CTI: Cyber Threat Intelligence - Enabling Predictive Defense by Reading Attackers’ Intent

Ryusuke Masuoka, Fujitsu System Integration Laboratories, Ltd., November 2016

Copyright 2016 FUJITSU LIMITED




Cyber Threat Intelligence (CTI)


Definition: the product of collecting, processing, integrating, analyzing, evaluating and interpreting data and information.

Two Elements of Cyber Threat Intelligence (CTI)
• Data/information like IP addresses and malware hash values: CTI Level 1 (L1) – Observables
• Cyber Threat Intelligence in its real meaning: CTI Level 2 (L2) – Contextual CTI

5Ws1H of Cyber Attacks lets you determine:
• who the adversary is
• what their purpose is
• how serious it is



Two Elements: CTI L1 and L2

(Diagram; labels recovered from the slide:)
• CTI L1 (Observables): C&C IP address, malware hash, new indicators
• CTI L2 (Contextual CTI): links between observables and information pieces
  – TTP (Tactics, Techniques, Procedures): watering hole, phishing email, CVE-2014-6324
  – 5Ws1H: What, Who, Why, Where, How
  – Attack from the attacker’s point of view
  – Target region, industry, organization


CTIM: CTI-Driven Platform for Proactive Defense

(Architecture diagram; labels recovered from the slide, grouped by component:)
• ICT environment: IDS/IPS, sandbox, antivirus, servers, PCs, logs, firewall, proxy; decoy system (observation, attack log)
• SIEM: incident tracking, alerts; alert/ticket registration
• SOC (operator, 1st-tier analyst): monitoring, incident management, triage, CTI matching, escalation
• Senior analyst (SIC): manual artifact analysis, CTI registration and evaluation
• Analysis environment: malware analysis, memory analysis, log analysis, disk forensics, attack campaign analysis; machine learning
• Artifact store: artifacts (memory, logs, disks, malware, etc.) and information
• CTI store and automation engine: CTI distribution → detection → block
• External network analysis: C2 analysis services, OSINT
• Information collection: web news, blogs, SNS, security reports, vulnerability information, communities
• CTI sharing: CTI gateway, CTI sources and communities
• Mitigation: disconnecting from the network, shutting down, locking accounts, etc.
• Cycle: detection → analysis → response, with artifacts and information feeding CTI analysis


CTIM: CTI-Driven Platform for Proactive Defense

(Automation engine feature diagram; labels recovered from the slide:)
• Sample Similarity Scoring System
• Sharing Policy Enforcement
• OASIS CTI Standardization
• Bi-Directional CTI Sharing
• CTI Graph Analytics and Editing
• Private Translator


Pushing the Boundaries – Phased Adoption

Unlock the true potential of structured contextual CTI:
• Phase 1: Accumulate CTI in STIX
• Phase 2: + Consume external CTI
• Phase 3: + Share observables/indicators
• Phase 4: + Share technical context
• Phase 5: + Share adversarial context

(Layered diagram: Observables and Indicators → Technical Context → Adversarial Context)
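As an added example (not code from the Fujitsu deck), a minimal Python model of the L1/L2 split from the "Two Elements" slide and of the sharing policy enforcement from the phased-adoption slides: observables and context objects form a small STIX-style graph, one observable's links are followed to answer "who" and "how", and a sharing filter releases only the object types the current phase allows. The object ids, names, relationship types and the RFC 5737 address are constructed placeholders, and the dict model is an assumption in place of the stix2 library.

```python
from collections import deque
from typing import Dict, List, Set, Tuple
# Object types grouped the way the deck groups them (STIX 2 style type names, plain dicts)
L1_TYPES = {"ipv4-addr", "file"}                    # CTI L1: observables
INDICATOR_TYPES = {"indicator"}
TECH_CONTEXT = {"attack-pattern", "vulnerability", "malware"}
ADV_CONTEXT = {"threat-actor", "campaign"}
# What may leave the organisation at each of the deck's five adoption phases
PHASE_SHAREABLE: Dict[int, Set[str]] = {
    1: set(),                                       # accumulate in STIX only
    2: set(),                                       # also consume external CTI
    3: L1_TYPES | INDICATOR_TYPES,                  # share observables/indicators
    4: L1_TYPES | INDICATOR_TYPES | TECH_CONTEXT,   # + technical context
    5: L1_TYPES | INDICATOR_TYPES | TECH_CONTEXT | ADV_CONTEXT,  # + adversarial
}
# Constructed sample graph: RFC 5737 documentation IP, placeholder hash and names
OBJECTS: Dict[str, Dict[str, str]] = {
    "ip-1":    {"type": "ipv4-addr", "name": "192.0.2.10"},
    "file-1":  {"type": "file", "name": "<placeholder-sha256>"},
    "ind-1":   {"type": "indicator", "name": "C2 beacon to 192.0.2.10"},
    "mal-1":   {"type": "malware", "name": "<placeholder-family>"},
    "ap-1":    {"type": "attack-pattern", "name": "Phishing Email"},
    "vuln-1":  {"type": "vulnerability", "name": "CVE-2014-6324"},
    "actor-1": {"type": "threat-actor", "name": "<placeholder-actor>"},
}
RELATIONSHIPS: List[Tuple[str, str, str]] = [      # (source, type, target)
    ("ind-1", "based-on", "ip-1"), ("ind-1", "based-on", "file-1"),
    ("ind-1", "indicates", "mal-1"), ("actor-1", "uses", "mal-1"),
    ("actor-1", "uses", "ap-1"), ("ap-1", "exploits", "vuln-1"),
]

def cti_level(obj_id: str) -> int:
    # L1 for a bare observable, L2 for anything that adds context
    return 1 if OBJECTS[obj_id]["type"] in L1_TYPES else 2

def context_for(obs_id: str) -> Dict[str, List[str]]:
    # Follow the links out of one observable and answer 'who' and 'how'
    adj: Dict[str, Set[str]] = {k: set() for k in OBJECTS}
    for s, _, t in RELATIONSHIPS:
        adj[s].add(t); adj[t].add(s)                # context is reachable either way
    seen, queue = {obs_id}, deque([obs_id])
    while queue:
        for nxt in adj[queue.popleft()] - seen:     # breadth-first over the graph
            seen.add(nxt); queue.append(nxt)
    pick = lambda types: sorted(OBJECTS[i]["name"] for i in seen if OBJECTS[i]["type"] in types)
    return {"who": pick(ADV_CONTEXT), "how": pick(TECH_CONTEXT)}

def shareable(phase: int) -> List[str]:
    # Object ids the sharing policy lets leave the organisation at this phase
    return sorted(i for i, o in OBJECTS.items() if o["type"] in PHASE_SHAREABLE[phase])
```

A bare C2 address is L1 and says nothing on its own; following its links yields the L2 answers (actor, TTPs, exploited CVE) that the slides call contextual CTI, and the phase filter shows which of those objects an organisation at each phase would actually release.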
