stix in practice for incident response

Post on 07-Feb-2017


TRANSCRIPT

Page 1: STIX in Practice for Incident Response

SESSION ID: HT-F03

#RSAC

Freddy Dezeure, Head of CERT-EU
http://cert.europa.eu/

STIX in Practice for Incident Response

Page 2: STIX in Practice for Incident Response

About Us

EU Institutions’ own CERT

Supports 60+ entities

Operational defense against cyber threats

Page 3: STIX in Practice for Incident Response

Other EU Cyber Bodies

ENISA

Europe-wide mandate in cyber security

Supporting best practices, capacity building and awareness raising

EUROPOL EC3

Europe-wide mandate in the fight against cyber-crime

Operational cooperation between police computer crime units

Page 4: STIX in Practice for Incident Response

Services (diagram)

CERT-EU at the centre, serving its Constituents with Prevention, Detection and Response (Incident Handling, Malware analysis, Threat assessment) and with products: Alerts, Advisories, White Papers, Threat Intelligence (Feeds, IOCs, Rules, Context), Security Tools and Specialised support; exchanging with Peers & Partners and Law enforcement.

Page 5: STIX in Practice for Incident Response

Services (diagram, build of the page 4 diagram with the same content)

Page 6: STIX in Practice for Incident Response

Agenda

Introduction

Architecture

Use case 1: Detection

Use case 2: Scoping

Use case 3: Strategic insight

Apply

Page 7: STIX in Practice for Incident Response

STIX Model+ (diagram)

The STIX core objects, Observables (with Sub-Observables), Indicators, TTPs, Exploit Targets, Incidents, Campaigns, Threat Actors and Courses of Action, and the relationships drawn between them: Related Indicator(s), Related TTP, Observed TTP, Leveraged TTP, Historical Campaigns, Associated Campaigns, Associated Actors, Related Threat Actors, Related Incidents, Attribution, COA Taken, COA Requested, Suggested COA. The '+' is an added Organisation object, linked to Incidents as Victims, Sources and Clients.

Page 8: STIX in Practice for Incident Response

CTI Architecture (diagram)

CERT-EU CTI Repository (CTI-db), holding Indicators, Observables, Actors, TTPs, Campaigns, Courses of Action, Targets, Incidents and Organisations.

Inbound: Sources (Constituents, Peers, Partners, Other sources) deliver Unstructured Data, Structured Feeds, External Intelligence and Internal Intelligence (MISP, STIX/CybOX) through a Collector and Import Control.

Outbound: Export Control and a Producer deliver Products (Specific Threats, Threat Landscape) to Recipients (Constituents, Peers, Partners) as STIX/CybOX and MISP.

Page 9: STIX in Practice for Incident Response

CTI Architecture (diagram)

Sources (Constituents, Partners, Peers, Others) -> Collected Threat data -> CERT-EU CTI Repository: Formatting (Standard Format), Contextualisation, Correlation, Course of Action, Routing -> Shared Threat data -> Consumers (Constituents, Partners, Peers).

Feedback from consumers: Positives, False Positives.

Page 10: STIX in Practice for Incident Response

Threat Data Collection

Large diversity of information sources

Too much irrelevant information

Accuracy not guaranteed

Unclear timing

Unclear sighting or targeting

Difficult prioritisation

Page 11: STIX in Practice for Incident Response

Contextualisation

Raw: Types, Values

Minimal Context:

Timing: Detect Date, Start Date, End Date

Targeting: Continent, Country, Sector / Industry, Organisation

Kill Chain: 1. Scan/Reco 2. Weapon 3. Delivery 4. Exploit 5. Install 6. CnC 7. Actions

Extended Context: TTP, Campaign, Actor

Industry best practice?

Page 12: STIX in Practice for Incident Response

Poor Context (example record)

Timing: Detect_date, Start_date, End_date

KillChain

Targeting: Geoloc, Sector

Page 13: STIX in Practice for Incident Response

Better Context (example record)

Timing: Detect_date, Start_date, End_date = N/A

KillChain

Targeting: Geoloc, Sector
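A worked illustration of the minimal-context check, added here as an example (it is not CERT-EU's code or schema): the field names, the NOT_APPLICABLE sentinel and the quality labels are this example's own assumptions. It generalises the 'Poor' and 'Better' records of pages 12 and 13 into four levels (raw, poor, minimal, extended) matching the Raw / Minimal Context / Extended Context tiers of page 11, and it treats an explicit End_date = N/A as known, unlike a field that was simply never filled in.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional, Union

# Sentinel for "explicitly not applicable" (the End_date = N/A case on the
# 'Better Context' slide), as opposed to None, which means "unknown".
NOT_APPLICABLE = "N/A"

# Kill chain phases as numbered on the 'Contextualisation' slide.
KILL_CHAIN = {1: "Scan/Reco", 2: "Weapon", 3: "Delivery", 4: "Exploit",
              5: "Install", 6: "CnC", 7: "Actions"}


@dataclass
class Indicator:
    """Raw indicator plus minimal and extended context.
    Field names are this example's own assumption, not CERT-EU's schema."""
    ioc_type: str                             # raw: type
    value: str                                # raw: value
    detect_date: Optional[date] = None        # minimal: timing
    start_date: Optional[date] = None
    end_date: Union[date, str, None] = None   # date, NOT_APPLICABLE or None
    kill_chain: Optional[int] = None          # minimal: phase 1..7
    continent: Optional[str] = None           # minimal: targeting
    country: Optional[str] = None
    sector: Optional[str] = None
    organisation: Optional[str] = None        # optional targeting detail
    ttp: Optional[str] = None                 # extended context
    campaign: Optional[str] = None
    actor: Optional[str] = None


MINIMAL_FIELDS = ("detect_date", "start_date", "end_date",
                  "kill_chain", "continent", "country", "sector")


def _known(ind: Indicator, name: str) -> bool:
    """A field is known when it is set; kill_chain must also be a real phase
    number. NOT_APPLICABLE counts as known: the producer looked and stated
    that there is no value, which is different from never having looked."""
    value = getattr(ind, name)
    if name == "kill_chain":
        return value in KILL_CHAIN
    return value is not None


def missing_context(ind: Indicator) -> list[str]:
    """Minimal-context fields a consumer would have to ask the supplier for."""
    return [f for f in MINIMAL_FIELDS if not _known(ind, f)]


def context_quality(ind: Indicator) -> str:
    """raw: no minimal context at all; poor: some of it missing;
    minimal: every minimal field known; extended: minimal plus TTP/campaign/actor."""
    missing = missing_context(ind)
    if len(missing) == len(MINIMAL_FIELDS):
        return "raw"
    if missing:
        return "poor"
    if ind.ttp or ind.campaign or ind.actor:
        return "extended"
    return "minimal"


def sample_poor() -> Indicator:
    """Constructed record in the shape of the 'Poor Context' slide."""
    return Indicator("domain", "bad.example", detect_date=date(2017, 2, 1))


def sample_better() -> Indicator:
    """Constructed record in the shape of the 'Better Context' slide."""
    return Indicator("domain", "bad.example", detect_date=date(2017, 2, 1),
                     start_date=date(2017, 1, 15), end_date=NOT_APPLICABLE,
                     kill_chain=6, continent="Europe", country="BE",
                     sector="Diplomacy")


if __name__ == "__main__":
    for rec in (sample_poor(), sample_better()):
        print(context_quality(rec), missing_context(rec))
```

The list returned by missing_context is what a consumer would send back to the supplier as the "insist on context" request of the Apply slide; the quality label is what an import control can filter on.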

Page 14: STIX in Practice for Incident Response

Threat Scope

World-Class - EU-I might be 'opportunity' or 'collateral' victims of major world-wide threats

EU Nearby - Targeting close partners (e.g. NATO, USA)

EU-Centric - Targeting EU Member States

EU-I - Targeting one or more constituents

Threat Level

High - Very sophisticated APT

Medium - APT

Low - Non-targeted mass attacks / malware

Threat level x Threat scope -> priority (Out of scope = 'noise')

Threat level / Threat scope   World-Wide   EU-nearby        EU-centric       EU-I
HIGH   (High priority threat)   noise        High priority    High priority    High priority
MEDIUM (Medium priority threat) noise        Medium priority  Medium priority  Medium priority
LOW    (Low priority threat)    noise        Low priority     Low priority     Low priority

Page 15: STIX in Practice for Incident Response

Constituent Perspective

Limited resources

Specific IT security tools

Specific policies

Prioritisation

Automation / Routing

Minimise false-positives

Actionable context when needed

Page 16: STIX in Practice for Incident Response

Selection / Routing

Threat Data Sharing: Raw -> Context+ -> Prioritise -> Decide -> Act

Routing to the constituent's tools: IDS, Firewall, Intelligence / Awareness, Mail server, Log analyser, Host scanner, SIEM
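The Prioritise -> Decide -> Act -> Routing step in code, added here as an example that is not CERT-EU's implementation. It reads the page 14 matrix as: World-Wide scope is noise, the three EU scopes inherit the threat level. That reading, the indicator-type-to-tool mapping (ROUTES, built from the tool list on this slide) and the false-positive feedback set (the Feedback arrow of page 9) are assumptions of the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

SCOPES = ("World-Wide", "EU-nearby", "EU-centric", "EU-I")
LEVELS = ("HIGH", "MEDIUM", "LOW")
PRIORITY_RANK = {"High": 0, "Medium": 1, "Low": 2}

# Which of the constituent's tools can act on which raw indicator type.
# Assumption for the example; a real deployment derives this from the
# constituent's own tools and policies.
ROUTES = {
    "ip": ("firewall", "ids", "log_analyser"),
    "domain": ("ids", "log_analyser"),
    "url": ("ids", "log_analyser"),
    "email": ("mail_server",),
    "md5": ("host_scanner",),
}
DEFAULT_ROUTE = ("siem",)   # anything else is only searchable, not blockable


@dataclass(frozen=True)
class Threat:
    ioc_type: str   # ip, domain, url, email, md5, ...
    value: str
    scope: str      # one of SCOPES
    level: str      # one of LEVELS


def priority(scope: str, level: str) -> Optional[str]:
    """Threat scope x threat level -> priority. Reading of the slide matrix
    (assumption): World-Wide is out of scope ('noise', returned as None);
    the EU-nearby, EU-centric and EU-I columns take the row's level."""
    if scope not in SCOPES or level not in LEVELS:
        raise ValueError(f"unknown scope/level: {scope!r}/{level!r}")
    if scope == "World-Wide":
        return None
    return level.capitalize()


def route(threats, false_positives=frozenset()):
    """Prioritise -> Decide -> Act: drop noise and values the constituent has
    reported back as false positives, then hand each surviving indicator to
    every tool that can use it, highest priority first.
    Returns {tool: [(priority, ioc_type, value), ...]}."""
    routed: dict[str, list[tuple[str, str, str]]] = {}
    for t in threats:
        if t.value in false_positives:
            continue
        prio = priority(t.scope, t.level)
        if prio is None:
            continue
        for tool in ROUTES.get(t.ioc_type, DEFAULT_ROUTE):
            routed.setdefault(tool, []).append((prio, t.ioc_type, t.value))
    for entries in routed.values():
        entries.sort(key=lambda e: PRIORITY_RANK[e[0]])
    return routed


def sample_feed() -> list[Threat]:
    """Constructed feed: documentation address ranges and the empty-file MD5."""
    return [
        Threat("ip", "198.51.100.7", "EU-I", "HIGH"),
        Threat("domain", "bad.example", "EU-centric", "MEDIUM"),
        Threat("md5", "d41d8cd98f00b204e9800998ecf8427e", "EU-nearby", "LOW"),
        Threat("ip", "203.0.113.9", "World-Wide", "HIGH"),      # noise
        Threat("email", "phish@example.org", "EU-I", "HIGH"),   # reported FP
        Threat("regkey", "HKLM\\Software\\Example", "EU-I", "MEDIUM"),
    ]


if __name__ == "__main__":
    for tool, entries in route(sample_feed(), {"phish@example.org"}).items():
        print(tool, entries)
```

Feeding the per-tool lists straight into the tools is the "direct tool feeding" of the next slides; the noise and false-positive drops are where the "minimise false-positives" requirement of page 15 is enforced before anything reaches a firewall.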

Page 17: STIX in Practice for Incident Response

STIX Model (diagram)

The subset of the STIX model used for detection: Observables (with Sub-Observables) and Indicators (Related Indicators), linked to TTPs (Related TTP, Observed TTP, Leveraged TTP) and Incidents (Related Incidents, Attribution).

Page 18: STIX in Practice for Incident Response

Use Case 1: Detection

CTI-db (Indicators, Observables, Actors, TTPs, Campaigns, Courses of Action, Targets, Incidents, Organisations) -> Export Control -> Producer -> Products to Recipients (Constituents, Peers, Partners)

Export formats: STIX / CybOX, MISP, SNORT, YARA, CSV

Detection tools fed: Sourcefire, Suricata, Q-Radar, ArcSight, Splunk, TH0R, nCase, Proxy
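The export-control side of the detection use case as an added example (not the CTI-db producer itself): the same IOC rendered as a Snort rule, a YARA rule and a CSV row, the three non-STIX formats on this slide. The sid numbering, the cti_ rule-name prefix, the msg sanitisation rule and the sample values (documentation address ranges and the empty-file MD5) are constructed for the example.

```python
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class Ioc:
    ioc_type: str   # ip, domain, md5
    value: str
    sid: int        # Snort/YARA rule id; numbering is this example's choice
    msg: str        # short description carried into the rule


def _safe_msg(msg: str) -> str:
    """Snort msg and YARA meta strings are quoted; refuse characters that
    would terminate the string or the option and corrupt the rule."""
    if '"' in msg or ";" in msg or "\n" in msg:
        raise ValueError(f"unsafe characters in msg: {msg!r}")
    return msg


def dns_labels(domain: str) -> str:
    """Encode a domain as DNS wire-format labels in Snort content syntax,
    e.g. bad.example.com -> |03|bad|07|example|03|com|00|, so the rule
    matches the name inside a DNS query rather than a substring of a URL."""
    parts = domain.rstrip(".").lower().split(".")
    if any(not p or len(p) > 63 for p in parts):
        raise ValueError(f"invalid domain: {domain!r}")
    return "".join(f"|{len(p):02x}|{p}" for p in parts) + "|00|"


def snort_rule(ioc: Ioc) -> str:
    msg = _safe_msg(ioc.msg)
    if ioc.ioc_type == "ip":
        return (f"alert ip $HOME_NET any -> {ioc.value} any "
                f'(msg:"{msg}"; sid:{ioc.sid}; rev:1;)')
    if ioc.ioc_type == "domain":
        return (f'alert udp $HOME_NET any -> any 53 (msg:"{msg}"; '
                f'content:"{dns_labels(ioc.value)}"; nocase; sid:{ioc.sid}; rev:1;)')
    raise ValueError(f"no Snort rule for type {ioc.ioc_type!r}")


def yara_rule(ioc: Ioc) -> str:
    """Hash-based YARA rule using the standard 'hash' module."""
    if ioc.ioc_type != "md5":
        raise ValueError(f"no YARA rule for type {ioc.ioc_type!r}")
    return ('import "hash"\n'
            f"rule cti_{ioc.sid} {{\n"
            "    meta:\n"
            f'        description = "{_safe_msg(ioc.msg)}"\n'
            "    condition:\n"
            f'        hash.md5(0, filesize) == "{ioc.value.lower()}"\n'
            "}")


def csv_export(iocs) -> str:
    """CSV for tools that only take flat lists (SIEM lookups, log analysers)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["type", "value", "sid", "msg"])
    for i in iocs:
        writer.writerow([i.ioc_type, i.value, i.sid, i.msg])
    return buf.getvalue()


def export_all(iocs) -> dict:
    """Route each IOC to every format that can carry it."""
    out = {"snort": [], "yara": [], "csv": csv_export(iocs)}
    for i in iocs:
        if i.ioc_type in ("ip", "domain"):
            out["snort"].append(snort_rule(i))
        elif i.ioc_type == "md5":
            out["yara"].append(yara_rule(i))
    return out


def sample_iocs() -> list:
    """Constructed IOCs: documentation ranges and the MD5 of an empty file."""
    return [Ioc("domain", "bad.example.com", 9000001, "CTI test domain"),
            Ioc("ip", "198.51.100.7", 9000002, "CTI test ip"),
            Ioc("md5", "D41D8CD98F00B204E9800998ECF8427E", 9000003, "CTI test hash")]


if __name__ == "__main__":
    for fmt, rules in export_all(sample_iocs()).items():
        print(fmt, rules)
```

The domain rule deliberately matches the DNS wire encoding rather than a plain string, so "bad.example.com" does not fire on "notbad.example.com.attacker.invalid" inside a URL; that is the kind of false positive the constituents feed back through the architecture of page 9.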

Page 19: STIX in Practice for Incident Response

Use Case 2: Scoping

Internal process

Malware reversing

Scanning for IOCs in logs and hosts

Scanning for anomalous traffic

Hits on the proxy/IDS

External process

Has anybody else seen this?

No? -> You’re on your own

Yes? -> Multiply knowledge on IOCs; What’s the timeline; Sinkholing

Page 20: STIX in Practice for Incident Response

Pivoting via Actor / Campaign (diagram)

Incident 1, Incident 2 and Incident 3, each with its own indicators, are linked through a common Actor / Campaign; pivoting through it collects their unique TTPs, Yara and Snort rules.
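The scoping loop of page 19 (scan logs for IOCs, ask the repository whether anybody else has seen them, multiply the IOCs, work out the timeline) combined with the page 20 pivot via campaign, as an added Python example that is not CERT-EU's tooling. The proxy log format, the CTI_DB extract and every value in them are constructed for the example.

```python
from __future__ import annotations

import re
from datetime import datetime

# Constructed extract of a CTI repository (assumption): indicator value ->
# (incident it was seen in, campaign that incident is attributed to).
CTI_DB = {
    "bad.example.com":   ("INC-1", "CAMP-A"),
    "198.51.100.7":      ("INC-2", "CAMP-A"),
    "evil.example.net":  ("INC-3", "CAMP-A"),
    "other.example.org": ("INC-9", "CAMP-B"),
}

# Constructed proxy log lines (assumption): "timestamp client method url".
PROXY_LOG = [
    "2017-01-15T08:02:11 10.1.2.3 GET http://bad.example.com/update.php",
    "2017-01-16T17:44:09 10.1.2.9 POST http://198.51.100.7/upload",
    "2017-01-20T09:10:00 10.1.2.3 GET http://www.example.com/",
    "2017-02-01T12:00:00 10.1.5.5 GET http://evil.example.net/c2",
    "2017-02-02T03:30:45 10.1.2.3 GET http://bad.example.com/update.php",
    "garbage line that does not parse",
]
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
HOST_RE = re.compile(r"^[a-z]+://([^/:]+)")


def scan(lines, iocs):
    """Scan proxy log lines for IOC hosts (domains or IPs).
    Returns {ioc: [(timestamp, client), ...]}."""
    hits: dict[str, list[tuple[datetime, str]]] = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # unparsable line: skip, never abort the scan
        ts, client, _method, url = m.groups()
        host = HOST_RE.match(url.lower())
        if host and host.group(1) in iocs:
            hits.setdefault(host.group(1), []).append(
                (datetime.fromisoformat(ts), client))
    return hits


def timeline(hits):
    """Per IOC: first seen, last seen, affected clients ('what's the timeline')."""
    return {ioc: {"first_seen": min(t for t, _ in ev),
                  "last_seen": max(t for t, _ in ev),
                  "clients": sorted({c for _, c in ev})}
            for ioc, ev in hits.items()}


def pivot(seen_iocs, cti=CTI_DB):
    """'Has anybody else seen this?': look the hits up in the repository and
    pivot via campaign to the indicators of the other incidents attributed
    to the same campaign. Unknown IOCs pivot to nothing (you're on your own)."""
    campaigns = {cti[i][1] for i in seen_iocs if i in cti}
    related = {v for v, (_inc, camp) in cti.items() if camp in campaigns}
    return related - set(seen_iocs)


def scope_incident(lines, seed_iocs, cti=CTI_DB):
    """Scan with what you know, pivot, then scan again with what the
    repository adds; return the widened timeline."""
    hits = scan(lines, set(seed_iocs))
    related = pivot(hits, cti)
    hits.update(scan(lines, related))
    tl = timeline(hits)
    return {"timeline": tl,
            "pivoted": sorted(related),
            "campaigns": sorted({cti[i][1] for i in hits if i in cti}),
            "earliest": min((v["first_seen"] for v in tl.values()), default=None)}


if __name__ == "__main__":
    result = scope_incident(PROXY_LOG, ["bad.example.com"])
    print(result["campaigns"], result["pivoted"], result["earliest"])
    for ioc, t in result["timeline"].items():
        print(ioc, t["first_seen"], t["last_seen"], t["clients"])
```

Starting from one proxy hit, the second scan surfaces the other two campaign indicators and pushes the earliest sighting back two weeks; the affected-client lists are what the host scanning of the internal process is then pointed at.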

Page 21: STIX in Practice for Incident Response

Use Case 3: Strategic Insight

Technical

• Immediate reaction to threats: Detection, Prevention, Reaction (eradication, recovery), Report
• Dynamic feeding of cyber-defense tools: IDS, IPS, SIEM, Security Scanners, Mailguard, Firewalls, etc.

Audience: Cyber-defense teams; IT administrators (or direct tool feeding)

Products: IOCs, Rules (Near real-time -> Towards full automation); CIMBL, Feeds

Tactical

• Understanding cyber-attacks’ tactical context: threat type and level, timing of events, techniques/malware used.
• Planning structured courses of action for permanent protection

Audience: CIO; Cyber-defense teams

Products: CITAR, for every new significant campaign

Strategic

• Understanding the broader context.
• Strategic context: profile, motives, new techniques/tactics, sector and location of victims, business risk.
• Planning high level actions for non-technical treatment of the threat.

Audience: CEO; Business VP; CIO

Products: Periodic Bulletin, Threat Landscape, Security Brief

Page 22: STIX in Practice for Incident Response

Current Content

Threat Actors

• 200+
• Espionage/Strategic
• Hacktivists
• Cyber-criminals

Campaigns

• 300+
• Espionage (political, industrial, etc)
• Hacktivism
• CyberCrime

Observables

• 800.000 targeted IOCs
• Malicious Domains = 65 %
• Malicious Files = 10%
• Malicious email addresses = 8%
• Malicious IP = 5 %
• Malicious URL = 4 %
• Other (Regkey, snort, etc) = 8%

Victims

• 500+
• Continent/country
• Sector (Diplomacy, Defense, Energy, Transport, etc)
• Type (Private, Public)

Techniques, Tactics, Procedures

• 500+
• "Identity card" of malware, botnets, C&C infrastructures, tools, exploit-kits
• Killchain analysis
• Focus on sophisticated & targeted TTP

Incidents & Indicators

• 3000+ per year
• Scope: Constituency / EU-centric / EU-nearby / World-class

Page 23: STIX in Practice for Incident Response

Some Open Issues

How to manage lifetime of the data

How to remove data downstream

How to control sharing groups downstream

Implement Course of Action

How to maintain the treasure trove of TTPs

Page 24: STIX in Practice for Incident Response

Apply Slide

Insist with your suppliers to deliver context with their feeds

Identify “your” definitions to filter inputs/outputs: Threat scope and level, Sharing groups, Course of Action, …

Start implementing your own internal STIX repository

Embed it in your processes

Page 25: STIX in Practice for Incident Response

Thank You!

http://cert.europa.eu/