cti & information fusion benefits and challenges
TRANSCRIPT
January 2020
CTI & Information FusionBenefits and Challenges
Frédéric Garnier
TLP:WHITE
CTI EU Workshop
Cyber threat intelligenceenables to
“predict the future“or
“understand the present” ?
TLP:WHITE
Information fusion
Benefits
Principles
Challenges
TLP:WHITE
Information fusion
Benefits
TLP:WHITE
Information fusion
Supported services
ConsolidatedSituational awareness
ActionableDetection and hunting
ConsistentKnowledge bases
Source
Source
Source
Source
Source
Source
Source
TailoredAlerts and Memos
TLP:WHITE
Situation awareness - example (1)
Regional threat activity
27%
15%
13%
10%
8%
8%
6%
5%
4%4%
Top 10 affected sectors in Europe2019
Gov. / Admin.
IT
Digital services
Bank
Finance
Health
Telecoms
Military
Energy
Industrial
Top 10 malware families(December 2019)
1 TrickBot
2 Qbot
3 Mofksys
4 NjRAT
5 Emotet
6 Agent Tesla
7 Tinba
8 UrSnif
9 GandCrab
10 Pony
3%
51%
8%
31%
6%2%
Threats categoriesin Europe2019
(CS) Censorhip
(CC) Cybercrime
(CW) Cyberwar
(CE) Espionage
(HA) Hacktivism
(SO) Sovereignty
TLP:WHITE
Situation awareness - example (2)
Sectoral threat activity
0%
24%
32%
37%
7%
0%
Threat categoriesEnergy sector2019
(CS) Censorhip
(CC) Cybercrime
(CW) Cyberwar
(CE) Espionage
(HA) Hacktivism
(SO) Sovereignty
Top threat actors
against the energy sector
Rank Name Type Count. Share
1 APT34 CE IR 23%
2 Berserk Bear CE RU 20%
3 APT33 CE IR 12%
4 Energetic Bear CE RU 10%
5 Lazarus Group CE NK 9%
6 MuddyWater CE IR 7%
7 Sandworm CE RU 5%
8 Hexane CE 5%
9 APT35 CE IR 4%
10 APT28 CE RU 4%
Top-20 affected countries
in the energy sector
Rank Name Share
1 US 18%
2 Middle East 14%
3 Iran 9%
4 India 8%
5 Italy 5%
6 Ukraine 5%
7 South Africa 5%
8 Saudi Arabia 5%
9 UK 4%
10 Canada 4%
11 Turkey 4%
12 Israel 3%
13 Germany 3%
14 Vietnam 3%
15 Australia 3%
16 Europe 2%
17 Kuwait 2%
18 Mexico 2%
19 Asia 2%
20 Belarus 2%
TLP:WHITE
Tailored intelligence
Memos and Alerts
TLP:WHITE
Tailored intelligence
Alerts
Websitepage
Report
EU Institutions
Websitepage
Domain
IP
URL
sha256
TLP:WHITE
Tailored intelligence
Actionable data - Example
TLP:WHITE
Information fusion
Principles
TLP:WHITE
Conditions
• Reliable sources
• Sufficient context from sources
• Consistent data model
• Well defined process
• Automation
TLP:WHITE
Hunting
Geeks NewsNewspapers / Press agencies
Universities
Researchers
IT SecurityVendors
IT SecurityNews
CommercialPartners
(contract)
N-CSC
Sources (external) -
examples
EU Institutions
TLP:WHITE
Intrusion sets
Cosmology
Threat actors
TTP
Tactics
Malware
Attack Patterns
Countries Regions
Sectors
Orgs
TLP:WHITE
Incoming threat information
Report
Websitepage
Report
Websitepage
Websitepage
Message
Report
Report
ReportMessage
Message
ReportsObservables
Domain
Domain
URL
subj
IP
sha256
IP
addr.
addr.
