Prepared By: Alan Magar Sphyrna Security
340 Ridgeside Farm Drive Kanata, Ontario K2W 0A1
PWGSC Contract Number: W7714-08FE01/001/ST Task 33 CSA: Melanie Bernier, Defence Scientist, 613-996-3937
Scientific Authority: Melanie Bernier Defence Scientist
DRDC – CORA Research Centre
The scientific or technical validity of this Contract Report is entirely the responsibility of the Contractor and the contents do not necessarily have the approval or endorsement of the Department of National Defence of Canada.
Contract Report
This Contract Report was produced for the Cyber Decision Making and Response project (05ac) under the DRDC Cyber Operations S&T program.
© Her Majesty the Queen in Right of Canada, as represented by the Minister of National Defence, 2015 © Sa Majesté la Reine (en droit du Canada), telle que représentée par le ministre de la Défense nationale, 2015
Soltra Edge Open Cyber Intelligence Platform Report
prepared for
Defence Research and Development Canada
prepared by
Bell Canada
160 Elgin Street, 17th Floor
Ottawa, Ontario K1S 5N4
Sphyrna Security
340 Ridgeside Farm Drive
Kanata, Ontario K2W 0A1
March 2015
Revision: 1.0 Final
Confidentiality: This document is UNCLASSIFIED.
Authors: Bell / Sphyrna Team
Role: Alan Magar, Security Architect
Revision Control
Revision   Date           Modifications
0.1        12 March 2015  Draft Report
1.0        27 March 2015  Final Report
Soltra Edge Open Cyber Intelligence Platform Revision: 1.0 Final, March 2015, Bell Canada
Table of Contents
1.0 INTRODUCTION ... 1
1.1 BACKGROUND ... 1
1.2 PURPOSE ... 1
1.3 DOCUMENT STRUCTURE ... 2
2.0 TECHNICAL OVERVIEW ... 3
2.1 ARCHITECTURE ... 3
2.2 STANDARDS ... 4
2.2.1 STIX ... 6
2.2.2 TAXII ... 7
2.2.3 TLP ... 8
2.3 CAPABILITIES ... 8
3.0 PRODUCT EVALUATION ... 10
3.1 DEPLOYED ENVIRONMENT ... 10
3.2 CONFIGURED FEEDS ... 11
3.3 ADAPTERS ... 19
3.4 ASSESSMENT ... 22
3.4.1 Release Cycle ... 22
3.4.2 User Community ... 23
3.4.3 Functionality ... 23
3.4.4 Alternatives ... 24
4.0 CONCLUSION & RECOMMENDATIONS ... 26
5.0 ACRONYMS & ABBREVIATIONS ... 27
List of Figures
Figure 1 – Soltra Edge Cyber Intelligence Platform ... 4
Figure 2 – Soltra Edge Upgrade ... 10
Figure 3 – Adding a Site ... 11
Figure 4 – Site Added ... 12
Figure 5 – Unconfigured Feeds ... 13
Figure 6 – Configure Feed ... 14
Figure 7 – Configured Feed ... 14
Figure 8 – Downloaded Feed ... 15
Figure 9 – Indicator Catalog ... 16
Figure 10 – Specific Indicator ... 17
Figure 11 – Observable Catalog ... 18
Figure 12 – Specific Observable ... 19
Figure 13 – Adapters Installed ... 20
Figure 14 – CSV Indicators Import ... 21
Figure 15 – CSV Indicators Preview ... 22
Figure 16 – Soltra Edge STIX/TAXII Integrations ... 24
1.0 Introduction
Cyber threat intelligence has received a great deal of publicity of late. This is not surprising given the number of high profile cyber attacks that have figured prominently in the news over the past year. President Obama recently (February 2015) signed an executive order to improve the sharing of cyber threat information within the private sector and between the private sector and government. Specifically, the executive order enables the Department of Homeland Security (DHS) to share classified intelligence with the private sector and to develop standards to facilitate the sharing of cyber threat information.1 Later the same month, President Obama announced the establishment of a cyber threat intelligence integration center “aimed at coordinating ongoing federal efforts to counter hackers and other cyber threats aimed at the U.S. government and private industry”.2
1.1 Background
The Centre for Operational Research and Analysis (CORA), which is a Defence Research & Development Canada (DRDC) research centre for systems analysis and operational research, is in the process of characterizing threat and building a Department of National Defence (DND)‐specific cyber threat model. The aggregation of cyber threat intelligence information from a variety of reputable sources and the ability to act on this information are likely to be important aspects of the overall cyber threat model being developed.
1.2 Purpose
Soltra Edge is intended to serve as the intelligence hub for an organization, connecting to all threat intelligence communities and providing actionable data back to the organization’s environment for integration with internal security tools/appliances. The intent is that Soltra Edge will allow organizations to receive, store and send cyber security threat intelligence automatically, allowing these organizations to better deploy safeguards against a potential cyber attack.
1 This announcement is mentioned in numerous locations including http://www.politico.com/story/2015/02/obama‐cyberthreat‐executive‐order‐115187.html
2 This announcement is mentioned in numerous locations including http://www.washingtontimes.com/news/2015/feb/25/obama‐create‐new‐cyber‐threat‐center
The purpose of this report is to review and analyze the Soltra Edge Open Cyber Intelligence Platform and its components (Structured Threat Information eXpression (STIX)/Trusted Automated eXchange of Indicator Information (TAXII)).
1.3 Document Structure
This report consists of the following sections:
Section 1.0 – Introduction: provides an overview of the report;
Section 2.0 – Technical Overview: provides a high‐level overview of Soltra Edge including its architecture, standards and capabilities;
Section 3.0 – Product Evaluation: documents the evaluation of the platform, including the deployed environment, configured feeds, adapters and an assessment of the product;
Section 4.0 – Conclusions & Recommendations: summarizes the conclusions and recommendations derived from the development of this report; and
Section 5.0 – Acronyms & Abbreviations: lists the acronyms and abbreviations used throughout this report.
2.0 Technical Overview
The Security Automation Working Group (SAWG) within the Financial Services Information Sharing and Analysis Center (FS‐ISAC) initiated a project code‐named Avalanche to champion the use of standards‐based cyber threat intelligence sharing. In September 2014, FS‐ISAC and the Depository Trust & Clearing Corporation (DTCC) announced a joint effort to “develop and market automation solutions that advance cyber security capabilities and the resilience of critical infrastructure organizations”. The resulting solution, Soltra Edge, is based on the requirements, standards and overall roadmap from the SAWG group within FS‐ISAC. This section of the report will provide a technical overview of the product, including an examination of its architecture, standards and capabilities.
2.1 Architecture
Soltra Edge, which runs on CentOS 6.5 3 and utilizes MongoDB 4 for storage, is administered through a web interface. In terms of cyber threat intelligence services, Soltra Edge can be configured to accept structured (e.g., STIX/TAXII) threat intelligence feeds and other file types through adapters. The threat information can be managed and then exported in STIX format to various STIX‐compatible security tools/appliances including firewalls or proxy servers, Mail Transfer Agents (MTAs) and Security Incident and Event Management (SIEM) systems. It is the security appliances that are responsible for taking the threat information provided by Soltra Edge and acting upon it. For example, a list of malicious URLs could be sent to firewalls/proxy servers, which would then proceed to block traffic originating from those network addresses. The Soltra Edge Cyber Intelligence Platform is illustrated in Figure 1.
3 CentOS is an open source Linux distribution derived from the sources of Red Hat Enterprise Linux (RHEL). Additional information on CentOS can be found at http://www.centos.org
4 MongoDB (from “humongous”) is an open‐source document database, and the leading NoSQL database. Additional information on MongoDB can be found at http://www.mongodb.org
Figure 1 – Soltra Edge Cyber Intelligence Platform
2.2 Standards
Soltra Edge is intended to support a variety of open standards for cyber threat information sharing. Specifically, it currently supports the following standards:
Structured Threat Information eXpression (STIX);
Trusted Automated eXchange of Indicator Information (TAXII); and
Traffic Lightweight Protocol (TLP).
Note – Other Cyber Threat Standards
It should be noted that there are other cyber threat standards that are supported to varying degrees by Soltra Edge. While there are likely many such standards, a few were identified during the development of this report. Interestingly enough, most of these standards have originated in private companies and then transitioned to the open source community to various degrees. The other standards identified include the following:
Common Attack Pattern Enumeration and Classification (CAPEC) – CAPEC is a comprehensive dictionary and classification taxonomy of known attacks that can be used by analysts, developers, testers, and educators to advance community understanding and enhance defences;
Cyber Information Sharing and Collaboration Program (CISCP) 5 – The Critical Infrastructure and Key Resource (CIKR) CISCP is a DHS program to improve the security posture of organizations by providing threat data in the form of indicator bulletins, analysis bulletins, alert bulletins and recommended practices to participating organizations. It should be noted that Soltra Edge supports the conversion of CISCP indicators to a STIX list through the use of an adapter;
Cyber Observable eXpression (CybOX) 6 – CybOX is a standardized schema for the specification, capture, characterization, and communication of events or stateful properties that are observable in the operational domain. It should be noted that STIX uses CybOX language to describe observables;
Malware Attribute Enumeration and Characterization (MAEC) 7 – MAEC is a standardized language for encoding and communicating high‐fidelity information about malware based upon attributes such as behaviours, artefacts, and attack patterns. It should be noted that STIX can describe malware using MAEC characterizations through the use of the MAEC schema extension;
OpenIOC 8 9 – OpenIOC is an extensible XML schema for the description of technical characteristics that identify a known threat, an attacker’s methodology, or other evidence of compromise. It should be noted that STIX provides a default extension for OpenIOC; and
Open Threat eXchange (OTX) 10 – OTX is an open threat information sharing and analysis network that provides real‐time, actionable cyber threat information.
5 Additional information on CISCP can be found at http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2013‐06/ispab_june2013_menna_ciscp_one_pager.pdf
6 Additional information on CybOX can be found at https://cybox.mitre.org and https://github.com/CybOXProject
7 Additional information on MAEC can be found at http://maec.mitre.org and http://maecproject.github.io
8 IOC stands for Indicators of Compromise
9 Additional information on OpenIOC can be found at http://www.openioc.org
10 Additional information on OTX can be found at https://www.alienvault.com/open‐threat‐
2.2.1 STIX
STIX 11 is a collaborative community‐driven effort to define and develop a standardized language to represent structured cyber threat information. STIX characterizes an extensive set of cyber threat information, to include indicators of adversary activity (e.g., IP addresses and file hashes) as well as additional contextual information regarding threats (e.g., adversary Tactics, Techniques and Procedures [TTPs]; exploitation targets; Campaigns; and Courses of Action [COA]) that together more completely characterize the cyber adversary’s motivations, capabilities, and activities, and thus, how to best defend against them.12 STIX, which is XML‐based, is sponsored by the office of Cybersecurity and Communications at the DHS. Soltra Edge supports the latest version (version 1.1.1) of STIX, including all 1.1.1 objects. Since STIX basically provides a common language for describing cyber threat information so that it can be automatically shared, stored and used consistently, the following STIX definitions 13 have been included in the report:
Observable ‐ An Observable is an event or stateful property that is observed or may be observed in the operational cyber domain, such as a registry key value, an IP address, deletion of a file, or the receipt of an http GET. STIX uses Cyber Observable eXpression (CybOX) to represent Observables;
Indicator ‐ An Indicator is a pattern of relevant observable adversary activity in the operational cyber domain along with contextual information regarding its interpretation (e.g., this domain has been compromised, this email is spoofed, this file hash is associated with this trojan, etc.), handling, etc. An Observable pattern captures what may be seen; the Indicator enumerates why this Observable pattern is of interest;
Incident ‐ An Incident is a set of related system and network activity that is associated with the same adversary activity and/or attack along with contextual information such as who is involved, when it occurred, what was affected, what was the impact, what actions were taken in response, etc.;
TTP ‐ Tactics, Techniques and Procedures are a representation of the behaviour or modus operandi of a cyber adversary including the use of particular attack patterns, malware, exploits, tools, infrastructure, or the targeting of particular victims;
ExploitTarget ‐ An ExploitTarget is something about a potential victim that may make them susceptible to a particular adversary TTP (e.g., a system vulnerability, weakness or configuration issue);
CourseOfAction ‐ A CourseOfAction captures a particular action that could be taken to prevent, mitigate or remediate the effects of a given cyber threat. These actions could be remedial to proactively address known issues a priori or could be responses to specific adversary activity;
Campaign ‐ A Campaign is a set of related adversary activity, to include TTPs, indicators, exploit targets, and incidents. It characterizes the modus operandi of a particular adversary in executing a particular intent; and
ThreatActor ‐ A ThreatActor is a cyber adversary and his or her known characteristics. It is who is perpetrating the cyber attacks.
11 Additional information on STIX can be found at https://stix.mitre.org and https://github.com/STIXProject Samples of STIX content can be found at https://stix.mitre.org/language/version1.0.1/samples.html
12 https://stix.mitre.org/about/faqs.html#A1
13 These definitions are STIX language definitions that were taken directly from
2.2.2 TAXII
TAXII 14 defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organization and product/service boundaries. Specifically, TAXII defines an XML data format and message protocols (Hypertext Transfer Protocol (HTTP)/Hypertext Transfer Protocol Secure (HTTPS)) for transporting STIX information. TAXII is sponsored by the office of Cybersecurity and Communications at the DHS. Soltra Edge supports the latest version (version 1.1) of TAXII.
14 Additional information on TAXII can be found at https://taxii.mitre.org and
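The TAXII 1.1 exchange behind a feed poll, shown with both the consumer's Poll_Request and the server's Poll_Response, as an added example that is not code from this report or from Soltra. The collection name, message ids and the package inside the reply are constructed; the namespace, binding ids and HTTP headers are those defined by the TAXII 1.1 XML and HTTP bindings.

```python
# Added example, not code from the report or from Soltra: the TAXII 1.1 Poll
# exchange behind "poll now" on a configured feed. The consumer builds the
# Poll_Request; the Poll_Response is a constructed sample of a server reply.
# Collection name, message ids and the package inside it are assumptions.
import uuid
import xml.etree.ElementTree as ET

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
STIX_BINDING = "urn:stix.mitre.org:xml:1.1.1"
ET.register_namespace("taxii_11", TAXII_NS)
ET.register_namespace("stix", "http://stix.mitre.org/stix-1")

# HTTP headers a TAXII 1.1 client sends alongside an XML-encoded message.
TAXII_HEADERS = {
    "Content-Type": "application/xml",
    "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:http:1.0",
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
}


def taxii(tag):
    """Clark-notation tag name in the TAXII 1.1 message namespace."""
    return "{%s}%s" % (TAXII_NS, tag)


def build_poll_request(collection, begin_ts=None, message_id=None):
    """Build a Poll_Request for *collection*; returns (message_id, xml_text).

    begin_ts (exclusive, ISO 8601) asks only for content newer than the last
    successful poll, which is how an automatic feed update avoids re-pulling.
    """
    message_id = message_id or str(uuid.uuid4())
    root = ET.Element(taxii("Poll_Request"),
                      {"message_id": message_id, "collection_name": collection})
    if begin_ts:
        ET.SubElement(root, taxii("Exclusive_Begin_Timestamp")).text = begin_ts
    params = ET.SubElement(root, taxii("Poll_Parameters"), {"allow_asynch": "false"})
    ET.SubElement(params, taxii("Response_Type")).text = "FULL"
    ET.SubElement(params, taxii("Content_Binding"), {"binding_id": STIX_BINDING})
    return message_id, ET.tostring(root, encoding="unicode")


# Constructed server reply; {req_id} is filled with the request's message_id.
# The second block uses a made-up binding id to show non-STIX content being skipped.
SAMPLE_RESPONSE = """<taxii_11:Poll_Response
    xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
    message_id="9001" in_response_to="{req_id}" collection_name="emerging_threats"
    more="false" result_id="r-1">
  <taxii_11:Record_Count partial_count="false">1</taxii_11:Record_Count>
  <taxii_11:Content_Block>
    <taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1.1"/>
    <taxii_11:Content>
      <stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
          id="example:package-1" version="1.1.1"/>
    </taxii_11:Content>
    <taxii_11:Timestamp_Label>2015-02-24T00:00:00Z</taxii_11:Timestamp_Label>
  </taxii_11:Content_Block>
  <taxii_11:Content_Block>
    <taxii_11:Content_Binding binding_id="urn:example:binding:not-stix"/>
    <taxii_11:Content>opaque</taxii_11:Content>
  </taxii_11:Content_Block>
</taxii_11:Poll_Response>"""


def parse_poll_response(xml_text, expected_in_response_to):
    """Check the reply answers our request and return (more, [stix_xml, ...]).

    Blocks whose Content_Binding is not STIX 1.1.1 are skipped; ValueError is
    raised if the message is not a Poll_Response or fails correlation.
    """
    root = ET.fromstring(xml_text)
    if root.tag != taxii("Poll_Response"):
        raise ValueError("unexpected TAXII message: " + root.tag)
    if root.get("in_response_to") != expected_in_response_to:
        raise ValueError("reply does not correlate with our Poll_Request")
    more = root.get("more", "false").lower() == "true"
    packages = []
    for block in root.iterfind(taxii("Content_Block")):
        binding = block.find(taxii("Content_Binding"))
        if binding is None or binding.get("binding_id") != STIX_BINDING:
            continue
        content = block.find(taxii("Content"))
        # Content carries the STIX package as a child element, not as text.
        for child in (content if content is not None else []):
            packages.append(ET.tostring(child, encoding="unicode"))
    return more, packages


def poll_once(collection="emerging_threats", since="2015-02-23T00:00:00Z"):
    """One poll round trip against the constructed reply."""
    msg_id, _request = build_poll_request(collection, begin_ts=since)
    return parse_poll_response(SAMPLE_RESPONSE.format(req_id=msg_id), msg_id)
```

A real client would POST the request text with TAXII_HEADERS to the collection's poll service over HTTPS and loop while `more` is true; the correlation check is what stops a stray or replayed reply from being ingested as if it answered this poll.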
2.2.3 TLP
TLP 15, which was developed by the U.S. Computer Emergency Readiness Team (US‐CERT), is a simple standard that is used to control the dissemination of shared data. It uses four distinct colours to distinguish how the information may be shared. Data that is tagged white can be distributed without restriction. Data that is tagged green can be shared within the community, but not publicly. Data that is tagged amber can only be shared within an organization. Data that is tagged red cannot be shared. TLP has been adopted within Soltra Edge to allow automated filtering of data by sensitivity level and for user access control.
2.3 Capabilities
Soltra Edge is intended to be an aggregator of cyber threat intelligence information and the primary data store for structured intelligence within an organization. Consequently, it is intended to accept cyber intelligence feeds, in the form of STIX/TAXII feeds, from a variety of sources including the following:
Commercial Feeds – Commercial feeds are feeds that are purchased from professional intelligence providers;
Organizational Feeds – Organizational feeds are feeds that exist within the organizational environment;
Open Source Feeds – Open source feeds are Open Source Intelligence (OSINT) feeds provided by the open source community;
Community Feeds – Community feeds are feeds provided by business partners, associates, sharing communities or Information Sharing and Analysis Centers (ISACs); and
Government Feeds – Government feeds are typically provided by the federal government for the benefit of private industry.
Soltra Edge is also capable of manually importing threat information using the web interface from a Comma‐Separated Values (CSV) file, a STIX file or CISCP indicators. In addition, organizations can export data from Soltra Edge in STIX formatted XML. Soltra has also demonstrated the creation of SNORT 16 rules from threat intelligence data. This was accomplished using a SNORT adapter that has yet to be released.
15 Additional information on TLP can be found at https://www.us‐cert.gov/tlp
16 SNORT is an open source, lightweight network intrusion detection system. Additional information on SNORT can be found at https://www.snort.org
3.0 Product Evaluation
This section will document the results of the product evaluation performed. Specifically, this section will describe the deployed environment, configuring feeds, installing adapters, and an assessment of the solution.
3.1 Deployed Environment
Soltra Edge was downloaded and deployed as a VMware Virtual Machine (VM) in a virtualized lab environment. The initial evaluation was of Soltra Edge 2.1, which was available for download as of 6 February 2015. However, version 2.1.1 of Soltra Edge was released on 24 February 2015. The deployed environment was upgraded to this version so that the evaluation could be completed on the latest release. Version 2.1.1 contains many security updates as well as fixes from member identified bugs. It is worth mentioning that the upgrade process, which is accomplished using yum, was seamless. The successful upgrade of the Soltra Edge can be seen as Figure 2.
Figure 2 – Soltra Edge Upgrade
3.2 Configured Feeds
Soltra recommends configuring two STIX/TAXII feeds in order to start experimenting with their product. Unfortunately, one of the two recommended feeds, FS‐ISAC intelligence, is only available to the FS‐ISAC membership. The remaining feed, Hail a TAXII.com, is a repository of Open Source Cyber Threat Intelligence feeds in STIX format. This section of the report will document the steps necessary to configure this feed on Soltra Edge.
The first step in the process of configuring a feed is to add a site. In this case, the Hailataxii.com site was added as illustrated in Figure 3. The Add Site window is accessible through Admin – Sites – Add Site. Figure 4 shows that the site has been added but that no feeds from the site have been configured.
Figure 3 – Adding a Site
Figure 4 – Site Added
The next step is to configure feeds from the remote site. Figure 5 shows the ten unconfigured feeds available from the hailataxii site. One merely clicks to configure the feed of choice. In this case, the emerging threats feed was selected for configuration. Feeds can be set to update automatically or manually. This is illustrated in Figure 6.
Figure 5 – Unconfigured Feeds
The configured feed can be seen in Figure 7. By clicking on “poll now” the latest threat intelligence information can be downloaded for this feed. The successful completion of this operation can be seen in Figure 8.
Figure 6 – Configure Feed
Figure 7 – Configured Feed
Figure 8 – Downloaded Feed
Once a site has been added, a feed configured and the threat intelligence information downloaded for the feed, an examination of the threat intelligence information is possible. Soltra Edge allows administrators to browse the catalog of objects by any of the STIX parameters (discussed in Section 2.2.1) including campaigns, courses of action, exploit targets, incidents, indicators, observables, packages, threat actors and TTPs.
For example, the indicator catalog, which is simply a list of indicators from the configured feeds, can be seen in Figure 9. The reader will note that of the indicators listed in Figure 9, all but one are domain watchlist or URL watchlist indicators. The remaining indicator is an IP watchlist indicator. Most indicators are used to denote domains or IPs that have been compromised. Consequently, this information could be used to update firewalls and proxy servers. For each of the indicators listed in the catalog, there is additional information available. A specific indicator can be seen in Figure 10. Apparently, this site is being used as a command and control site for Athena malware.17
The observable catalog, which is simply a list of observables from the configured feeds, can be seen in Figure 11. The reader will note that there are three types of observables listed in Figure 11: DomainNameObjectType, URIObjectType and AddressObjectType. Most observables are used to denote observed events in the operational cyber domain. A specific observable can be seen in Figure 12. Unfortunately, aside from a domain name for a botnet site there is no additional information available. This lack of additional information was standard across the observables listed in the catalog from the Hail a TAXII.com feed.
17 A description of the Athena malware is available at http://www.arbornetworks.com/asert/2013/11/athena‐a‐ddos‐malware‐odyssey
Figure 9 – Indicator Catalog
Figure 10 – Specific Indicator
Figure 11 – Observable Catalog
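Serving Sections 2.2.1, 2.2.3 and 3.2 together, as an added example that is not code from this report or from Soltra: a small export step that reads a STIX 1.1.1 package, pulls out the domain, URL and IP watchlist indicators the evaluation found in the Hail a TAXII feed, and applies the package's TLP colour as the report describes it before anything reaches a firewall or proxy. The package, its ids and its values are constructed; the namespaces, xsi types and indicator type strings are the published STIX 1.1.1 and CybOX ones.

```python
# Added example, not code from the report or from Soltra: parse a constructed
# STIX 1.1.1 package, extract watchlist indicators and honour its TLP marking.
import xml.etree.ElementTree as ET

NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
    "URIObj": "http://cybox.mitre.org/objects#URIObject-1",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-1",
    "marking": "http://data-marking.mitre.org/Marking-1",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Audience per colour as the report describes TLP; unknown colours count as red.
TLP_AUDIENCE = {
    "WHITE": {"public", "community", "organization"},
    "GREEN": {"community", "organization"},
    "AMBER": {"organization"},
    "RED": set(),
}

# CybOX property holding each watchlist value, and the device that would consume it.
WATCHLISTS = {
    "Domain Watchlist": ("DomainNameObj:Value", "firewall"),
    "URL Watchlist": ("URIObj:Value", "proxy"),
    "IP Watchlist": ("AddressObj:Address_Value", "firewall"),
}

# Constructed sample package (not real feed data), marked TLP GREEN.
SAMPLE_PACKAGE = """<stix:STIX_Package id="example:package-1" version="1.1.1"
  xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2"
  xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
  xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-1"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-1"
  xmlns:marking="http://data-marking.mitre.org/Marking-1"
  xmlns:tlpMarking="http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1">
  <stix:STIX_Header>
    <stix:Handling>
      <marking:Marking>
        <marking:Controlled_Structure>//node() | //@*</marking:Controlled_Structure>
        <marking:Marking_Structure xsi:type="tlpMarking:TLPMarkingStructureType" color="GREEN"/>
      </marking:Marking>
    </stix:Handling>
  </stix:STIX_Header>
  <stix:Indicators>
    <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Type>Domain Watchlist</indicator:Type>
      <indicator:Observable><cybox:Object>
        <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType"><DomainNameObj:Value>c2.example.invalid</DomainNameObj:Value></cybox:Properties>
      </cybox:Object></indicator:Observable>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
      <indicator:Type>URL Watchlist</indicator:Type>
      <indicator:Observable><cybox:Object>
        <cybox:Properties xsi:type="URIObj:URIObjectType" type="URL"><URIObj:Value>http://c2.example.invalid/gate.php</URIObj:Value></cybox:Properties>
      </cybox:Object></indicator:Observable>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-3" xsi:type="indicator:IndicatorType">
      <indicator:Type>IP Watchlist</indicator:Type>
      <indicator:Observable><cybox:Object>
        <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr"><AddressObj:Address_Value>192.0.2.10</AddressObj:Address_Value></cybox:Properties>
      </cybox:Object></indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""


def package_tlp(xml_text):
    """Return the package-level TLP colour (upper-case), or None if unmarked."""
    root = ET.fromstring(xml_text)
    path = "stix:STIX_Header/stix:Handling/marking:Marking/marking:Marking_Structure"
    for ms in root.iterfind(path, NS):
        if ms.get("{%s}type" % NS["xsi"], "").endswith("TLPMarkingStructureType"):
            return ms.get("color", "").upper()
    return None


def watchlist_indicators(xml_text):
    """Yield (indicator type, value, device) for every watchlist indicator."""
    root = ET.fromstring(xml_text)
    for ind in root.iterfind("stix:Indicators/stix:Indicator", NS):
        itype = ind.findtext("indicator:Type", default="", namespaces=NS).strip()
        if itype not in WATCHLISTS:
            continue  # other indicator types are context, not something a device blocks
        value_path, device = WATCHLISTS[itype]
        props = ind.find("indicator:Observable/cybox:Object/cybox:Properties", NS)
        value = props.findtext(value_path, default="", namespaces=NS).strip() if props is not None else ""
        if value:
            yield itype, value, device


def export_for(xml_text, destination):
    """Return {device: [values]} the TLP marking permits for *destination*.

    destination is "public", "community" or "organization". An unmarked or
    unknown colour exports nothing, so the adapter fails closed.
    """
    if destination not in TLP_AUDIENCE.get(package_tlp(xml_text), set()):
        return {}
    lists = {}
    for _itype, value, device in watchlist_indicators(xml_text):
        lists.setdefault(device, []).append(value)
    return lists
```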
Figure 12 – Specific Observable
3.3 Adapters
Soltra has made available two adapters for download on their site. One adapter supports the conversion of CISCP indicators to a STIX list, while the other allows for the import of CSV‐based threat information. The two adapters were both installed successfully (see Figure 13). However, we were unable to test the CISCP adapter as no CISCP indicator file has been made available for testing. Apparently, US‐CERT files are classified TLP Amber meaning that they cannot be shared publicly. In addition, the CSV adapter failed to import the CSV test file provided. It resulted in an adapter error. Although this problem has been reported to Soltra (by three other members of the forum under two separate forums), at the time of writing this problem had yet to be resolved by Soltra staff. The lack of resolution for this issue is somewhat surprising given that Soltra staff are usually extremely responsive in resolving outstanding issues. The import and preview of the CSV indicators test file can be seen in Figure 14 and Figure 15 respectively.
Figure 13 – Adapters Installed
Figure 14 – CSV Indicators Import
Figure 15 – CSV Indicators Preview
3.4 Assessment
This section of the report will assess Soltra Edge in terms of the following:
Release Cycle;
User Community;
Functionality; and
Alternatives.
3.4.1 Release Cycle
Soltra Edge will eventually be released in two versions; a free community version and a paid version. The free community version, which is the version that is currently available for download, will contain “the features most needed by many organizations”. This version of Soltra Edge has undergone a number of release cycles in a relatively short period of time, demonstrating Soltra’s commitment to the product. Version 2.0 was released on 4 December 2014, version 2.1 on 6 February 2015 and version 2.1.1 on 24 February 2015. The paid version, which will presumably be released once the product has matured, will “support the requirements of larger entities”. In all likelihood this will create a two‐tiered solution in which users of the community version are forced to upgrade to the paid version to take advantage of additional functionality.
3.4.2 User Community
The Soltra Edge user community currently has 1720 members who have made in excess of eight hundred posts on the Soltra forum.18 Given the relative infancy of the product these numbers are quite impressive. Furthermore, the Soltra staff (technical and business) are quite responsive in addressing both technical problems and business‐related issues.
3.4.3 Functionality
In terms of functionality, Soltra Edge is currently hindered by its close integration with STIX/TAXII, given the lack of available threat intelligence feeds in this format and the relatively few security tools/appliances supporting these standards. A list of intelligence providers and security tool vendors that have validated STIX/TAXII implementations and integration with Soltra Edge is available on the Soltra site.19 Unfortunately, the list, which was last updated on 18 December 2014, is not extensive. The list has also been included as Figure 16. However, it is worth mentioning that the functionality Soltra Edge currently provides in terms of supporting/configuring STIX/TAXII feeds and aggregating/storing threat intelligence information seems to work quite well. Furthermore, the product is quite stable and quite easy to use.
18 The Soltra Edge forum is available at https://forums.soltra.com
19 The Soltra Edge STIX/TAXII integrations list is available at https://forums.soltra.com/index.php?/topic/196‐vendor‐stix‐taxii‐integrations/
Figure 16 ‐ Soltra Edge STIX/TAXII Integrations
3.4.4 Alternatives
This report would be remiss if it did not mention cyber threat intelligence platform alternatives. Specifically, this section of the report will provide a brief overview of the following alternatives to Soltra Edge:
Microsoft Interflow;
ThreatConnect; and
Vorstack Automation and Collaboration Platform (ACP).
3.4.4.1 Microsoft Interflow
Microsoft announced 20 their security and threat information exchange platform for professionals working in cybersecurity, called Microsoft Interflow 21, in June 2014. Unfortunately, since that date there has been very little additional information provided except that the platform is currently available for private preview. Interflow uses industry specifications to create an automated, machine‐readable feed of threat and security information that can be shared across industries and groups in near real‐time. The goal of the platform is to help security professionals respond more quickly to threats. It will also help reduce cost of defense by automating processes that are currently performed manually.22 In terms of industry specifications, Interflow will support STIX, TAXII and CybOX. It will also provide a means to feed threat and security information into firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and SIEMs. Interflow will run on the Microsoft Azure public cloud. While the data feeds will be free, organizations will require an Azure subscription to receive them.
20 This announcement can be found in many places including http://www.darkreading.com/analytics/threat‐intelligence/microsoft‐unveils‐new‐intelligence‐sharing‐platform/d/d‐id/1278781 and http://blogs.technet.com/b/msrc/archive/2014/06/23/announcing‐microsoft‐interflow.aspx
21 Additional information on the Microsoft Interflow Platform can be found at https://technet.microsoft.com/en‐us/library/dn750892.aspx
3.4.4.2 ThreatConnect
ThreatConnect 23 is a threat intelligence platform that allows an organization to aggregate, analyze, and act on all of the threat intelligence data it receives. While ThreatConnect supports the ingest of multiple data formats, including emerging standards such as STIX, the focus seems to be on integration with commercial threat intelligence feeds (e.g., CrowdStrike’s Falcon Intelligence, iSIGHT’s ThreatScape, Wapack Labs ThreatRecon) and products. There is a free community version, along with three paid versions (basic, team and enterprise) of the product. ThreatConnect also supports a variety of deployment models, including on‐premises, private cloud and public cloud.
3.4.4.3 Vorstack ACP
Vorstack ACP 24 connects to third‐party (e.g., HP ArcSight, IBM QRadar, RSA Security Analytics, Splunk) SIEM and security log management tools to automate the ingestion, querying and reporting of threat intelligence data. Specifically, Vorstack ACP can automate the queries against these log management and analytics tools and then correlate the responses against other data points. The product supports STIX/TAXII, even providing a bridge to other software (e.g., Hadoop) so that the software doesn’t have to support the standards directly.
22 http://blogs.technet.com/b/msrc/archive/2014/06/23/announcing‐microsoft‐interflow.aspx
23 Additional information on ThreatConnect can be found at http://www.threatconnect.com
24 Additional information on Vorstack ACP can be found at https://vorstack.com
4.0 Conclusion & Recommendations
The Centre for Operational Research and Analysis (CORA), which is a Defence Research & Development Canada (DRDC) research centre for systems analysis and operational research, is in the process of characterizing threat and building a Department of National Defence (DND)‐specific cyber threat model. The aggregation of cyber threat intelligence information from a variety of reputable sources and the ability to act on this information are likely to be important aspects of the overall cyber threat model being developed. Soltra Edge is intended to serve as the intelligence hub for an organization, connecting to all threat intelligence communities and providing actionable data back to the organization’s environment for integration with internal security tools/appliances. The intent is that Soltra Edge will allow organizations to receive, store and send cyber security threat intelligence automatically, allowing these organizations to better deploy safeguards against a potential cyber attack. To realize these goals, Soltra Edge has been designed to support the STIX/TAXII standards almost exclusively. While this may prove to be the prudent long‐term approach, as these standards seem to be getting a considerable amount of traction, it does limit what can be accomplished in the short‐term due to the lack of STIX/TAXII threat intelligence feeds and STIX/TAXII‐compliant security tools/appliances. It is anticipated that as Soltra Edge matures it will increase its support for commercial feeds and security tools/appliances, thus improving its overall utility as the central threat intelligence hub for an organization.
This report makes the following recommendations:
DRDC should continue to actively monitor Soltra Edge and STIX/TAXII development;
DRDC should review and analyze the community version of ThreatConnect to ascertain how it compares to Soltra Edge; and
DRDC should implement a virtualized, cyber threat intelligence proof‐of‐concept to demonstrate cyber threat intelligence capabilities and how they can be used to automatically configure an organization’s security tools/appliances to thwart a cyber attack.
5.0 Acronyms & Abbreviations
ACP  Automation and Collaboration Platform
CAPEC  Common Attack Pattern Enumeration and Classification
CERT  Computer Emergency Readiness Team
CIKR  Critical Infrastructure and Key Response
CISCP  Cyber Information Sharing and Collaboration Program
COA  Courses of Action
CORA  Centre for Operational Research and Analysis
CSV  Comma Separated Values
CybOX  Cyber Observable eXpression
DHS  Department of Homeland Security
DRDC  Defence Research & Development Canada
DTCC  Depository Trust & Clearing Corporation
FS‐ISAC  Financial Services Information Sharing and Analysis Center
HTTP  Hypertext Transfer Protocol
HTTPS  Hypertext Transfer Protocol Secure
IDS  Intrusion Detection System
IOC  Indicators of Compromise
IPS  Intrusion Prevention System
ISAC  Information Sharing and Analytics Center
MTA  Mail Transfer Agent
OSINT  Open Source Intelligence
OTX  Open Threat eXchange
RHEL  Red Hat Enterprise Linux
SAWG  Security Automation Working Group
SIEM  Security Incident and Event Management
STIX  Structured Threat Information eXpression
TAXII  Trusted Automated eXchange of Indicator Information
TLP  Traffic Lightweight Protocol
TTPs  Tactics, Techniques and Procedures
VM  Virtual Machine