The MITRE Corporation: Federated Analysis of Cyber Threats (FACT) · 2015-09-03 · MITRE, cyber threat intelligence, STIX, Information Security Analysis Teams (ISATs), CRITS, CyCS


Page 1

© 2015 The MITRE Corporation. All rights reserved.

Jackson Wynn

Federated Analysis of Cyber Threats (FACT) Capstone Overview

The MITRE Corporation

July 2015

[Figure: One of five U.S. Air Force Air and Space Operations Centers (AOCs). Source: http://www.mitre.org/publications/project-stories/smaller-computer-footprint-in-air-force-operations-centers-boosts-effectiveness]

Approved for Public Release: 15-2008. Distribution Unlimited.

Page 2

Federated Analysis of Cyber Threats (FACT)

Explores the exchange of cyber threat intelligence developed from cyber incident analysis and response
– Exchange of threat indicators and adversary TTPs among mission partners
– Cyber incident reporting
– Mitigation best practices released to acquisition organizations
– Distribution of cyber playbook and mission model data

Imports and exports cyber threat intelligence in an industry-standard XML format (STIX™)

Page 3

Modeling the Decision Lifecycle: Observe, Orient, Decide, Act (OODA) Loop [1]

The time from initial indicator to response is a Key Performance Parameter (KPP).

“In order to win, we should operate at a faster tempo or rhythm than our adversaries...” Col John Boyd [2]

[1] Observe, Orient, Decide, Act (OODA) loop: https://en.wikipedia.org/wiki/OODA_loop
[2] Boyd, J., “Patterns of Conflict”, presentation, December 1986. http://www.dnipogo.org/boyd/patterns_ppt.pdf

Page 4

OODA Loops in Cyber Incident Handling

[Figure: a short-turn OODA loop and a long-turn OODA loop mapped onto the incident handling processes of CJCSM 6510.01B and NIST SP800-61r2.]

OODA loop response timeframes:
– Automated response: milliseconds, seconds, minutes
– Operations response: hours, days, weeks
– Acquisition response: months, years, decades

Page 5

FACT Tool Use Cases

Tool support for Information Security Analysis Teams (ISATs)
– Support identification of TTPs and potential mission impacts with a tempo that allows mitigations to be enacted without disrupting mission operations
– Respond to intrusions more effectively using team structures that leverage federated analysis capabilities, enabled through information sharing

Reachback to leverage national assets that provide malware analysis and reverse engineering, coordinated response, etc.

[Figure: U.S. Army Cyber Command; Navy Cyber Defense Operations Command. Image sources: http://cybersecuritydojo.com/2015/03/28/ and http://www.defense.gov/news/newsarticle.aspx?id=119470]

Page 6

FACT Operational Context

[Figure: FACT Operational Context. Boxes: Audit and Logging; Continuous Monitoring; SIEM repository of alert and event info; Trouble ticketing and IT Support (Remedy); Cyber Incident Analysis and Response (FACT); Cyber Threat Intelligence Sharing. Data flows are labelled Threat Indicators, Mitigation Best Practices, and Incident Data. The FACT Capstone Scope is outlined within the diagram.]

Page 7

MITRE-Developed Tools Integrated into FACT: CRITS, CyCS, and TARA

Collaborative Research into Threats (CRITS): used to analyze SIEM and sensor data to identify and correlate cyber threat indicators with campaigns (intrusion sets) and threat actors.

Cyber Command System (CyCS): used to assess mission impact based on a mission model reflecting the mission’s functional decomposition and allocation to cyber resources.

Threat Assessment and Remediation Analysis (TARA) Playbook: used to store cyber threat indicators, adversary TTPs, and defensive countermeasures to support analysis of threats and selection of alternative Courses of Action (COAs) in response to cyber incidents.

Page 8

Tool Functional Integration

[Figure: functional integration of CRITS, Playbook, and CyCS. The legend distinguishes view transitions from data exchanges, and Incident Analysis from Incident Response. Items exchanged: Indicator; Adversary TTPs; COAs; Playbook; Training; an Event containing indicators, IP addresses, campaign, etc.]

Page 9

FACT “As Is” Architecture

[Figure: CRITS, CyCS, and TARA Playbook deployed across an Ubuntu VM and a Windows VM with OpenLDAP and MongoDB, reached from an Operator Browser over https. Data labels: Events; Threat indicators; Adversary TTPs, Courses of Action (COAs); Mission and resource dependencies, etc.; COA Best Practices; Mission Model; Incidents; Incident data; Threat indicators, actors, campaigns, events, etc.]

Page 10

STIX™ as a Unifying Data Model

[Figure: the STIX™ data model (http://stix.mitre.org/). Legend: maintained, imported, and exported in CRITS; maintained and exported from CyCS; maintained, imported, and exported in TARA.]

CRITS, CyCS, and TARA each support subsets of the STIX™ data model, making STIX™ a unifying influence in the integration of these tools.
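The STIX™ import/export on page 2 and the per-tool subsets on this page, as an added example that is not code from the FACT deck or from CRITS, CyCS, or TARA: the Python below reads a constructed STIX 1.x package and splits it into the indicator subset (the watch-list data CRITS correlates) and the TTP/COA subset (the playbook data TARA keeps), resolving the cross-references between them. The namespace URIs are the real STIX 1.x/CybOX 2.x ones; the ids, titles, and the TEST-NET address are placeholders.

```python
# Added example, not MITRE's FACT/CRITS/TARA code: split a STIX 1.x package into per-tool subsets.
import xml.etree.ElementTree as ET
NS = {  # real STIX 1.x / CybOX 2.x namespace URIs used in the XPath queries below
    "stix": "http://stix.mitre.org/stix-1", "stixCommon": "http://stix.mitre.org/common-1",
    "indicator": "http://stix.mitre.org/Indicator-2", "ttp": "http://stix.mitre.org/TTP-1",
    "coa": "http://stix.mitre.org/CourseOfAction-1",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2"}
# Constructed sample package: the ids, titles and the TEST-NET address are placeholders, not real IoCs.
SAMPLE_PACKAGE = """<stix:STIX_Package version="1.2" id="example:Package-1"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:stix="http://stix.mitre.org/stix-1" xmlns:stixCommon="http://stix.mitre.org/common-1"
  xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:ttp="http://stix.mitre.org/TTP-1"
  xmlns:coa="http://stix.mitre.org/CourseOfAction-1" xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Title>Beacon to suspected C2 address (constructed)</indicator:Title>
      <indicator:Observable><cybox:Object><cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
        <AddressObj:Address_Value condition="Equals">192.0.2.77</AddressObj:Address_Value>
      </cybox:Properties></cybox:Object></indicator:Observable>
      <indicator:Indicated_TTP><stixCommon:TTP idref="example:ttp-1"/></indicator:Indicated_TTP>
      <indicator:Suggested_COAs><indicator:Suggested_COA>
        <stixCommon:Course_Of_Action idref="example:coa-1"/></indicator:Suggested_COA></indicator:Suggested_COAs>
    </stix:Indicator>
  </stix:Indicators>
  <stix:TTPs><stix:TTP id="example:ttp-1" xsi:type="ttp:TTPType">
    <ttp:Title>Periodic HTTPS beaconing from a workstation</ttp:Title></stix:TTP></stix:TTPs>
  <stix:Courses_Of_Action><stix:Course_Of_Action id="example:coa-1" xsi:type="coa:CourseOfActionType">
    <coa:Title>Block the address at the boundary firewall</coa:Title></stix:Course_Of_Action>
  </stix:Courses_Of_Action>
</stix:STIX_Package>"""

def titles(root, path, tag):  # map element id -> Title text for every element matched by path
    return {e.get("id"): e.findtext(f"{tag}:Title", namespaces=NS) for e in root.iterfind(path, NS)}

def split_package(xml_text):
    """Return the indicator subset (CRITS) and the TTP/COA subsets (TARA), with idrefs resolved."""
    root = ET.fromstring(xml_text)
    ttps = titles(root, "stix:TTPs/stix:TTP", "ttp")
    coas = titles(root, "stix:Courses_Of_Action/stix:Course_Of_Action", "coa")
    indicators = [{
        "id": ind.get("id"), "title": ind.findtext("indicator:Title", namespaces=NS),
        # watch-list values CRITS would correlate against SIEM and sensor data
        "addresses": [a.text for a in ind.iterfind(".//AddressObj:Address_Value", NS)],
        # idrefs resolved against the TTP and COA subsets; a dangling idref yields None
        "ttps": [ttps.get(r.get("idref")) for r in ind.iterfind("indicator:Indicated_TTP/stixCommon:TTP", NS)],
        "coas": [coas.get(r.get("idref")) for r in ind.iterfind(".//stixCommon:Course_Of_Action", NS)],
    } for ind in root.iterfind("stix:Indicators/stix:Indicator", NS)]
    return {"indicators": indicators, "ttps": ttps, "coas": coas}
```

A dangling idref (an indicator that points at a TTP or COA the receiving tool never imported) shows up as None, which is the case an importer that only handles its own subset of the model has to expect.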

Page 11

Benefits

Faster operator response to cyber-attack, with better understanding of mission impacts and mitigations
– Use of CRITS facilitates correlation of threat indicators with known bad actors and targeted cyber resources.
– Integration of CRITS with CyCS expands awareness of the potential mission impact(s) resulting from compromise of cyber resources.
– Use of a playbook promotes systematic analysis of alternative courses of action (COAs) when responding to cyber threats.

Long-term objective to establish a federated repository of cyber threat intelligence that can be shared within the DoD community
– Sharing of cyber threat intelligence with mission partners is a prerequisite to development of proactive cyber defensive strategies.
– Use of industry-standard data models and exchange formats (STIX™) promotes interoperability with commercial products.

Acquisition of more resilient systems that implement “tried and true” mitigations for real-world cyber attacks
– Mitigation best practices applied operationally can inform the acquisition community of potential gaps and areas for improvement.

Page 12

ISAT Use of FACT Tools in Cyber Incident Analysis and Response

[Figure: ISAT activities, the analyst roles that perform them, and the FACT tools that support them. Activities (role): Watch List Maintenance (intelligence analyst); Threat Data Correlation and Attribution (cyber security analyst); Cyber Threat Sharing (intelligence analyst); Root cause analysis, Mission impact analysis, Forensic analysis (cyber security analyst); COA Selection and Incident Report Production (incident manager); Mission Dependency Analysis (cyber security analyst); Trouble Ticket Creation (incident manager); Incident Trends Analysis (incident manager); Cyber Threat Modeling (cyber security analyst). Systems: SIEM (Continuous Monitoring Function); CRITS; CyCS; Cyber Playbook; Remedy (Incident Management); Indicator Watch List. Data labels: Filtered SIEM log data; Cyber Threat Intelligence; Mission Model; Mission and resource dependencies; Campaign data; Threat indicators, campaigns, threat actors; Targeted resource(s); Tradecraft details, e.g., threat indicators, attribution, etc.; Adversary TTP(s); Mission Impacts; Alternative COAs; COA selected; Threat Model Indicators, Adversary TTPs, Countermeasures; Guidance for Acquisitions.]