Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2013 The MITRE Corporation. All rights reserved. Sean Barnum Nov 2013 https://stix.mitre.org Sponsored by the US Department of Homeland Security PRACTICAL.

Published byPhoebe Hopkins Modified over 9 years ago

Similar presentations

Presentation on theme: "© 2013 The MITRE Corporation. All rights reserved. Sean Barnum Nov 2013 https://stix.mitre.org Sponsored by the US Department of Homeland Security PRACTICAL."— Presentation transcript:

1 © 2013 The MITRE Corporation. All rights reserved. Sean Barnum Nov 2013 https://stix.mitre.org Sponsored by the US Department of Homeland Security PRACTICAL CYBER THREAT INTELLIGENCE WITH STIX

2 © 2013 The MITRE Corporation. All rights reserved. Recon Weaponize Deliver Exploit Control Execute Maintain Diverse and evolving threats Need for holistic threat intelligence Proactive & reactive actions Balance inward & outward focus Information sharing

3 © 2013 The MITRE Corporation. All rights reserved. Cyber threat information (particularly indicators) sharing is not new Typically very atomic and very limited in sophistication IP lists, File hashes, URLs, email addresses, etc. Most sharing is unstructured & human-to-human Recent trends of machine-to-machine transfer of simple/atomic indicators STIX aims to enable sharing of more expressive indicators as well as other full- spectrum cyber threat information. Information Sharing

4 © 2013 The MITRE Corporation. All rights reserved.  A language for the characterization and communication of cyber threat information –NOT a sharing program, database, or tool  …but supports all of those uses and more  Developed with open community feedback  Supports –Clear understandings of cyber threat information –Consistent expression of threat information –Automated processing based on collected intelligence –Advance the state of practice in threat analytics What is STIX?

5 © 2013 The MITRE Corporation. All rights reserved. STIX provides a common mechanism for addressing structured cyber threat information across and among this full range of use cases improving consistency, efficiency, interoperability, and overall situational awareness. STIX Use Cases

6 © 2013 The MITRE Corporation. All rights reserved. What is “Cyber (Threat) Intelligence?” Consider these questions:  What activity are we seeing?  What threats should I look for on my networks and systems and why?  Where has this threat been seen?  What does it do?  What weaknesses does this threat exploit?  Why does it do this?  Who is responsible for this threat?  What can I do about it? 6 | 6 || 6 |

7 © 2013 The MITRE Corporation. All rights reserved. | 7 || 7 |

8 | 8 || 8 |

9 | 9 || 9 |

10 | 10 |

11 © 2013 The MITRE Corporation. All rights reserved. | 11 |

12 © 2013 The MITRE Corporation. All rights reserved. | 12 |

13 © 2013 The MITRE Corporation. All rights reserved. | 13 |

14 © 2013 The MITRE Corporation. All rights reserved. | 14 |

15 © 2013 The MITRE Corporation. All rights reserved. | 15 |

16 © 2013 The MITRE Corporation. All rights reserved. What you are looking for Why were they doing it? Who was doing it? What were they looking to exploit? What should you do about it? Where was it seen? What exactly were they doing? | 16 | Why should you care about it?

17 Expressing Relationships 17 “Bad Guy” ObservedTTP Backdoor Infrastructure Badurl.com, 10.3.6.23, … “BankJob23” RelatedTo Indicator-985 Observables MD5 hash… RelatedTo CERT-2013-03… Indicator-9742 Observables Malware Email-Subject: “Follow-up”

18 Pamina Republic Army Unit 31459 l33t007@badassin.com Associated Actor Leet Electronic Address Initial Compromise Indicator Observable Spear Phishing Email Establish Foothold Observed TTP WEBC2 Malware Behavior Escalate Privilege Observed TTP Uses Tool cachedump lslsass MD5: d8bb32a7465f55c368230bb52d52d885 Indicator Observed TTP Internal Reconnaissance Attack Pattern ipconfig net view net group “domain admins” Observed TTP Exfiltration Uses Tool GETMAIL Targets Khaffeine Bronxistan Perturbia Blahniks... Leverages Infrastructure IP Range: 172.24.0.0-112.25.255.255 C2 Servers Observable Sender: John Smith Subject: Press Release Expressing Relationships in STIX

