Cyber Threat Intelligence: Technical Committee (CTI TC) Monthly Meetings – July 20, 2017 Session #1 & Session #2 www.oasis-open.org


Page 1

Cyber Threat Intelligence: Technical Committee (CTI TC)

Monthly Meetings – July 20, 2017
Session #1 & Session #2

www.oasis-open.org

Page 2

www.oasis-open.org

Agenda

● Welcome & Meeting Overview (Richard Struse)
    ○ Report on Ballots
● Update on Face-to-Face Meetings
    ○ Austin F2F (Jason Keirstead)
    ○ Salt Lake City F2F (Bret Jordan)
    ○ Call for other F2F Sponsors (Richard Struse)
● Report on an FAQ
● Subcommittee Updates (Co-Chairs)
    ○ STIX & Cyber Observables (Sarah, John, Ivan, & Trey)
    ○ TAXII (Mark & Bret)
    ○ Interoperability (Allan & Jason)
● Update on STIX/TAXII APIs and Tools (Greg Back)
● Threat Report Mapping Exercise to STIX 2.x (Richard Struse)

Richard Struse – Chairman, CTI TC

Page 3

Ballot Results Updates

● STIX 2.0 Ballot Results
    ○ 48 yes, 0 no, out of 62 eligible voters (77%)
● TAXII 2.0 Ballot Results
    ○ 48 yes, 0 no, out of 62 eligible voters (77%)
● Internationalization Ballot Results
    ○ 10 yes, 36 no, out of 218 eligible voters
    ○ 78% of voters want `lang` optional

Richard Struse

Page 4

Upcoming F2F Meetings

● Austin, Texas
    ○ October 17-18, 2017
    ○ Hosted by IBM
● Salt Lake City, Utah
    ○ January 31-February 1st, 2018
    ○ Hosted by Symantec
● Volunteers for Next Meeting(s)?

Richard Struse

Page 5

Update on FAQ

● Purpose of FAQ
● Examples of Coverage
    ○ Why move to 2.0? Backward/Forward Compatible?
    ○ What happened to CybOX?
    ○ Why aren’t cyber_observables top-level-objects?
    ○ Why UUIDv4? What precision for Timestamp?
    ○ Why both Embedded and External Relationships?
    ○ Will the Tools be Updated?
● How to get involved

Richard Struse

Page 6

STIX 2.1 Specification Update

Finished:
● Confidence, Intel Note, Opinion, Internationalization

Mostly done:
● Location (review), Malware (finishing development, Friday call)

In Progress:
● Event/Incident (Tuesday working call)

Still to come (or in mini-group):
● IEP, COA, Infrastructure, DNS Request/Response

Other:
● There are also miscellaneous topics that we need to address

Sarah Kelley and John Wunder – Co-Chairs, STIX
Trey Darley and Ivan Kirillov – Co-Chairs, Observables

Page 7

STIX 2.1 Progress Check-In

We aren't making fast enough progress to finish by the fall.

Should we:
- Schedule more meetings, move faster?
- Remove items from the release?
- Accept it and delay the release?

Sarah Kelley and John Wunder – Co-Chairs, STIX
Trey Darley and Ivan Kirillov – Co-Chairs, Observables

Page 8

Interoperability Subcommittee Update

● Interop Test Document Development Continues
● Part 1 is considered DONE and will be published for TC Ballot Approval (consideration) next week
    ○ https://docs.google.com/document/d/1Bk3QsGqS84odU2iJtTZ8GokLZIOuz52iM7QKkRhJtQc/edit?usp=sharing
● Part 2 focuses on TAXII testing leveraging Part 1 tests
    ○ Target: End of Aug Final Draft
    ○ Part 2 draft available here: https://docs.google.com/document/d/11MocPK3s8im8O5-7rgZhtVHoxO72aQicJj2v-HDx-Q8/edit?usp=sharing

Self-certification is coming; orgs that want approval should make sure Part 1 and Part 2 meet their needs.

Allan Thomson & Jason Keirstead – Co-Chairs

Page 10

cti-python-stix2


Page 11

cti-python-stix2

Page 12

cti-python-stix2


Page 13

cti-python-stix2

Page 14

cti-stix-elevator


Page 15

cti-stix-elevator

Page 16

cti-stix-elevator

Page 17

cti-stix-elevator

Page 18

cti-stix-validator

Page 19

cti-stix-validator

Page 20

cti-stix-validator

Page 21

cti-stix-validator

Page 22

How YOU can help

Page 23

STIX 2 Modeling Exercise

● Goal: have several TC members model a published threat report in STIX 2 to assess the extent to which we achieved our goal of having one way of doing things.

● Report: https://www.coresecurity.com/publication/imddos-botnet-discovery-and-analysis

● Five solutions submitted: Sarah Kelley, Trey Darley, Ivan Kirillov, John Wunder & Rich Struse

● John Wunder’s “CTI Whittler” was a huge help (https://johnwunder.github.io/cti-whittler/)

Richard Struse

Page 24

The IMDDOS Report...

Report content Copyright 2010, Damballa, Inc.

Page 25

Modeling Exercise Results

● All five solutions were very similar in structure :)
● Differences in two main areas:
    ○ Some solutions included an (unnamed) threat actor
    ○ Indicator patterns varied (mostly stylistically)
● Modeling results here: https://gist.github.com/rjsmitre/79775df68b0d1c7c0985b4fe7f115586
  (Both the JSON and “Whittler YAML” files provided)

Page 26

IMDDOS: The Big Picture*

* Created directly from the JSON via the STIX Viewer: https://oasis-open.github.io/cti-stix-visualization/

Page 27

Bundle & Marking Definition

{
  "type": "bundle",
  "id": "bundle--9f0725cb-4bc3-47c3-aba6-99cb97ba4f52",
  "spec_version": "2.0",
  "objects": [
    {
      "type": "marking-definition",
      "id": "marking-definition--dc1b5371-1918-4e57-93f2-25d1d78d983f",
      "created": "2017-07-18T22:00:30.404Z",
      "definition_type": "statement",
      "definition": {
        "statement": "Copyright 2010, Damballa, Inc All Rights Reserved"
      }
    },
    ...

Page 28

Report

"type": "report",
…
"name": "IMDDOS Botnet",
"labels": [ "threat-report" ],
"description": "The newly-uncovered IMDDOS Botnet is a commercial DDOS service hosted in China.",
"published": "2010-09-13T00:00:00.000Z",
"object_refs": [
  "malware--efd5ac80-79ba-45cc-9293-01460ad85303",
  "threat-actor--e234c322-0981-4aa4-ae03-f4037e6be83f",
  "indicator--691d06b5-aa1d-46ec-97d6-e59ef9411b8a",
  ...
],
"object_marking_refs": [ "marking-definition--dc1b5371-1918-4e57-93f2-25d1d78d983f" ],
"external_references": [
  {
    "source_name": "Damballa, Inc.",
    "url": "https://www.coresecurity.com/system/files/publications/2017/03/Damballa_Report_IMDDOS.pdf",
    "hashes": { "SHA-1": "4e0f4197d6d61f52f80a5560d78af599a37277c0" }
  ...

Page 29

Malware

{
  "type": "malware",
  "id": "malware--efd5ac80-79ba-45cc-9293-01460ad85303",
  "created": "2017-07-18T22:00:30.405Z",
  "modified": "2017-07-18T22:00:30.405Z",
  "name": "IMDDOS",
  "labels": [ "bot", "ddos" ],
  "description": "Once infected with this malware, a host becomes part of the IMDDOS Botnet",
  "kill_chain_phases": [
    { "kill_chain_name": "lockheed-martin-cyber-kill-chain", "phase_name": "exploit" }
  ]
},

Page 30

Threat Actor & Location

{
  "type": "threat-actor",
  "id": "threat-actor--e234c322-0981-4aa4-ae03-f4037e6be83f",
  "created": "2017-07-18T22:00:30.405Z",
  "modified": "2017-07-18T22:00:30.405Z",
  "name": "(Unnamed) IMDDOS Threat Actor",
  "labels": [ "criminal" ]
},
{
  "type": "location",
  "id": "location--07608992-927e-434c-9cbd-bf45274290a0",
  "created": "2017-07-18T22:00:30.405Z",
  "modified": "2017-07-18T22:00:30.405Z",
  "country": "China"
},

Page 31

Indicator: TLHD

{
  "type": "indicator",
  "id": "indicator--691d06b5-aa1d-46ec-97d6-e59ef9411b8a",
  "created": "2017-07-18T22:00:30.406Z",
  "modified": "2017-07-18T22:00:30.406Z",
  "name": "IMDDOS THLD",
  "labels": [ "malicious-activity" ],
  "description": "References to this domain are indicative of the presence of the IMDDOS malware in the environment",
  "valid_from": "2010-04-01T00:00:00.000Z",
  "kill_chain_phases": [
    { "kill_chain_name": "lockheed-martin-cyber-kill-chain", "phase_name": "exploit" }
  ],
  "pattern": "[ domain-name:value = 'imddos.my03.com' ]"
},

Page 32

Indicator: TLHD Traffic

{
  "type": "indicator",
  "id": "indicator--b2ab314f-3a97-44d4-bfca-6a9857a6fe17",
  "created": "2017-07-18T22:00:30.406Z",
  "modified": "2017-07-18T22:00:30.406Z",
  "name": "IMDDOS THLD Traffic",
  "labels": [ "malicious-activity" ],
  "description": "Traffic to this domain indicates the source host is infected with IMDDOS malware",
  "valid_from": "2010-04-01T00:00:00.000Z",
  "kill_chain_phases": [
    { "kill_chain_name": "lockheed-martin-cyber-kill-chain", "phase_name": "exploit" }
  ],
  "pattern": "[ network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'imddos.my03.com' AND network-traffic:dst_port = 9090 ]"
},

Page 33

Indicator: IMDDOS Infected Host

{
  "type": "indicator",
  "id": "indicator--ca26195e-e3c0-4139-8e21-0af90c89bd27",
  "created": "2017-07-18T22:00:30.407Z",
  "modified": "2017-07-18T22:00:30.407Z",
  "name": "IMDDOS Infected Host",
  "labels": [ "malicious-activity" ],
  "description": "Presence of this registry key on a host indicates it is infected with the IMDDOS malware",
  "valid_from": "2010-04-01T00:00:00.000Z",
  "kill_chain_phases": [
    { "kill_chain_name": "lockheed-martin-cyber-kill-chain", "phase_name": "exploit" }
  ],
  "pattern": "[windows-registry-key:key LIKE 'HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\SafePrec%' ]"
},

Page 34

Indicator: IMDDOS C2 Traffic

{
  "type": "indicator",
  "id": "indicator--644bc5dc-1627-4c3a-b9d8-bb2a9fa30567",
  "created": "2017-07-18T22:00:30.407Z",
  "modified": "2017-07-18T22:00:30.407Z",
  "name": "IMDDOS C2 Traffic",
  "labels": [ "malicious-activity" ],
  "description": "Traffic to these domains indicates that the source host is under the control of the IMDDOS malware",
  "valid_from": "2010-04-01T00:00:00.000Z",
  "kill_chain_phases": [
    { "kill_chain_name": "lockheed-martin-cyber-kill-chain", "phase_name": "control" }
  ],
  "pattern": "[ network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value IN ('dns.ddos.im', 'win2003ddos.3322.org', 'woshindi.3322.org', 'pk518.3322.org', 'huanjue6369029.3322.org', 'qq603535.3322.org', 'qq188588.3322.org', 'hjff.3322.org', '198600.3322.org', 'ankankan.3322.org', 'yinn.3322.org') ]"
},

Page 35

External Relationships

{
  "type": "relationship",
  ...
  "relationship_type": "indicates",
  "source_ref": "indicator--691d06b5-aa1d-46ec-97d6-e59ef9411b8a",
  "target_ref": "malware--efd5ac80-79ba-45cc-9293-01460ad85303"
},
<other indicates Relationships omitted for clarity>
{
  "type": "relationship",
  …
  "relationship_type": "located-at",
  "source_ref": "threat-actor--e234c322-0981-4aa4-ae03-f4037e6be83f",
  "target_ref": "location--07608992-927e-434c-9cbd-bf45274290a0"
},
{
  "type": "relationship",
  ...
  "relationship_type": "uses",
  "source_ref": "threat-actor--e234c322-0981-4aa4-ae03-f4037e6be83f",
  "target_ref": "malware--efd5ac80-79ba-45cc-9293-01460ad85303"
}
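Pages 27 to 35 show the modeled objects pointing at each other by id (the report's object_refs, the marking refs, and the relationships' source_ref/target_ref). As an added example that is not code from the deck or from cti-python-stix2, the standard-library Python below checks that every id is a well-formed STIX 2.0 identifier whose type prefix agrees with the object, and that every reference resolves to an object inside the bundle; the report and relationship ids, which the slides elide, are constructed placeholders.

```python
"""Reference-integrity check for a STIX 2.0 bundle. Added example, not code
from the deck or from cti-python-stix2; standard library only. Object ids are
the ones shown on the slides; the report and relationship ids, which the
slides elide, are constructed placeholders."""
import re

# STIX 2.0 identifier: <object type>--<UUIDv4>
ID_RE = re.compile(
    r"^([a-z][a-z0-9-]*[a-z0-9])--"
    r"([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12})$")

MALWARE = "malware--efd5ac80-79ba-45cc-9293-01460ad85303"
ACTOR = "threat-actor--e234c322-0981-4aa4-ae03-f4037e6be83f"
LOCATION = "location--07608992-927e-434c-9cbd-bf45274290a0"
INDICATOR = "indicator--691d06b5-aa1d-46ec-97d6-e59ef9411b8a"
MARKING = "marking-definition--dc1b5371-1918-4e57-93f2-25d1d78d983f"

# Constructed: the exercise bundle trimmed to ids and reference properties.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--9f0725cb-4bc3-47c3-aba6-99cb97ba4f52",
    "spec_version": "2.0",
    "objects": [
        {"type": "marking-definition", "id": MARKING},
        {"type": "malware", "id": MALWARE},
        {"type": "threat-actor", "id": ACTOR},
        {"type": "location", "id": LOCATION},
        {"type": "indicator", "id": INDICATOR},
        {"type": "report", "id": "report--0a2fb8e0-5d9e-4b0c-9d3f-1f7d0c1a2b3c",  # constructed id
         "object_refs": [MALWARE, ACTOR, INDICATOR], "object_marking_refs": [MARKING]},
        {"type": "relationship", "id": "relationship--6b1c0d2e-3f4a-4b5c-8d6e-7f8091a2b3c4",  # constructed id
         "relationship_type": "indicates", "source_ref": INDICATOR, "target_ref": MALWARE},
        {"type": "relationship", "id": "relationship--9e8d7c6b-5a4f-4e3d-9c2b-1a0f9e8d7c6b",  # constructed id
         "relationship_type": "located-at", "source_ref": ACTOR, "target_ref": LOCATION},
    ],
}

def check_bundle(bundle):
    """Return a list of problems; an empty list means every id is well-formed,
    unique and type-consistent, and every *_ref(s) resolves inside the bundle."""
    problems, ids = [], set()
    for obj in bundle.get("objects", []):
        oid = obj.get("id", "")
        m = ID_RE.match(oid)
        if not m or m.group(1) != obj.get("type"):
            problems.append(f"malformed id or type/id mismatch: {oid!r}")
        elif oid in ids:
            problems.append(f"duplicate id: {oid}")
        ids.add(oid)
    for obj in bundle.get("objects", []):
        refs = [obj.get("source_ref"), obj.get("target_ref")]
        refs += obj.get("object_refs", []) + obj.get("object_marking_refs", [])
        for ref in filter(None, refs):
            if ref not in ids:
                problems.append(f"{obj.get('id')} -> {ref}: target not in bundle")
    return problems
```

Dropping the location object from SAMPLE_BUNDLE makes the located-at relationship dangle, which is the case a consumer most often hits when a producer ships a partial bundle.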

Page 36

Pattern Variants

#1) Use domain-name
domain-name:value IN ('dns.ddos.im', 'win2003ddos.3322.org', 'woshindi.3322.org')
domain-name:value MATCHES '^(dns.ddos.im|win2003ddos.3322.org|woshindi.3322.org)$'
domain-name:value = 'dns.ddos.im' OR domain-name:value = 'win2003ddos.3322.org' OR domain-name:value = 'woshindi.3322.org'

#2) Use network-traffic without port
network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value IN ('dns.ddos.im', 'win2003ddos.3322.org', 'woshindi.3322.org')
network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value MATCHES '^(dns.ddos.im|win2003ddos.3322.org|woshindi.3322.org)$'
network-traffic:dst_ref.type = 'domain-name' AND ( network-traffic:dst_ref.value = 'dns.ddos.im' OR network-traffic:dst_ref.value = 'win2003ddos.3322.org' OR network-traffic:dst_ref.value = 'woshindi.3322.org' )

#3) Use network-traffic with port
network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value IN ('dns.ddos.im', 'win2003ddos.3322.org', 'woshindi.3322.org') AND network-traffic:dst_port = 9090
network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value MATCHES '^(dns.ddos.im|win2003ddos.3322.org|woshindi.3322.org)$' AND network-traffic:dst_port = 9090
network-traffic:dst_ref.type = 'domain-name' AND ( network-traffic:dst_ref.value = 'dns.ddos.im' OR network-traffic:dst_ref.value = 'win2003ddos.3322.org' OR network-traffic:dst_ref.value = 'woshindi.3322.org' ) AND network-traffic:dst_port = 9090
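The three #1 variants are meant to match the same domains, but the MATCHES form as written leaves the dots unescaped, so '.' matches any character. As an added example that is not code from the deck, the Python below generates each variant from a domain list (escaping the regex properly, with a switch to reproduce the slide's unescaped form) and evaluates them against observed domain-name values; the evaluator handles only the IN, MATCHES and = ... OR ... shapes on this slide and is not a general STIX pattern evaluator.

```python
"""Added example (not code from the deck): build the three domain-list pattern
forms compared on this slide and evaluate each against observed domain values.
Only the comparison shapes shown here (IN, MATCHES, = ... OR ...) are handled;
this is not a general STIX pattern evaluator."""
import re

DOMAINS = ["dns.ddos.im", "win2003ddos.3322.org", "woshindi.3322.org"]

def stix_literal(s):
    """Quote s as a STIX pattern string literal (backslash and quote escaped)."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"

def variant_in(domains):
    return "[ domain-name:value IN (" + ", ".join(map(stix_literal, domains)) + ") ]"

def variant_matches(domains, escape=True):
    """Regex alternation. escape=False reproduces the slide's unescaped dots,
    where '.' matches any character instead of a literal dot."""
    alts = [re.escape(d) if escape else d for d in domains]
    return "[ domain-name:value MATCHES " + stix_literal("^(" + "|".join(alts) + ")$") + " ]"

def variant_or(domains):
    return "[ " + " OR ".join("domain-name:value = " + stix_literal(d) for d in domains) + " ]"

LITERAL = r"'((?:[^'\\]|\\.)*)'"   # body of one single-quoted STIX literal

def unquote(body):
    """Undo STIX literal escaping."""
    return body.replace("\\'", "'").replace("\\\\", "\\")

def matches(pattern, observed):
    """True if the observed domain-name value satisfies the pattern."""
    body = pattern.strip()[1:-1].strip()
    literals = [unquote(b) for b in re.findall(LITERAL, body)]
    if body.startswith("domain-name:value IN"):
        return observed in set(literals)
    if body.startswith("domain-name:value MATCHES"):
        return re.search(literals[0], observed) is not None
    return any(observed == lit for lit in literals)
```

With escape=True all three variants agree on both the listed domains and look-alikes such as dnsXddos.im; with escape=False the MATCHES variant accepts the look-alike, which is the stylistic difference that is not purely stylistic.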

Page 37

Final Thoughts on Modeling

● DIY - take a published threat report and model parts or all of it in STIX 2

● Share your results - #modeling channel on CTI TC Slack

● Use modeling of real-world reports to inform our continued development/evolution of STIX

Page 38

Q & A

Richard Struse – Chairman, CTI TC

Cyber Threat Intelligence Technical Committee