URL
URL
URL
TLP:WHITE
Report stream (fictitious examples)
21.3 reports
per day in 2019
Threat analysis
TLP TTP Reports Category
Cybercrime
Espionage
Hacktivism
Cyberwar
Censorship
Sovereignty
Espionage
Cybercrime
Cybercrime
Espionage
Countries Source
Secureworks
ESET
Reuters
Commercialsource A
Commercial source B
Commercial source C
US CERT
CitizenLabs
Bleeping Computer
European CSIRT
Date
11/9/2019
11/9/2019
11/9/2019
11/9/2019
11/9/2019
12/9/2019
12/9/2019
12/9/2019
12/9/2019
12/9/2019
World
Unspecified
Brazil
Asia
China
Russia
US
UAE
Europe
Country A, Country B
Lokibot
Malware XYZ, ATT&CK T1189, T1059, …
Defacement, Leakage
Wiper XYZ
Great Firewall, Blocking
Ban
Malware XYZ
Tool XYZ
Ransomware Ryuk, Extortion
Malware XYZ, ATT&CK T1223, T1118, …
Sectors
Finance
Government, Foreign affairs
Government
Media
Citizens
Digital services
Universities
Citizens
Digital infra
Government
Threat Actor
XYZ Spider
APT15. China
Anonymous Brazil
Xyz Tiger
MSS, China
Russia
North Korea
XYZ Spider
APT28, Russia
Assets
Banking data
Classified data
Personal data
Cryptocurrency
Military data
Meta data
TLP:WHITE
Observables stream (fictitious examples)
IP
Do
mai
nD
om
ainIP
Emai
l-ad
dr
Emai
l-su
bje
ct url
Emai
l-ad
dr
file
nam
esh
a25
6sh
a25
6sh
a25
6sh
a25
6sh
a25
6u
rlu
rlu
rlu
rl
com
men
t
text
sha2
56
sha1
md
5sh
a25
6sh
a1m
d5
sha2
56
sha1
md
5fi
len
ame
file
nam
efi
len
ame
yara
yara
sno
rt IP IPre
gkey
regk
eyre
gkey IP IP IP IP IP
link
yara
yara
yara
yara
yara
sno
rtsn
ort
sno
rtsn
ort
sno
rtp
atte
rn-i
n-f
ile
pat
ter-
in-t
raff
ic
pat
tern
-in
-file
pat
tern
-in
-file
pat
ter-
in-t
raff
icp
atte
r-in
-tra
ffic
Mal
icio
us
do
mai
ns
Ph
ish
ing
emai
l
Ph
ish
ing
emai
l
RA
T
Ph
iish
ing
cam
pai
gn
Mal
icio
us
sam
ple
s
Targ
eted
in
tru
sio
n
Bo
tnet
Yara
mas
ter
sno
rt
mas
ter
Mal
war
e an
alys
is
10
01
00
10
01
00
10
01
00
10
01
00
0 10
01
00
10
01
00
10
01
00
10
01
00
10
01
00
10
01
00
10
01
00
10
01
00
10
01
00
10
01
00
10
01
00
10
01
00
10
01
00
10
01
00
10
01
00
10
01
00
10
01
00
10
01
00
10
01
00
10
01
00
10
01
00
10
01
00
10
00 1
00
10
01
00
10
01
00
10
01
00
10
01
00
10
0
10
0
31
-11
-19
31
-11
-19
31
-11
-19
31
-11
-19
28
-10
-21
28
-10
-21
28
-10
-21
28
-10
-21
28
-10
-21
28
-10
-21
05
-01
-20
05
-01
-20
05
-01
-20
05
-01
-20
05
-01
-20
05
-01
-20
05
-01
-20
07
-06
-20
07
-06
-20
07
-06
-20
07
-06
-20
07
-06
-20
07
-06
-20
07
-06
-20
07
-06
-20
07
-06
-20
15
-12
-19
15
-12
-19
15
-12
-19
15
-12
-19
15
-12
-19
15
-12
-19
15
-12
-19
15
-12
-19
07
-12
-23
07
-12
-23
07
-12
-23
07
-12
-23
07
-12
-23
07
-12
-23
07
-12
-23
07
-12
-23
07
-12
-23
07
-12
-23
28
-07
-22
28
-07
-22
28
-07
-22
28
-07
-22
28
-07
-22
28
-07
-22
28
-07
-22
28
-07
-22
13
-10
-19
13
-10
-19
13
-10
-19
13
-10
-19
13
-10
-19
13
-10
-19
13
-10
-19
13
-10
-19
13
-10
-19
13
-10
-19
13
-10
-19
13
-10
-19
31
-11
-19
31
-11
-19
Rat
ing
Exp
dat
eT
TPTh
reat
acto
rR
epo
rtIn
dic
ato
rO
bs
Sigh
tin
g
Dip
lom
acy
Euro
pe
EU-I
Par
tner
Un
kno
wn
Euro
pe
Un
ited
St
ates
EU-I
Wo
rld
Un
kno
wn
Un
kno
wn
Un
kno
wn
AP
T28
Emo
tet
Turl
a
Dri
dex
Mir
ai
AP
T1
Gan
dC
rab
Loki
bo
t
Co
mm
erci
alre
po
rt
Co
nst
itu
ent
rep
ort
Par
tner
re
po
rt
ven
do
r re
po
rt
ven
do
r re
po
rt
OSI
NT
rep
ort
Co
nst
itu
ent
rep
ort
OSI
NT
rep
ort
28.5KPer day in 2019
Context
Raw data
Actionable parameters
Association
Report
Threat actors
Tactics
Malware
Countries Regions
Sectors
Orgs
Attack Patterns
Countries Regions
Tactics
SectorsSectors
Orgs
Countries Regions
Countries Regions
Attack Patterns
Malware
Threat actors
Indicator
Obs
Obs
Obs
OrgsOrgs
TLP:WHITE
Pivoting
Threat actor
Obs
ObsObs
Obs Obs
Report
Report
Report
Malware
Obs
ObsObs
Obs Obs
Report
Report
Report
Attack pattern
Obs
ObsObs
Obs Obs
Report
Report
Report
TLP:WHITE
Inference
APT28
Obs
ObsObs
Obs Obs
Report
Report
Report
Military
Malware
Gov /Admin
Ukraine
Belaruss
TLP:WHITE
Inference
(OpenCTI visualization)
TLP:WHITE
Inference
TLP:WHITE
Malware <-> Attack patterns
TLP:WHITE
Malware <-> Victimology
TLP:WHITE
Information fusion process
Report
Website
page
Websitepage
Website
page
Report
Report
Message
Domain
URL
subj
IP
IP
addr.
