STIX in Practice for Incident Response
Transcription
STIX in Practice for Incident Response
SESSION ID: HT-F03 STIX in Practice for Incident Response Freddy Dezeure Head of CERT-EU http://cert.europa.eu/ #RSAC #RSAC About Us EU Institutions’ own CERT Supports 60+ entities Operational defense against cyber threats 2 #RSAC Other EU Cyber Bodies ENISA Europe-wide mandate in cyber security Supporting best practices, capacity building and awareness raising EUROPOL EC3 Europe-wide mandate in fight against cyber-crime Operational cooperation between police computer crime units 3 #RSAC Services Prevention Constituents Constituents Constituents Constituents Detection Incident Handling Response Specialised support Alerts Peers & Partners Law enforcement 4 Security Tools Threat Threat Intelligence assessment CERT-EU Advisories White Papers Malware analysis Feeds IOCs Rules Context #RSAC Services Prevention Constituents Constituents Constituents Constituents Detection Incident Handling Response Specialised support Alerts Peers & Partners Law enforcement 5 Security Tools Threat Threat Intelligence assessment CERT-EU Advisories White Papers Malware analysis Feeds IOCs Rules Context #RSAC Agenda Introduction Architecture Use case 1: Detection Use case 2: Scoping Use case 3: Strategic insight Apply 6 #RSAC STIX Model+ Associated Campaigns RelatedIndicators Related Indicators RelatedTTP Observables Related TTP RelatedIndicator Historical Campaigns Related Incidents Related TTP Attribution SubObservables LeveragedTTP Observed TTP Organisation Exploit Target Associated Actors COA Taken COA Requeste d Suggested COA Related Incidents Related Threat Actors Victims Sources Clients #RSAC CTI Architecture Data CTI Repository CERT-EU Import Control MISP Collector External Intelligence Partners STIX/Cybox Actors TTPs Campaigns Courses of Action Targets Incidents Organisations Other sources Indicators Observables 8 Recipients Threat Landscape CTI-db Unstructured Structured Peers Products Producer Constituents Export Control Internal Intelligence Sources Specific Threatsl Constituents MISP Peers STIX / Cybox Partners Feeds #RSAC Feedback Positives False Positives CTI Architecture Sources Consumers Constituents Collected Threat data Peers Partners CERT-EU CTI Repository Shared Threat data Constituents Peers Partners Others Formatting Contextualisation Correlation Standard Format Routing Course of Action 9 #RSAC Threat Data Collection Large diversity of information sources Too much irrelevant information Accuracy not guaranteed Unclear timing Unclear sighting or targeting Difficult prioritisation 10 #RSAC Contextualisation Raw Minimal Context Timing Targeting Continent Date End Date Start Values Date Detect Types Industry best practice? Country Sector / Industry Organisation 11 Extended Context KillChain 1. 2. 3. 4. 5. 6. 7. Scan/Reco Weapon Delivery Exploit Install CnC Actions TTP Campaign Actor #RSAC Poor Context Tim ing Detect_date Start_date End_date KillChain Targe ting Geoloc Sector Tim ing Detect_date Start_date End_date KillChain Targe ting Geoloc Sector 12 #RSAC Better Context Tim ing Detect_date Start_date End_date KillChain Targe ting Geoloc Sector 13 N/A #RSAC EU-I - Targeting one or more constituents Threat Scope Threat Level EU-Centric – Targeting EU Member States High EU Nearby - Targeting close partners (e.g. NATO, USA) Very sophisticated APT World-Class - EU-I might be Medium 'opportunity' or 'collateral' victims of major world-wide threats APT Low Non-targeted mass attacks / malware Threat level HIGH Medium priority Medium priority High priority High priority High priority threat Low priority MEDIUM LOW World-Wide EU-nearby Medium priority High priority Low priority Low priority EU-centric EU-I Medium priority threat Low priority threat Out of scope = 'noise' Threat Scope #RSAC Constituent Perspective Limited resources Specific IT security tools Specific policies Prioritisation Automation / Routing Minimise false-positives Actionable context when needed 15 #RSAC Threat Data Sharing Raw + Prioritise Decide Act Selection Routing IDS Firewall Context Log analyser Mail server SIEM 16 Host Scanner Intelligence Awareness #RSAC STIX Model RelatedIndicators Related Indicators RelatedTTP Observables Related TTP RelatedIndicator Related TTP Attribution Observed TTP LeveragedTTP SubObservables Related Incidents #RSAC Use Case 1: Detection Products CTI-db Indicators Observables Producer Detection SOURCEFIRE SURICATA SNORT Export Control Actors TTPs Campaigns Courses of Action Targets Incidents Organisations Recipients YARA Constituents Q-RADAR ARCSIGHT CSV Peers SPLUNK MISP Partners TH0R nCASE STIX / Cybox Proxy 18 CTI-db Actors TTPs Campaigns Courses of Action Targets Incidents Organisations Indicators Observables #RSAC Use Case 2: Scoping Malware reversing Internal process Scanning for IOCs in logs and hosts Scanning for anomalous traffic Hits on the proxy/IDS External process Has anybody else seen this? No? -> You’re on your own Yes? -> Multiply knowledge on IOCs What’s the timeline Sinkholing 19 #RSAC Pivoting via Actor / Campaign Incident 2 Incident 1 Incident 1 Incident 3 Incident 2 Unique TTPs Yara Snort 20 Incident 3 #RSAC Strategic • Understanding the broader context. • Strategic context: profile, motives, new techniques/tactics, sector and location of victims, business risk. • Planning high level actions for non-technical treatment of the threat. Tactical • Understanding cyber-attacks tactical context: threat type and level, timing of events, techniques/malware used. • Planning structured course of actions for permanent protection Technical Use Case 3: Strategic Insight • Immediate reaction to threats: Detection, Prevention, Reaction (eradication, recovery), Report • Dynamic feeding cyber-defense tools: IDS, IPS, SIEM, Security Scanners, Mailguard, Firewalls, etc • CEO • Business VP • CIO • CIO • Cyber-defense teams • Cyber-defense teams • IT administrators (or direct tool feeding) Threat Landscape Periodic Bulletin Security Brief For every new significant campaign IOCs Rules (Near real-time -> Towards full automation) CITAR CIMBL Feeds #RSAC Current Content Victims Threat Actors • • • • 200+ Espionage/Strategic Hacktivists Cyber-criminals 500+ Continet/country Sector (Diplomacy, Defense, Energy, Transport, etc) Type (Private, Public) • • • • • • • 800.000 targeted IOCs Malicious Domains = 65 % Malicious Files = 10% Malicious email addresses = 8% Malicious IP = 5 % Malicious URL = 4 % Other (Regkey, snort, etc) = 8% Observables Campaigns • • • • • • • • 300+ Espionage (political, industrial, etc) Hacktivism CyberCrime Incidents & Indicators • • Techniques, Tactics, Procedures 3000+ per year Scope: Constituency / EU-centric / EU-nearby/ World-class • • • • 22 500+ "Idendity card" of malware, botnets, C&C infrastructures, tools, exploit-kits Killchain analysis Focus on sophisticated & targeted TTP Victims #RSAC Some Open Issues How to manage lifetime of the data How to remove data downstream How to control sharing groups downstream Implement Course of Action How to maintain the treasure trove of TTPs 23 #RSAC Apply Slide Insist with your suppliers to deliver context with their feeds Identify “your” definitions to filter inputs/outputs Threat scope and level Sharing groups Course of Action … Start implementing your own internal STIX repository Embed it in your processes 24 Thank You! http://cert.europa.eu/ #RSAC