19 | 19 | Data Markings, Profiles and Privacy  STIX leverages an abstract data markings approach –Enables marking of content data down to the field level with any number of custom marking models –Current default model implementations exist for Traffic Light Protocol (TLP) and Enterprise Data Header (EDH)  Profiles can be defined to specify relevant subsets of the language –Can be used to scope what information is exchanged between parties, what capabilities a tool or service provides, or to support differential policies on different types of information  Addressing privacy with STIX –Structured representation assists in explicitly delineating types of information –Profiles assist in explicit design-time specification of scoping policy around data with potential privacy implications –Data markings assist in explicit implementation-time labeling of content based on policy around potential privacy implications © 2013 The MITRE Corporation. All rights reserved.

20  Initial implementation has been done in XML Schema  Ubiquitous, portable and structured  Concrete strawman for community of experts  Practical structure for early real-world prototyping and POC implementations  Plan to iterate and refine with real-world use  Next step will be a formal implementation-independent specification  Will include guidance for developing XML, JSON, RDF/OWL, or other implementations Implementations

21 © 2013 The MITRE Corporation. All rights reserved.  Utilities to enable easier prototyping and usage of the language.  Utilities consist of things like:  Language (Python) bindings for STIX, CybOX, MAEC, etc.  High-level programmatic APIs for common needs/activities  Conversion utilities from commonly used formats & tools  Comparator tools for analyzing language-based content  STIX-to-HTML  Stixviz (simple visualization tool)  Utilities supporting common use cases  E.g. Email_to_CybOX utility supporting phishing analysis & management  Open communities on GitHub (STIXProject, CybOXProject & MAECProject) Enabling Utilities

22 STIXViz with STIX-to-HTML Example

23 © 2013 The MITRE Corporation. All rights reserved. Still in its early stages but already generating extensive interest and initial operational use  Actively being worked by numerous information sharing communities  Initial operational use by several large “user” organizations  Actively being worked by numerous service/product vendors Adoption & Usage

24 Some of the organizations contributing to the STIX conversation:

25 © 2013 The MITRE Corporation. All rights reserved.  Make it easier for people to understand and use STIX  Improve documentation  Develop supporting utilities  Provide collaborative guidance  Gather feedback  Refine and extend the language based on feedback and needs Recent Focus

26 © 2013 The MITRE Corporation. All rights reserved.  Current Versions  CybOX 2.0.1, MAEC 4.0.1, STIX 1.0.1 (Sep 2013)  Near Term  CybOX 2.1 (EOY 2013)  MAEC 4.1, STIX 1.1 (January 2014)  Mid Term  CybOX 3.0, MAEC 5.0, STIX 2.0 (Summer 2014)  Long Term  Transition to international standards bodies (EOY 2014-2015) Timelines

27 © 2013 The MITRE Corporation. All rights reserved.  STIX Website –Contains official releases and other info –http://stix.mitre.org/http://stix.mitre.org/  Sign up for the STIX Discussion and Announcement mailing lists –http://stix.mitre.org/community/registration.htmlhttp://stix.mitre.org/community/registration.html  Open issues can be discussed on GitHub –https://github.com/STIXProjecthttps://github.com/STIXProject  STIX-related software can be found on GitHub –https://github.com/STIXProject/python-stixhttps://github.com/STIXProject/python-stix –https://github.com/STIXProject/Toolshttps://github.com/STIXProject/Tools  Related sites –https://cybox.mitre.org/https://cybox.mitre.org/ –https://maec.mitre.org/https://maec.mitre.org/ –https://capec.mitre.org/https://capec.mitre.org/ –https://taxii.mitre.org/https://taxii.mitre.org/ For more information © 2013 The MITRE Corporation. All rights reserved.

