Threat Intelligence: STIX and Stones Will Break Your Foes


(1)

Copyright © 2014 Splunk Inc.

Fred Wilmot
Director, Global Security Practice

Brad Lindow
a.k.a. Superman, Global Security Strategist, Splunk

Threat Intelligence: STIX and Stones Will Break Your Foes

(2)

Disclaimer

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to

(3)

Fred Wilmot | Director, Global Security Practice
(fred|Securityczar)@splunk.com

• Strategy
  § Drives Security Practice strategy globally
  § Works on Splunk's hardest security use cases
  § Visualization and analytics using Splunk
  § Solves strategic product/implementation challenges
• Research
  § Digital forensics / assessment tools
  § Social risk / user behavior modeling
  § ML / advanced statistical analysis
  § Threat intelligence
• Product
  § Influences product strategy for security content and features in the field and through the factory

"Electric Mayhem" @fewdisc

(4)

Brad Lindow | Global Security Strategist
[email protected]

Former attorney, currently attending SecPrax Legal... Dr. Strangepork
Worked with some of the largest computing environments in the world: Orbitz, Department of Commerce, consulting organizations, and Sears

Global Security Strategist for Splunk
Drives customer success and security innovation around Splunk's products, customers, partners and the worldwide security community.

Research
• Threat Intelligence
• Enterprise Security
• Hadoop security use cases
• Minister of Justice

(5)

Agenda

• Threat intelligence today
• Challenges with today's threat intelligence
• What should next generation threat intelligence look like?
• How can you utilize these threat intelligence sources despite their complexity?
• SPLICE - Splunk's solution for IOC threat intelligence
• SPLICE demo

(6)

Today's Threat Landscape

• You've all heard this many times before (and you probably live it), but:
  – Bad guys are getting more sophisticated and organized
  – It's getting increasingly difficult to defend
  – Tools, tactics and procedures change during the course of campaign attacks
• We need to move quicker and share information
  – Bad guys are watching us and we need to be "watching" them
  – Threat intelligence is old in a week
  – Triaging multiple sources of threat intel makes them hard to action on YOUR data

(7)

Current Threat Intelligence

• Some intelligence sharing is happening, but:
  – Limited in detail and simplistic (lists, spreadsheets)
  – Human readable only
  – Derived from various sources (.xls, .PDF, RSS, XML objects, e-mail)
  – Intel not leveraged fast enough in the SOC
  – Not leveraged historically AND in real time
  – Requires manicuring (watchlists aren't good forever)
  – No context linking one indicator to any other
  – Shortage of talented analysts reduces kill chain visibility

Watchlists of 10,000 IP addresses or hashes are not enough; we need context...

(8)

External Threat Intelligence Sources

• OSINT
• Dell SecureWorks
• Verisign iDefense
• Symantec Deepsight
• McAfee Threat Intelligence
• SANS
• CVEs, CWEs, OSVDB (vulns)
• iSight Partners
• ThreatStream
• OpenDNS
• Palo Alto Wildfire
• Crowdstrike
• AlienVault OTX
• RecordedFuture
• Team Cymru
• ISACs / US-CERT
• FireEye/Mandiant
• Vorstack
• cyberUnited
• Norse IPViking/Darklist

(9)

Internal Threat Intelligence Sources

• Directory user information (personal e-mail, access, user privilege, start/end date)
• Proxy information (content)
• DLP & business unit risk (trade secrets / IP-sensitive docs)
• IT case history / ticket tracking
• Malware detection / AV alerts
• Sensitive business roles
• Application usage & consumption events (in-house)
• Database usage / access monitoring (privileged)
• Entitlements / access outliers (in-house)
• User behavior association based on geography, frequency, uniqueness, and privilege

(10)

Challenges Interacting with Threat Intel

[Slide graphic: comparison of threat intelligence formats; only the axis label "Most complete" survived extraction]

(11)

Next Generation Threat Intelligence

• In today's threat landscape, threat intelligence using structured indicators of compromise (IOC) should enable:
  – Automatic consumption and parsing (at least largely)
  – Shareable IOCs, internally and externally
  – Normalization of key indicators
  – Contextual enrichment for data in Splunk
  – Creation of STIX objects from internal threat intelligence and incidents
  – Efficient use of internal threat intelligence as context sources
  – Multiple chains of indicators increase urgency for investigation
  – Indicators with deeper meaning than a list of IP addresses

(12)

Threat Intelligence "Standards"

• STIX - Structured Threat Information eXpression
  – A standardized language utilizing XML to represent structured cyber threat information. Conveys the full range of potential cyber threat information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible.
• TAXII - Trusted Automated eXchange of Indicator Information
  – Transport mechanism for cyber threat information represented as STIX. Through the use of TAXII services, organizations can share cyber threat information in a secure and automated manner.
• OpenIOC – Open sourced schema from Mandiant
  – An extensible XML schema that enables you to describe the technical characteristics that

(13)

Interacting with IOCs in Splunk

[Slide graphic: landscape of IOC standards and formats; only the labels MILE and VERIS survived extraction]

(14)

Interacting with threat IOCs in Splunk (current)

[Slide graphic with three callouts:]
– Start with the most widely adopted...
– Predominant in confidential information-sharing associations...
– Predominant in the vendor and researcher world: lots of useful data available on the public internet...

(16)

Example of STIX object

...
<stix:Observables cybox_major_version="2" cybox_minor_version="1">
  <cybox:Observable id="mandiant:observable-b7013416-7e77-4078-a0bd-a33b49c7cb2f">
    <cybox:Object>
      <cybox:Properties xsi:type="FileObj:FileObjectType">
        <FileObj:Hashes>
          <cyboxCommon:Hash>
            <cyboxCommon:Type>MD5</cyboxCommon:Type>
            <cyboxCommon:Simple_Hash_Value>b305b543da332a2fcf6e1ce55ed2ea79</cyboxCommon:Simple_Hash_Value>
          </cyboxCommon:Hash>
        </FileObj:Hashes>
      </cybox:Properties>
    </cybox:Object>
  </cybox:Observable>
  <cybox:Observable id="mandiant:observable-749eea4e-2812-4b4d-bba9-4292bedc05a2">
...
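As an added example that is not part of the original deck and not SPLICE's or Splunk's code, the Python below does the "parse and keep the atomic indicators" step on a STIX 1.1 package using only the standard library. The slide's own package is an excerpt, so the package here is constructed for the example; the hash, domain, URL and address values are the ones the deck uses as examples, the object ids are made up, and the value_type names other than "ipv4-addr" (which SPLICE's own commands use) are assumptions.

```python
# Added example, not SPLICE's or Splunk's code: extract the atomic indicators
# (hashes, file names, IP addresses, domains, URLs) from a STIX 1.1 package
# using only the standard library. SAMPLE_STIX is constructed for this example;
# the value_type names other than "ipv4-addr" are assumptions, not SPLICE's.
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

SAMPLE_STIX = """<stix:STIX_Package id="example:Package-1" version="1.1"
  xmlns:stix="http://stix.mitre.org/stix-1" xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
  xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
  xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <stix:Observables cybox_major_version="2" cybox_minor_version="1">
  <cybox:Observable id="example:Observable-1"><cybox:Object id="example:Object-1">
   <cybox:Properties xsi:type="FileObj:FileObjectType">
    <FileObj:File_Name>virus.exe</FileObj:File_Name>
    <FileObj:Hashes><cyboxCommon:Hash><cyboxCommon:Type>MD5</cyboxCommon:Type>
     <cyboxCommon:Simple_Hash_Value>64EF07CE3E4B420C334227EECB3B3F4C</cyboxCommon:Simple_Hash_Value>
    </cyboxCommon:Hash></FileObj:Hashes>
   </cybox:Properties></cybox:Object></cybox:Observable>
  <cybox:Observable id="example:Observable-2"><cybox:Object id="example:Object-2">
   <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
    <AddressObj:Address_Value>1.2.3.4</AddressObj:Address_Value>
   </cybox:Properties></cybox:Object></cybox:Observable>
  <cybox:Observable id="example:Observable-3"><cybox:Object id="example:Object-3">
   <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType" type="FQDN">
    <DomainNameObj:Value>Malicious1.Example.com</DomainNameObj:Value>
   </cybox:Properties></cybox:Object></cybox:Observable>
  <cybox:Observable id="example:Observable-4"><cybox:Object id="example:Object-4">
   <cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
    <URIObj:Value>http://malicious1.example.com/clickme.html</URIObj:Value>
   </cybox:Properties></cybox:Object></cybox:Observable>
 </stix:Observables>
</stix:STIX_Package>"""


def local(tag):
    """'{namespace}Name' -> 'Name', so the prefix a feed chose does not matter."""
    return tag.rsplit("}", 1)[-1]


def first_text(elem, name):
    """Stripped text of the first descendant with local name `name`, or None."""
    for node in elem.iter():
        if local(node.tag) == name and node.text and node.text.strip():
            return node.text.strip()
    return None


def extract_atomic_indicators(stix_xml):
    """Return [{'object_id', 'value_type', 'value'}, ...] for every CybOX Object
    whose Properties are one of the four object types SPLICE handles. Hashes and
    host names are lower-cased so a feed's formatting cannot hide a match; any
    other object type (or a composite observable) is skipped, not guessed at."""
    out = []

    def add(object_id, value_type, value):
        if value:
            out.append({"object_id": object_id, "value_type": value_type, "value": value})

    for obj in ET.fromstring(stix_xml).iter():
        if local(obj.tag) != "Object":
            continue
        props = next((c for c in obj if local(c.tag) == "Properties"), None)
        if props is None:
            continue
        oid = obj.get("id", "")
        kind = props.get(XSI_TYPE, "").split(":")[-1]  # e.g. "FileObjectType"
        if kind == "FileObjectType":
            add(oid, "file-name", first_text(props, "File_Name"))
            for h in props.iter():
                if local(h.tag) == "Hash":  # one Hash element per algorithm
                    algo = (first_text(h, "Type") or "hash").lower()
                    add(oid, algo, (first_text(h, "Simple_Hash_Value") or "").lower())
        elif kind == "AddressObjectType":
            # STIX keeps the address family in 'category'; "ipv4-addr" is also the
            # value_type SPLICE's iocsearch and iocexportcsv use for IPv4 indicators.
            add(oid, props.get("category", "address"), first_text(props, "Address_Value"))
        elif kind == "DomainNameObjectType":
            add(oid, "domain", (first_text(props, "Value") or "").lower())
        elif kind == "URIObjectType":
            add(oid, "url", first_text(props, "Value"))
    return out


def index_by_type(indicators):
    """{value_type: {value, ...}}: the shape a matcher or a CSV export wants."""
    index = {}
    for ind in indicators:
        index.setdefault(ind["value_type"], set()).add(ind["value"])
    return index
```

Matching on local element names rather than on the `FileObj:`/`AddressObj:` prefixes is deliberate: feeds are free to bind any prefix to the CybOX object namespaces, and a parser that hard-codes the prefixes from one vendor's sample is one common source of the "cannot be converted due to parser errors" failures mentioned later in the deck.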

(18)

Splunking IOCs with SPLICE

(19)

What is SPLICE?

• SPLICE is a free Splunk App that enables you to easily consume IOCs (STIX, CybOX, OpenIOC) and use them to quickly evaluate your own environment for potential security issues
• SPLICE installs like any other Splunk App and just requires an instance of MongoDB on the search head SPLICE is installed on
• Get SPLICE RIGHT NOW by following @SplunkSec at

(20)

How can SPLICE help you?

• Facilitates automated IOC consumption
• Provides you richer threat intelligence data
• Provides the intel in Splunk to correlate with all of your other data
• Provides searching, reporting and visualization capabilities
• Enables less experienced personnel to utilize the data

(21)

How does it reduce the complexity?

• Splunk has chosen to initially reduce the IOC surface area to 'atomic' indicators for usability and to allow for more flexibility in IOC analytics
• Splunk has also partnered with FS-ISAC (who have also chosen the same approach) to integrate with their Avalanche product for IOC federation and collaboration

(22)

SPLICE – Supported Indicators

• Supports STIX 1.1 (more than 80 Objects!)
  – FileObjectType (hash values, file names)
      Examples: "64ef07ce3e4b420c334227eecb3b3f4c" or "virus.exe"
  – DomainNameObjectType (domains, URLs)
      Examples: "malicious1.example.com" or "http://malicious1.example.com/clickme.html"
  – URIObjectType (domains, URLs)
      Examples: "http://malicious1.example.com/clickme.html" or "ftp://badfiles.example.com/data.txt"
  – AddressObjectType (IP addresses)
      Example: "1.2.3.4"

(23)

SPLICE – Supported Indicators

• Supports CybOX 2.1
  – Same indicators as STIX

(24)

SPLICE Architecture

1. SPLICE consumes IOCs (STIX, CybOX, OpenIOC) through either a monitored directory path or via TAXII (including Avalanche)
2. IOCs are parsed and the atomic indicators (along with the raw IOC) are stored in MongoDB
3. The security analyst uses the SPLICE Splunk App to search, report, visualize and alert on the IOCs

(25)

Using SPLICE – Searching Your Data

iocsearch
sourcetype=access_combined_wcookie | iocsearch map="clientip:ipv4-addr" | search ioc_indicators_count>0 | `parse_ioc_indicators_json`
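The search above maps the clientip field of web access events onto the ipv4-addr indicators and keeps only events with at least one hit. As an added example, not SPLICE's code, here is that matching step written as plain Python so the logic is visible: constructed access_combined_wcookie lines are parsed, each mapped field is normalized and looked up in the indicator set for its type, and the events are annotated with ioc_indicators and ioc_indicators_count. The indicators, their "last reported" dates and the age cut-off are assumptions added to show why the earlier point that watchlists aren't good forever belongs inside the matcher; iocsearch itself documents no such option here.

```python
# Added example, not SPLICE's code: the matching step behind
#   ... | iocsearch map="clientip:ipv4-addr" | search ioc_indicators_count>0
# written as plain Python so the logic is visible. Log lines, indicators and
# their "last reported" dates are constructed for this example; the age cut-off
# is an assumption added to show why a watchlist entry is not good forever.
import re
from datetime import date, timedelta

# Atomic indicators by value type ("ipv4-addr" is the name SPLICE uses),
# each with the date the source last reported it (constructed).
INDICATORS = {
    "ipv4-addr": {"1.2.3.4": date(2014, 10, 1), "203.0.113.9": date(2014, 6, 1)},
    "domain": {"malicious1.example.com": date(2014, 10, 3)},
}

# Constructed access_combined_wcookie events (Apache combined format + cookie).
ACCESS_LOG = """\
1.2.3.4 - - [06/Oct/2014:10:01:12 -0400] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0" "JSESSIONID=SD1"
198.51.100.7 - - [06/Oct/2014:10:01:15 -0400] "GET /index.html HTTP/1.1" 200 1024 "http://malicious1.example.com/clickme.html" "Mozilla/5.0" "JSESSIONID=SD2"
203.0.113.9 - - [06/Oct/2014:10:02:00 -0400] "POST /api HTTP/1.1" 403 0 "-" "curl/7.35" "JSESSIONID=SD3"
"""

LINE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<useragent>[^"]*)" '
    r'"(?P<cookie>[^"]*)"$'
)


def parse_access_log(text):
    """One dict of named fields per line; lines that do not parse are dropped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def host_of(value):
    """Normalise a value checked against domain indicators: the host part of a
    URL, otherwise the bare name; lower-cased either way."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", value, re.I)
    return (m.group(1) if m else value).lower()


def iocsearch(events, mapping, indicators, today, max_age_days=30):
    """Annotate each event with ioc_indicators ([(value_type, value), ...]) and
    ioc_indicators_count. `mapping` is {field: value_type}, the equivalent of
    SPLICE's map="field:type". Indicators last reported more than max_age_days
    ago are left out of the live set, so stale intel cannot fire."""
    cutoff = today - timedelta(days=max_age_days)
    live = {vt: {v for v, seen in vals.items() if seen >= cutoff}
            for vt, vals in indicators.items()}
    tagged = []
    for event in events:
        hits = []
        for field, vt in mapping.items():
            value = event.get(field, "")
            if vt == "domain":
                value = host_of(value)
            if value in live.get(vt, ()):
                hits.append((vt, value))
        tagged.append({**event, "ioc_indicators": hits, "ioc_indicators_count": len(hits)})
    return tagged


def matches(log_text=ACCESS_LOG, today=date(2014, 10, 6), max_age_days=30):
    """The `| search ioc_indicators_count>0` stage: only events that hit an IOC."""
    mapping = {"clientip": "ipv4-addr", "referer": "domain"}
    tagged = iocsearch(parse_access_log(log_text), mapping, INDICATORS, today, max_age_days)
    return [e for e in tagged if e["ioc_indicators_count"] > 0]
```

With the 30-day cut-off the 203.0.113.9 event does not match even though the address is on the list, because that indicator was last reported four months earlier; raising max_age_days to 365 brings it back. Exact-value lookup is used on purpose: SPLICE's atomic indicators are literal values, and turning them into substring or regex matches is how a short hash or a bare "example.com" starts matching everything.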

(26)

Using SPLICE – Searching IOCs

iocfilter
| iocfilter regex="1.2.3.4"

(The argument is a regular expression, so an unescaped dot matches any character; use regex="1\.2\.3\.4" when you want exactly that address and nothing else.)

(27)

Using SPLICE – Retrieve the full raw IOC data

iocdisplay
| iocdisplay object_id="example:Object-12c760ba-cd2c-4f5d-a37d-18212eac7928"

(28)

Using SPLICE – Statistics about ingested IOCs

iocstats
| iocstats stat=list

(29)

Using SPLICE – Export atomic indicators as a CSV

iocexportcsv
| iocexportcsv value_type="ipv4-addr" alias="ip" directory="/tmp" filename="myIpList.csv"

(31)

SPLICE Challenges

• SPLICE has been largely tested against public datasets and needs more sample data
• Some IOCs cannot be converted due to parser errors
• STIX libraries, frameworks and other standards are still works in progress

(32)

SPLICE – Future

• Next steps:
  – Support additional indicators
  – Improved dashboards and default searches
  – Export Splunk content as a STIX object
  – Utilize TAXII to serve IOC data FROM Splunk
  – Better Enterprise Security integration
  – Improved features around how closely data matches IOCs
  – Improved support for additional indicators

(33)

How you can get involved

We are looking for feedback to further enhance SPLICE

• Download SPLICE and play with it! Tell us what you want and how you want SPLICE or IOCs to interoperate with your data.
• Get a demo of how SPLICE works from the Security Practice
• GIVE US FEEDBACK! [email protected] is a perfect way!
• Support the STIX community: https://github.com/STIXProject

(34)

Summary

• The threat landscape is rapidly changing; threat data from yesterday may not be valuable today
• Threat intelligence provides context, but formats and diversity limit adoption to the lowest common denominator
• Traditional things like IP lists are ineffective without context
• IOCs through STIX give us context
• SPLICE gives you a way to utilize IOCs across your Splunk data today
• Get SPLICE RIGHT NOW by following @SplunkSec at

(35)

THANK  YOU  
