issa quarter meeting 2015 david eilken co-chair fs-isac security automation working group...
TRANSCRIPT
ISSA QUARTER MEETING 2015
David Eilken, Co-Chair
FS-ISAC Security Automation Working Group
Intelligence Driven Community Defense
OVERVIEW
Cyber Intelligence – What, Why, Where
A Vision for Community Defense
Cyber Threat Intelligence Standards
Maturing the Ecosystem
How do We Get There
EXTERNAL THREATS GROWING
117,339 incoming attacks every day
The total number of security incidents detected by respondents climbed to 42.8 million this year, an increase of 48% over 2013.
Findings from The Global State of Information Security Survey 2015 Graphic Source: PwC
• Fun: technically curious individuals
• Fortune: cyber criminals and organized gangs stealing money, data ransom schemes and competitive information
EVOLUTION OF CYBER ATTACKS
Cyber Threats on the Private Sector (timeline; years marked on the slide: 1988, 2001, 2004, 2010)
Nature of Threat, earliest to latest:
• Academic
• "Script Kiddies"
• Commodity Threats
• Advanced Persistent Threats (APT) – targeting government entities
• APT – targeting private sector
WHO ARE THE ADVERSARIES?
Attacker Motivation, Capability & Intent

Criminals
• Money, money, and more money
• Large number of groups
• Skills from basic to advanced
• Present in virtually every country
• Up to $$$

Hacktivists
• Protest, revenge
• Large number of groups
• Groups tend to have basic skills, with a few 'standout' individuals with advanced technical and motivational skills
• Up to $ - $$

Espionage
• Acquiring secrets for national security or economic benefit
• Small but growing number of countries with capability
• Larger array of 'supported' or 'tolerated' groups
• Up to $$$$+

War
• Motivation is to destroy, degrade, or deny capabilities of an adversary
• Politics by other means
• Small but growing number of countries with capability
• Non-state actors may utilize 'war'-like approaches
• Up to $$$$$ ?
• …but a lot less expensive than a nuclear weapon

Scale: $ – under thousands; $$ – tens to hundreds of thousands; $$$ – millions; $$$$ – tens to hundreds of millions; $$$$$ – billions
August 2014
THE NEED FOR SPEED
Attackers Act 150x Faster Than Victims Respond: Minutes vs. Weeks/Months

Phase                                        Seconds  Minutes  Hours  Days  Weeks  Months
Initial Attack to Initial Compromise
  (shorter time worse)                         10%      75%     12%    2%    0%     1%
Initial Compromise to Data Exfiltration
  (shorter time worse)                          8%      38%     14%   25%    8%     8%
Initial Compromise to Discovery
  (longer time worse)                           0%       0%      2%   13%   29%    54%

Attackers are FAST. Response is SLOW.
EVOLUTION OF CYBER SECURITY DEFENSE

Increasing Cyber Risks
• Malicious actors have become much more sophisticated & money driven.
• Losses to US companies now in the tens of millions; worldwide hundreds of millions.
• Cyber risks are now ranked #3 overall corporate risk on Lloyd's 2013 Risk Index.

We are Solving the Problem
• Security standards are maturing.
• FS-ISAC has become the trusted model for sharing industry threat intelligence.
• Soltra Edge Cyber Intelligence Sharing Platform is revolutionizing sharing and utilization of threat intelligence.

Manually Sharing Ineffective
• Time consuming and ineffective in raising the costs to the attackers.
• Not all cyber intelligence is processed; probably less than 2% overall = high risk.
• No way to enforce cyber intelligence sharing policy = non-compliance.

Yesterday's Security → Present Day Problem → Future Solution
• Yesterday's Security – Intelligence Sharing: identify and track threats, incorporate knowledge and share what you know manually with trusted others.
• Yesterday's Security – Network Awareness: protect the perimeter and patch the holes to keep out threats; share knowledge internally.
• Future Solution – Situational Awareness: automate sharing; develop a clearer picture from all observers' input and pro-actively mitigate.
WHAT IS CYBER INTELLIGENCE
Information about cyber threats:
• Bad people, things, or events
• Plans to attack victims
• Tactics used by bad people
• Actions to deal with bad events
• Weaknesses targeted by bad people
WHY CYBER INTELLIGENCE IS IMPORTANT
Tactical Uses
• Proactively detect or defend against attacks before they happen
• Diagnose infected corporate systems
Strategic Uses
• Compile and track bad people or things that don't like you, your industry, or your company – report out and potentially send to authorities
• Improve your security posture – the more you understand the things, people, and organizations that are attacking you, the better you can defend yourself
Intelligence Can Help Protect You!
WHERE DOES CYBER INTELLIGENCE COME FROM?
• Buy It – purchase from professional intelligence providers
• Collect for Free – from inside your organizational environment; the Internet has many Open Source Intelligence (OSINT) feeds available
• From Friends – information sharing communities or ISACs; business partners, associates, peers, etc.
• Get from Authorities – government (DHS, FBI, etc.)
INTELLIGENCE LIFE-CYCLE
Graphic Source: FBI
#1 Collect → #2 Process → #3 Analyze → #4 Disseminate
Security Operations: Intelligence Starts Here
What Do We Do With It? (What are we supposed to do with it?)
STEP #1 – IN THE REAL-LIFE CYCLE
Firm X SOC Analysts ↔ Company Y CIRC Analyst
• Time Waning
• Cyber Analysts
• Eyes of Distrust
• "My Wheel Better"
MACHINES CAN HELP, BUT FIRST…
…Machines Need a Language to Talk about Threats
• STIX – Structured Threat Information eXpression: a structured language used by machines to describe cyber threats (like HTML)
• TAXII – Trusted Automated eXchange of Indicator Information: the transport mechanism for cyber threat information represented in STIX (like TCP/IP)
stix.mitre.org  taxii.mitre.org (both specifications have since moved from MITRE to the OASIS CTI Technical Committee)
INTELLIGENCE DRIVEN COMMUNITY DEFENSE
Diagram: an attacked organization shares with its ISAC (here FS-ISAC); trusted organizations are protected; through automated defense between machines, extended trusted organizations are protected as well.

STIX: an open standard to categorize cyber threat intelligence information
STIX CONSTRUCTS
Levels: Strategic, Operational, Tactical, Atomic
The question each STIX 1.x construct answers:
• What threat activity are we seeing? (Observable)
• What threats should I look for on my networks and systems and why? (Indicator)
• Where has this threat been seen? (Incident)
• What do they do? (TTP)
• What weaknesses does this threat exploit? (Exploit Target)
• What can I do about it? (Course of Action)
• Why do they do this? (Campaign)
• Who is responsible for this threat? (Threat Actor)
STIX ARCHITECTURE
The Power of Structured Intelligence
• Key to effective strategic cyber intelligence analysis and threat tracking
• Ability to pivot, view, analyze, and enrich complex relationships
STIX SAMPLE
Email Message Object (a CybOX observable as embedded in STIX)

<cybox:Observable id="cybox:observable-6f45ce72-30c8-11e2-8011-000c291a73d5">
  <cybox:Stateful_Measure>
    <cybox:Object id="cybox:object-6dc7fc5a-30c8-11e2-8011-000c291a73d5">
      <cybox:Defined_Object xsi:type="EmailMessageObj:EmailMessageObjectType">
        <EmailMessageObj:Attachments>
          <EmailMessageObj:File xsi:type="FileObj:FileObjectType" object_reference="cybox:object-6dcae276-30c8-11e2-8011-000c291a73d5"/>
        </EmailMessageObj:Attachments>
        <EmailMessageObj:Links>
          <EmailMessageObj:Link type="URL" object_reference="cybox:guid-6dcb5fda-30c8-11e2-8011-000c291a73d5"/>
          <EmailMessageObj:Link type="URL" object_reference="cybox:guid-6ec9050e-30c8-11e2-8011-000c291a73d5"/>
        </EmailMessageObj:Links>
        <EmailMessageObj:Header>
          <EmailMessageObj:To>
            <EmailMessageObj:Recipient category="e-mail">
              <AddressObj:Address_Value datatype="String">[email protected]</AddressObj:Address_Value>
            </EmailMessageObj:Recipient>
          </EmailMessageObj:To>
          <EmailMessageObj:From category="e-mail">
            <AddressObj:Address_Value datatype="String">[email protected]</AddressObj:Address_Value>
          </EmailMessageObj:From>
          <EmailMessageObj:Subject datatype="String">Fw:Draft US-China Joint Statement</EmailMessageObj:Subject>
          <EmailMessageObj:Date datatype="DateTime">2011-01-05T12:48:50+08:00</EmailMessageObj:Date>
          <EmailMessageObj:Message_ID datatype="String">CAF=+=fCSNqaNnR=wom=Y6xP09r_wfKjsm0hvY3wJYTGEzGyPkw@mail.gmail.com</EmailMessageObj:Message_ID>
        </EmailMessageObj:Header>
        <EmailMessageObj:Optional_Header>
          <EmailMessageObj:Content-Type datatype="String">multipart/mixed; boundary=90e6ba10b0e7fbf25104cdd9ad08</EmailMessageObj:Content-Type>
          <EmailMessageObj:MIME-Version datatype="String">1.0</EmailMessageObj:MIME-Version>
          <EmailMessageObj:X-Mailer datatype="String">Microsoft CDO for Windows 2000</EmailMessageObj:X-Mailer>
        </EmailMessageObj:Optional_Header>
      </cybox:Defined_Object>
    </cybox:Object>
  </cybox:Stateful_Measure>
</cybox:Observable>
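As an added example (not from the slides, and not Soltra's or MITRE's code), the following Python reads the observable above with only the standard library and flattens it into the fields a mail gateway or SIEM could actually match on. It embeds the sample with the closing tags the slide truncates and with namespace declarations added so it parses; those namespace URIs are an assumption (CybOX 1.0 naming), and the parser matches on local element names so it does not depend on them. The redacted addresses are left exactly as the page shows them.

```python
import xml.etree.ElementTree as ET

# The slide's email-message observable. Namespace URIs are assumed (CybOX 1.0
# naming); the parser below matches on local names and does not depend on them.
SAMPLE = """\
<cybox:Observable id="cybox:observable-6f45ce72-30c8-11e2-8011-000c291a73d5"
    xmlns:cybox="http://cybox.mitre.org/cybox_v1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:EmailMessageObj="http://cybox.mitre.org/objects#EmailMessageObject"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject">
  <cybox:Stateful_Measure>
    <cybox:Object id="cybox:object-6dc7fc5a-30c8-11e2-8011-000c291a73d5">
      <cybox:Defined_Object xsi:type="EmailMessageObj:EmailMessageObjectType">
        <EmailMessageObj:Attachments>
          <EmailMessageObj:File xsi:type="FileObj:FileObjectType"
              object_reference="cybox:object-6dcae276-30c8-11e2-8011-000c291a73d5"/>
        </EmailMessageObj:Attachments>
        <EmailMessageObj:Links>
          <EmailMessageObj:Link type="URL" object_reference="cybox:guid-6dcb5fda-30c8-11e2-8011-000c291a73d5"/>
          <EmailMessageObj:Link type="URL" object_reference="cybox:guid-6ec9050e-30c8-11e2-8011-000c291a73d5"/>
        </EmailMessageObj:Links>
        <EmailMessageObj:Header>
          <EmailMessageObj:To>
            <EmailMessageObj:Recipient category="e-mail">
              <AddressObj:Address_Value datatype="String">[email protected]</AddressObj:Address_Value>
            </EmailMessageObj:Recipient>
          </EmailMessageObj:To>
          <EmailMessageObj:From category="e-mail">
            <AddressObj:Address_Value datatype="String">[email protected]</AddressObj:Address_Value>
          </EmailMessageObj:From>
          <EmailMessageObj:Subject datatype="String">Fw:Draft US-China Joint Statement</EmailMessageObj:Subject>
          <EmailMessageObj:Date datatype="DateTime">2011-01-05T12:48:50+08:00</EmailMessageObj:Date>
          <EmailMessageObj:Message_ID datatype="String">
            CAF=+=fCSNqaNnR=wom=Y6xP09r_wfKjsm0hvY3wJYTGEzGyPkw@mail.gmail.com
          </EmailMessageObj:Message_ID>
        </EmailMessageObj:Header>
        <EmailMessageObj:Optional_Header>
          <EmailMessageObj:Content-Type datatype="String">multipart/mixed; boundary=90e6ba10b0e7fbf25104cdd9ad08</EmailMessageObj:Content-Type>
          <EmailMessageObj:MIME-Version datatype="String">1.0</EmailMessageObj:MIME-Version>
          <EmailMessageObj:X-Mailer datatype="String">Microsoft CDO for Windows 2000</EmailMessageObj:X-Mailer>
        </EmailMessageObj:Optional_Header>
      </cybox:Defined_Object>
    </cybox:Object>
  </cybox:Stateful_Measure>
</cybox:Observable>
"""


def local(name):
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]


def child(elem, *names):
    """Walk down a chain of child elements by local name; None if any step is missing."""
    for name in names:
        if elem is None:
            return None
        elem = next((c for c in elem if local(c.tag) == name), None)
    return elem


def children(elem, name):
    return [c for c in elem if local(c.tag) == name] if elem is not None else []


def text(elem, *names):
    node = child(elem, *names)
    return node.text.strip() if node is not None and node.text else None


def parse_email_observable(xml_text):
    """Pull the fields a defender can act on out of a CybOX email-message observable."""
    root = ET.fromstring(xml_text)
    msg = child(root, "Stateful_Measure", "Object", "Defined_Object")
    if msg is None:
        raise ValueError("not a Stateful_Measure/Object/Defined_Object observable")
    obj_type = next((v for k, v in msg.attrib.items() if local(k) == "type"), "")
    if not obj_type.endswith(":EmailMessageObjectType"):
        raise ValueError(f"unexpected object type {obj_type!r}")
    header = child(msg, "Header")
    return {
        "observable_id": root.get("id"),
        "from": text(header, "From", "Address_Value"),
        "to": [text(r, "Address_Value") for r in children(child(header, "To"), "Recipient")],
        "subject": text(header, "Subject"),
        "date": text(header, "Date"),
        "message_id": text(header, "Message_ID"),
        "x_mailer": text(msg, "Optional_Header", "X-Mailer"),
        "attachments": [f.get("object_reference") for f in children(child(msg, "Attachments"), "File")],
        "links": [l.get("object_reference") for l in children(child(msg, "Links"), "Link")],
    }


def indicators_from(parsed):
    """Flatten the parsed message into (type, value) pairs a mail gateway or SIEM can match on."""
    fields = [("email-sender", parsed["from"]), ("email-subject", parsed["subject"]),
              ("email-message-id", parsed["message_id"]), ("email-x-mailer", parsed["x_mailer"])]
    inds = [(t, v) for t, v in fields if v]
    inds += [("attachment-object-ref", ref) for ref in parsed["attachments"]]
    inds += [("link-object-ref", ref) for ref in parsed["links"]]
    return inds


if __name__ == "__main__":
    for kind, value in indicators_from(parse_email_observable(SAMPLE)):
        print(f"{kind:22} {value}")
```

The object_reference values are pointers to other CybOX objects in the same package (the attachment's File object with its hash, the two URL objects), so a real consumer resolves them before the indicator is actionable. Subject and X-Mailer are weak signals on their own; the Message-ID is unique to that one message and only helps if your mail logs retain it.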
HOW HUMANS VIEW INTELLIGENCE
(Relationship graph from the slide)

Threat Actor: Pamina Republic Army, Unit 31459
• Associated Actor: Leet (Electronic Address)
• Targets: Khaffeine, Bronxistan, Perturbia, Blahniks, ...
• Leverages Infrastructure: C2 Servers; IP Range: 172.24.0.0-112.25.255.255

Observed TTPs, in kill-chain order:
• Initial Compromise – Indicator: Spear Phishing Email; Observable: Sender: John Smith, Subject: Press Release
• Establish Foothold – Malware Behavior: WEBC2
• Escalate Privilege – Uses Tool: cachedump, lslsass; Indicator: MD5 d8bb32a7465f55c368230bb52d52d885
• Internal Reconnaissance – Attack Pattern: ipconfig, net view, net group "domain admins"
• Exfiltration – Uses Tool: GETMAIL

Hey Mom! Watch Me Pivot!
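The "watch me pivot" step as an added example in Python (not the slides' or Soltra's code): a small graph is built from the relationships in the diagram above, a constructed endpoint event carrying the slide's MD5 is matched against it, the match is pivoted up to the threat actor, and the actor is then expanded into the other things to hunt for. The relationship labels, the choice to attach the MD5 indicator to the Escalate Privilege TTP, the second target list and the telemetry field names are assumptions.

```python
from collections import defaultdict, deque

# Constructed relationship triples mirroring the slide's diagram. The names
# (Pamina Republic Army, Unit 31459, Leet, WEBC2, cachedump, lslsass, GETMAIL,
# Khaffeine, ...) are the slide's own illustrative example; the relationship
# labels and the placement of the MD5 indicator are assumptions.
EDGES = [
    ("Org:Pamina Republic Army", "has_unit", "ThreatActor:Unit 31459"),
    ("ThreatActor:Unit 31459", "associated_actor", "Persona:Leet"),
    ("ThreatActor:Unit 31459", "observed_ttp", "TTP:Initial Compromise"),
    ("TTP:Initial Compromise", "indicator", "Indicator:Spear Phishing Email"),
    ("Indicator:Spear Phishing Email", "observable", "Observable:email from 'John Smith', subject 'Press Release'"),
    ("ThreatActor:Unit 31459", "observed_ttp", "TTP:Establish Foothold"),
    ("TTP:Establish Foothold", "malware_behavior", "Malware:WEBC2"),
    ("ThreatActor:Unit 31459", "observed_ttp", "TTP:Escalate Privilege"),
    ("TTP:Escalate Privilege", "uses_tool", "Tool:cachedump"),
    ("TTP:Escalate Privilege", "uses_tool", "Tool:lslsass"),
    ("TTP:Escalate Privilege", "indicator", "Indicator:MD5 d8bb32a7465f55c368230bb52d52d885"),
    ("ThreatActor:Unit 31459", "observed_ttp", "TTP:Internal Reconnaissance"),
    ("TTP:Internal Reconnaissance", "attack_pattern", "AttackPattern:ipconfig / net view / net group \"domain admins\""),
    ("ThreatActor:Unit 31459", "observed_ttp", "TTP:Exfiltration"),
    ("TTP:Exfiltration", "uses_tool", "Tool:GETMAIL"),
    ("ThreatActor:Unit 31459", "targets", "Target:Khaffeine"),
    ("ThreatActor:Unit 31459", "targets", "Target:Bronxistan"),
    ("ThreatActor:Unit 31459", "leverages_infrastructure", "Infrastructure:C2 Servers"),
]

# How each matchable node shows up in telemetry: (event field, value to look for).
# Constructed for the example; the MD5 is the one printed on the slide.
MATCHABLE = {
    "Indicator:MD5 d8bb32a7465f55c368230bb52d52d885": ("md5", "d8bb32a7465f55c368230bb52d52d885"),
    "Observable:email from 'John Smith', subject 'Press Release'": ("email_subject", "Press Release"),
    "AttackPattern:ipconfig / net view / net group \"domain admins\"": ("cmdline", 'net group "domain admins"'),
}


def build_graph(edges):
    """Adjacency list with an inverse edge for every edge, so a pivot can walk up or down."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
        graph[dst].append(("^" + rel, src))
    return graph


def pivot(graph, start):
    """Breadth-first walk from one node; returns {reachable node: path of node/edge labels}."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in graph.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [rel, nxt]
                queue.append(nxt)
    return paths


def match_event(event):
    """Nodes whose telemetry value appears in a (constructed) endpoint or mail event."""
    return [node for node, (field, value) in MATCHABLE.items()
            if value.lower() in str(event.get(field, "")).lower()]


def attribute(graph, event):
    """Pivot from every matched node to the threat actors it is linked to."""
    actors = set()
    for node in match_event(event):
        actors.update(n for n in pivot(graph, node) if n.startswith("ThreatActor:"))
    return sorted(actors)


def hunt_list(graph, actor):
    """Every matchable node linked to an actor: what to search for next once attribution lands."""
    reach = pivot(graph, actor)
    return sorted(n for n in MATCHABLE if n in reach)


def explain(graph, start, target):
    """Human-readable path showing why start and target are linked."""
    return " ".join(pivot(graph, start).get(target, []))


if __name__ == "__main__":
    graph = build_graph(EDGES)
    # Constructed endpoint event: a file with the slide's MD5 landed on a workstation.
    event = {"host": "ws-042", "md5": "D8BB32A7465F55C368230BB52D52D885"}
    for actor in attribute(graph, event):
        print("attributed to:", actor)
        print("why:", explain(graph, match_event(event)[0], actor))
        print("now hunt for:", hunt_list(graph, actor))
```

A hash shared by several actors (a commodity tool) would pivot to all of them; that is the graph telling you the indicator is weak for attribution, and a production analyst weights paths by edge type and length rather than treating every link equally.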
STIX & TAXII… JUST THE BEGINNING
Cyber Security Measurement and Management Architecture (Source: MITRE): standards across the security lifecycle

STIX & TAXII Adoption Curve (maturity % over time): Awareness → Trial → Adoption → Ubiquity
Tooling along the curve: Excel/Notepad → Intelligence Server → Intelligence Network
YOU ARE HERE: Awareness
MATURING AN ECOSYSTEM
• Sharing Communities: ISACs, Government, Individuals
• Security Vendors: Service Providers, Vendor Products
• Consumers of Security Products and Intelligence: Large, Medium, Small
CHANGING THE ECONOMICS
Cyber Warfare Symmetry (chart: cost, min to max, against policy effectiveness; cost to defend vs. cost to attack)
• Current State of Cyber-Symmetry – advantage: attackers (unsophisticated adversaries can play)
• Future State of Cyber-Symmetry – advantage: defenders (only the most advanced can play)

Cost to Firms: The current cost to process a single piece of intelligence is 7 hours. Equal to 2014 = $100m; 2015 = $1b; 2016 = $4b.
Cost to Adversaries: Adversaries must "re-tool" much more often and their exploits cause less damage.
Risks from Cyber Threats: Frequency and impact of threats decrease, while higher adoption leads to exponential benefits.
CYBER INTELLIGENCE MATURITY

Level        Form                     Process                 Activity
DATA         Discrete Elements        PROCESSING              Aggregation and Normalization
INFORMATION  Linked Elements          ANALYSIS                Localized Data Correlation, Pattern Recognition
KNOWLEDGE    Organized Information    JUDGMENT                Some Contextual Knowledge, Deductive Reasoning
WISDOM       Actionable Intelligence  SITUATIONAL AWARENESS   Pro-Active Auto-Response

Increasing Situational Awareness => Increasing Cost to Adversaries

Levels of Cyber Intelligence
• Accessible: Far beyond just a select few that have access to organized data; an entire community can now be empowered.
• Enriched: Communities of industry verticals fight the same threats, and have the most to share about their adversaries.
• Actionable: Structured data can be understood by machines. Machines can detect, share, and make defensive adjustments at wire-speed.
HISTORY OF AVALANCHE
Security Automation Working Group
• Started in early 2012, prior to STIX 1.0
• Small group of security professionals
• Steadily grew STIX & TAXII awareness and involvement
• Started with an idea to automate sharing of intelligence
• Listened to security analysts – broke down the problem
• Prioritized and built in chunks – didn't boil the ocean
• Relied on open standards as the base and became STIX & TAXII experts
• Built an initial Central Intelligence Repository for the SAWG members
• Utilized scripts to pull data, then push data (the SAWG community helped a lot)
• Realized we needed not just a server and some client side scripts…
WHAT IS SOLTRA
A Company for the Community
• Increasing adoption of STIX & TAXII to reduce friction in security operations
• Formed with the support of the FS-ISAC community & backing of DTCC
• Scalability
• Market Changing – created for the good of the information security consumer
• At-Cost Business Model – generates revenue just to keep the lights on
Continue Driving the Technology
• Innovate on open standards to automate the sharing of cyber threat intelligence
• A Platform for Everyone – can be extended to all sizes of financial services firms, other sharing communities and industry verticals
• Enabling seamless integration across security lifecycle solutions (threat intelligence, firewalls, intrusion detection, anti-virus, etc.)
• 10x reduction to collect/process intelligence & cost to respond
SOLTRA | AN FS-ISAC DTCC COMPANY
SOLTRA EDGE OVERVIEW
Basis for a Cyber Intelligence Sharing Network
• Like an Intelligence Server and Router
• Big Data STIX Store; Sends & Receives via TAXII with Access Control
Key Features
• Instant Aggregation of Intelligence from Sources You Choose
• On-Premise – you own and control your data and sharing
• Collect, Process, and Disseminate (Internal & External) to Standards-Based Devices
• De-Duplication and Automatic Sightings (+1)
• Trust Groups and Traffic Light Protocol Control Data Access
• Hides Complex STIX & TAXII with simple user interface
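De-duplication, automatic sightings and TLP/trust-group gating as one added example in Python (this is not Soltra Edge's code; it is a sketch of the behaviour the feature list describes). Indicators are normalized to a canonical key so the same hash, address or domain from different members lands on one record, every repeat submission is recorded as a sighting, and dissemination releases only the contributions whose marking fits the channel and whose trust group the consumer belongs to. The sources, trust-group names and feed rows are constructed; the MD5 is the one shown earlier in the deck, and the IP and domain come from reserved documentation ranges.

```python
from dataclasses import dataclass, field

# Traffic Light Protocol colours as used in 2015, ranked by restrictiveness.
TLP_RANK = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}


def normalize(ind_type, value):
    """Canonical key for an indicator so the same thing from two feeds lands on one record."""
    v = value.strip()
    if ind_type in ("md5", "sha1", "sha256"):
        v = v.lower()
    elif ind_type == "domain":
        v = v.lower().rstrip(".")
    elif ind_type == "ipv4":
        v = ".".join(str(int(octet)) for octet in v.split("."))  # "203.000.113.010" -> "203.0.113.10"
    return ind_type, v


@dataclass
class Contribution:
    source: str   # who submitted it
    group: str    # trust group the submission was shared into
    tlp: str      # marking the submitter put on it


@dataclass
class Record:
    ind_type: str
    value: str
    contributions: list = field(default_factory=list)


class IntelStore:
    """Aggregates indicators; a repeat submission is a sighting, not a duplicate record."""

    def __init__(self):
        self.records = {}

    def ingest(self, source, group, tlp, ind_type, value):
        if tlp not in TLP_RANK:
            raise ValueError(f"unknown TLP marking {tlp!r}")
        key = normalize(ind_type, value)
        status = "sighting" if key in self.records else "new"
        rec = self.records.setdefault(key, Record(*key))
        rec.contributions.append(Contribution(source, group, tlp))  # automatic +1
        return status

    def disseminate(self, consumer_groups, channel_tlp):
        """What a consumer may receive over a channel cleared up to channel_tlp.

        A contribution is released only if its marking fits the channel and the
        consumer is in the trust group it was shared into (TLP:WHITE needs no group).
        Sighting counts and source lists cover released contributions only, so a
        RED sighting never leaks through an AMBER channel as a "+1".
        """
        allowed = TLP_RANK[channel_tlp]
        groups = set(consumer_groups)
        out = []
        for rec in self.records.values():
            visible = [c for c in rec.contributions
                       if TLP_RANK[c.tlp] <= allowed and (c.tlp == "WHITE" or c.group in groups)]
            if visible:
                out.append({
                    "type": rec.ind_type,
                    "value": rec.value,
                    "tlp": max((c.tlp for c in visible), key=TLP_RANK.__getitem__),
                    "sightings": len(visible),
                    "sources": sorted({c.source for c in visible}),
                })
        return sorted(out, key=lambda r: (r["type"], r["value"]))


# Constructed submissions: (source, trust group, TLP, type, value). The MD5 is the
# one on the slide; the IP and domain are from reserved documentation ranges.
FEED = [
    ("FirmX-SOC",     "fs-isac-core", "AMBER", "md5",    "D8BB32A7465F55C368230BB52D52D885"),
    ("CompanyY-CIRC", "fs-isac-core", "AMBER", "md5",    "d8bb32a7465f55c368230bb52d52d885"),
    ("Vendor-Feed",   "vendor-subs",  "GREEN", "md5",    " d8bb32a7465f55c368230bb52d52d885 "),
    ("FirmX-SOC",     "fs-isac-core", "RED",   "ipv4",   "203.000.113.010"),
    ("CompanyY-CIRC", "fs-isac-core", "RED",   "ipv4",   "203.0.113.10"),
    ("Vendor-Feed",   "vendor-subs",  "WHITE", "domain", "Update-Check.Example."),
    ("FirmX-SOC",     "fs-isac-core", "AMBER", "domain", "update-check.example"),
]


def load(feed):
    store = IntelStore()
    statuses = [store.ingest(*row) for row in feed]
    return store, statuses


if __name__ == "__main__":
    store, statuses = load(FEED)
    print("ingest:", statuses)
    for who, groups, tlp in [("FS-ISAC member", ["fs-isac-core"], "AMBER"),
                             ("peer with RED clearance", ["fs-isac-core"], "RED"),
                             ("vendor subscriber", ["vendor-subs"], "GREEN"),
                             ("anyone", [], "WHITE")]:
        print(who, "->", store.disseminate(groups, tlp))
```

The design choice worth noting: sighting counts are computed over the contributions the consumer is allowed to see, not over the whole record, otherwise an AMBER consumer would learn that a RED-only source has also seen the indicator. The marking on the released record is the most restrictive of the contributions it was built from.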
SOLTRA EDGE – The Center of an Open Framework
• Primary Data Store for Structured Intelligence
• Connects your STIX and TAXII enabled tools
SOLTRA EDGE – Foundation of a Security Network
• Structured Intelligence Server and Router
• Can act as a TAXII Gateway to other STIX sources