Making Threat Intelligence Actionable Final
2 likes1,525 views
The document discusses making threat intelligence actionable by recommending responses using STIX. It proposes extending the STIX CourseOfActionType to include specific network actions like block, contain, inspect. Network actions could then be applied automatically or semi-automatically based on indicators in STIX. This would improve the connection between threat detection and response by enabling threat intelligence to recommend standardized, machine-readable responses.
Making Threat Intelligence Actionable Final
- 1. #RSAC SESSION ID: David McGrew Jyoti Verma Making Threat Intelligence Actionable: Recommending Responses with STIX ANF-R04 Technical Leader Cisco Systems Fellow Cisco Systems @mcgrewAnalog
- 4. #RSAC Poll What is the mean time to detect cyber threats in your organization ? < 3 hours < 3 days < 3 weeks < 3 months 4 https://pollev.com/mrti
- 5. #RSAC Response 5 Investigate Obtain more information about a threat Mitigate Block, but not eliminate, a threat Remediate Fix or eliminate a threat
- 6. #RSAC Poll What is the mean time to contain/remediate cyber threats in your organization ? < 3 hours < 3 days < 3 weeks < 3 months 6 https://pollev.com/mrti
- 7. #RSAC Connecting detection to response 7 There may be multiple detection sources There may be multiple response systems A human should be in the loop Or have that option Processes should be automatable One-click approval
- 8. #RSAC Connecting detection to response 8 Cloud Threat Analytics Local Threat Analytics Network Controller Endpoint Protection
- 9. #RSAC Threat Intelligence Aggregator 9 Cloud Threat Analytics Local Threat Analytics Network Controller Endpoint Protection TIA SIEM
- 10. #RSAC Threat Intelligence Aggregator 10 Cloud Threat Analytics Local Threat Analytics Network Controller Endpoint Protection TIA SIEM TI
- 11. #RSAC Threat Intelligence Aggregator 11 Threat type Risk Host security group Reputation Rules Engine Recommended CoA
- 12. #RSAC Rule Engine Threat Intelligence Aggregator 12 Threat type Risk Host security group Reputation Recommended CoA
- 13. #RSAC Rules 13 Risk Threat Type Default Suggested Course of Action 8-9 malware using automatically generated domain (DGA) Block compromised host 8-9 malware using url-string as communication channel (C&C) Block compromised host 8-9 malware using https communication channel Block compromised host 8-9 malware downloading suspicious file Block compromised host 7-8 malware using repetitive requests Contain compromised host 7 malware downloading malicious file Contain compromised host 6-7 misuse of web proxy auto discovery protocol (WPAD) Tag host as suspicious and inspect through IPS 6 anonymization software (TOR) Tag host as suspicious and inspect through IPS 5 remote desktop connection Inspect host traffic through IPS 3 Skype Inspect host traffic through IPS
- 14. #RSAC Manual 14 Incident detected Determine Course of Action Determine console to use for CoA Enter CoA data into console ok? Monitor
- 15. #RSAC Manual Semiautomated 15 Incident detected Determine Course of Action Determine console to use for CoA Enter CoA data into console ok? Monitor Incident detected Approve or select Course of Action ok? Monitor
- 16. #RSAC Network actions Investigate Inspect with IPS: SPAN, TAP, SDN copying or redirection Netflow/IPFIX monitoring Packet capture Mitigate Perimeter blocking: BGP black hole, DNS sinkhole, ACL Interior blocking: 802.1X Change of Authorization, ACL Containment: VLAN tagging, SGT tagging Remediate Containment to remediation server or service 16
- 17. #RSAC Endpoint actions Investigate Scan endpoint Mitigate Kill process, Delete file Remediate Reimage host, Remove software, Reinstall software 17
- 18. #RSAC
- 19. #RSAC Poll What is STIX? Structured Threat Information eXchange Structured Threat Information eXpression Some Thing In XML 19 https://pollev.com/mrti
- 20. #RSAC Poll What is STIX? Structured Threat Information eXchange Structured Threat Information eXpression Some Thing In XML 20 https://pollev.com/mrti
- 21. #RSAC What is STIX? 21 Incident Indicator Observable Course of Action Tactics, Techniques, Procedures Campaign Exploit Target Threat Actor
- 22. #RSAC Why use STIX between detection & response? Standard for communicating threat info between elements Human and machine readable Standard definitions Normalized measures of risk and likelihood 22