28 https://stix.mitre.org stix@mitre.org We want you to be part of the conversation. Orient on the Adversary! | 28 |

29 © 2013 The MITRE Corporation. All rights reserved. | 29 | Backup TAXII Slides

30 © 2013 The MITRE Corporation. All rights reserved. Trusted Automated eXchange of Indicator Information (TAXII)  Defines services and messages for sharing cyber threat info  Not bound to one sharing architecture –Composable TAXII services support many sharing models –Support push or pull sharing –Do not force data consumers to host network services  Enable (but don’t require) authentication/encryption  Do not dictate data handling –TAXII handles transport; storage & access control left to back-end  Core services and data models are protocol/format neutral –Binding specs standardize TAXII’s use of specific protocols/formats –Users not forced to use one protocol or format  Convey any data (not just STIX) © 2013 The MITRE Corporation. All rights reserved. Open community led by DHS and coordinated by MITRE

31 © 2013 The MITRE Corporation. All rights reserved. TAXII 1.0  TAXII 1.0 Specifications –TAXII Overview  Defines the primary concepts of TAXII –TAXII Services Specification = core services and exchanges –TAXII Message Binding = how to express messages in a format  TAXII 1.0 has an XML Message Binding –TAXII Protocol Binding = how to transmit message over the network  TAXII 1.0 has an HTTP (and HTTPS) Message Binding  TAXII core services –Discovery – Indicates how to communicate with other services –Feed Management – Identify and manage subscriptions to data feeds –Poll – Support pull messaging –Inbox – Receive pushed messages © 2013 The MITRE Corporation. All rights reserved.

32  Research identified three primary sharing models: –Source/subscriber –Peer-to-peer –Hub and spoke  TAXII supports all three Identified Sharing Models © 2013 The MITRE Corporation. All rights reserved. Source Subscriber Peer E Peer D Peer C Peer B Peer A Hub Spoke (Consumer only) Spoke (Consumer & Producer) Spoke (Producer only) Spoke (Consumer & Producer)

33 © 2013 The MITRE Corporation. All rights reserved. Simple Hub & Spoke Example © 2013 The MITRE Corporation. All rights reserved. Poll Inbox Hub Spoke 1 Spoke 2 Spoke 3 Spoke 4 Client Push data to the hub Pull data from the hub

34 © 2013 The MITRE Corporation. All rights reserved. Hub & Spoke Example © 2013 The MITRE Corporation. All rights reserved. Discovery Poll Inbox Feed Manage. Hub Spoke 1 Spoke 2 Spoke 3 Spoke 4 Get connection info Subscribe to data feeds Client Push new data to the hub Pull recent data from the hub Push recent data to a spoke

35 © 2013 The MITRE Corporation. All rights reserved. Peer-to-Peer Example © 2013 The MITRE Corporation. All rights reserved. Inbox Client Peer 1 Peer 5 Peer 2 Peer 4 Peer 3

36 © 2013 The MITRE Corporation. All rights reserved. RID-T Example © 2013 The MITRE Corporation. All rights reserved. For internal MITRE use Peer 1 Peer 5 Peer 2 Peer 4 Peer 3 Inbox Client

37 © 2013 The MITRE Corporation. All rights reserved.  TAXII Website –Contains official releases and other info –http://taxii.mitre.org/http://taxii.mitre.org/  Sign up for the TAXII Discussion and Announcement mailing lists –http://taxii.mitre.org/community/registration.htmlhttp://taxii.mitre.org/community/registration.html  Open issues can be discussed on GitHub –https://github.com/TAXIIProject/TAXII-Specificationshttps://github.com/TAXIIProject/TAXII-Specifications  TAXII-related software can be found on GitHub –https://github.com/TAXIIProjecthttps://github.com/TAXIIProject  Related sites –https://stix.mitre.org/https://stix.mitre.org/ For more information © 2013 The MITRE Corporation. All rights reserved.

Download ppt "© 2013 The MITRE Corporation. All rights reserved. Sean Barnum Nov 2013 https://stix.mitre.org Sponsored by the US Department of Homeland Security PRACTICAL."

Similar presentations

1© Copyright 2011 EMC Corporation. All rights reserved. The Future of the Advance Soc 3rd Annual Privacy, Access and Security Congress, Ottawa, 2012 Mike.

1© Copyright 2011 EMC Corporation. All rights reserved. The Future of the Advance Soc 3rd Annual Privacy, Access and Security Congress, Ottawa, 2012 Mike.
National Database Templates for the Biosafety Clearing-House Application (NDT-nBCH) Overview of the US nBCH Applications.

National Database Templates for the Biosafety Clearing-House Application (NDT-nBCH) Overview of the US nBCH Applications.
Distributed Data Processing

Distributed Data Processing
ASCR Data Science Centers Infrastructure Demonstration S. Canon, N. Desai, M. Ernst, K. Kleese-Van Dam, G. Shipman, B. Tierney.

