ISSA QUARTER MEETING 2015
David Eilken, Co-Chair, FS-ISAC Security Automation Working Group
Intelligence Driven Community Defense

Upload: alban-king

Post on 18-Dec-2015


ISSA QUARTER MEETING 2015

David Eilken, Co-Chair

FS-ISAC Security Automation Working Group

Intelligence Driven Community Defense

OVERVIEW

Cyber Intelligence – What, Why, Where

A Vision for Community Defense

Cyber Threat Intelligence Standards

Maturing the Ecosystem

How do We Get There

EXTERNAL THREATS GROWING

117,339 incoming attacks every day. The total number of security incidents detected by respondents climbed to 42.8 million this year, an increase of 48% over 2013.

Findings from The Global State of Information Security Survey 2015. Graphic Source: PwC

Fun • Technically curious individuals

Fortune • Cyber criminals and organized gangs stealing money, data ransom schemes and competitive information

EVOLUTION OF CYBER ATTACKS

Cyber Threats on the Private Sector

[Timeline figure, 1988 to 2010, showing the changing Nature of Threat: Academic; "Script Kiddies"; Commodity Threats; Advanced Persistent Threats (APT) targeting government entities; APT targeting the private sector]

WHO ARE THE ADVERSARIES?

Attacker Motivation, Capability & Intent

Criminals
• Money
• Money
• And more money
• Large number of groups
• Skills from basic to advanced
• Present in virtually every country
• Up to $$$

Hacktivists
• Protest
• Revenge
• Large number of groups
• Groups tend to have basic skills with a few 'standout' individuals with advanced technical and motivational skills
• Up to $ - $$

Espionage
• Acquiring secrets for national security or economic benefit
• Small but growing number of countries with capability
• Larger array of 'supported' or 'tolerated' groups
• Up to $$$$+

War
• Motivation is to destroy, degrade, or deny capabilities of an adversary
• Politics by other means
• Small but growing number of countries with capability
• Non-state actors may utilize 'war' like approaches
• Up to $$$$$ ?
• …but, a lot less expensive than a nuclear weapon

Cost scale: $ - Under thousands; $$ - Tens to hundreds of thousands; $$$ - Millions; $$$$ - Tens to hundreds of millions; $$$$$ - Billions

August 2014

THE NEED FOR SPEED

Attackers Act 150x Faster Than Victims Respond: Minutes vs. Weeks/Months

                                                              Seconds  Minutes  Hours  Days  Weeks  Months
Initial Attack to Initial Compromise (shorter time worse)        10%      75%    12%    2%     0%      1%
Initial Compromise to Data Exfiltration (shorter time worse)      8%      38%    14%   25%     8%      8%
Initial Compromise to Discovery (longer time worse)               0%       0%     2%   13%    29%     54%

Attackers are FAST. Response is SLOW.

EVOLUTION OF CYBER SECURITY DEFENSE

Increasing Cyber Risks
• Malicious actors have become much more sophisticated & money driven.
• Losses to US companies now in the tens of millions; WW hundreds of millions.
• Cyber Risks are now ranked #3 overall corporate risk on Lloyd's 2013 Risk Index.

We are Solving the Problem
• Security standards are maturing
• FS-ISAC has become the trusted model for sharing industry threat intelligence.
• Soltra Edge Cyber Intelligence Sharing Platform revolutionizing sharing and utilization of threat intelligence.

Manually Sharing Ineffective
• Time consuming and ineffective in raising the costs to the attackers.
• Not all cyber intelligence is processed; probably less than 2% overall = high risk.
• No way to enforce cyber intelligence sharing policy = non-compliance.

Intelligence Sharing: Identify and track threats, incorporate knowledge and share what you know manually to trusted others.

Network Awareness: Protect the perimeter and patch the holes to keep out threats; share knowledge internally.

Situational Awareness: Automate sharing – develop a clearer picture from all observers' input and pro-actively mitigate.

[Figure stages: Yesterday's Security, Present Day Problem, Future Solution]


WHAT IS CYBER INTELLIGENCE

Information about cyber threats:
• Bad people, things, or events
• Plans to attack victims
• Tactics used by bad people
• Actions to deal with bad events
• Weaknesses targeted by bad people

WHY CYBER INTELLIGENCE IS IMPORTANT

Tactical Uses
• Proactively detect or defend against attacks before they happen
• Diagnose infected corporate systems

Strategic Uses
• Compile and track bad people or things that don't like you, your industry, or your company – report out and potentially send to authorities
• Improve your security posture – the more you understand the things, people, and organizations that are attacking you, the better you can defend yourself

Intelligence Can Help Protect You!

WHERE DOES CYBER INTELLIGENCE COME FROM?

Buy It: Purchase from professional intelligence providers

Collect for Free: From inside your organizational environment; the Internet has many Open Source Intelligence (OSINT) feeds available

From Friends: Information Sharing Communities or ISACs; business partners, associates, peers, etc.

Get from Authorities: Government – DHS, FBI, etc.

INTELLIGENCE LIFE-CYCLE

Graphic Source: FBI

#1 Collect
#2 Process
#3 Analyze
#4 Disseminate

Security Operations: Intelligence Starts Here

What Do We Do With It? (What are we supposed to do with it?)

STEP #1 – IN THE REAL-LIFE CYCLE

[Figure: Firm X SOC Analysts; Company Y CIRC Analyst; Cyber Analysts; Time Waning; Eyes of Distrust; "My Wheel Better"]

MACHINES CAN HELP, BUT FIRST…

…Machines Need a Language to Talk about Threats

STIX – Structured Threat Intelligence eXpression: structured language used by machines to describe cyber threats (like HTML)

TAXII – Trusted Automated eXchange of Indicator Information: transport mechanism for cyber threat information represented in STIX (like TCP/IP)

stix.mitre.org taxii.mitre.org

INTELLIGENCE DRIVEN COMMUNITY DEFENSE

[Diagram: an attacked Organization reports to the ISAC (FS-ISAC); Trusted Organizations and Extended Trusted Organizations are Protected through Automated Defense by Machines]

STIX CONSTRUCTS

An open standard to categorize cyber threat intelligence information

Levels: Strategic, Atomic, Tactical, Operational

Questions the constructs answer:
• What threat activity are we seeing?
• What can I do about it?
• What threats should I look for on my networks and systems and why?
• Where has this threat been seen?
• Who is responsible for this threat?
• Why do they do this?
• What do they do?
• What weaknesses does this threat exploit?

STIX ARCHITECTURE

The Power of Structured Intelligence
• Key to effective strategic cyber intelligence analysis and threat tracking
• Ability to pivot, view, analyze, and enrich complex relationships

STIX SAMPLE

Email Message Object

<cybox:Observable id="cybox:observable-6f45ce72-30c8-11e2-8011-000c291a73d5">
  <cybox:Stateful_Measure>
    <cybox:Object id="cybox:object-6dc7fc5a-30c8-11e2-8011-000c291a73d5">
      <cybox:Defined_Object xsi:type="EmailMessageObj:EmailMessageObjectType">
        <EmailMessageObj:Attachments>
          <EmailMessageObj:File xsi:type="FileObj:FileObjectType" object_reference="cybox:object-6dcae276-30c8-11e2-8011-000c291a73d5"/>
        </EmailMessageObj:Attachments>
        <EmailMessageObj:Links>
          <EmailMessageObj:Link type="URL" object_reference="cybox:guid-6dcb5fda-30c8-11e2-8011-000c291a73d5"/>
          <EmailMessageObj:Link type="URL" object_reference="cybox:guid-6ec9050e-30c8-11e2-8011-000c291a73d5"/>
        </EmailMessageObj:Links>
        <EmailMessageObj:Header>
          <EmailMessageObj:To>
            <EmailMessageObj:Recipient category="e-mail">
              <AddressObj:Address_Value datatype="String">[email protected]</AddressObj:Address_Value>
            </EmailMessageObj:Recipient>
          </EmailMessageObj:To>
          <EmailMessageObj:From category="e-mail">
            <AddressObj:Address_Value datatype="String">[email protected]</AddressObj:Address_Value>
          </EmailMessageObj:From>
          <EmailMessageObj:Subject datatype="String">Fw:Draft US-China Joint Statement</EmailMessageObj:Subject>
          <EmailMessageObj:Date datatype="DateTime">2011-01-05T12:48:50+08:00</EmailMessageObj:Date>
          <EmailMessageObj:Message_ID datatype="String">CAF=+=fCSNqaNnR=wom=Y6xP09r_wfKjsm0hvY3wJYTGEzGyPkw@mail.gmail.com</EmailMessageObj:Message_ID>
        </EmailMessageObj:Header>
        <EmailMessageObj:Optional_Header>
          <EmailMessageObj:Content-Type datatype="String">multipart/mixed; boundary=90e6ba10b0e7fbf25104cdd9ad08</EmailMessageObj:Content-Type>
          <EmailMessageObj:MIME-Version datatype="String">1.0</EmailMessageObj:MIME-Version>
          <EmailMessageObj:X-Mailer datatype="String">Microsoft CDO for Windows 2000</EmailMessageObj:X-Mailer>
        </EmailMessageObj:Optional_Header>
      </cybox:Defined_Object>
    </cybox:Object>
  </cybox:Stateful_Measure>
</cybox:Observable>
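As an added illustration (not code from the deck, from FS-ISAC or from Soltra), a short Python parser that pulls the pivot-worthy fields out of an EmailMessage observable shaped like the one above: sender, recipients, subject, and the object_reference ids for links and attachments that point at other objects in the package. The namespace URIs, ids and addresses in the embedded sample are assumed placeholders.

```python
import xml.etree.ElementTree as ET
# Constructed sample modelled on the deck's observable; namespace URIs, ids and addresses are assumed placeholders.
NS = {
    "cybox": "http://cybox.mitre.org/cybox_v1",
    "EmailMessageObj": "http://cybox.mitre.org/objects#EmailMessageObject",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
DECL = " ".join(f'xmlns:{p}="{u}"' for p, u in NS.items())
SAMPLE = f"""<cybox:Observable id="cybox:observable-1" {DECL}>
 <cybox:Stateful_Measure>
  <cybox:Object id="cybox:object-1">
   <cybox:Defined_Object xsi:type="EmailMessageObj:EmailMessageObjectType">
    <EmailMessageObj:Attachments>
     <EmailMessageObj:File object_reference="cybox:object-2"/>
    </EmailMessageObj:Attachments>
    <EmailMessageObj:Links>
     <EmailMessageObj:Link type="URL" object_reference="cybox:guid-3"/>
    </EmailMessageObj:Links>
    <EmailMessageObj:Header>
     <EmailMessageObj:To>
      <EmailMessageObj:Recipient category="e-mail">
       <AddressObj:Address_Value datatype="String">victim@example.com</AddressObj:Address_Value>
      </EmailMessageObj:Recipient>
     </EmailMessageObj:To>
     <EmailMessageObj:From category="e-mail">
      <AddressObj:Address_Value datatype="String">sender@example.net</AddressObj:Address_Value>
     </EmailMessageObj:From>
     <EmailMessageObj:Subject datatype="String">Fw:Draft US-China Joint Statement</EmailMessageObj:Subject>
    </EmailMessageObj:Header>
   </cybox:Defined_Object>
  </cybox:Object>
 </cybox:Stateful_Measure>
</cybox:Observable>"""

def parse_email_observable(xml_text):
    """Pull the fields a SOC analyst would pivot on out of one EmailMessage observable."""
    obj = ET.fromstring(xml_text).find(".//cybox:Defined_Object", NS)
    if obj is None:
        raise ValueError("observable carries no Defined_Object")
    hdr = "EmailMessageObj:Header/"
    return {
        "from": obj.findtext(hdr + "EmailMessageObj:From/AddressObj:Address_Value", namespaces=NS),
        "to": [e.text for e in obj.findall(hdr + "EmailMessageObj:To//AddressObj:Address_Value", NS)],
        "subject": obj.findtext(hdr + "EmailMessageObj:Subject", namespaces=NS),
        # object_reference values point at File/URI objects defined elsewhere in the package
        "links": [l.get("object_reference") for l in obj.findall("EmailMessageObj:Links/EmailMessageObj:Link", NS)],
        "attachments": [f.get("object_reference") for f in obj.findall("EmailMessageObj:Attachments/EmailMessageObj:File", NS)],
    }
```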

HOW HUMANS VIEW INTELLIGENCE

[Relationship graph, read as an analyst would]

Threat Actor: Pamina Republic Army, Unit 31459
• Associated Actor: Leet (Electronic Address)
• Targets: Khaffeine, Bronxistan, Perturbia, Blahniks . . .
• Leverages Infrastructure: C2 Servers, IP Range 172.24.0.0-112.25.255.255

Observed TTPs
• Initial Compromise – Spear Phishing Email; Indicator / Observable: Sender: John Smith, Subject: Press Release
• Establish Foothold – Malware Behavior: WEBC2
• Escalate Privilege – Uses Tool: cachedump, lslsass
• Indicator: MD5 d8bb32a7465f55c368230bb52d52d885
• Internal Reconnaissance – Attack Pattern: ipconfig, net view, net group "domain admins"
• Exfiltration – Uses Tool: GETMAIL

Hey Mom! Watch Me Pivot!

LET'S NOT FORGET THE TRANSPORT STANDARD

STIX with

STIX without… Like a wheel without an axle

STIX & TAXII… JUST THE BEGINNING

Cyber Security Measurement and Management Architecture: Standards across the Security Lifecycle (Source: MITRE)

STIX & TAXII Adoption Curve

[Chart: Maturity (%) over Time through the stages Awareness (YOU ARE HERE), Trial, Adoption, Ubiquity; tooling moves from Excel/Notepad to Intelligence Server to Intelligence Network]

MATURING AN ECOSYSTEM

Sharing Communities: ISACs, Government, Individuals

Security Vendors: Service Providers, Vendor Products

Consumers of Security Products and Intelligence: Large, Medium, Small

CHANGING THE ECONOMICS

Cyber Warfare Symmetry

[Chart: Cost (Min to Max) to Defend versus Cost to Attack, plotted against Policy Effectiveness; Advantage: Attackers on one side, Advantage: Defenders on the other. Current State of Cyber-Symmetry (Unsophisticated Adversaries Can Play) moving to Future State of Cyber-Symmetry (Only Most Advanced Can Play)]

Cost to Firms: The current cost to process a single piece of intelligence is 7 hours. Equal to 2014 = $100m; 2015 = $1b; 2016 = $4b

Cost to Adversaries: Adversaries must "re-tool" much more often and their exploits cause less damage

Risks from Cyber Threats: Frequency and impact of threats decrease while higher adoption leads to exponential benefits

CYBER INTELLIGENCE MATURITY

Levels of Cyber Intelligence

Accessible: Far beyond just a select few that have access to organized data; an entire community can now be empowered.

Enriched: Communities of industry verticals fight the same threats, and have the most to share about their adversaries.

Actionable: Structured data can be understood by machines. Machines can detect, share, and make defensive adjustments at wire-speed.

Maturity pyramid (Increasing Situational Awareness => Increasing Cost to Adversaries):

DATA – Discrete Elements; PROCESSING: Aggregation and Normalization
INFORMATION – Linked Elements; ANALYSIS: Localized Data Correlation, Pattern Recognition
KNOWLEDGE – Organized Information; JUDGMENT: Some Contextual Knowledge, Deductive Reasoning
WISDOM – Actionable Intelligence; SITUATIONAL AWARENESS: Pro-Active Auto-Response

COMMUNITY – IT TAKES A VILLAGE…

[Figure: Operational Intelligence; Strategic Intelligence]

CONSUMER FREEDOM

HISTORY OF AVALANCHE

Security Automation Working Group
• Started in early 2012 prior to STIX 1.0
• Small group of security professionals
• Steadily grew STIX & TAXII awareness and involvement

• Started with an idea to automate sharing of intelligence
• Listened to security analysts – Broke down the problem
• Prioritized and built in chunks – Didn't boil the ocean
• Relied on open standards as the base and became STIX & TAXII experts
• Built an initial Central Intelligence Repository for the SAWG members
• Utilized scripts to pull data, then push data (the SAWG community helped a lot)
• Realized we needed not just a server and some client side scripts…

WHAT IS SOLTRA

A Company for the Community
• Increasing adoption of STIX & TAXII to reduce friction in security operations
• Formed with the support of the FS-ISAC community & backing of DTCC
• scalability
• Market Changing – created for the good of the information security consumer
• At-Cost Business Model – generates revenue just to keep the lights on

Continue Driving the Technology
• Innovate on open standards to automate the sharing of cyber threat intelligence
• A Platform for Everyone – can be extended to all sizes of financial services firms, other sharing communities and industry verticals
• Enabling seamless integration across security lifecycle solutions (threat intelligence, firewalls, intrusion detection, anti-virus, etc.)
• 10x reduction to collect/process intelligence & cost to respond

SOLTRA | AN FS-ISAC DTCC COMPANY

SOLTRA EDGE OVERVIEW

Basis for a Cyber Intelligence Sharing Network: like an Intelligence Server and Router; Big Data STIX Store, Sends & Receives via TAXII w/ Access Control

Key Features
• Instant Aggregation of Intelligence from Sources You Choose
• On-Premise – you own and control your data and sharing
• Collect, Process, and Disseminate (Internal & External) to Standards Based Devices
• De-Duplication and Automatic Sightings (+1)
• Trust Groups and Traffic Light Protocol Control Data Access
• Hides Complex STIX & TAXII with simple user interface

THANK YOU FOR PARTICIPATING

WWW.SOLTRA.COM

David Eilken, VP Product Strategy, Soltra

SOLTRA EDGE – The Center of an Open Framework: Primary Data Store for Structured Intelligence; Connects your STIX and TAXII enabled tools

SOLTRA EDGE – Foundation of a Security Network: Structured Intelligence Server and Router; Can act as a TAXII Gateway to other STIX sources

SOLTRA EDGE – Hides Complexity of STIX & TAXII: Simple and Intuitive Interface; Visualize, Create, and Move Intelligence