- 23. #RSAC Pros and Cons of STIX 23 PROS CONS Very comprehensive list of elements to build IoCs Limited commercial adoption Support for “free text” and comments Fairly verbose and complex schema Integration with CAPEC and MAEC for robust IoCs Course of Actions needs further definition to be useful Vendor neutral
- 25. #RSAC Extending CourseOfActionType 25 1. Expanded vocabulary with specific network action types • Block • Contain • Inspect • Packet Capture 2. Added priority for the actions
- 26. #RSAC STIX Course Of Action Indicator - SuggestedCOA Incident - RequestedCOA Incident - COATaken Action target Cybox Observable tied to Indicator • URL • Email addresses, subjects • Files • DNS domain names • IP addresses 1. Cybox Observable tied to Incident 2. Incident Victim • IP address • MAC address 1. Cybox Observable tied to Incident 2. Incident Victim External threats Internal threats 26 Course of Actions along the attack continuum AFTERDURINGBEFORE
- 28. #RSAC BLOCK 28 Types: 1. Perimeter block 2. Internal block Actions: 1. Network ACL 2. BGP black-hole 3. DNS sink-hole What is needed to apply this rule? Matching traffic (5 tuple) Action (Alert, Drop, Deny, Log, Pass, Reject) DNS ACL ACL
- 29. #RSAC 29 TCP, UDP, ICMP, ANY NetworkStructuredCOAType - Block Type
- 30. #RSAC BLOCK 30 Types: 1. Perimeter block 2. Internal block Actions: 1. Network ACL 2. BGP black-hole 3. DNS sink-hole What is needed to apply this rule? Reflect router on which the static route will be applied DNS
- 31. #RSAC BLOCK 31 Types: 1. Perimeter block 2. Internal block Actions: 1. Network ACL 2. BGP black-hole 3. DNS sink-hole What is needed to apply this rule? Custom DNS server DNS
- 32. #RSAC CONTAIN 32 Remediation: 1. VLAN Containment 2. Security Group Tagging What is needed to apply this rule? VLAN Profile VLAN Tag Other requirements Network infrastructure to handle VLANs DNS VLAN 40 VLAN 10 VLAN 10 VLAN 10
- 35. #RSAC CONTAIN 35 Remediation: 1. VLAN Containment 2. Security Group Tagging What is needed to apply This rule? Security Group Profile Security Group Tag Security Group ACL Other requirements Security Group Policy enforcer Network devices that can handle tags DNS SGT 16 SGT 1 SGT 1 SGT 1 SGACL SGT 2
- 36. #RSAC CONTAINMENT TO HONEYNET 36 What is needed to apply this rule? Permissible IP list Traffic description (5 tuple) • Source port, Destination port, Source IP, Destination IP, Protocol Routes • Prefix, next hop, next hop type DNS Honeypot
- 37. #RSAC 37 TCP, UDP, ICMP, ANY ContainType - HoneyPot
- 38. #RSAC INSPECTION ON DEMAND 38 What is needed to achieve this? Inspection profile Inspection Server Encapsulations – GRE, VXLAN etc.
- 39. #RSAC 39 GRE, VXLAN GRE, VXLAN NetworkStructuredCOAType - InspectType
- 40. #RSAC 40 TCP, UDP, ICMP, ANY PacketCaptureType
- 42. #RSAC Threat Analytics API 1. Export incidents in a given time range Workflow 42 Network Controller SIEM Identity Services Engine TIA
- 43. #RSAC Workflow 43 API 2. STIX report for exported incidents with suggested course of actions Threat Analytics Network Controller SIEM Identity Services Engine TIA
- 44. #RSAC Workflow 44 API Threat Analytics Network Controller SIEM Identity Services Engine TIA 3. Trigger response using SIEM
- 45. #RSAC Workflow 45 4. SDN & ISE TD system responds Threat Analytics Network Controller SIEM Identity Services Engine TIA API
- 47. #RSAC Future work 47 Threat Analytics Network Controller SIEM Identity Services Engine TIA API 5. SIEM feeds back COA Taken to TIA 6. TIA updates incident with COA Taken
- 48. #RSAC Summary STIX can be used to recommend actionable responses Machine readable: actionable NetworkStructuredCOA used for investigation, mitigation, and remediation 48
- 49. #RSAC Apply what you have learned In the next week Identify detection and response systems within your organization that could use an actionable CoA Determine if those elements are using STIX Over the next three months Provide feedback to the STIX community Experiment with STIX CoA definition and software 49
- 50. #RSAC Thanks for your attention
- 51. #RSAC STIX extensions <xs:complexType name="NetworkStructuredCOAType" abstract="true”> <xs:extension base="coa:StructuredCOAType"> <xs:choice> <xs:element name="Inspect" type="network_coa:InspectType" minOccurs="0"/> <xs:element name="PacketCapture" type="network_coa:PacketCaptureType" minOccurs="0"/> <xs:element name="Block" type="network_coa:BlockType" minOccurs="0"/> <xs:element name="Contain" type="network_coa:ContainType" minOccurs="0"/> </xs:choice> </xs:extension> </xs:complexType> 51