1. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
STIX Introduction
What is STIX and why is it relevant?
2. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Balance of Inward & Outward Focus
Traditional approach to security has been inward focused
– Understand ourselves: find all vulnerabilities, fix all vulnerabilities, et
voila we are magically “secure”
– This is based on a fallacy that we can know and/or fix all vulnerabilities
– Inward focus (hygiene) is necessary but inadequate.
Need for a balancing outward focus on understanding the
adversary, their motivation, tactics, activity to make intelligent and
realistic defense decisions.
| 1 |
3. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Proactive & Reactive Actions Needed
Many attacks today are increasingly complex and multistage.
Current visibility and ability to act is typically after exploit has
occurred
– Response is important but inadequate alone
Need to balance response with proactive detection and
prevention of pre-exploit activity
| 2 |
Recon
Weaponize
Deliver
Exploit
Control
Execute
Maintain
Kill Chain or Cyber Attack Lifecycle
4. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Need for Holistic Threat Intelligence
Effective understanding, decision-making and action require a
holistic picture of both ourselves and the adversary.
– What are our assets? What are our missions and activities? What is our
attack surface? Where are we vulnerable?
– Who is the adversary? Where are they acting? How are they acting? What
does it look like when they act? What are they targeting? What actions
should we take to mitigate their actions?
This is holistic threat intelligence
| 3 |
5. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Need for Information Sharing
Holistic threat intelligence is not a single player sport
It depends on access to a wide range of information and no single
entity, no matter how large, has the full picture to be consistently
predictive or effective in prevention.
It requires sharing of information between interested parties.
– Sharing applies both internally and externally
– Sharing is not completely new but is typically focused on very atomic, limited-
sophistication indicators (IP lists, file hashes, URLS, email addresses, etc.)
– Most sharing is unstructured and human-to-human
– There is a need to share more sophisticated behavioral and contextual information
How can my detection today aid your prevention tomorrow?
| 4 |
6. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Cost to Adversary
Trivial/cheap
to hop between
IP addresses
Slightly more
expensive to hop
between
domains
Difficult &
expensive:
Changing tactics and
procedures to evade
behavioral detection
| 5 |
7. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Need for Automation
Massive amounts of information, diverse sharing partners, rapid
tempo of attack and need to respond at machine speed require
automation
Human interpretation and decision will always be involved but
we need to assist them in this by letting machines do what
machines do well.
| 6 |
8. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Pulling it All Together
Pursuing holistic threat intelligence
Sharing of information among a diverse set of players
Leveraging automation throughout
Standardized Representation of
Cyber Threat Information
STIX is intended to address this issue
| 7 |
9. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
What is STIX?
A language for the characterization and communication of
cyber threat information
– NOT a sharing program, database, or tool
…but supports all of those uses and more
Developed with open community feedback
Supports
– Clear understandings of cyber threat information
– Consistent expression of threat information
– Automated processing based on collected intelligence
– Advance the state of practice in threat analytics
| 8 |
10. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Analyzing Cyber Threats
Specifying Indicator Patterns for Cyber Threats
Managing Cyber Threat Operations/Response Activities
– Cyber Threat Prevention
– Cyber Threat Detection
– Incident Response (investigation, digital forensics, malware analysis,
etc.)
Sharing Cyber Threat Information (internally and externally)
| 9 |
Use Cases
11. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
STIX provides a common mechanism for addressing structured cyber threat
information across and among this full range of use cases improving consistency,
efficiency, interoperability, and overall situational awareness.
STIX Use Cases Cover a Broad Spectrum
| 10 |
12. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
What is “Cyber (Threat) Intelligence?”
Consider these questions:
What activity are we seeing?
What threats should I look for on my
networks and systems and why?
Where has this threat been seen?
What does it do?
What weaknesses does this threat exploit?
Why does it do this?
Who is responsible for this threat?
What can I do about it?
| 11 |
13. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
STIX Architecture
| 12 |
14. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
| 13 |
Observable
Primary intent:
Primary content:
– Title/Description
– Information source
Who, when, where, how (tools), etc.
– Object, Event or Composition
Object
– Description
– Properties (extensible with
different object types)
» Each property can
express observed
value or rich
patterning for potential
observations
– Location
– Related Objects
Event
– Type
– Description
– Actions
» Type
» Name
» Arguments
» Location
» Associated objects
» Related actions
– Location
Composition
– Observables combined
using logical operators
(And/Or)
– Convey specific instances of cyber observation (either static or dynamic) or
patterns of what could potentially be observed.
15. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
■ Account
■ Address
■ API
■ Archive File
■ ARP Cache Entry
■ Artifact
■ Autonomous System
■ Code
■ Custom
■ Device
■ Disk
■ Disk Partition
■ DNS Query
■ DNS Record
■ DNS Cache
■ Domain Name
■ Email Message
■ File
■ GUI
■ GUI Dialog Box
■ GUI Window
■ Hostname
■ HTTP Session
■ Image
■ Library
■ Link
■ Linux Package
■ Memory
■ Mutex
■ Network Connection
■ Network Flow
■ Network Packet
■ Network Route Entry
■ Network Route
■ Network Subnet
■ PDF File
■ Pipe
■ Port
■ Process
■ Product
■ Semaphore
■ SMS
■ Socket
■ Socket Address
■ System
■ Unix File
■ Unix Network Route Entry
■ Unix Pipe
■ Unix Process
■ Unix User Account
■ Unix Volume
■ URI
■ URL History
■ User Account
■ User Session
■ Volume
■ Whois
■ Win Computer Account
■ Win Critical Section
■ Win Driver
CybOX v2.1 Objects
■ Win Event
■ Win Event Log
■ Win Executable File
■ Win File
■ Win Filemapping
■ Win Handle
■ Win Hook
■ Win Kernel
■ Win Kernel Hook
■ Win Mailslot
■ Win Memory Page Region
■ Win Mutex
■ Win Network Route Entry
■ Win Pipe
■ Win Network Share
■ Win Prefetch
■ Win Process
■ Win Registry Key
■ Win Semaphore
■ Win Service
■ Win System
■ Win System Restore
■ Win Task
■ Win Thread
■ Win User Account
■ Win Volume
■ Win Waitable Timer
■ X509 Certificate
(more on the way)
| 14 |
16. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
| 15 |
Observable
Simple examples
– A file with particular MD5 hash is seen
– An incoming network connection is seen from a particular IP address
– A particular registry key is modified
– A particular process is killed
– A pattern that might be seen for an email with a particular subject line and with a
.PDF file attached
– A pattern for an HTTP Get with a particular user agent
17. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
| 16 |
Indicator
Primary intent:
Primary content:
– Title/Description/ShortDescription
– Type of Indicator
– Valid time range
– Observable pattern
– Indicated TTP
– Test mechanisms
Non-CybOX pattern representation
(e.g. Snort, Yara, OpenIOC)
– Suggested course of action
– Confidence
– Sightings
– Kill chain phases
– Handling
– Information source
– Convey specific Observable patterns with contextual information intended to
represent artifacts and/or behaviors of interest (“indicated” TTPs) within a cyber
security context
18. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
| 17 |
Indicator
Simple examples
– If network traffic is seen from a particular range of IP addresses it indicates a
DDoS attack
– If a file is seen with a particular SHA256 hash it indicates the presence of Poison
Ivy
– If an email is seen with an attached file that has a particular string in the filename
and has a particular MD5 hash it indicates a phishing attack associated with a
particular campaign
– If an outgoing network connection to 218.077.079.034 is seen within the next week
there is a medium confidence that it indicates exfiltration from a Zeus infection
– If HTTP traffic is seen with particular characteristics including a particular user
agent it indicates a particular form of data exfiltration is occuring.
19. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Primary intent:
Primary content:
– Title/Description/ShortDescriptio
n
– Granular milestone timestamps
– Categories
– Role identities (CIQ extensible)
Reporter/Responder/Coordinator
– Victim identity (CIQ extensible)
– Affected assets
– Impact assessment
– Status
– Related Indicators
– Related Observables
– Leveraged TTPs
| 18 |
Incident
– Attributed Threat Actor
– Intended effect
– Security compromise
– Course of Action requested/taken
– Confidence
– Contact information
– History
Action entries
Journal entries
– Handling
– Information source
– Convey details of specific security events affecting an organization(s) along with
information discovered or decided during an incident response investigation
20. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Simple example
– A laptop assigned to Joe Smith was found on 4/30/14 to be
infected with a specific variant of Zeus using a specific range of
IPs for C2.
– The investigation coordinated by Jane Jones found that the initial
infection came from a phishing attack with malicious attachment
on 4/28/14.
– Authentication credentials to the FooBar system were found to
be compromised and exfiltrated to 123.54.33.234 on 4/29/14.
