Cyber Threat Intelligence: Technical Committee
(CTI TC)
Monthly Meetings – July 20, 2017
Session #1 & Session #2
www.oasis-open.org
Agenda
● Welcome & Meeting Overview (Richard Struse)
  ○ Report on Ballots
● Update on Face-to-Face Meetings
  ○ Austin F2F (Jason Keirstead)
  ○ Salt Lake City F2F (Bret Jordan)
  ○ Call for other F2F Sponsors (Richard Struse)
● Report on an FAQ
● Subcommittee Updates (Co-Chairs)
  ○ STIX & Cyber Observables (Sarah, John, Ivan, & Trey)
  ○ TAXII (Mark & Bret)
  ○ Interoperability (Allan & Jason)
● Update on STIX/TAXII APIs and Tools (Greg Back)
● Threat Report Mapping Exercise to STIX 2.x (Richard Struse)
Richard Struse – Chairman, CTI TC
Ballot Results Updates
● STIX 2.0 Ballot Results
  ○ 48 yes, 0 no, out of 62 eligible voters (77%)
● TAXII 2.0 Ballot Results
  ○ 48 yes, 0 no, out of 62 eligible voters (77%)
● Internationalization Ballot Results
  ○ 10 yes, 36 no, out of 218 eligible voters
  ○ 78% of voters want `lang` optional
Richard Struse
Upcoming F2F Meetings
● Austin, Texas
  ○ October 17-18, 2017
  ○ Hosted by IBM
● Salt Lake City, Utah
  ○ January 31-February 1st, 2018
  ○ Hosted by Symantec
● Volunteers for Next Meeting(s)?
Richard Struse
Update on FAQ
● Purpose of FAQ
● Examples of Coverage
  ○ Why move to 2.0? Backward/Forward Compatible?
  ○ What happened to CybOX?
  ○ Why aren’t cyber_observables top-level-objects?
  ○ Why UUIDv4? What precision for Timestamp?
  ○ Why both Embedded and External Relationships?
  ○ Will the Tools be Updated?
● How to get involved
Richard Struse
STIX 2.1 Specification Update
Finished:
● Confidence, Intel Note, Opinion, Internationalization
Mostly done:
● Location (review), Malware (finishing development, Friday call)
In Progress:
● Event/Incident (Tuesday working call)
Still to come (or in mini-group):
● IEP, COA, Infrastructure, DNS Request/Response
Other:
● There are also miscellaneous topics that we need to address
Sarah Kelley and John Wunder – Co-Chairs, STIX
Trey Darley and Ivan Kirillov – Co-Chairs, Observables
STIX 2.1 Progress Check-In
We aren't making fast enough progress to finish by the fall.
Should we:
- Schedule more meetings, move faster?
- Remove items from the release?
- Accept it and delay the release?
Sarah Kelley and John Wunder – Co-Chairs, STIX
Trey Darley and Ivan Kirillov – Co-Chairs, Observables
Interoperability Subcommittee Update
● Interop Test Document Development Continues
● Part 1 is considered DONE and will be published for TC Ballot Approval (consideration) next week
● https://docs.google.com/document/d/1Bk3QsGqS84odU2iJtTZ8GokLZIOuz52iM7QKkRhJtQc/edit?usp=sharing
● Part 2 focuses on TAXII testing leveraging Part 1 tests
● Target End of Aug Final Draft
● Part 2 draft available here https://docs.google.com/document/d/11MocPK3s8im8O5-7rgZhtVHoxO72aQicJj2v-HDx-Q8/edit?usp=sharing
Self-certification is coming; orgs that want approval should make sure Part 1 and Part 2 meet their needs.
Allan Thomson & Jason Keirstead – Co-Chairs
CTI Open Repositories
Greg Back
cti-python-stix2
cti-stix-elevator
cti-stix-validator
How YOU can help
STIX 2 Modeling Exercise
● Goal: have several TC members model a published threat report in STIX 2 to assess the extent to which we achieved our goal of having one way of doing things.
● Report: https://www.coresecurity.com/publication/imddos-botnet-discovery-and-analysis
● Five solutions submitted: Sarah Kelley, Trey Darley, Ivan Kirillov, John Wunder & Rich Struse
● John Wunder’s “CTI Whittler” was a huge help (https://johnwunder.github.io/cti-whittler/)
Richard Struse
The IMDDOS Report...
Report content Copyright 2010, Damballa, Inc,
Modeling Exercise Results
● All five solutions were very similar in structure :)
● Differences in two main areas:
  ○ Some solutions included an (unnamed) threat actor
  ○ Indicator patterns varied (mostly stylistically)
● Modeling results here: https://gist.github.com/rjsmitre/79775df68b0d1c7c0985b4fe7f115586
  (Both the JSON and “Whittler YAML” files provided)
IMDDOS: The Big Picture*
* Created directly from the JSON via the STIX Viewer: https://oasis-open.github.io/cti-stix-visualization/
Bundle & Marking Definition
{
  "type": "bundle",
  "id": "bundle--9f0725cb-4bc3-47c3-aba6-99cb97ba4f52",
  "spec_version": "2.0",
  "objects": [
    {
      "type": "marking-definition",
      "id": "marking-definition--dc1b5371-1918-4e57-93f2-25d1d78d983f",
      "created": "2017-07-18T22:00:30.404Z",
      "definition_type": "statement",
      "definition": {
        "statement": "Copyright 2010, Damballa, Inc All Rights Reserved"
      }
    },
    ...
Report
{
  "type": "report",
  …
  "name": "IMDDOS Botnet",
  "labels": [ "threat-report" ],
  "description": "The newly-uncovered IMDDOS Botnet is a commercial DDOS service hosted in China.",
  "published": "2010-09-13T00:00:00.000Z",
  "object_refs": [
    "malware--efd5ac80-79ba-45cc-9293-01460ad85303",
    "threat-actor--e234c322-0981-4aa4-ae03-f4037e6be83f",
    "indicator--691d06b5-aa1d-46ec-97d6-e59ef9411b8a",
    ...
  ],
  "object_marking_refs": [ "marking-definition--dc1b5371-1918-4e57-93f2-25d1d78d983f" ],
  "external_references": [
    {
      "source_name": "Damballa, Inc.",
      "url": "https://www.coresecurity.com/system/files/publications/2017/03/Damballa_Report_IMDDOS.pdf",
      "hashes": { "SHA-1": "4e0f4197d6d61f52f80a5560d78af599a37277c0" }
    ...
Malware
{
  "type": "malware",
  "id": "malware--efd5ac80-79ba-45cc-9293-01460ad85303",
  "created": "2017-07-18T22:00:30.405Z",
  "modified": "2017-07-18T22:00:30.405Z",
  "name": "IMDDOS",
  "labels": [ "bot", "ddos" ],
  "description": "Once infected with this malware, a host becomes part of the IMDDOS Botnet",
  "kill_chain_phases": [
    { "kill_chain_name": "lockheed-martin-cyber-kill-chain", "phase_name": "exploit" }
  ]
},
Threat Actor & Location
{
  "type": "threat-actor",
  "id": "threat-actor--e234c322-0981-4aa4-ae03-f4037e6be83f",
  "created": "2017-07-18T22:00:30.405Z",
  "modified": "2017-07-18T22:00:30.405Z",
  "name": "(Unnamed) IMDDOS Threat Actor",
  "labels": [ "criminal" ]
},
{
  "type": "location",
  "id": "location--07608992-927e-434c-9cbd-bf45274290a0",
  "created": "2017-07-18T22:00:30.405Z",
  "modified": "2017-07-18T22:00:30.405Z",
  "country": "China"
},
Indicator: TLHD
{
  "type": "indicator",
  "id": "indicator--691d06b5-aa1d-46ec-97d6-e59ef9411b8a",
  "created": "2017-07-18T22:00:30.406Z",
  "modified": "2017-07-18T22:00:30.406Z",
  "name": "IMDDOS THLD",
  "labels": [ "malicious-activity" ],
  "description": "References to this domain are indicative of the presence of the IMDDOS malware in the environment",
  "valid_from": "2010-04-01T00:00:00.000Z",
  "kill_chain_phases": [
    { "kill_chain_name": "lockheed-martin-cyber-kill-chain", "phase_name": "exploit" }
  ],
  "pattern": "[ domain-name:value = 'imddos.my03.com' ]"
},
Indicator: TLHD Traffic
{
  "type": "indicator",
  "id": "indicator--b2ab314f-3a97-44d4-bfca-6a9857a6fe17",
  "created": "2017-07-18T22:00:30.406Z",
  "modified": "2017-07-18T22:00:30.406Z",
  "name": "IMDDOS THLD Traffic",
  "labels": [ "malicious-activity" ],
  "description": "Traffic to this domain indicates the source host is infected with IMDDOS malware",
  "valid_from": "2010-04-01T00:00:00.000Z",
  "kill_chain_phases": [
    { "kill_chain_name": "lockheed-martin-cyber-kill-chain", "phase_name": "exploit" }
  ],
  "pattern": "[ network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'imddos.my03.com' AND network-traffic:dst_port = 9090 ]"
},
Indicator: IMDDOS Infected Host
{
  "type": "indicator",
  "id": "indicator--ca26195e-e3c0-4139-8e21-0af90c89bd27",
  "created": "2017-07-18T22:00:30.407Z",
  "modified": "2017-07-18T22:00:30.407Z",
  "name": "IMDDOS Infected Host",
  "labels": [ "malicious-activity" ],
  "description": "Presence of this registry key on a host indicates it is infected with the IMDDOS malware",
  "valid_from": "2010-04-01T00:00:00.000Z",
  "kill_chain_phases": [
    { "kill_chain_name": "lockheed-martin-cyber-kill-chain", "phase_name": "exploit" }
  ],
  "pattern": "[windows-registry-key:key LIKE 'HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\SafePrec%' ]"
},
Indicator: IMDDOS C2 Traffic
{
  "type": "indicator",
  "id": "indicator--644bc5dc-1627-4c3a-b9d8-bb2a9fa30567",
  "created": "2017-07-18T22:00:30.407Z",
  "modified": "2017-07-18T22:00:30.407Z",
  "name": "IMDDOS C2 Traffic",
  "labels": [ "malicious-activity" ],
  "description": "Traffic to these domains indicates that the source host is under the control of the IMDDOS malware",
  "valid_from": "2010-04-01T00:00:00.000Z",
  "kill_chain_phases": [
    { "kill_chain_name": "lockheed-martin-cyber-kill-chain", "phase_name": "control" }
  ],
  "pattern": "[ network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value IN ('dns.ddos.im', 'win2003ddos.3322.org', 'woshindi.3322.org', 'pk518.3322.org', 'huanjue6369029.3322.org', 'qq603535.3322.org', 'qq188588.3322.org', 'hjff.3322.org', '198600.3322.org', 'ankankan.3322.org', 'yinn.3322.org') ]"
},
External Relationships
{
  "type": "relationship",
  ...
  "relationship_type": "indicates",
  "source_ref": "indicator--691d06b5-aa1d-46ec-97d6-e59ef9411b8a",
  "target_ref": "malware--efd5ac80-79ba-45cc-9293-01460ad85303"
},
<other indicates Relationships omitted for clarity>
{
  "type": "relationship",
  …
  "relationship_type": "located-at",
  "source_ref": "threat-actor--e234c322-0981-4aa4-ae03-f4037e6be83f",
  "target_ref": "location--07608992-927e-434c-9cbd-bf45274290a0"
},
{
  "type": "relationship",
  ...
  "relationship_type": "uses",
  "source_ref": "threat-actor--e234c322-0981-4aa4-ae03-f4037e6be83f",
  "target_ref": "malware--efd5ac80-79ba-45cc-9293-01460ad85303"
}
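The report, relationships and markings above all point at each other by id, so a quick integrity check before sharing a modelled report is that every `*_ref`/`*_refs` value resolves to an object in the same bundle. Added example, not code from the exercise or from the cti-python-stix2 project: it uses a constructed bundle that copies the slides' ids (the report and relationship ids are made-up placeholders, and required timestamps are dropped on some objects for brevity) and deliberately leaves out the threat-actor the report's `object_refs` names, so the check reports a dangling reference.

```python
import json

# Constructed STIX 2.0 bundle mirroring the slides' IMDDOS objects (ids copied
# from the slides; report/relationship ids are placeholders; some required
# timestamps omitted for brevity). The threat-actor is left out on purpose.
SAMPLE_BUNDLE = json.loads("""
{"type": "bundle", "id": "bundle--9f0725cb-4bc3-47c3-aba6-99cb97ba4f52",
 "spec_version": "2.0", "objects": [
  {"type": "marking-definition",
   "id": "marking-definition--dc1b5371-1918-4e57-93f2-25d1d78d983f",
   "created": "2017-07-18T22:00:30.404Z", "definition_type": "statement",
   "definition": {"statement": "Copyright 2010, Damballa, Inc All Rights Reserved"}},
  {"type": "malware", "id": "malware--efd5ac80-79ba-45cc-9293-01460ad85303",
   "name": "IMDDOS", "labels": ["bot", "ddos"]},
  {"type": "indicator", "id": "indicator--691d06b5-aa1d-46ec-97d6-e59ef9411b8a",
   "name": "IMDDOS THLD", "labels": ["malicious-activity"],
   "pattern": "[ domain-name:value = 'imddos.my03.com' ]"},
  {"type": "report", "id": "report--00000000-0000-4000-8000-000000000001",
   "name": "IMDDOS Botnet", "labels": ["threat-report"],
   "published": "2010-09-13T00:00:00.000Z",
   "object_refs": ["malware--efd5ac80-79ba-45cc-9293-01460ad85303",
                   "threat-actor--e234c322-0981-4aa4-ae03-f4037e6be83f",
                   "indicator--691d06b5-aa1d-46ec-97d6-e59ef9411b8a"],
   "object_marking_refs": ["marking-definition--dc1b5371-1918-4e57-93f2-25d1d78d983f"]},
  {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000002",
   "relationship_type": "indicates",
   "source_ref": "indicator--691d06b5-aa1d-46ec-97d6-e59ef9411b8a",
   "target_ref": "malware--efd5ac80-79ba-45cc-9293-01460ad85303"}]}
""")


def dangling_refs(bundle):
    """Map each object id to its *_ref/*_refs values that do not resolve
    within the bundle; an empty dict means every reference resolves."""
    present = {obj["id"] for obj in bundle["objects"]}
    missing = {}
    for obj in bundle["objects"]:
        for key, value in obj.items():
            if key.endswith("_refs"):
                refs = value
            elif key.endswith("_ref"):
                refs = [value]
            else:
                continue
            unresolved = [ref for ref in refs if ref not in present]
            if unresolved:
                missing[obj["id"]] = unresolved
    return missing
```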
Pattern Variants
#1) Use domain-name
domain-name:value IN ('dns.ddos.im', 'win2003ddos.3322.org', 'woshindi.3322.org')
domain-name:value MATCHES '^(dns.ddos.im|win2003ddos.3322.org|woshindi.3322.org)$'
domain-name:value = 'dns.ddos.im' OR domain-name:value = 'win2003ddos.3322.org' OR domain-name:value = 'woshindi.3322.org'
#2) Use network-traffic without port
network-traffic:dst_ref.type = 'domain-name' AND ( network-traffic:dst_ref.value IN ( 'dns.ddos.im', 'win2003ddos.3322.org', 'woshindi.3322.org' ) )
network-traffic:dst_ref.type = 'domain-name' AND ( network-traffic:dst_ref.value MATCHES '^(dns.ddos.im|win2003ddos.3322.org|woshindi.3322.org)$' )
network-traffic:dst_ref.type = 'domain-name' AND ( network-traffic:dst_ref.value = 'dns.ddos.im' OR network-traffic:dst_ref.value = 'win2003ddos.3322.org' OR network-traffic:dst_ref.value = 'woshindi.3322.org' )
#3) Use network-traffic with port
network-traffic:dst_ref.type = 'domain-name' AND ( network-traffic:dst_ref.value IN ( 'dns.ddos.im', 'win2003ddos.3322.org', 'woshindi.3322.org' ) ) AND network-traffic:dst_port = 9090
network-traffic:dst_ref.type = 'domain-name' AND ( network-traffic:dst_ref.value MATCHES '^(dns.ddos.im|win2003ddos.3322.org|woshindi.3322.org)$' ) AND network-traffic:dst_port = 9090
network-traffic:dst_ref.type = 'domain-name' AND ( network-traffic:dst_ref.value = 'dns.ddos.im' OR network-traffic:dst_ref.value = 'win2003ddos.3322.org' OR network-traffic:dst_ref.value = 'woshindi.3322.org' ) AND network-traffic:dst_port = 9090
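The three variant families differ in what they match, not only in style: #1 fires on any observed domain-name, #2 needs observed traffic whose destination resolves to one of the domains, and #3 additionally requires port 9090. Added example, not from the slides: each family is written as a predicate over constructed STIX 2.0 observed-data `objects` dictionaries (keys "0", "1", with `dst_ref` pointing at the domain-name object, as the Cyber Observable layer does), so the match table makes the difference visible.

```python
# Constructed STIX 2.0 observed-data samples (not from the slides): the three C2
# domains are the ones the slide's variants list, the observations are made up
# to show what each variant does and does not match.
C2_DOMAINS = {"dns.ddos.im", "win2003ddos.3322.org", "woshindi.3322.org"}

SAMPLES = {
    # a bare DNS log entry: a domain-name object with no network-traffic
    "dns_log": {"objects": {"0": {"type": "domain-name", "value": "dns.ddos.im"}}},
    # a TCP connection to a C2 domain on the port named in the report
    "tcp_9090": {"objects": {
        "0": {"type": "domain-name", "value": "woshindi.3322.org"},
        "1": {"type": "network-traffic", "dst_ref": "0", "dst_port": 9090, "protocols": ["tcp"]}}},
    # the same domain on another port
    "tcp_80": {"objects": {
        "0": {"type": "domain-name", "value": "woshindi.3322.org"},
        "1": {"type": "network-traffic", "dst_ref": "0", "dst_port": 80, "protocols": ["tcp"]}}},
    # benign traffic on port 9090
    "benign": {"objects": {
        "0": {"type": "domain-name", "value": "example.org"},
        "1": {"type": "network-traffic", "dst_ref": "0", "dst_port": 9090, "protocols": ["tcp"]}}},
}

def c2_destinations(objects):
    """Yield network-traffic objects whose dst_ref resolves to a C2 domain-name,
    i.e. the dst_ref.type / dst_ref.value part shared by variants #2 and #3."""
    for obj in objects.values():
        if obj.get("type") != "network-traffic":
            continue
        dst = objects.get(obj.get("dst_ref"), {})
        if dst.get("type") == "domain-name" and dst.get("value") in C2_DOMAINS:
            yield obj

def variant1(observed):
    """#1: any domain-name object with a C2 value, regardless of traffic."""
    return any(o.get("type") == "domain-name" and o.get("value") in C2_DOMAINS
               for o in observed["objects"].values())

def variant2(observed):
    """#2: network-traffic to a C2 domain on any port."""
    return next(c2_destinations(observed["objects"]), None) is not None

def variant3(observed, port=9090):
    """#3: network-traffic to a C2 domain on the given port only."""
    return any(t.get("dst_port") == port for t in c2_destinations(observed["objects"]))

def match_table():
    """(variant1, variant2, variant3) per sample; the rows differ, so the variants are not interchangeable."""
    return {name: (variant1(s), variant2(s), variant3(s)) for name, s in SAMPLES.items()}
```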
Final Thoughts on Modeling
● DIY - take a published threat report and model parts or all of it in STIX 2
● Share your results - #modeling channel on CTI TC Slack
● Use modeling of real-world reports to inform our continued development/evolution of STIX
Q & A
Richard Struse – Chairman, CTI TC
Cyber Threat Intelligence Technical Committee