ASCR Data Science Centers Infrastructure Demonstration S. Canon, N. Desai, M. Ernst, K. Kleese-Van Dam, G. Shipman, B. Tierney.
Threat Intelligence Use in Information Security: History, Theory and Practice Tim Gallo Cyber Security Field Engineering 1.

Threat Intelligence Use in Information Security: History, Theory and Practice Tim Gallo Cyber Security Field Engineering 1.
Managed Incident Lightweight Exchange (MILE) Overview and Participation Kathleen Moriarty Global Lead Security Architect EMC Corporate CTO Office.

Managed Incident Lightweight Exchange (MILE) Overview and Participation Kathleen Moriarty Global Lead Security Architect EMC Corporate CTO Office.
© 2003 Carnegie Mellon University slide 1 Building CSIRT Capabilities and the State of the Practice Georgia Killcrece CSIRT Development Team CERT ® Training.

© 2003 Carnegie Mellon University slide 1 Building CSIRT Capabilities and the State of the Practice Georgia Killcrece CSIRT Development Team CERT ® Training.
© 2013 The MITRE Corporation. All rights reserved. Sean Barnum March 2013 https://stix.mitre.org Sponsored by the US Department of Homeland Security Enabling.

© 2013 The MITRE Corporation. All rights reserved. Sean Barnum March Sponsored by the US Department of Homeland Security Enabling.
Overview of OASIS SOA Reference Architecture Foundation (SOA-RAF)

Overview of OASIS SOA Reference Architecture Foundation (SOA-RAF)
1 Introduction to XML. XML eXtensible implies that users define tag content Markup implies it is a coded document Language implies it is a metalanguage.

1 Introduction to XML. XML eXtensible implies that users define tag content Markup implies it is a coded document Language implies it is a metalanguage.
L4-1-S1 UML Overview © M.E. Fayad 2000 -- 2005 SJSU -- CmpE Software Architectures Dr. M.E. Fayad, Professor Computer Engineering Department, Room #283I.

L4-1-S1 UML Overview © M.E. Fayad SJSU -- CmpE Software Architectures Dr. M.E. Fayad, Professor Computer Engineering Department, Room #283I.
A New Computing Paradigm. Overview of Web Services Over 66 percent of respondents to a 2001 InfoWorld magazine poll agreed that Web services are likely.

A New Computing Paradigm. Overview of Web Services Over 66 percent of respondents to a 2001 InfoWorld magazine poll agreed that "Web services are likely.
Introduction and Overview “the grid” – a proposed distributed computing infrastructure for advanced science and engineering. Purpose: grid concept is motivated.

Introduction and Overview “the grid” – a proposed distributed computing infrastructure for advanced science and engineering. Purpose: grid concept is motivated.
National Institute of Standards and Technology Computer Security Division Information Technology Laboratory Threat Information Sharing; Perspectives, Strategies,

National Institute of Standards and Technology Computer Security Division Information Technology Laboratory Threat Information Sharing; Perspectives, Strategies,
IBM Security Network Protection (XGS)

IBM Security Network Protection (XGS)
Web Service Architecture Part I- Overview and Models (based on W3C Working Group Note Frank.

Web Service Architecture Part I- Overview and Models (based on W3C Working Group Note Frank.
Lecture Nine Database Planning, Design, and Administration

Lecture Nine Database Planning, Design, and Administration
1 Universal Core Executive Briefing Paul Shaw COI Forum October 16, 2007.

1 Universal Core Executive Briefing Paul Shaw COI Forum October 16, 2007.
System Design/Implementation and Support for Build 2 PDS Management Council Face-to-Face Mountain View, CA Nov 30 - Dec 1, 2011 Sean Hardman.

System Design/Implementation and Support for Build 2 PDS Management Council Face-to-Face Mountain View, CA Nov 30 - Dec 1, 2011 Sean Hardman.
A global, public network of computer networks. The largest computer network in the world. Computer Network A collection of computing devices connected.

A global, public network of computer networks. The largest computer network in the world. Computer Network A collection of computing devices connected.

Similar presentations

Ads by Google