Practical Cyber Threat Intelligence with STIX
Sponsored by the US Department of Homeland Security
Sean Barnum
Nov 2013
© 2013 The MITRE Corporation. All rights reserved.
https://stix.mitre.org
Need for holistic threat intelligence
 Diverse and evolving threats
 Balance inward & outward focus
 Standardized threat representation
 Proactive & reactive actions
 Information sharing
(Figure: attack lifecycle stages Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain.)
Information Sharing
 Cyber threat information (particularly indicators) sharing is not new
 Typically very atomic and very limited in sophistication
– IP lists, file hashes, URLs, email addresses, etc.
 Most sharing is unstructured & human-to-human
 Recent trends of machine-to-machine transfer of simple/atomic indicators
 STIX aims to enable sharing of more expressive indicators as well as other full-spectrum cyber threat information.
What is STIX?
 A language for the characterization and communication of cyber threat information
– NOT a sharing program, database, or tool
 …but supports all of those uses and more
 Developed with open community feedback
 Supports
– Clear understandings of cyber threat information
– Consistent expression of threat information
– Automated processing based on collected intelligence
– Advancing the state of practice in threat analytics
STIX Use Cases
STIX provides a common mechanism for addressing structured cyber threat information across and among this full range of use cases, improving consistency, efficiency, interoperability, and overall situational awareness.
What is “Cyber (Threat) Intelligence?”
Consider these questions:
 What activity are we seeing?
 What threats should I look for on my networks and systems and why?
 Where has this threat been seen?
 What does it do?
 What weaknesses does this threat exploit?
 Why does it do this?
 Who is responsible for this threat?
 What can I do about it?
What you are looking for
(Figure: the questions cyber threat intelligence answers.)
 Why were they doing it?
 Why should you care about it?
 What exactly were they doing?
 Where was it seen?
 What should you do about it?
 Who was doing it?
 What were they looking to exploit?
Expressing Relationships
(Figure: a relationship graph linking “Bad Guy” and “BankJob23” with Observed TTPs (Infrastructure, Backdoor), their Observables (Badurl.com, 10.3.6.23, …; Email-Subject: “Follow-up”; an MD5 hash…) and Indicators (Indicator-9742, CERT-2013-03…, Indicator-985) through RelatedTo edges.)
Expressing Relationships in STIX
(Figure: an example intrusion expressed as linked STIX constructs, by lifecycle phase.)
 Initial Compromise: Observed TTP, Spear Phishing Email
– Indicator with Observable: Sender: John Smith, Subject: Press Release
– Electronic Address: l33t007@badassin.com
 Establish Foothold: Observed TTP, Malware Behavior WEBC2
– Indicator with Observable: MD5: d8bb32a7465f55c368230bb52d52d885
 Escalate Privilege: Observed TTP, Uses Tool: cachedump, lslsass
 Internal Reconnaissance: Observed TTP, Attack Pattern, Uses Tool: ipconfig, net view, net group “domain admins”
 Exfiltration: Observed TTP, Uses Tool: GETMAIL; Leverages Infrastructure: C2 Servers, IP Range: 172.24.0.0-112.25.255.255
 Associated Actor: Leet
– Pamina Republic Army, Unit 31459
– Targets: Khaffeine, Bronxistan, Perturbia, Blahniks, ...
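The pivot this kind of graph enables (from one sighted observable to the responsible actor and on to the other observables tied to that actor's TTPs), as an added example that is not the deck's or the STIX project's code: node names are taken from the figure above, while the edge labels, the reduced edge set and the pivot rules are simplified assumptions.

```python
# Added example, not STIX project code: the figure's intrusion as a typed relationship
# graph plus the pivot an analyst runs from one sighting. Node names come from the
# slide; the edge labels, the simplified edge set and the pivot rules are assumptions.
from collections import deque

# (source, relationship, target) triples reconstructed from the figure.
EDGES = [
    ("Indicator-Phish", "observable", "Email sender 'John Smith', subject 'Press Release'"),
    ("Indicator-Phish", "indicates", "TTP: Spear Phishing Email"),
    ("Indicator-WEBC2", "observable", "MD5 d8bb32a7465f55c368230bb52d52d885"),
    ("Indicator-WEBC2", "indicates", "TTP: Malware Behavior WEBC2"),
    ("TTP: Exfiltration", "leverages", "Infrastructure: C2 Servers"),
    ("Actor: Leet", "observed_ttp", "TTP: Spear Phishing Email"),
    ("Actor: Leet", "observed_ttp", "TTP: Malware Behavior WEBC2"),
    ("Actor: Leet", "observed_ttp", "TTP: Exfiltration"),
    ("Actor: Leet", "targets", "Khaffeine"),
]

def neighbours(edges):
    """Adjacency in both directions, so a walk can go observable -> actor -> other TTPs."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
        adj.setdefault(dst, []).append(("inverse:" + rel, src))
    return adj

def pivot(edges, start, max_hops):
    """Breadth-first walk from a sighting; records the relationship path to each node."""
    adj, paths, queue = neighbours(edges), {start: []}, deque([start])
    while queue:
        node = queue.popleft()
        if len(paths[node]) >= max_hops:
            continue
        for rel, nxt in adj.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [rel]
                queue.append(nxt)
    return paths

def attribution_and_related_observables(edges, sighting, max_hops=6):
    """Who is behind a sighted observable, and which other observables their TTPs expose
    (the additional things to hunt for once one indicator fires)."""
    paths = pivot(edges, sighting, max_hops)
    actors = sorted(n for n in paths if n.startswith("Actor:"))
    observables = sorted(n for n, path in paths.items()
                         if path and path[-1] == "observable" and n != sighting)
    return actors, observables
```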
Data Markings, Profiles and Privacy
 STIX leverages an abstract data markings approach
– Enables marking of content data down to the field level with any number of custom marking models
– Current default model implementations exist for Traffic Light Protocol (TLP) and Enterprise Data Header (EDH)
 Profiles can be defined to specify relevant subsets of the language
– Can be used to scope what information is exchanged between parties, what capabilities a tool or service provides, or to support differential policies on different types of information
 Addressing privacy with STIX
– Structured representation assists in explicitly delineating types of information
– Profiles assist in explicit design-time specification of scoping policy around data with potential privacy implications
– Data markings assist in explicit implementation-time labeling of content based on policy around potential privacy implications
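Field-level TLP markings and marking-based scoping of what gets exchanged, as an added example that is not part of the deck or the STIX project's code. The XML is a constructed, simplified stand-in for a STIX 1.x package: its element names and the ElementTree paths used as controlled structures are assumptions (the real schema uses XPath controlled structures).

```python
# Added example, not STIX project code. The XML is a constructed, simplified stand-in
# for a STIX 1.x package: element names and ElementTree paths are assumptions, not the schema.
import copy
import xml.etree.ElementTree as ET

TLP_RANK = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}  # least to most restrictive
PACKAGE_XML = """<Package>
 <Handling>
  <Marking path="." color="GREEN"/>
  <Marking path=".//Indicator[@id='ind-985']//Sender" color="RED"/>
  <Marking path=".//Indicator[@id='ind-9742']" color="AMBER"/>
 </Handling>
 <Indicator id="ind-985"><Observable>
  <Sender>John Smith</Sender><Subject>Press Release</Subject></Observable></Indicator>
 <Indicator id="ind-9742"><Observable><Address>10.3.6.23</Address></Observable></Indicator>
</Package>"""

def load_package():
    return ET.fromstring(PACKAGE_XML)

def effective_color(package, elem):
    """Most restrictive marking whose path selects elem or one of its ancestors;
    unmarked content fails closed to RED instead of leaking as unrestricted."""
    parents = {c: p for p in package.iter() for c in p}
    chain, node = [], elem
    while node is not None:
        chain.append(node)
        node = parents.get(node)
    colors = [m.get("color") for m in package.findall("./Handling/Marking")
              if any(n in chain for n in package.findall(m.get("path")))]
    return max(colors, key=TLP_RANK.__getitem__, default="RED")

def redact_for(package, recipient_color):
    """Copy with every subtree marked above the recipient's TLP level removed."""
    out = copy.deepcopy(package)
    limit = TLP_RANK[recipient_color]
    colors = {e: effective_color(out, e) for e in out.iter()}  # decide before pruning
    def prune(elem):
        for child in list(elem):
            if TLP_RANK[colors[child]] > limit:
                elem.remove(child)  # drop the whole over-classified subtree
            else:
                prune(child)
    prune(out)
    return out

def leaf_values(package):
    """Sorted (tag, text) pairs for the content fields still present."""
    return sorted((e.tag, e.text.strip()) for e in package.iter()
                  if len(e) == 0 and e.text and e.text.strip())
```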
Implementations
 Initial implementation has been done in XML Schema
– Ubiquitous, portable and structured
– Concrete strawman for community of experts
– Practical structure for early real-world prototyping and POC implementations
– Plan to iterate and refine with real-world use
 Next step will be a formal implementation-independent specification
– Will include guidance for developing XML, JSON, RDF/OWL, or other implementations
Enabling Utilities
 Utilities to enable easier prototyping and usage of the language.
 Utilities consist of things like:
– Language (Python) bindings for STIX, CybOX, MAEC, etc.
– High-level programmatic APIs for common needs/activities
– Conversion utilities from commonly used formats & tools
– Comparator tools for analyzing language-based content
– STIX-to-HTML
– Stixviz (simple visualization tool)
– Utilities supporting common use cases
 E.g. Email_to_CybOX utility supporting phishing analysis & management
 Open communities on GitHub (STIXProject, CybOXProject & MAECProject)
STIXViz with STIX-to-HTML Example
Adoption & Usage
Still in its early stages but already generating extensive interest and initial operational use
 Actively being worked by numerous information sharing communities
 Initial operational use by several large “user” organizations
 Actively being worked by numerous service/product vendors
Some of the organizations contributing to the STIX conversation:
Recent Focus
 Make it easier for people to understand and use STIX
 Improve documentation
 Develop supporting utilities
 Provide collaborative guidance
 Gather feedback
 Refine and extend the language based on feedback and needs
Timelines
 Current Versions
– CybOX 2.0.1, MAEC 4.0.1, STIX 1.0.1 (Sep 2013)
 Near Term
– CybOX 2.1 (EOY 2013)
– MAEC 4.1, STIX 1.1 (January 2014)
 Mid Term
– CybOX 3.0, MAEC 5.0, STIX 2.0 (Summer 2014)
 Long Term
– Transition to international standards bodies (EOY 2014-2015)
For more information
 STIX Website
– Contains official releases and other info
– http://stix.mitre.org/
 Sign up for the STIX Discussion and Announcement mailing lists
– http://stix.mitre.org/community/registration.html
 Open issues can be discussed on GitHub
– https://github.com/STIXProject
 STIX-related software can be found on GitHub
– https://github.com/STIXProject/python-stix
– https://github.com/STIXProject/Tools
 Related sites
– https://cybox.mitre.org/
– https://maec.mitre.org/
– https://capec.mitre.org/
– https://taxii.mitre.org/
Orient on the Adversary!
We want you to be part of the conversation.
stix@mitre.org
https://stix.mitre.org
Backup TAXII Slides
Trusted Automated eXchange of Indicator Information (TAXII)
Open community led by DHS and coordinated by MITRE
 Defines services and messages for sharing cyber threat info
 Not bound to one sharing architecture
– Composable TAXII services support many sharing models
– Support push or pull sharing
– Do not force data consumers to host network services
 Enable (but don’t require) authentication/encryption
 Do not dictate data handling
– TAXII handles transport; storage & access control left to back-end
 Core services and data models are protocol/format neutral
– Binding specs standardize TAXII’s use of specific protocols/formats
– Users not forced to use one protocol or format
 Convey any data (not just STIX)
TAXII 1.0
 TAXII 1.0 Specifications
– TAXII Overview
 Defines the primary concepts of TAXII
– TAXII Services Specification = core services and exchanges
– TAXII Message Binding = how to express messages in a format
 TAXII 1.0 has an XML Message Binding
– TAXII Protocol Binding = how to transmit messages over the network
 TAXII 1.0 has an HTTP (and HTTPS) Message Binding
 TAXII core services
– Discovery – Indicates how to communicate with other services
– Feed Management – Identify and manage subscriptions to data feeds
– Poll – Support pull messaging
– Inbox – Receive pushed messages
Identified Sharing Models
 Research identified three primary sharing models:
– Source/subscriber
– Peer-to-peer
– Hub and spoke
 TAXII supports all three
(Figure: a Source feeding several Subscribers; Peers A to E exchanging directly; a Hub with Spokes that are consumer only, producer only, or consumer & producer.)
Simple Hub & Spoke Example
(Figure: a Hub running Poll and Inbox services, with Spokes 1 to 4 acting as clients: spokes push data to the hub through its Inbox service and pull data from the hub through its Poll service.)
Hub & Spoke Example
(Figure: the Hub runs Discovery, Feed Management, Poll and Inbox services and also acts as a client toward the spokes. Spokes 1 to 4 get connection info (Discovery), subscribe to data feeds (Feed Management), pull recent data from the hub (Poll) and push new data to the hub (Inbox); the hub pushes recent data to a spoke's Inbox.)
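The hub-and-spoke exchange above, as an added in-memory Python model that is not TAXII project code: the hub offers the four core services named on the TAXII 1.0 slide and the spokes get connection info, subscribe, push and pull as in the figure. Feed names, record fields, the integer clock standing in for timestamps and the push flag are simplified assumptions.

```python
# Added example, not TAXII project code: an in-memory model of the slide's hub-and-spoke
# exchange built from the four TAXII 1.0 core services the deck names. Feed names, record
# fields, the integer clock standing in for timestamps and the push flag are assumptions.
class Hub:
    SERVICES = ("Discovery", "Feed Management", "Poll", "Inbox")
    def __init__(self, feeds):
        self.feeds = {name: [] for name in feeds}          # feed -> ordered records
        self.subscriptions = {name: {} for name in feeds}  # feed -> {spoke: push?}
        self.clock = 0

    def discovery(self):
        """Connection info: which services this hub offers and which feeds exist."""
        return {"services": self.SERVICES, "feeds": sorted(self.feeds)}

    def feed_management(self, spoke, feed, push):
        """Subscribe a spoke. push=True: the hub delivers to the spoke's own Inbox;
        push=False: the spoke will Poll, so it need not host any network service."""
        self.subscriptions[feed][spoke] = push

    def inbox(self, feed, content):
        """Accept content pushed by a producer spoke and fan it out to push subscribers."""
        self.clock += 1
        record = {"t": self.clock, "feed": feed, "content": content}
        self.feeds[feed].append(record)
        for spoke, push in self.subscriptions[feed].items():
            if push:
                spoke.inbox(record)
        return record["t"]

    def poll(self, feed, since=0):
        """Pull records newer than `since` (an exclusive begin, like a TAXII Poll window)."""
        return [r for r in self.feeds[feed] if r["t"] > since]

class Spoke:
    """Hosts an Inbox only if it wants pushed data; a polling spoke is a pure client."""
    def __init__(self):
        self.received = []
    def inbox(self, record):
        self.received.append(record)

def run_example():
    """Replays the slide: get connection info, subscribe, push new data, pull recent data."""
    hub, spoke1, spoke4 = Hub(["indicators"]), Spoke(), Spoke()
    services = hub.discovery()["services"]                # Spoke 1: get connection info
    hub.feed_management(spoke4, "indicators", push=True)  # Spoke 4: wants pushes to its Inbox
    hub.feed_management(spoke1, "indicators", push=False) # Spoke 1: will poll instead
    first = hub.inbox("indicators", "md5 d8bb32a7465f55c368230bb52d52d885")  # Spoke 2 pushes
    hub.inbox("indicators", "email subject 'Press Release'")                 # Spoke 3 pushes
    pulled = hub.poll("indicators", since=first)          # Spoke 1 pulls only what is new
    return "Poll" in services, len(spoke4.received), [r["content"] for r in pulled]
```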
Peer-to-Peer Example
(Figure: Peers 1 to 5, each running an Inbox service and a Client, exchanging directly with one another.)
RID-T Example
(Figure: Peers 1 to 5, each with an Inbox service and a Client, in the same peer-to-peer topology.)
For more information
 TAXII Website
– Contains official releases and other info
– http://taxii.mitre.org/
 Sign up for the TAXII Discussion and Announcement mailing lists
– http://taxii.mitre.org/community/registration.html
 Open issues can be discussed on GitHub
– https://github.com/TAXIIProject/TAXII-Specifications
 TAXII-related software can be found on GitHub
– https://github.com/TAXIIProject
 Related sites
– https://stix.mitre.org/