URL
Intrusion sets
Threat actors
TTP
Tactics
Malware
Attack Patterns
Sources Collect
Report
Tacti
cs
Sect
ors
Tacti
cs
Sect
ors
Sect
ors
Orgs
Countri
es
Regions
Cou
ntries
Regions
Attack
Patt
erns
Malw
are
Threat
actor
s
Thr
eat acto
rs
Mal
ware
Co
un
tries
Regio
ns
Orgs
At
ta
ck
Patter
ns
Co
untri
es Re
gio
ns
Orgs
Orgs
Threat actor
O
b
s
O
b
s
O
b
s
O
bs
O
bs
Report
Report
Report
Malware
O
bs
Ob
s
O
bs
Ob
s
Ob
s
Report
Report
Report
Source
Source
Source
Source
Source
Source
Source
Contextualise Pivoting Inference
Taxonomies & GalaxiesThreat actors
Attack patternsMalware
SectorsCountries
…
Situational awareness
Actionable data
Knowledge bases
Tailored intelligence
Cosmology
TLP:WHITE
Benefits of information fusion
Qualitative CTImerge a few qualitative sources for a
limited set of subjects
• In-depth investigation of specific(selected) campaigns or incidents
• Tracking of specific (selected) intrusion sets / threat actors or malware families
• Knowledge bases enrichment
“investigative” approach
Quantitative CTIindustrial scale merging of several quantitative
– yet reliable - sources for a large set of subjects
• Monitoring activities of malware, techniques, threat actors / intrusions sets (e.g. determine and rank the most active)
• Monitoring threats per sector, per country, per region
• Monitoring threats from countries
“Landscaping” approach
TLP:WHITE
Information fusion
Challenges
TLP:WHITE
Challenges
TLP:GREEN
Redundancy
Several times the same information
Taxonomies
Not all sources speaks the “same
language”
Context
Some sources do not provide
enough details
Automation
Too much manual processing
InformationFusion
Challenges
Sources
Community
Sources
Community
Platforms
Platforms
Challenge : Redundancy
Issue
• Several sources sharing the same information
OR• Several organisations relaying the
same information (in a community)
• Applies to • Reports • Observables
Solution / mitigation
• Privilege original sources• Carefully select and subscribe to
aggregators• Limit OSINT sharing in
communities (e.g. MISP)• Share what YOU see, NOT what
OTHERS see
• For observables : unique record based on value
• Develop use of sightings
TLP:WHITE
Challenge : Taxonomies
Issue
• Sources with different taxonomiesOR
• Sources with no taxonomies
• Applies to:• Observables (type), Sectors,
Threat actors, Malware, Countries, Organisations
Solution / mitigation
• For countries, use ISO code (2 letters or 3 letters)
• Develop new taxonomies ?
• Translation between taxonomies ?
• Develop “galaxies” ? community approach
TLP:WHITE
Challenge : No (structured) context
Issue
• Sources do not provide any context with reports or feeds
OR• They provide context in a an
unstructured way (no tags)
• For information fusion, manual review is currently needed
Solution / mitigation
• Tools finding and extracting relevant context automatically ?
such as:• Sectors names• Countries names• Malware names• Threat actors names• Attack patterns names• …
TLP:WHITE
Challenge : Automation
Issue
• Manual operations in the information fusion flow • Collection
• observables : very good level of automation
• reports : poor level of automation
• Contextualisation• Inferences• Analysis• Situational awareness
Solution / mitigation
• Taxonomies and structured context
• Step up artificial intelligence in CTI platforms – especially• recognize victims, TTPs, threat
actors, etc• create smart inferences• assist situational awareness
TLP:WHITE