PRACTICAL CYBER THREAT INTELLIGENCE WITH STIX

Sean Barnum, Nov 2013
https://stix.mitre.org
Sponsored by the US Department of Homeland Security

© 2013 The MITRE Corporation. All rights reserved.

Recon → Weaponize → Deliver → Exploit → Control → Execute → Maintain

Diverse and evolving threats
Need for holistic threat intelligence
Proactive & reactive actions
Balance inward & outward focus
Information sharing
Standardized Threat Representation

Information Sharing

Cyber threat information (particularly indicator) sharing is not new
Typically very atomic and very limited in sophistication: IP lists, file hashes, URLs, email addresses, etc.
Most sharing is unstructured & human-to-human
Recent trend of machine-to-machine transfer of simple/atomic indicators
STIX aims to enable sharing of more expressive indicators as well as other full-spectrum cyber threat information.

What is STIX?

A language for the characterization and communication of cyber threat information
– NOT a sharing program, database, or tool
– …but supports all of those uses and more
Developed with open community feedback
Supports
– Clear understandings of cyber threat information
– Consistent expression of threat information
– Automated processing based on collected intelligence
– Advancing the state of practice in threat analytics

STIX Use Cases

STIX provides a common mechanism for addressing structured cyber threat information across and among this full range of use cases, improving consistency, efficiency, interoperability, and overall situational awareness.

What is “Cyber (Threat) Intelligence?”

Consider these questions:
What activity are we seeing?
What threats should I look for on my networks and systems and why?
Where has this threat been seen?
What does it do?
What weaknesses does this threat exploit?
Why does it do this?
Who is responsible for this threat?
What can I do about it?

What you are looking for:
Who was doing it?
What exactly were they doing?
What were they looking to exploit?
Where was it seen?
Why were they doing it?
Why should you care about it?
What should you do about it?

Expressing Relationships

Diagram: threat intelligence objects linked by RelatedTo and ObservedTTP relationships, e.g. a threat actor “Bad Guy”, an ObservedTTP Backdoor with Infrastructure (Badurl.com, 10.3.6.23, …), a campaign “BankJob23”, Indicator-985 (Observables: MD5 hash…), Indicator-9742 (Observables: Email-Subject: “Follow-up”), Malware, and CERT-2013-03….

Expressing Relationships in STIX

Diagram: a worked relationship graph.
Threat Actor: Pamina Republic Army, Unit 31459
– Associated Actor: Leet (Electronic Address: [email protected])
– Targets: Khaffeine, Bronxistan, Perturbia, Blahniks, . . .
– Leverages Infrastructure: C2 Servers, IP Range: 172.24.0.0-112.25.255.255
Observed TTPs:
– Initial Compromise: Spear Phishing Email; Indicator → Observable: Sender: John Smith, Subject: Press Release
– Establish Foothold: Malware Behavior: WEBC2
– Escalate Privilege: Uses Tool: cachedump, lslsass; Indicator: MD5:d8bb32a7465f55c368230bb52d52d885
– Internal Reconnaissance: Attack Pattern: ipconfig, net view, net group “domain admins”
– Exfiltration: Uses Tool: GETMAIL

Data Markings, Profiles and Privacy

STIX leverages an abstract data markings approach
– Enables marking of content data down to the field level with any number of custom marking models
– Current default model implementations exist for Traffic Light Protocol (TLP) and Enterprise Data Header (EDH)
Profiles can be defined to specify relevant subsets of the language
– Can be used to scope what information is exchanged between parties, what capabilities a tool or service provides, or to support differential policies on different types of information
Addressing privacy with STIX
– Structured representation assists in explicitly delineating types of information
– Profiles assist in explicit design-time specification of scoping policy around data with potential privacy implications
– Data markings assist in explicit implementation-time labeling of content based on policy around potential privacy implications
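Field-level marking and release-time redaction, as an added example that is not part of the deck or of the STIX project's own tooling: a constructed STIX-1-style package is marked with TLP colors using the Marking/Controlled_Structure idea (an XPath selecting the marked nodes), and everything above the recipient's TLP level is stripped before sharing. Namespaces follow STIX 1.0.1; the marking evaluation is a simplified stand-in, not a full STIX Handling implementation.

```python
import xml.etree.ElementTree as ET

# STIX 1.x namespaces (assumed from the STIX 1.0.1 schemas).
NS = {"stix": "http://stix.mitre.org/stix-1",
      "indicator": "http://stix.mitre.org/Indicator-2"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)
TLP_RANK = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}

# Constructed sample package: one indicator whose internal note must not leave
# the organization, while the rest may go to partners.
SAMPLE = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2" id="example:package-1">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-1">
      <indicator:Title>Spear phishing sender address (constructed)</indicator:Title>
      <indicator:Description>Seen in campaign BankJob23</indicator:Description>
      <indicator:Short_Description>INTERNAL: victim ticket 4711</indicator:Short_Description>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""

# Markings mimic STIX Marking/Controlled_Structure: an XPath that selects the
# marked nodes plus a TLP color. Later, more specific entries override earlier ones.
MARKINGS = [
    (".//stix:Indicator", "GREEN"),             # the whole indicator subtree
    (".//indicator:Short_Description", "RED"),  # one field inside it
]

def effective_tlp(root):
    """Map each element to its effective TLP color (subtree inherits, then override)."""
    colors = {}
    for xpath, color in MARKINGS:
        for marked in root.findall(xpath, NS):
            for node in marked.iter():
                colors[node] = color
    return colors

def redact_for(xml_text, recipient_tlp):
    """Return the package as XML text with every node marked above the
    recipient's TLP level removed; unmarked nodes are treated as WHITE."""
    root = ET.fromstring(xml_text)
    colors = effective_tlp(root)
    limit = TLP_RANK[recipient_tlp]
    for parent in list(root.iter()):
        for child in list(parent):
            if TLP_RANK[colors.get(child, "WHITE")] > limit:
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")
```

Releasing to a TLP:GREEN partner keeps the title and description but drops the RED field; a WHITE recipient gets the package shell with the GREEN indicator removed entirely.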

Implementations

Initial implementation has been done in XML Schema
– Ubiquitous, portable and structured
– Concrete strawman for community of experts
– Practical structure for early real-world prototyping and POC implementations
– Plan to iterate and refine with real-world use
Next step will be a formal implementation-independent specification
– Will include guidance for developing XML, JSON, RDF/OWL, or other implementations

Enabling Utilities

Utilities to enable easier prototyping and usage of the language.
Utilities consist of things like:
– Language (Python) bindings for STIX, CybOX, MAEC, etc.
– High-level programmatic APIs for common needs/activities
– Conversion utilities from commonly used formats & tools
– Comparator tools for analyzing language-based content
– STIX-to-HTML
– Stixviz (simple visualization tool)
– Utilities supporting common use cases, e.g. the Email_to_CybOX utility supporting phishing analysis & management
Open communities on GitHub (STIXProject, CybOXProject & MAECProject)

STIXViz with STIX-to-HTML Example

Adoption & Usage

Still in its early stages but already generating extensive interest and initial operational use
Actively being worked by numerous information sharing communities
Initial operational use by several large “user” organizations
Actively being worked by numerous service/product vendors
Some of the organizations contributing to the STIX conversation:

Recent Focus

Make it easier for people to understand and use STIX
– Improve documentation
– Develop supporting utilities
– Provide collaborative guidance
Gather feedback
Refine and extend the language based on feedback and needs

Timelines

Current Versions
– CybOX 2.0.1, MAEC 4.0.1, STIX 1.0.1 (Sep 2013)
Near Term
– CybOX 2.1 (EOY 2013)
– MAEC 4.1, STIX 1.1 (January 2014)
Mid Term
– CybOX 3.0, MAEC 5.0, STIX 2.0 (Summer 2014)
Long Term
– Transition to international standards bodies (EOY 2014-2015)

For more information

STIX Website
– Contains official releases and other info
– http://stix.mitre.org/
Sign up for the STIX Discussion and Announcement mailing lists
– http://stix.mitre.org/community/registration.html
Open issues can be discussed on GitHub
– https://github.com/STIXProject
STIX-related software can be found on GitHub
– https://github.com/STIXProject/python-stix
– https://github.com/STIXProject/Tools
Related sites
– https://cybox.mitre.org/
– https://maec.mitre.org/
– https://capec.mitre.org/
– https://taxii.mitre.org/

https://stix.mitre.org
[email protected]
We want you to be part of the conversation.
Orient on the Adversary!

Backup TAXII Slides

Trusted Automated eXchange of Indicator Information (TAXII)

Defines services and messages for sharing cyber threat info
Not bound to one sharing architecture
– Composable TAXII services support many sharing models
– Support push or pull sharing
– Do not force data consumers to host network services
Enable (but don’t require) authentication/encryption
Do not dictate data handling
– TAXII handles transport; storage & access control left to back-end
Core services and data models are protocol/format neutral
– Binding specs standardize TAXII’s use of specific protocols/formats
– Users not forced to use one protocol or format
Convey any data (not just STIX)
Open community led by DHS and coordinated by MITRE

TAXII 1.0

TAXII 1.0 Specifications
– TAXII Overview: defines the primary concepts of TAXII
– TAXII Services Specification = core services and exchanges
– TAXII Message Binding = how to express messages in a format (TAXII 1.0 has an XML Message Binding)
– TAXII Protocol Binding = how to transmit messages over the network (TAXII 1.0 has an HTTP (and HTTPS) Message Binding)
TAXII core services
– Discovery – Indicates how to communicate with other services
– Feed Management – Identify and manage subscriptions to data feeds
– Poll – Support pull messaging
– Inbox – Receive pushed messages

Identified Sharing Models

Research identified three primary sharing models:
– Source/subscriber
– Peer-to-peer
– Hub and spoke
TAXII supports all three

Diagram: a Source feeding several Subscribers; Peers A–E exchanging directly with one another; a Hub with Spokes that are Consumer only, Producer only, or Consumer & Producer.

Simple Hub & Spoke Example

Diagram: a Hub exposing Poll and Inbox services to Spoke 1–4 clients; spokes push data to the hub (Inbox) and pull data from the hub (Poll).

Hub & Spoke Example

Diagram: the Hub offers Discovery, Feed Management, Poll and Inbox services to Spoke 1–4 clients. A spoke gets connection info (Discovery), subscribes to data feeds (Feed Management), pushes new data to the hub (Inbox) and pulls recent data from the hub (Poll); the hub can also push recent data to a spoke that hosts its own Inbox.
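The hub-and-spoke exchange above, as an added simulation that is not part of the deck or of any TAXII implementation: the four TAXII 1.0 core services are plain method calls on a constructed Hub, with no HTTP or XML binding. It shows the slide's point that a consumer only pulls via Poll and need not host anything, while a spoke that does host an Inbox gets new data pushed to it; feed and spoke names are made up.

```python
from dataclasses import dataclass, field

@dataclass
class Hub:
    """Constructed hub exposing Discovery, Feed Management, Inbox and Poll."""
    feeds: dict = field(default_factory=dict)          # feed -> [(seq, content)]
    subscriptions: dict = field(default_factory=dict)  # spoke -> {feed, ...}
    spoke_inboxes: dict = field(default_factory=dict)  # spokes that host an Inbox
    seq: int = 0

    def discovery(self):
        """Discovery: tell a client which services and feeds exist."""
        return {"services": ["Discovery", "Feed Management", "Inbox", "Poll"],
                "feeds": sorted(self.feeds)}

    def feed_management(self, spoke, feed):
        """Feed Management: subscribe a spoke to a feed."""
        self.feeds.setdefault(feed, [])
        self.subscriptions.setdefault(spoke, set()).add(feed)

    def inbox(self, producer, feed, content):
        """Inbox: a producer pushes content (any payload, not only STIX) to the hub.
        Subscribers that host an Inbox get it pushed; pull-only spokes wait for Poll."""
        self.seq += 1
        self.feeds.setdefault(feed, []).append((self.seq, content))
        for spoke, feeds in self.subscriptions.items():
            if feed in feeds and spoke != producer and spoke in self.spoke_inboxes:
                self.spoke_inboxes[spoke].append(content)
        return self.seq

    def poll(self, spoke, feed, since=0):
        """Poll: a subscribed spoke pulls everything newer than `since`.
        Unsubscribed spokes get nothing (access control sits in the back-end)."""
        if feed not in self.subscriptions.get(spoke, ()):
            return []
        return [c for s, c in self.feeds.get(feed, []) if s > since]

def scenario():
    """Walk the slide's exchange: discover, subscribe, push, pull, hub push."""
    hub = Hub()
    hub.feeds["indicators"] = []
    info = hub.discovery()                           # get connection info
    hub.feed_management("spoke2", "indicators")      # consumer-only, pull via Poll
    hub.feed_management("spoke3", "indicators")      # consumer that hosts an Inbox
    hub.spoke_inboxes["spoke3"] = []
    hub.inbox("spoke1", "indicators", "stix-package-A")   # producer pushes
    last = hub.inbox("spoke4", "indicators", "stix-package-B")
    return info, hub.poll("spoke2", "indicators"), hub.spoke_inboxes["spoke3"], \
        hub.poll("spoke4", "indicators"), hub.poll("spoke2", "indicators", since=last)
```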

Peer-to-Peer Example

Diagram: Peers 1–5, each running an Inbox service and a client, exchanging directly with one another.

RID-T Example

Diagram: the same five peers using RID-T, each with an Inbox and a client.

For more information

TAXII Website
– Contains official releases and other info
– http://taxii.mitre.org/
Sign up for the TAXII Discussion and Announcement mailing lists
– http://taxii.mitre.org/community/registration.html
Open issues can be discussed on GitHub
– https://github.com/TAXIIProject/TAXII-Specifications
TAXII-related software can be found on GitHub
– https://github.com/TAXIIProject
Related sites
– https://stix.mitre.org/