PRACTICAL CYBER THREAT INTELLIGENCE WITH STIX
Sponsored by the US Department of Homeland Security
Sean Barnum, Nov 2013
© 2013 The MITRE Corporation. All rights reserved.
https://stix.mitre.org

Need for holistic threat intelligence
- Diverse and evolving threats
- Balance inward and outward focus
- Standardized threat representation
- Proactive and reactive actions across the intrusion chain: Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain
- Information sharing

Information Sharing
- Cyber threat information (particularly indicator) sharing is not new
- Typically very atomic and very limited in sophistication: IP lists, file hashes, URLs, email addresses, etc.
- Most sharing is unstructured and human-to-human
- Recent trend toward machine-to-machine transfer of simple, atomic indicators
- STIX aims to enable sharing of more expressive indicators as well as other full-spectrum cyber threat information

What is STIX?
- A language for the characterization and communication of cyber threat information
  – NOT a sharing program, database, or tool, but it supports all of those uses and more
- Developed with open community feedback
- Supports:
  – Clear understanding of cyber threat information
  – Consistent expression of threat information
  – Automated processing based on collected intelligence
  – Advancing the state of practice in threat analytics

STIX Use Cases
STIX provides a common mechanism for addressing structured cyber threat information across and among the full range of use cases, improving consistency, efficiency, interoperability, and overall situational awareness.

What is "Cyber (Threat) Intelligence?"
Consider these questions:
- What activity are we seeing?
- What threats should I look for on my networks and systems, and why?
- Where has this threat been seen?
- What does it do?
- What weaknesses does this threat exploit?
- Why does it do this?
- Who is responsible for this threat?
- What can I do about it?

[Slides 7-15: STIX architecture and construct diagrams; no text recoverable]

STIX architecture (diagram): the language annotated with the questions its parts answer
- What you are looking for
- What exactly were they doing?
- Where was it seen?
- Who was doing it?
- What were they looking to exploit?
- Why were they doing it?
- Why should you care about it?
- What should you do about it?

Expressing Relationships (diagram)
Labels recoverable from the figure: ObservedTTP; "Bad Guy" Infrastructure; Backdoor; Observables Badurl.com, 10.3.6.23, …; Indicator-9742; CERT-2013-03…; "BankJob23"; Email-Subject: "Follow-up"; Indicator-985 (MD5 hash…); the constructs are joined by RelatedTo edges.

Expressing Relationships in STIX (diagram of a fictional intrusion)
- Threat Actor "Leet"; Associated Actor: Pamina Republic Army Unit 31459
  – Targets: Khaffeine, Bronxistan, Perturbia, Blahniks, ...
  – Observed TTP: Initial Compromise via a Spear Phishing Email
    Indicator with an Observable: Sender "John Smith", Subject "Press Release"
    Electronic Address observable: l33t007@badassin.com
  – Observed TTP: Establish Foothold; Malware Behavior: WEBC2
    Indicator with an Observable: MD5 d8bb32a7465f55c368230bb52d52d885
  – Observed TTP: Escalate Privilege; Uses Tool: cachedump, lslsass
Expressing Relationships in STIX (diagram, continued)
  – Observed TTP: Internal Reconnaissance (Attack Pattern); Uses Tool: ipconfig, net view, net group "domain admins"
  – Observed TTP: Exfiltration; Uses Tool: GETMAIL
  – Leverages Infrastructure: C2 Servers, IP Range 172.24.0.0-112.25.255.255

Data Markings, Profiles and Privacy
- STIX leverages an abstract data markings approach
  – Enables marking of content down to the field level with any number of custom marking models
  – Current default model implementations exist for Traffic Light Protocol (TLP) and Enterprise Data Header (EDH)
- Profiles can be defined to specify relevant subsets of the language
  – Can be used to scope what information is exchanged between parties, what capabilities a tool or service provides, or to support differential policies on different types of information
- Addressing privacy with STIX
  – Structured representation assists in explicitly delineating types of information
  – Profiles assist in explicit design-time specification of scoping policy around data with potential privacy implications
  – Data markings assist in explicit implementation-time labeling of content based on policy around potential privacy implications

Implementations
- Initial implementation has been done in XML Schema
  – Ubiquitous, portable and structured
  – Concrete strawman for a community of experts
  – Practical structure for early real-world prototyping and proof-of-concept implementations
- Plan to iterate and refine with real-world use
- Next step will be a formal implementation-independent specification
  – Will include guidance for developing XML, JSON, RDF/OWL, or other implementations

Enabling Utilities
Utilities to enable easier prototyping and usage of the language. They consist of things like:
- Language (Python) bindings for STIX, CybOX, MAEC, etc.
- High-level programmatic APIs for common needs and activities
- Conversion utilities from commonly used formats and tools
- Comparator tools for analyzing language-based content
- STIX-to-HTML
- STIXViz (simple visualization tool)
- Utilities supporting common use cases, e.g. the Email_to_CybOX utility supporting phishing analysis and management
- Open communities on GitHub (STIXProject, CybOXProject and MAECProject)

STIXViz with STIX-to-HTML Example
[screenshot; no text recoverable]

Adoption & Usage
- Still in its early stages but already generating extensive interest and initial operational use
- Actively being worked by numerous information sharing communities
- Initial operational use by several large "user" organizations
- Actively being worked by numerous service/product vendors

Some of the organizations contributing to the STIX conversation:
[logo slide; no text recoverable]

Recent Focus
- Make it easier for people to understand and use STIX
  – Improve documentation
  – Develop supporting utilities
  – Provide collaborative guidance
- Gather feedback
- Refine and extend the language based on feedback and needs

Timelines
- Current versions: CybOX 2.0.1, MAEC 4.0.1, STIX 1.0.1 (Sep 2013)
- Near term: CybOX 2.1 (EOY 2013); MAEC 4.1, STIX 1.1 (January 2014)
- Mid term: CybOX 3.0, MAEC 5.0, STIX 2.0 (Summer 2014)
- Long term: transition to international standards bodies (EOY 2014-2015)
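The "more expressive indicators" that the Information Sharing slide contrasts with atomic IOC lists, and the Indicator-to-Observable relationship drawn in the spear-phishing diagram, as an added example that is not part of the deck and not python-stix code: a STIX 1.0.1 indicator whose observable composes two email fields with AND, parsed with the Python standard library and evaluated against constructed mail-gateway events. The namespace URIs are the STIX 1.0.1 / CybOX 2.0.1 ones; the package id, indicator id, the event records and the `FIELDS` table are assumptions made for the example.

```python
"""STIX 1.0.1 indicator with a composed observable, matched against email events.
Added example for this deck, not code from the presentation or from python-stix: the
package is hand-written XML in the STIX 1.0.1 / CybOX 2.0.1 namespaces so it runs on the
standard library alone; indicator values and event records are constructed."""
import xml.etree.ElementTree as ET

NS = {"stix": "http://stix.mitre.org/stix-1", "indicator": "http://stix.mitre.org/Indicator-2",
      "cybox": "http://cybox.mitre.org/cybox-2",
      "EmailMessageObj": "http://cybox.mitre.org/objects#EmailMessageObject-2",
      "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2"}

# One indicator whose observable is AND(subject, sender) rather than a single atomic value.
PACKAGE = """
<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:EmailMessageObj="http://cybox.mitre.org/objects#EmailMessageObject-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="example:Package-1" version="1.0.1">
  <stix:Indicators>
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:Indicator-985">
      <indicator:Title>Spear phishing email: Press Release lure</indicator:Title>
      <indicator:Observable id="example:Observable-1">
        <cybox:Observable_Composition operator="AND">
          <cybox:Observable><cybox:Object>
            <cybox:Properties xsi:type="EmailMessageObj:EmailMessageObjectType"><EmailMessageObj:Header>
              <EmailMessageObj:Subject condition="Equals">Press Release</EmailMessageObj:Subject>
            </EmailMessageObj:Header></cybox:Properties>
          </cybox:Object></cybox:Observable>
          <cybox:Observable><cybox:Object>
            <cybox:Properties xsi:type="EmailMessageObj:EmailMessageObjectType"><EmailMessageObj:Header>
              <EmailMessageObj:From category="e-mail">
                <AddressObj:Address_Value condition="Equals">l33t007@badassin.com</AddressObj:Address_Value>
              </EmailMessageObj:From>
            </EmailMessageObj:Header></cybox:Properties>
          </cybox:Object></cybox:Observable>
        </cybox:Observable_Composition>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
"""

# Constructed mail-gateway events.  mail-3 shares the subject but not the sender.
EVENTS = [
    {"id": "mail-1", "from": "l33t007@badassin.com", "subject": "Press Release"},
    {"id": "mail-2", "from": "l33t007@badassin.com", "subject": "Follow-up"},
    {"id": "mail-3", "from": "press@example.org", "subject": "Press Release"},
]

# event key -> path of the CybOX field below cybox:Properties (assumed mapping for this example)
FIELDS = {"subject": "EmailMessageObj:Header/EmailMessageObj:Subject",
          "from": "EmailMessageObj:Header/EmailMessageObj:From/AddressObj:Address_Value"}


def _condition(field_el):
    """Predicate for one CybOX field element, honouring its @condition attribute."""
    cond, expected = field_el.get("condition", "Equals"), (field_el.text or "").strip()
    if cond == "Equals":
        return lambda v: v == expected
    if cond == "Contains":
        return lambda v: v is not None and expected in v
    raise ValueError("unsupported condition %r" % cond)   # fail loudly rather than silently never match


def compile_observable(obs):
    """Turn a cybox:Observable (atomic or composed) into a predicate over one event."""
    comp = obs.find("cybox:Observable_Composition", NS)
    if comp is not None:
        parts = [compile_observable(o) for o in comp.findall("cybox:Observable", NS)]
        op = comp.get("operator")
        if op == "AND":
            return lambda ev: all(p(ev) for p in parts)
        if op == "OR":
            return lambda ev: any(p(ev) for p in parts)
        raise ValueError("unsupported operator %r" % op)
    props = obs.find("cybox:Object/cybox:Properties", NS)
    tests = [(key, _condition(props.find(path, NS)))
             for key, path in FIELDS.items() if props.find(path, NS) is not None]
    if not tests:
        raise ValueError("observable carries no field this matcher understands")
    return lambda ev: all(check(ev.get(key)) for key, check in tests)


def load_indicators(package_xml):
    """{indicator id: (title, predicate)} for every indicator in the package."""
    root = ET.fromstring(package_xml.strip())
    return {ind.get("id"): (ind.findtext("indicator:Title", namespaces=NS),
                            compile_observable(ind.find("indicator:Observable", NS)))
            for ind in root.findall("stix:Indicators/stix:Indicator", NS)}


def match_events(package_xml, events):
    """{indicator id: [ids of the events it matched]}."""
    return {ind_id: [ev["id"] for ev in events if pred(ev)]
            for ind_id, (_title, pred) in load_indicators(package_xml).items()}
```

Running `match_events(PACKAGE, EVENTS)` flags only mail-1: mail-3 would have been a false positive for an atomic "subject equals Press Release" indicator, and mail-2 for an atomic sender indicator, which is the gain the composed observable buys. The matcher raises on any condition or composition operator it does not implement instead of quietly treating it as "no match", so unsupported content in a feed is noticed rather than dropped.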
For more information
- STIX website (contains official releases and other info): http://stix.mitre.org/
- Sign up for the STIX Discussion and Announcement mailing lists: http://stix.mitre.org/community/registration.html
- Open issues can be discussed on GitHub: https://github.com/STIXProject
- STIX-related software can be found on GitHub:
  – https://github.com/STIXProject/python-stix
  – https://github.com/STIXProject/Tools
- Related sites:
  – https://cybox.mitre.org/
  – https://maec.mitre.org/
  – https://capec.mitre.org/
  – https://taxii.mitre.org/

Orient on the Adversary!
We want you to be part of the conversation.
stix@mitre.org
https://stix.mitre.org

Backup: TAXII Slides

Trusted Automated eXchange of Indicator Information (TAXII)
- Open community led by DHS and coordinated by MITRE
- Defines services and messages for sharing cyber threat info
- Not bound to one sharing architecture
  – Composable TAXII services support many sharing models
  – Support push or pull sharing
  – Do not force data consumers to host network services
- Enable (but don't require) authentication and encryption
- Do not dictate data handling
  – TAXII handles transport; storage and access control are left to the back end
- Core services and data models are protocol- and format-neutral
  – Binding specs standardize TAXII's use of specific protocols and formats
  – Users are not forced to use one protocol or format
- Convey any data (not just STIX)
TAXII 1.0
- TAXII 1.0 Specifications
  – TAXII Overview: defines the primary concepts of TAXII
  – TAXII Services Specification: core services and exchanges
  – TAXII Message Binding: how to express messages in a format; TAXII 1.0 has an XML Message Binding
  – TAXII Protocol Binding: how to transmit messages over the network; TAXII 1.0 has an HTTP (and HTTPS) Protocol Binding
- TAXII core services
  – Discovery: indicates how to communicate with other services
  – Feed Management: identify and manage subscriptions to data feeds
  – Poll: support pull messaging
  – Inbox: receive pushed messages

Identified Sharing Models
Research identified three primary sharing models:
- Source/subscriber: one source, many subscribers
- Peer-to-peer: peers (A through E in the diagram) exchange directly with one another
- Hub and spoke: spokes that are producer only, consumer only, or both consumer and producer exchange through a central hub
TAXII supports all three.

Simple Hub & Spoke Example (diagram)
- Spokes push data to the hub (the hub runs an Inbox service)
- Spokes pull data from the hub (the spoke runs a Poll client against the hub's Poll service)

Hub & Spoke Example (diagram)
- Spoke gets connection info from the hub (Discovery)
- Spoke subscribes to data feeds (Feed Management)
- Spoke pulls recent data from the hub (Poll)
- Spoke pushes new data to the hub (hub's Inbox)
- Hub pushes recent data to a spoke (spoke's Inbox)

Peer-to-Peer Example (diagram): five peers, each running an Inbox service and an Inbox client, push directly to one another.

RID-T Example (diagram): the same five-peer topology with Inbox service and client roles.
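The Hub & Spoke exchange above, together with the point that TAXII handles transport while storage and access control are left to the back end, and the TLP data markings from the STIX half of the deck, as an added example that is not part of the presentation and not libtaxii code: spokes push STIX packages to the hub's Inbox, other spokes poll them back, and the hub's back end withholds any block marked above what a given spoke is cleared for. Message and element names (Inbox_Message, Poll_Request, Poll_Response, Content_Block, Content_Binding, Exclusive_Begin_Timestamp, Timestamp_Label) follow the TAXII 1.0 XML message binding; the `Hub` class, the per-spoke TLP ceilings, the feed name, the message ids and the packages are constructed for the example, and the HTTP protocol binding is not exercised.

```python
"""TAXII 1.0 hub-and-spoke exchange (Inbox push, Poll pull) with TLP gating in the hub back end.
Added example for this deck, written against the TAXII 1.0 XML message binding with the
standard library only; hub store, per-spoke TLP ceilings and the STIX packages are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

TAXII = "{http://taxii.mitre.org/messages/taxii_xml_binding-1}"
STIX_BINDING = "urn:stix.mitre.org:xml:1.0.1"
NS = {"taxii": TAXII[1:-1], "stix": "http://stix.mitre.org/stix-1",
      "marking": "http://data-marking.mitre.org/Marking-1"}
ET.register_namespace("taxii", NS["taxii"])
TLP_RANK = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}


def stix_package(pkg_id, color):
    """Constructed STIX 1.0.1 package whose header carries a single package-wide TLP marking."""
    return (f'<stix:STIX_Package xmlns:stix="{NS["stix"]}" xmlns:marking="{NS["marking"]}"'
            f' xmlns:tlpMarking="http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1"'
            f' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="{pkg_id}" version="1.0.1">'
            f'<stix:STIX_Header><stix:Handling><marking:Marking>'
            f'<marking:Controlled_Structure>../../../descendant-or-self::node()</marking:Controlled_Structure>'
            f'<marking:Marking_Structure xsi:type="tlpMarking:TLPMarkingStructureType" color="{color}"/>'
            f'</marking:Marking></stix:Handling></stix:STIX_Header></stix:STIX_Package>')


def tlp_of(stix_xml):
    """TLP colour of a package; unmarked content is treated as RED (fail closed)."""
    ms = ET.fromstring(stix_xml).find(
        "stix:STIX_Header/stix:Handling/marking:Marking/marking:Marking_Structure", NS)
    return ms.get("color", "RED") if ms is not None else "RED"


def inbox_message(message_id, content_xml):
    """Inbox_Message carrying one STIX content block (content stored as escaped text)."""
    msg = ET.Element(TAXII + "Inbox_Message", message_id=message_id)
    blk = ET.SubElement(msg, TAXII + "Content_Block")
    ET.SubElement(blk, TAXII + "Content_Binding").text = STIX_BINDING
    ET.SubElement(blk, TAXII + "Content").text = content_xml
    return ET.tostring(msg, encoding="unicode")


def poll_request(message_id, feed_name, exclusive_begin=None):
    """Poll_Request for a feed, optionally only for blocks newer than a timestamp."""
    req = ET.Element(TAXII + "Poll_Request", message_id=message_id, feed_name=feed_name)
    if exclusive_begin is not None:
        ET.SubElement(req, TAXII + "Exclusive_Begin_Timestamp").text = exclusive_begin.isoformat()
    return ET.tostring(req, encoding="unicode")


class Hub:
    """Hub back end (assumed): the store and the per-spoke TLP ceiling sit outside TAXII itself."""
    def __init__(self, ceiling):
        self.ceiling = ceiling   # spoke name -> highest TLP colour it may receive
        self.blocks = []         # (timestamp label, content binding, content)

    def inbox(self, inbox_xml, now):
        """Inbox service: accept pushed blocks and label each with its receipt time."""
        for blk in ET.fromstring(inbox_xml).findall("taxii:Content_Block", NS):
            self.blocks.append((now, blk.findtext("taxii:Content_Binding", namespaces=NS),
                                blk.findtext("taxii:Content", namespaces=NS)))

    def poll(self, poll_xml, spoke, now, response_id):
        """Poll service: blocks newer than the request's begin timestamp that policy allows."""
        req = ET.fromstring(poll_xml)
        begin_txt = req.findtext("taxii:Exclusive_Begin_Timestamp", namespaces=NS)
        begin = datetime.fromisoformat(begin_txt) if begin_txt else None
        limit = TLP_RANK[self.ceiling.get(spoke, "WHITE")]        # unknown spoke: WHITE only
        resp = ET.Element(TAXII + "Poll_Response", message_id=response_id,
                          in_response_to=req.get("message_id"), feed_name=req.get("feed_name"))
        ET.SubElement(resp, TAXII + "Inclusive_End_Timestamp").text = now.isoformat()
        for ts, binding, content in self.blocks:
            if begin is not None and ts <= begin:
                continue
            color = tlp_of(content) if binding == STIX_BINDING else "RED"  # unknown format: withhold
            if TLP_RANK[color] > limit:
                continue
            blk = ET.SubElement(resp, TAXII + "Content_Block")
            ET.SubElement(blk, TAXII + "Content_Binding").text = binding
            ET.SubElement(blk, TAXII + "Content").text = content
            ET.SubElement(blk, TAXII + "Timestamp_Label").text = ts.isoformat()
        return ET.tostring(resp, encoding="unicode")


def package_ids(poll_response_xml):
    """Spoke side: ids of the STIX packages delivered in a Poll_Response."""
    return [ET.fromstring(blk.findtext("taxii:Content", namespaces=NS)).get("id")
            for blk in ET.fromstring(poll_response_xml).findall("taxii:Content_Block", NS)]


def run_exchange():
    """Spokes 1 and 4 push to the hub; spokes 2 and 3 poll with different windows and rights."""
    hub = Hub({"spoke-2": "AMBER", "spoke-3": "GREEN"})
    t0, t1, t2 = (datetime(2013, 11, 1, h, 0, tzinfo=timezone.utc) for h in (9, 10, 11))
    hub.inbox(inbox_message("spoke1-1", stix_package("example:Package-1", "GREEN")), t0)
    hub.inbox(inbox_message("spoke4-1", stix_package("example:Package-2", "AMBER")), t1)
    got2 = hub.poll(poll_request("spoke2-1", "indicators", t0), "spoke-2", t2, "hub-1")  # newer than t0
    got3 = hub.poll(poll_request("spoke3-1", "indicators"), "spoke-3", t2, "hub-2")      # all, GREEN at most
    return {"spoke-2": package_ids(got2), "spoke-3": package_ids(got3)}
```

`run_exchange()` gives spoke-2 only Package-2 (Package-1 is excluded by the exclusive begin timestamp) and spoke-3 only Package-1 (Package-2 is AMBER, above its GREEN ceiling). Two policy choices are deliberate: a package with no marking, or a content block in a binding the hub cannot inspect, is treated as RED, and a spoke with no entry in the ceiling table gets WHITE only; a hub that defaults the other way leaks whatever producers forgot to mark.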
For more information
- TAXII website (contains official releases and other info): http://taxii.mitre.org/
- Sign up for the TAXII Discussion and Announcement mailing lists: http://taxii.mitre.org/community/registration.html
- Open issues can be discussed on GitHub: https://github.com/TAXIIProject/TAXII-Specifications
- TAXII-related software can be found on GitHub: https://github.com/TAXIIProject
- Related sites: https://stix.mitre.org/