CTI: Cyber Threat Intelligence - OASIS, 2016/11/02
TRANSCRIPT
Page 1
CTI: Cyber Threat Intelligence - Enabling Predictive Defense by Reading Attackers' Intent
Ryusuke Masuoka, Fujitsu System Integration Laboratories, Ltd., November 2016
Copyright 2016 FUJITSU LIMITED
Page 4
https://en.wikipedia.org/wiki/Euthalia_aconthea
Page 5
Cyber Threat Intelligence (CTI)
Definition: the product of collecting, processing, integrating, analyzing, evaluating and interpreting data and information.
Two elements of Cyber Threat Intelligence (CTI):
• CTI Level 1 (L1) – Observables: data/information such as IP addresses and malware hash values
• CTI Level 2 (L2) – Contextual CTI: cyber threat intelligence in its real meaning
5Ws1H of cyber attacks: lets you determine who the adversary is, what their purpose is and how serious it is.
Page 6
Two Elements: CTI L1 and L2 (diagram)
CTI L1 (Observables): C&C IP Address, Malware Hash, New Indicators
CTI L2 (Contextual CTI): links between observables and information pieces
• What / How: TTP - Tactics, Techniques, Procedures (Watering Hole, Phishing Email, CVE-2014-6324)
• Who / Why: Attack from Attacker's Point of View
• Where: Target Region, Industry, Organization
Page 7
CTIM: CTI-Driven Platform for Proactive Defense (architecture diagram; labels grouped by area)
• ICT Environment: IDS/IPS, Sandbox, AntiVirus, Servers, PCs, Firewall, Proxy; Logs feed the SIEM (Incident Tracking, Alerts). CTI Distribution → Detection → Block.
• Decoy System: Observation, Attack Log.
• SOC (Operator, 1st Tier Analyst): Monitoring, Incident Management, Alert/Ticket Registration, Triage, CTI Matching, Escalation.
• Senior Analyst (SIC): Artifacts (Memory, Log, Disks, Malware, etc.), Manual Artifact Analysis, CTI Registration, Evaluation.
• Analysis Environment: Malware Analysis, Memory Analysis, Log Analysis, Disk Forensics, Attack Campaign Analysis, Machine Learning; Artifact Store (Artifacts, Information).
• External Network Analysis: C2 Analysis Services, OSINT.
• Information Collection: Web News, Blogs, SNS, Security Reports, Vulnerability information, Communities.
• CTI Store and Automation Engine; CTI Gateway for CTI Sharing with CTI Sources and Communities.
• Mitigation: Disconnecting from Network, Shutting down, Locking Accounts, etc.
• Flows shown between the areas: Detection, Analysis, Response, Artifacts, Information.
Page 8
CTIM: CTI-Driven Platform for Proactive Defense
• Automation Engine
• Sample Similarity Scoring System
• Sharing Policy Enforcement
• OASIS CTI Standardization
• Bi-Directional CTI Sharing
• CTI Graph Analytics and Editing
• Private Translator
Page 9
Pushing the Boundaries – Phased Adoption
Unlock the true potential of structured contextual CTI:
• Phase 1 - Accumulate CTI in STIX
• Phase 2 + Consume External CTI
• Phase 3 + Share Observables/Indicators
• Phase 4 + Share Technical Context
• Phase 5 + Share Adversarial Context
Layers of CTI, from the bottom up: Observables, Indicators, Technical Context, Adversarial Context.
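The L1/L2 split of pages 5 and 6, the CTI Matching step of page 7 and the phased sharing of page 9 can be shown together on one small STIX 2.1 store. The block below is an added example and is not code from the Fujitsu deck or from CTIM; it builds the STIX objects by hand rather than with the stix2 library so it runs offline. Everything in the store is constructed: the C2 address 203.0.113.45 is from the documentation range, the SHA-256 value is a placeholder, and "Placeholder RAT", "Hypothetical Actor A", "Hypothetical Campaign X" and the manufacturing-sector identity are invented names. Only CVE-2014-6324, Phishing Email and Watering Hole come from the deck. The mapping of STIX object types to the deck's who/what/why/where/how slots and to the phase-3/4/5 sharing tiers is my reading of the slides, not something the deck states.

```python
# Added example (not Fujitsu's CTIM code): a tiny STIX 2.1 CTI store with L1/L2 separation.
import uuid
import re
from collections import defaultdict, deque

TS = "2016-11-02T00:00:00.000Z"  # fixed timestamp for the constructed objects

def stix_obj(obj_type, **props):
    """Minimal STIX 2.1 object; the id is derived from its distinguishing property so it is stable."""
    key = props.get("name") or props.get("pattern") or props["source_ref"] + props["target_ref"]
    obj = {"type": obj_type, "spec_version": "2.1", "created": TS, "modified": TS,
           "id": f"{obj_type}--{uuid.uuid5(uuid.NAMESPACE_URL, obj_type + '|' + key)}"}
    obj.update(props)
    return obj

def rel(source, rel_type, target):
    """STIX Relationship Object: the L2 link between two objects."""
    return stix_obj("relationship", relationship_type=rel_type,
                    source_ref=source["id"], target_ref=target["id"])

def build_bundle():
    """Constructed store: documentation-range IP, placeholder hash, hypothetical actor/campaign/malware."""
    c2_ip = stix_obj("indicator", name="C2 IP (constructed)", pattern_type="stix", valid_from=TS,
                     pattern="[ipv4-addr:value = '203.0.113.45']")
    mw_hash = stix_obj("indicator", name="Dropper hash (constructed)", pattern_type="stix",
                       valid_from=TS, pattern="[file:hashes.'SHA-256' = '" + "ab" * 32 + "']")
    malware = stix_obj("malware", name="Placeholder RAT", is_family=False)
    phishing = stix_obj("attack-pattern", name="Phishing Email")
    watering = stix_obj("attack-pattern", name="Watering Hole")
    vuln = stix_obj("vulnerability", name="CVE-2014-6324")
    actor = stix_obj("threat-actor", name="Hypothetical Actor A")
    campaign = stix_obj("campaign", name="Hypothetical Campaign X")
    target = stix_obj("identity", name="Manufacturing sector (constructed)", identity_class="class")
    objects = [c2_ip, mw_hash, malware, phishing, watering, vuln, actor, campaign, target,
               rel(c2_ip, "indicates", malware), rel(mw_hash, "indicates", malware),
               rel(campaign, "uses", malware), rel(campaign, "uses", phishing),
               rel(campaign, "uses", watering), rel(campaign, "attributed-to", actor),
               rel(campaign, "targets", target), rel(malware, "exploits", vuln)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid5(uuid.NAMESPACE_URL, 'ctim-demo')}",
            "objects": objects}

# Only the single-comparison pattern form [type:path = 'value'] is handled here.
PATTERN_RE = re.compile(r"^\[\s*([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'\s*\]$")

def match_indicators(bundle, observation):
    """L1 matching: the indicators whose pattern the observation (a 'type:path' -> value dict) satisfies."""
    hits = []
    for obj in bundle["objects"]:
        m = PATTERN_RE.match(obj["pattern"]) if obj["type"] == "indicator" else None
        if m is None:
            continue  # not an indicator, or a pattern form this matcher does not support
        obj_type, path, value = m.groups()
        path = path.replace("'", "")  # hashes.'SHA-256' -> hashes.SHA-256
        if observation.get(f"{obj_type}:{path}") == value:
            hits.append(obj)
    return hits

# Assumed mapping of STIX types onto the deck's 5Ws1H slots.
CONTEXT_SLOT = {"malware": "what", "attack-pattern": "how", "vulnerability": "how",
                "threat-actor": "who", "campaign": "why", "identity": "where"}

def context_for(bundle, indicator, max_hops=3):
    """L2 lookup: BFS over relationships (both directions) from a matched indicator."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    adj = defaultdict(set)
    for o in bundle["objects"]:
        if o["type"] == "relationship":
            adj[o["source_ref"]].add(o["target_ref"])
            adj[o["target_ref"]].add(o["source_ref"])
    seen, queue, context = {indicator["id"]}, deque([(indicator["id"], 0)]), defaultdict(set)
    while queue:
        node, hops = queue.popleft()
        if hops == max_hops:
            continue
        for nxt in adj[node] - seen:
            seen.add(nxt)
            slot = CONTEXT_SLOT.get(by_id[nxt]["type"])
            if slot:
                context[slot].add(by_id[nxt]["name"])
            queue.append((nxt, hops + 1))
    return {slot: sorted(names) for slot, names in context.items()}

# Assumed object types released at each adoption phase (cumulative); phases 1 and 2 share nothing.
PHASE_TYPES = {3: {"indicator", "observed-data"},
               4: {"attack-pattern", "malware", "tool", "vulnerability", "infrastructure"},
               5: {"threat-actor", "intrusion-set", "campaign", "identity"}}

def shareable(bundle, phase):
    """Sharing policy enforcement: objects allowed at this phase, plus only the relationships
    whose two endpoints are both released (a dangling ref would reveal that context exists)."""
    allowed = set().union(*(t for p, t in PHASE_TYPES.items() if p <= phase))
    kept = [o for o in bundle["objects"] if o["type"] in allowed]
    ids = {o["id"] for o in kept}
    return kept + [o for o in bundle["objects"] if o["type"] == "relationship"
                   and o["source_ref"] in ids and o["target_ref"] in ids]

if __name__ == "__main__":
    store = build_bundle()
    for ind in match_indicators(store, {"ipv4-addr:value": "203.0.113.45"}):  # e.g. a proxy dst
        print(ind["name"], "->", context_for(store, ind))
    print({p: len(shareable(store, p)) for p in (2, 3, 4, 5)})
```

A hit on the L1 indicator alone only says "known C2 address"; the relationship walk is what turns it into who (the actor), how (phishing, watering hole, the CVE), and where (the targeted sector), which is the L2 value the deck argues for. The regex in match_indicators covers only the simplest STIX pattern; the full pattern language (AND/OR, observation operators, timing qualifiers) needs a real matcher such as OASIS's cti-pattern-matcher. The phase filter is deliberately conservative about relationships: releasing a relationship whose other end is withheld would still leak that an attribution or campaign link exists.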