| 19 |
Incident
21. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Primary intent:
Primary content:
– Title/Description/ShortDescription
– Intended effect
– Behavior
Attack patterns (CAPEC
extensible)
Malware (MAEC extensible)
Exploits
– Resources
Tools
Infrastructure
Personas (CIQ extensible)
| 20 |
Tactics, Techniques & Procedures (TTP)
– Victim targeting
Identity (CIQ extensible)
Targeted systems
Targeted information
Technical targeting
– Exploit targets
– Related TTP
– Kill chains
– Handling
– Information source
– Convey details of the behavior or modus operandi of cyber adversaries (e.g. what do
they do, what do they use to do it, who do they target, what do they target)
22. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Simple examples
– Characterization of a particular variant of Zeus
– Characterization of a particular attack pattern leveraging a
particular form of system misconfiguration for post-exploit lateral
movement and privilege escalation
– Characterization of particular range of IP address used for C2
infrastructure
– Characterization of LOIC as a tool used for DoS attacks
– Characterization of project managers on a particular defense
program being targeted
– Characterization of HR information on Oracle 10i systems being
targeted
| 21 |
Tactics, Techniques & Procedures (TTP)
23. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Primary intent:
Primary content:
– Title/Description/ShortDescription
– Vulnerability (CVRF extensible)
Title/Description/ShortDescription
CVE ID
OSVDB ID
Source
CVSS score
Discovered date/time
Published date/time
Affected software
| 22 |
Exploit Target
– Weakness
– Configuration
– Potential Courses of Action
– Handling
– Information source
– Convey vulnerabilities or weaknesses in software, systems, networks or
configurations that may be targeted for exploitation by the TTP of a ThreatActor
24. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Simple example
– CVE-2014-0160 (Heartbleed vulnerability in OpenSSL)
– Characterization of a 0-day vulnerability in a particular Industrial
Control System valve actuator
– Characterization of a system design weakness enabling
asymmetric resource consumption (amplification) attacks (CWE-
405)
– Characterization of a particular configuration of MongoDB that
makes its management console vulnerable to particular injection
attacks
| 23 |
Exploit Target
25. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Primary intent:
Primary content:
– Title/Description/ShortDescription
– Names
– Intended effect
– Status
– Related TTPs
– Related Incidents
| 24 |
Campaign
– Attribution (Threat Actor(s))
– Associated Campaigns
– Confidence
– Handling
– Information source
– Convey perceived instances of Threat Actors pursuing an intent, as observed through
sets of Incidents and/or TTP, potentially across targeted organizations
26. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Simple example
– Characterization of the Operation Aurora campaign including
Its victim targeting of Google, Adobe, Juniper, Rackspace, etc.
Specific Incidents in the campaign
Particular malware and attack pattern TTPs leveraged
Particular IP addresses and Domain Names used infrastructure (TTP)
Asserted attribution to particular Chinese Threat Actors with ties to the
PLA
Asserted intent/motivation to access and potentially modify source code
repositories
| 25 |
Campaign
27. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Primary intent:
Primary content:
– Title/Description/ShortDescription
– Identity (CIQ extensible)
– Type of actor
– Motivation
– Sophistication
– Intended effect
– Planning and operational support
| 26 |
Threat Actor
– Observed TTPs
– Associated Campaigns
– Associated Threat Actors
– Confidence
– Handling
– Information source
– Convey characterizations of malicious actors (or adversaries) representing a cyber
attack threat including presumed intent and historically observed behavior
28. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Simple example
– Characterization of Mandiant-dubbed APT1 including
Assertions of it identity as Unit 61398 within the Chinese PLA
Assertions to specific locations associated (address in Shanghai)
Assertions to region (China), languages (Chinese&English), targeted
qualifications, etc.
Assertions that it is the same Threat Actor also known by the names
Comment Crew, Comment Group and Shady Rat
Assertions identifying particular individual Threat Actors associated with
APT1
Asserted characterization of the intent/motivation oriented around trade
secrets and business advantage
Assertions of particular TTP observed leveraged by APT1
| 27 |
Threat Actor
29. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Primary intent:
Primary content:
– Title/Description/ShortDescription
– Stage (preventative or responsive)
– Type of action to be taken
– Parameter Observables
Structured parameters for the action
– Objective
| 28 |
Course of Action
– Impact
– Cost
– Efficacy
– Handling
– Information source
– Convey specific actions to address threat whether preventative to address Exploit
Targets, or responsive to counter or mitigate the potential impacts of Incidents
30. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Simple examples
– Block outgoing network traffic to 218.077.079.034
– Redirect network traffic to/from 218.077.079.034 to denial/deception network
– Quarantine system containing file with MD5 = 2d75cc1bf8e57872781f9cd04a529256
– Reimage system to baseline
| 29 |
Course of Action
31. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Expressing Relationships
“Bad Guy”
ObservedTTP
Backdoor
Infrastructure
Badurl.com,
10.3.6.23, …
“BankJob23”
RelatedTo
Indicator-985
Observables
MD5 hash…
RelatedTo
CERT-2013-03…
Indicator-9742
Observables
Email-Subject:
“Follow-up”
| 30 |
32. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Pamina Republic
Army
Unit 31459
l33t007@badassin.com
Associated ActorLeet
Electronic Address
Initial Compromise
Indicator Observable
Spear Phishing Email
Establish Foothold
Observed TTP
Observed TTP
WEBC2
Malware
Behavior
Escalate Privilege
Observed TTP
Uses Tool
Uses Tool
cachedump
lslsass
MD5:
d8bb32a7465f55c368230bb52d52d885
Indicator
Observed TTP
Internal
Reconnaissance
Attack Pattern
ipconfig
net view
net group “domain admins”
Observed TTP
Exfiltration
Uses Tool
GETMAIL
Targets
Khaffeine
Bronxistan
Perturbia
Blahniks
. . .
Leverages
Infrastructure
IP Range:
172.24.0.0-112.25.255.255
C2 Servers
Observable
Sender: John Smith
Subject: Press Release
Expressing Relationships in STIX
| 31 |