Cyber Intelligence Repository Overview FS-ISAC SAWG 22Mar2013


Page 1

Cyber Intelligence Repository

Overview

FS-ISAC SAWG 22Mar2013

Page 2

SAWG (Repository) Introduction

• Driving forces in a changing InfoSec landscape
  – Increase in malicious activity and level of sophistication across more attack surfaces

• Creates need for faster response time
  – Gathering information is the first step
  – Improve sharing of cyber threat information capability
  – In large volume, high quality, and as fast as possible
  – Security standards are fundamental: TAXII, STIX, CybOX, etc.

• We are building a Repository to achieve a vision where disseminating critical security information is structured and near instantaneous

Page 3

InfoSec Sharing at Wire-Speed

[Diagram: FS-ISAC at the hub, exchanging with Trusted Others (US CERT, DSIE, Other ISACs) and with member FIs]

ISAC – Information Sharing Analysis Center
FI – Financial Institution
US-CERT – US Computer Emergency Response Team
DSIE – Defense Security Information Exchange

Sharing Cyber-Intelligence with Trusted Partners
• Standards based for machine-to-machine communication
• Central ISAC repositories serve as hubs
• “Internal Repositories” to connect, filter & distribute inside FIs

Page 4

[Diagram: the FS-ISAC Repository connected over STIX & TAXII Standards to several Financial Institutions, each running an “Internal Repository”]

Connecting FS-ISAC members with STIX & TAXII
• Repository built on STIX expressive language
• Utilizes TAXII services for transmission

STIX Constructs Utilized:
• Observable (in CybOX)
  › Artifacts
  › Sightings
• Indicator
• TTP
• Campaign
• ThreatActor

[See Appendix on STIX for full list of Constructs]

Page 5

Faster Time to Action

[Diagram: the FS-ISAC Repository (Structured Cyber Threat Intelligence; Aggregate & Add Context) and Other Sources feed the Internal Organization’s “Internal Repository” (Connect, Filter, Structure, Distribute), which supports Detect Threats, Analyze Risk, Respond, Reduce and Actions; overall flow: Detect – Structure – Share – Analyze – Action]

Speeding the flow of Threat Intelligence
Ultimately, certain threat data will be automatically distributed, filtered/analyzed, and made actionable.

Page 6

Road Map

Repository
• May 2013 – Version 1.0 – FS-ISAC Summit Launch
  - TAXII enabled to download from Repository
  - Support of 7 Object Types
• July 2013 – Version 1.x – Machine to Machine
  - Full TAXII service up/down loading
  - Anonymous Submissions
  - Many Object Types
• Late 2013 – Version 2.0 – Attribution and Federation
  - TTP, Campaign and ThreatActor
  - Trust Groups
  - Synching

Integration / Analysis
• 2012 – Implementing STIX Architecture
• Prior to Summit – Early Adopters
  - Pulling data from Repository
• Mid-Late 2013 – More Mainstream Adoption
  - Able to pull & push data with additional features
• Late 2013 – Version 2.0
  - Email Targeting

Page 7

What you are looking for:
• Who was doing it?
• Why were they doing it?
• What exactly were they doing?
• What were they looking to exploit?
• Where was it seen?
• Why should you care about it?
• What should you do about it?

Appendix – STIX

8 Constructs of Structured Threat Information eXpression (STIX):
• Observable
• Indicator
• Tactics, Techniques, and Procedures (TTP)
• Incident
• ExploitTarget
• Campaign
• ThreatActor
• Course of Action (COA)

Source: The MITRE Corporation, stix.mitre.org

Collaborative community-driven effort to define and develop a standardized language to represent structured cyber threat information. Intended to convey the full range of potential cyber threat information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible.

Page 8

Appendix – TAXII

Source: The MITRE Corporation, taxii.mitre.org

Trusted Automated eXchange of Indicator Information (TAXII)
• Goal to facilitate the exchange of structured cyber threat information
• Designed to support existing sharing paradigms in a more automated manner
• TAXII is a set of specifications defining the network-level activity of the exchange
  – Defines services and messages to exchange data
  – Does NOT dictate HOW data is handled in the back-end, WHAT data is shared or WHO it is shared with
  – TAXII is NOT a sharing program
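The STIX constructs listed on page 4 and the TAXII description above both stop short of showing what a member's "Internal Repository" does once a message arrives. The following is an added example, not FS-ISAC's or MITRE's code: it parses a TAXII 1.1 Poll_Response carrying a STIX 1.x package, resolves the Indicator's Observable, its Indicated_TTP and the ThreatActor observed using that TTP by idref, and applies a sightings threshold as the "filter" step before address observables are handed to an FI's own controls. Namespaces follow the STIX 1.1.1, CybOX 2.1 and TAXII 1.1 XML bindings, which are later than this March 2013 deck; every id, title, address and timestamp in the sample is a constructed placeholder, and the function names are my own.

```python
"""Added example (not FS-ISAC or MITRE code): parse a TAXII 1.1 Poll_Response carrying a
STIX 1.x package, resolve constructs by idref, and apply a sightings threshold before
addresses go to an FI's internal controls. All ids, titles, addresses and timestamps are CONSTRUCTED."""
import xml.etree.ElementTree as ET

NS = {  # prefixes for the path expressions (STIX 1.1.1 / CybOX 2.1 / TAXII 1.1 XML bindings)
    "taxii_11": "http://taxii.mitre.org/messages/taxii_xml_binding-1.1",
    "stix": "http://stix.mitre.org/stix-1",
    "stixCommon": "http://stix.mitre.org/common-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "ttp": "http://stix.mitre.org/TTP-1",
    "ta": "http://stix.mitre.org/ThreatActor-1",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
}

# Constructed poll response: one STIX content block with one Indicator whose Observable is
# an IPv4 address (two Sightings), pointing at a TTP that a ThreatActor has been observed using.
SAMPLE_POLL_RESPONSE = """<taxii_11:Poll_Response message_id="m-1" in_response_to="m-0"
 collection_name="fi-indicators" xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1">
 <taxii_11:Content_Block>
  <taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1.1"/>
  <taxii_11:Content>
   <stix:STIX_Package id="example:Package-1" version="1.1.1"
    xmlns:stix="http://stix.mitre.org/stix-1" xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:ttp="http://stix.mitre.org/TTP-1"
    xmlns:ta="http://stix.mitre.org/ThreatActor-1" xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <stix:Indicators><stix:Indicator id="example:Indicator-1" xsi:type="indicator:IndicatorType">
     <indicator:Title>C2 address used against online banking customers</indicator:Title>
     <indicator:Observable id="example:Observable-1"><cybox:Object id="example:Object-1">
      <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
       <AddressObj:Address_Value condition="Equals">198.51.100.23</AddressObj:Address_Value>
      </cybox:Properties></cybox:Object></indicator:Observable>
     <indicator:Indicated_TTP><stixCommon:TTP idref="example:TTP-1"/></indicator:Indicated_TTP>
     <indicator:Sightings sightings_count="2">
      <indicator:Sighting timestamp="2013-03-20T14:05:00Z"/>
      <indicator:Sighting timestamp="2013-03-21T09:30:00Z"/>
     </indicator:Sightings>
    </stix:Indicator></stix:Indicators>
    <stix:TTPs><stix:TTP id="example:TTP-1" xsi:type="ttp:TTPType">
     <ttp:Title>Credential phishing with hosted fake login page</ttp:Title></stix:TTP></stix:TTPs>
    <stix:Threat_Actors><stix:Threat_Actor id="example:ThreatActor-1" xsi:type="ta:ThreatActorType">
     <ta:Title>Constructed actor</ta:Title>
     <ta:Observed_TTPs><ta:Observed_TTP><stixCommon:TTP idref="example:TTP-1"/></ta:Observed_TTP>
     </ta:Observed_TTPs>
    </stix:Threat_Actor></stix:Threat_Actors>
   </stix:STIX_Package>
  </taxii_11:Content>
 </taxii_11:Content_Block>
</taxii_11:Poll_Response>"""


def extract_indicators(pkg):
    """Flatten one STIX_Package into dicts, resolving TTP and ThreatActor idrefs to titles."""
    ttps = {t.get("id"): t.findtext("ttp:Title", "", NS) for t in pkg.findall("stix:TTPs/stix:TTP", NS)}
    ttp_actor = {}  # TTP id -> actor title, via each ThreatActor's Observed_TTPs
    for actor in pkg.findall("stix:Threat_Actors/stix:Threat_Actor", NS):
        for obs in actor.findall("ta:Observed_TTPs/ta:Observed_TTP/stixCommon:TTP", NS):
            ttp_actor[obs.get("idref")] = actor.findtext("ta:Title", "", NS)
    result = []
    for ind in pkg.findall("stix:Indicators/stix:Indicator", NS):
        ttp_ref = ind.find("indicator:Indicated_TTP/stixCommon:TTP", NS)
        ttp_id = ttp_ref.get("idref") if ttp_ref is not None else None
        result.append({
            "id": ind.get("id"),
            "title": ind.findtext("indicator:Title", "", NS),
            "addresses": [v.text for v in ind.findall(
                "indicator:Observable/cybox:Object/cybox:Properties/AddressObj:Address_Value", NS)],
            "ttp": ttps.get(ttp_id, ""),
            "actor": ttp_actor.get(ttp_id, ""),
            "sightings": [s.get("timestamp")
                          for s in ind.findall("indicator:Sightings/indicator:Sighting", NS)],
        })
    return result


def parse_poll_response(xml_text):
    """Return indicators from every STIX content block of a TAXII 1.1 Poll_Response."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Poll_Response" % NS["taxii_11"]:
        raise ValueError("not a TAXII 1.1 Poll_Response")
    found = []
    for block in root.findall("taxii_11:Content_Block", NS):
        binding = block.find("taxii_11:Content_Binding", NS)
        # TAXII can carry other content bindings; only STIX XML is parsed here.
        if binding is None or not binding.get("binding_id", "").startswith("urn:stix.mitre.org:xml:"):
            continue
        pkg = block.find("taxii_11:Content/stix:STIX_Package", NS)
        if pkg is not None:
            found.extend(extract_indicators(pkg))
    return found


def select_for_blocklist(indicators, min_sightings=1):
    """Filter step: address observables backed by at least min_sightings sightings."""
    return sorted({addr for ind in indicators if len(ind["sightings"]) >= min_sightings
                   for addr in ind["addresses"]})


if __name__ == "__main__":
    print(select_for_blocklist(parse_poll_response(SAMPLE_POLL_RESPONSE), min_sightings=2))
```

The sightings threshold stands in for whatever local policy an FI applies before distributing; the point is that TAXII delivers the package and STIX makes the who/what/how relationships machine-resolvable, while the decision of what to act on stays with the receiving organization, as the appendix says.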

Page 9

Thank You for Viewing!

SAWG