STIX in Practice for Incident Response

Transcription

STIX in Practice for Incident Response
SESSION ID: HT-F03
Freddy Dezeure
Head of CERT-EU
http://cert.europa.eu/
#RSAC
About Us

EU Institutions’ own CERT

Supports 60+ entities

Operational defense against cyber threats
Other EU Cyber Bodies
ENISA

Europe-wide mandate in cyber security

Supporting best practices, capacity building and awareness raising
EUROPOL EC3

Europe-wide mandate in fight against cyber-crime

Operational cooperation between police computer crime units
Services

Diagram: CERT-EU at the centre, serving its Constituents, Peers & Partners and Law enforcement. Services: Prevention, Detection, Incident Handling, Response, Specialised support. Outputs: Alerts, Advisories, White Papers, Threat Intelligence assessment, Malware analysis, and Feeds (IOCs, Rules, Context) into the constituents' Security Tools.
Agenda

Introduction

Architecture

Use case 1: Detection

Use case 2: Scoping

Use case 3: Strategic insight

Apply
STIX Model+

Diagram: the STIX 1.x data model (Observables, Indicators, TTPs, Exploit Targets, Incidents, Campaigns, Threat Actors, Courses of Action) with its relationships (Related Indicators, Related TTP, Observed TTP, Leveraged TTP, Associated Campaigns, Historical Campaigns, Related Incidents, Attribution, Associated Actors, Sub-Observables, COA Taken, COA Requested, Suggested COA), extended with CERT-EU's own Organisation object that links Victims, Sources and Clients.
CTI Architecture

Diagram: External Intelligence (Partners, Peers via MISP, STIX/CybOX, Other sources, Feeds) and Internal Intelligence Sources pass through Import Control into the CERT-EU CTI Repository (Collector, CTI-db), which holds Actors, TTPs, Campaigns, Courses of Action, Targets, Incidents, Organisations, Indicators and Observables, both structured and unstructured. A Producer turns the repository into Products (Threat Landscape, Specific Threats) that pass Export Control on their way to the Recipients: Constituents, Peers (MISP), Partners (STIX/CybOX), Feeds.
CTI Architecture (data flow)

Diagram: Sources (Constituents, Peers, Partners) deliver Collected Threat data to the CERT-EU CTI Repository, where it is formatted, contextualised and correlated. Shared Threat data leaves in a Standard Format, routed together with a Course of Action to the Consumers (Constituents, Peers, Partners, Others). Consumers send Feedback back: Positives and False Positives.
Threat Data Collection

Large diversity of information sources

Too much irrelevant information

Accuracy not guaranteed

Unclear timing

Unclear sighting or targeting

Difficult prioritisation
Contextualisation

Raw: indicator Types and Values only.

Minimal Context: Timing (Detect date, Start date, End date) and Targeting (Continent, Country, Sector / Industry, Organisation). Industry best practice?

Extended Context: KillChain phase (1. Scan/Reco, 2. Weapon, 3. Delivery, 4. Exploit, 5. Install, 6. CnC, 7. Actions), TTP, Campaign, Actor.
Poor Context / Better Context

Both slides show the same record fields: Timing (Detect_date, Start_date, End_date, KillChain) and Targeting (Geoloc, Sector). Poor Context: the fields are present but left empty. Better Context: the fields are populated, with N/A only where a value genuinely does not apply.
Threat Scope and Threat Level

Threat Scope:
EU-I - Targeting one or more constituents
EU-Centric - Targeting EU Member States
EU Nearby - Targeting close partners (e.g. NATO, USA)
World-Class - EU-I might be 'opportunity' or 'collateral' victims of major world-wide threats

Threat Level:
High - Very sophisticated APT
Medium - APT
Low - Non-targeted mass attacks / malware

Matrix: Threat Level (HIGH / MEDIUM / LOW) against Threat Scope (EU-I / EU-centric / EU-nearby / World-Wide) assigns every threat a priority: High priority threat, Medium priority threat, Low priority threat, or Out of scope = 'noise'.
Constituent Perspective

Limited resources

Specific IT security tools

Specific policies

Prioritisation

Automation / Routing

Minimise false-positives

Actionable context when needed
Threat Data Sharing

Diagram: Raw data + Context -> Prioritise, Decide, Act -> Selection and Routing to the tools that can use it: IDS, Firewall, Log analyser, Mail server, SIEM, Host scanner, and to Intelligence / Awareness.
STIX Model

Diagram: the subset of STIX relationships used for detection: Observables and Sub-Observables, Related Indicators, Related TTP, Observed TTP, Leveraged TTP, Attribution, Related Incidents.
Use Case 1: Detection

Diagram: from the CTI-db (Actors, TTPs, Campaigns, Courses of Action, Targets, Incidents, Organisations, Indicators, Observables) the Producer generates detection Products, which pass Export Control to the Recipients (Constituents, Peers, Partners) in the format their tools consume: Sourcefire, Suricata, Snort, YARA, QRadar, ArcSight, Splunk, CSV, MISP, THOR, nCASE, STIX/CybOX, Proxy.
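The prioritisation matrix (threat scope against threat level) and the export step of Use Case 1 in working code, as an added example that is not CERT-EU's code or tooling. A flat dict stands in for a STIX Indicator with its minimal context; the matrix cell values, the routing table, the rule templates and the sample indicators are assumptions (the slide gives only the axes and the legend), and the Snort/YARA/CSV text is a plain rendering, not the output of any real exporter. Indicators that lack scope/level context, are past their end date, or carry a malformed value are rejected rather than pushed to tools.

```python
"""Prioritise CTI indicators by threat scope and level, route them to the
tools that can act on them, and render each in that tool's own syntax.

Added example, not CERT-EU's code. Flat dicts stand in for STIX
Indicator/Observable objects; the scope/level labels and target formats
(Snort, YARA, CSV) come from the talk, but the matrix cell values, the
routing table, the rule templates and the sample data are constructed."""
from datetime import datetime
import ipaddress

# Hypothetical filling of the talk's scope x level matrix: the slide gives
# the axes and the legend (High / Medium / Low priority, or noise), not
# the cells. None means "out of scope = noise".
PRIORITY = {
    "High":   {"EU-I": "High",   "EU-centric": "High",   "EU-nearby": "High",   "World-wide": "Medium"},
    "Medium": {"EU-I": "High",   "EU-centric": "Medium", "EU-nearby": "Medium", "World-wide": "Low"},
    "Low":    {"EU-I": "Medium", "EU-centric": "Low",    "EU-nearby": "Low",    "World-wide": None},
}

# Routing per priority (assumption): high goes to blocking tools, medium
# to monitoring only, low only to the awareness bulletin.
ROUTES = {
    "High":   ("ids", "firewall", "mailguard", "siem", "yara"),
    "Medium": ("siem", "yara"),
    "Low":    ("awareness",),
}

# Constructed "as-of" date and sample indicators with minimal context.
NOW = datetime(2015, 4, 1)
INDICATORS = [
    {"id": "ind-1", "type": "domain", "value": "bad.example", "scope": "EU-I",
     "level": "High", "start_date": "2015-02-01", "end_date": None},
    {"id": "ind-2", "type": "sha256", "value": "ab" * 32, "scope": "EU-centric",
     "level": "Medium", "start_date": "2015-01-10", "end_date": None},
    {"id": "ind-3", "type": "ipv4", "value": "203.0.113.7", "scope": "EU-nearby",
     "level": "High", "start_date": "2014-11-01", "end_date": "2015-01-31"},  # expired
    {"id": "ind-4", "type": "email", "value": "phish@mail.example", "scope": "World-wide",
     "level": "Low", "start_date": "2015-03-01", "end_date": None},           # noise
    {"id": "ind-5", "type": "ipv4", "value": "999.1.1.1", "scope": "EU-I",
     "level": "High", "start_date": "2015-03-01", "end_date": None},          # malformed
]


def prioritise(ind, now):
    """Priority of one indicator, or None when it is noise, has expired,
    or lacks the scope/level context needed to place it in the matrix."""
    level, scope = ind.get("level"), ind.get("scope")
    if level not in PRIORITY or scope not in PRIORITY[level]:
        return None
    end = ind.get("end_date")
    if end and datetime.fromisoformat(end) < now:
        return None
    return PRIORITY[level][scope]


def dns_content(domain):
    """DNS wire-format labels of `domain` as a Snort |hex| content string,
    so the rule matches the QNAME exactly rather than a substring."""
    parts = []
    for label in domain.lower().strip(".").split("."):
        parts.append(f"{len(label):02x}")
        parts.extend(f"{ord(c):02x}" for c in label)
    parts.append("00")  # root label terminates the name
    return "|" + " ".join(parts) + "|"


def render(ind, tool, sid):
    """One indicator in one tool's syntax; None if the pair makes no sense."""
    t, v, ref = ind["type"], ind["value"], ind["id"]
    if tool == "ids" and t == "domain":
        return (f'alert udp $HOME_NET any -> any 53 (msg:"CTI {ref} DNS query {v}"; '
                f'content:"{dns_content(v)}"; sid:{sid}; rev:1;)')
    if tool == "firewall" and t == "ipv4":
        return f"{v},{ref}"            # CSV blocklist line: ip,reference
    if tool == "mailguard" and t == "email":
        return f"{v},{ref}"            # CSV sender blocklist line
    if tool == "yara" and t == "sha256":
        return ('import "hash"\nrule cti_%s { condition: hash.sha256(0, filesize) == "%s" }'
                % (ref.replace("-", "_"), v))
    if tool == "siem":
        return f"{t},{v},{ref}"        # generic watchlist row
    if tool == "awareness":
        return f"{ref}: {t} {v} (scope {ind['scope']}, level {ind['level']})"
    return None


def route(indicators, now, first_sid=9000001):
    """Group rendered indicators per tool. Malformed values are rejected
    rather than shipped; the rejects are returned so they can be reported."""
    out, rejected, sid = {}, [], first_sid
    for ind in indicators:
        prio = prioritise(ind, now)
        if prio is None:
            rejected.append((ind["id"], "noise, expired or no context"))
            continue
        if ind["type"] == "ipv4":
            try:
                ipaddress.IPv4Address(ind["value"])
            except ValueError:
                rejected.append((ind["id"], "malformed ipv4"))
                continue
        for tool in ROUTES[prio]:
            line = render(ind, tool, sid)
            if line is not None:
                out.setdefault(tool, []).append(line)
                if tool == "ids":
                    sid += 1           # Snort SIDs must be unique per rule
    return out, rejected


PRODUCTS, REJECTED = route(INDICATORS, NOW)   # products per tool, plus what was dropped
```

The Snort rule encodes the domain as DNS labels (length byte, label bytes, terminating 00) so it matches the QNAME itself and not an unrelated packet that happens to contain the string; the YARA rule relies on the `hash` module, which reads the whole file, so it is meant for scanners rather than on-access engines. Routing is intentionally lossy: an indicator with no scope and level cannot be placed in the matrix and is reported back instead of being forwarded as noise.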
Use Case 2: Scoping

Internal process

Malware reversing

Scanning for IOCs in logs and hosts

Scanning for anomalous traffic

Hits on the proxy/IDS

External process

Has anybody else seen this?

No? -> You're on your own

Yes? -> Multiply knowledge on IOCs

What's the timeline

Sinkholing
Pivoting via Actor / Campaign

Diagram: Incident 1, Incident 2 and Incident 3 linked through a common Actor / Campaign; the unique TTPs shared across them yield Yara and Snort rules.
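The scoping pivot described in Use Case 2 and on the Actor / Campaign slide, as an added example that is not CERT-EU's code. Plain dicts mimic the STIX Incident, Campaign, TTP and Indicator relationships; every identifier, date and indicator value is constructed. The pivot first hops on shared indicators and TTPs, then through the Campaign each hit belongs to, which is how one sighting turns into the full IOC set of a campaign ("Yes? -> Multiply knowledge on IOCs"); an incident that matches nothing comes back empty ("No? -> You're on your own").

```python
"""Pivot from a new incident to related incidents through shared
indicators, shared TTPs and the Campaign/Actor objects that link them,
then collect the extra IOCs and the timeline the pivot yields.

Added example, not CERT-EU's code. Plain dicts mimic the STIX Incident,
Campaign, TTP and Indicator relationships; all identifiers, dates and
indicator values are constructed."""
from collections import defaultdict

CAMPAIGNS = {
    "camp-A": {"actor": "actor-1", "incidents": ["inc-1", "inc-2"]},
    "camp-B": {"actor": "actor-2", "incidents": ["inc-3"]},
}
INCIDENTS = {
    "inc-1": {"start": "2014-09-01", "end": "2014-11-15",
              "ttps": {"ttp-spearphish-docx", "ttp-dll-sideload"},
              "indicators": {"c2-a.example", "203.0.113.5"}},
    "inc-2": {"start": "2014-12-03", "end": "2015-01-20",
              "ttps": {"ttp-dll-sideload", "ttp-webshell"},
              "indicators": {"c2-b.example", "203.0.113.9"}},
    "inc-3": {"start": "2015-02-14", "end": "2015-02-16",
              "ttps": {"ttp-sqli"}, "indicators": {"198.51.100.4"}},
    # the incident being scoped: one C2 domain and one TTP known so far
    "inc-new": {"start": "2015-03-10", "end": None,
                "ttps": {"ttp-dll-sideload"}, "indicators": {"c2-a.example"}},
    # nothing in the repository matches this one
    "inc-lonely": {"start": "2015-03-12", "end": None,
                   "ttps": {"ttp-custom-rat"}, "indicators": {"192.0.2.77"}},
}


def build_indexes(incidents, campaigns):
    """Inverted indexes: indicator -> incidents, TTP -> incidents,
    incident -> campaign."""
    by_ioc, by_ttp = defaultdict(set), defaultdict(set)
    for iid, inc in incidents.items():
        for ioc in inc["indicators"]:
            by_ioc[ioc].add(iid)
        for ttp in inc["ttps"]:
            by_ttp[ttp].add(iid)
    camp_of = {iid: cid for cid, c in campaigns.items() for iid in c["incidents"]}
    return by_ioc, by_ttp, camp_of


def scope(incident_id, incidents=INCIDENTS, campaigns=CAMPAIGNS):
    """Two-hop pivot: first hop on shared indicators and TTPs, second hop
    through the campaign each hit belongs to. Returns the related incidents
    with the reason each was reached, the IOCs not yet known for this
    incident, the actors behind them and the combined timeline."""
    by_ioc, by_ttp, camp_of = build_indexes(incidents, campaigns)
    me = incidents[incident_id]
    reasons = defaultdict(list)
    for ioc in sorted(me["indicators"]):
        for other in sorted(by_ioc[ioc] - {incident_id}):
            reasons[other].append(f"shared indicator {ioc}")
    for ttp in sorted(me["ttps"]):
        for other in sorted(by_ttp[ttp] - {incident_id}):
            reasons[other].append(f"shared TTP {ttp}")
    for hit in list(reasons):                  # second hop via Campaign
        cid = camp_of.get(hit)
        if cid is None:
            continue
        for sibling in campaigns[cid]["incidents"]:
            if sibling != incident_id and f"campaign {cid}" not in reasons[sibling]:
                reasons[sibling].append(f"campaign {cid}")
    if not reasons:                            # "No? -> you're on your own"
        return {"related": {}, "new_iocs": set(), "actors": set(), "timeline": None}
    related = dict(reasons)
    new_iocs = set().union(*(incidents[o]["indicators"] for o in related)) - me["indicators"]
    actors = {campaigns[camp_of[o]]["actor"] for o in related if o in camp_of}
    starts = [incidents[o]["start"] for o in related] + [me["start"]]
    ends = [incidents[o]["end"] for o in related] + [me["end"]]
    timeline = (min(starts), None if None in ends else max(ends))  # None end = still ongoing
    return {"related": related, "new_iocs": new_iocs, "actors": actors, "timeline": timeline}


RESULT = scope("inc-new")   # pivot for the constructed new incident
```

The reason list kept per related incident is what makes the pivot defensible to a constituent: "shared TTP" alone is a weak link (a DLL side-loading technique is used by many actors), whereas a shared C2 domain or a direct campaign membership is strong, so the consumer can decide how far to trust the extra IOCs before scanning logs and hosts for them.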
Use Case 3: Strategic Insight

Strategic
• Understanding the broader context.
• Strategic context: profile, motives, new techniques/tactics, sector and location of victims, business risk.
• Planning high level actions for non-technical treatment of the threat.
Audience: CEO, Business VP, CIO
Product: Threat Landscape (periodic bulletin)

Tactical
• Understanding the tactical context of cyber-attacks: threat type and level, timing of events, techniques/malware used.
• Planning a structured course of action for permanent protection.
Audience: CIO, Cyber-defense teams
Product: Security Brief (for every new significant campaign)

Technical
• Immediate reaction to threats: Detection, Prevention, Reaction (eradication, recovery), Report.
• Dynamic feeding of cyber-defense tools: IDS, IPS, SIEM, Security Scanners, Mailguard, Firewalls, etc.
Audience: Cyber-defense teams, IT administrators (or direct tool feeding)
Product: IOCs and Rules (near real-time -> towards full automation)

Feeds: CITAR, CIMBL
Current Content

Victims: 500+
• Continent/country
• Sector (Diplomacy, Defense, Energy, Transport, etc)
• Type (Private, Public)

Threat Actors: 200+
• Espionage/Strategic
• Hacktivists
• Cyber-criminals

Campaigns: 300+
• Espionage (political, industrial, etc)
• Hacktivism
• CyberCrime

Techniques, Tactics, Procedures: 500+
• "Identity card" of malware, botnets, C&C infrastructures, tools, exploit-kits
• Killchain analysis
• Focus on sophisticated & targeted TTP

Incidents & Indicators: 3000+ per year
• Scope: Constituency / EU-centric / EU-nearby / World-class
• 800.000 targeted IOCs

Observables
• Malicious Domains = 65 %
• Malicious Files = 10 %
• Malicious email addresses = 8 %
• Malicious IP = 5 %
• Malicious URL = 4 %
• Other (Regkey, snort, etc) = 8 %
Some Open Issues

How to manage lifetime of the data

How to remove data downstream

How to control sharing groups downstream

Implement Course of Action

How to maintain the treasure trove of TTPs
Apply Slide

Insist with your suppliers to deliver context with their feeds

Identify “your” definitions to filter inputs/outputs

Threat scope and level

Sharing groups

Course of Action

…

Start implementing your own internal STIX repository

Embed it in your processes
Thank You!
http://cert.europa.eu/