/MITRE community efforts
• STIX - Structured Threat Information eXpression
• TAXII - Trusted Automated eXchange of Indicator Information
• Version 0.0.1 of the draft was uploaded 6 Feb 2015
– Contains the Technical Report skeleton
New OASIS Cyber Threat Intelligence Technical Committee
• On 20 April, a new committee (CTI) was established in OASIS with essentially an identical remit to DTR/CYBER-009
• Initial specifications were transferred from MITRE/DHS to CTI for evolution and development
• MITRE GitHub will continue to host running code and documents until a transition is effected
• Has been months in the making
– Approval within the USG (DHS/White House, etc.)
– Announced in stages (development community, RSA, OASIS)
• First meeting (teleconference) held virtually 18 June among 100 participants
• Subsequent meetings will occur monthly
• Elected chair is Rich Struse, DHS Chief Advanced Technology Officer, with intent to expand to a possible co-chair
• Active global outreach is considered essential
• Tumblr feed updated continuously
– http://stixproject.tumblr.com/
TC CTI Roster (18 Jun 2015)
Organizations:
Aetna
Australia and New Zealand Banking Group (ANZ Bank)
Bank of America
Bloomberg
Blue Coat Systems, Inc.
Center for Internet Security (CIS)
Cisco Systems
Citrix Systems
Comilion (mobile) Ltd.
Cyber Threat Intelligence Network, Inc. (CTIN)
Dell
DHS Office of Cybersecurity and Communications (CS&C)
Depository Trust & Clearing Corporation
EMC
Ericsson
Fujitsu Limited
Georgetown University
Hewlett-Packard
IBM
Internet Identity (IID)
Integrated Networking Technologies, Inc.
Intel Corporation
Intelworks BV
Johns Hopkins University Applied Physics Laboratory
JPMorgan Chase Bank, N.A.
Lumeta Corporation
Mitre Corporation
MTG Management Consultants, LLC.
National Council of ISACs (NCI)
National Security Agency
NEC Corporation
New Context Services, Inc.
NIST
Nomura Research Institute, Ltd. (NRI)
North American Energy Standards Board
Object Management Group
Oracle
Palo Alto Networks
Queralt, Inc.
Raytheon Company-SAS
Retail Cyber Intelligence Sharing Center (RCISC)
Securonix
Siemens AG
Soltra
TELUS
The Boeing Company
Threat Intelligence Pty Ltd
ThreatConnect, Inc.
ThreatQuotient, Inc.
ThreatStream
U.S. Bank
United Kingdom Cabinet Office
ViaSat, Inc.
Yaana Technologies, LLC
Individual members (*):
*Jerome Athias
*Peter Brown
*Elysa Jones
*Terry MacDonald
*Alex Pinto
*Andrew Schoka
*Michael Schwartz
54 organizations and 7 individuals
CTI TC charter
• Phase One
– STIX 1.2, TAXII 1.1, and CybOX 2.1 will be contributed to the OASIS CTI TC by DHS
– Each will form the basis for a subcommittee
– Contributions are the basis for corresponding OASIS Standards Track Work Products
• A key objective of the TC will be to limit changes to the input specifications in order to minimize impacts on existing implementations
• Phase Two
– Evolve the specifications
• Further work related to information representations for codifying, analyzing, or sharing cyber threat intelligence that was not included in the input specifications is also in scope
– Produce supporting documentation, open source tooling, and any other materials deemed necessary to encourage the adoption of the specifications
STIX, TAXII, & CybOX
• Conceived by the US CERT developer community to meet critical needs for real-time, actor-tailored traffic/behavior acquisition, analysis, and remediation
• Development led by notable MITRE staff and entwined with other MITRE best-of-breed platforms
• Considerable freely-available running code exists
• Constitutes the foundation for White House Executive Order 13691 (13 Feb 2015) on threat information sharing
– Foundation platforms for Information Sharing and Analysis Organizations (ISAOs) (http://www.dhs.gov/isao)
• Extensible for a broad array of other compliance obligations
– Already being used by the banking/financial community and the emergency/disaster warning segment
Similar work
• *IETF IODEF/RID/RID-T (RFC 5070, RFC 6545, RFC 6546)
– IETF specifications (https://tools.ietf.org/wg/mile/) to describe and share incident information; used by many CERTs
– Narrower scope than the proposed CTI platforms
• *FireEye OpenIOC (http://www.openioc.org)
– FireEye specification to describe Indicators of Compromise, available for public use
– Addresses a narrow use case (observable patterns for Indicators of Compromise) and represents a partial solution to part of the overall cyber threat information problem, but does not fully address the needs of a holistic cyber threat intelligence information model
• *VERIS (http://veriscommunity.net)
– A set of metrics designed to provide a common language for describing security incidents
– Addresses a narrow use case and represents a partial solution to part of the overall cyber threat information problem, but does not fully address the needs of a holistic cyber threat intelligence information model
– Published format available on GitHub, developed at the sole discretion of the VERIS community
• *OMG Threat Modeling Working Group (http://www.omg.org/hot-topics/threat-modeling.htm)
– A proposal for a combined risk-threat information model that incorporates STIX (among other things)
– Expected to cover a broader scope (cyber and physical, threat and risk) in order to coordinate across these domains, but does not seek to re-define a model within the domain to the low level that STIX and CybOX do
• EU Advanced Cyber Defence Centre (ACDC) (http://acdc-project.eu/)
– EU-funded project from early 2013 to mid-2015, evolving into a sustainable European centre for cyber defence, building on 8 networked support centres and 1 clearing house deployed during the project and enlarging the cyber-protection scope beyond botnets
– ACDC unites a community of 28 organisations from 14 countries, including Internet Service Providers, CERTs, law enforcement agencies, IT providers, National Research and Education Networks (NRENs), academia and critical infrastructure operators
– Many platforms leveraged (http://acdc-project.eu/acdc-deliverables/)
• NATO Abuse Helper (http://abusehelper.be/)
– An open-source project initiated by CERT.FI and CERT.EE with Clarified Networks to automatically process incident notifications
• ITU-T SG17 X.nessa, Access control models for incidents exchange networks (http://www.itu.int/itut/workprog/wp_item.aspx?isn=10477) (Ref TD 1792r2)
– Initiative by the Russian government to produce a Recommendation to “identify incidents exchange entities for facilitation of implementation of access control policies”
Formation of ISAOs (Information Sharing and Analysis Organizations)
• The operational side of structured threat information sharing is enhanced through ISAOs
• Explicitly treated by White House Executive Order 13691
• Some unknown number of ISAO-like entities presently exist, largely as industry ISACs (Information Sharing and Analysis Centers)
• Promotion is currently the subject of two U.S. DHS initiatives
– Consultative proceeding (Docket No. DHS–2015–0017)
• Comments submitted
– Funding RFP (DHS-15-NPPD-128-001)
Known ISACs
A-ISAC – Aviation Information Sharing and Analysis Center ISAC
DIM-ISAC – Defense Industrial Base ISAC
DNG-ISAC – Downstream Natural Gas ISAC
EMR-ISAC – Emergency Management & Response ISAC
ES-ISAC – Electric Sector ISAC
FS-ISAC – Financial Services ISAC
ICS-ISAC – Industrial Control System ISAC
IT-ISAC – Information Technology ISAC
Maritime ISAC – Maritime Security ISAC
MS-ISAC – Multi-State ISAC
NC-ICSAC – National Council of ISACs
NCC – Communications ISAC
NEI – Nuclear Energy Institute ISAC
NH-ISAC – National Health ISAC
ONG-ISAC – Oil and Gas ISAC
PT-ISAC – Public Transit ISAC
RE-ISAC – Real Estate ISAC
REN-ISAC – Research & Education ISAC
SC-ISAC – Supply Chain ISAC
ST-ISAC – Surface Transportation ISAC
Water ISAC – Water Information Sharing and Analysis Center ISAC
For discussion and guidance
• How to evolve the DTR/CYBER-009 work item
– Collaborate closely with OASIS CTI
– Replicate OASIS CTI specifications
– Enumerate other discoverable threat intelligence sharing activities as a generic report
– Facilitate some further ETSI roles, e.g., ISAO formation
• What role should ETSI play concerning Information Sharing and Analysis Organizations (ISAOs)?
– Facilitate specialized community ISAOs around ETSI technology platforms (NFV, LI/RD, ESI, DECT, …)
– Facilitate mobile ISAOs around 3GPP/GSMA or oneM2M platforms
– Provide a global registry for ISAOs
– Develop ISAO certification requirements