SlideShare ist ein Scribd-Unternehmen logo

STIX Patterning: Viva la revolución!

Als PPTX, PDF herunterladen
T
treyka

FIRST Technical Symposium and OASIS Borderless Cyber Conference, 08 December 2017, Prague, Czech Republic

Technologie
1 von 27
STIX Patterning: Viva la revolución! Cyber Threat Intelligence Matters FIRST Technical Symposium and OASIS Borderless Cyber Conference Jason Keirstead - STSM, IBM Security Trey Darley - Director of Standards Development, New Context
History vs. mystery "What the hell were you guys smoking?!"
What was wrong in STIX 1.x ● Too many ways to define matches (multiple meanings of "Equals") ● Too many ways to define expressions (ANDs and ORs in both Indicators and Observables) ○ One analysis found twelve different ways to compare two IP addresses ● Lists are just plain "weird" ( ##comma## - need I say more?) ● Despite all this complexity, lacked fundamental capabilities such as temporal matching (A followed by B)
But (Snort|YARA|OpenIOC|Sigma) already exist?! ● Snort only makes sense on the network ● YARA library only works on a file-like blob ○ Neither allows encoding of malware behaviour information ● OpenIOC limited in expressivity; also limited in network coverage ● Basic use case: malware matching signature X will beacon with traffic that looks like Y before dropping Z ○ Combination of file attributes, network attributes, sequential / temporal matching ○ This extremely simple use case is impossible to model using any of these standards ● Sigma: https://github.com/Neo23x0/sigma ○ Their effort started after we'd already achieved our Committee Specification Draft. We reached out to collaborate but got zero acknowledgement. :-(
Questions we asked ● Should we think beyond simple CTI use cases of "find this IOC" ? ● What if our cybersecurity tools could share rules and searches for analytics and correlations? ● What factors have been preventing this from emerging in the industry? Could we have an opportunity to finally move the needle? ● What if SIEM vendor lock-in were to just die in a fire? "We're here to put a dent in the universe." — Steve Jobs
Basic design principles ● One way to do things (not 12)! ● Base things on a grammar, not nested XML or JSON ○ Makes things easier for humans to understand, and for machines to parse! ● Base that grammar on something that as many folks are familiar with as possible ○ Candidates: SQL, Lucene, YARA, Snort/OpenSig… ○ We ended with SQL-like after some debate ● Define a grammar that allows sharing descriptions of advanced threats, not just simple atomic IOCs (ip = 1.2.3.4) ● Define it in a way that was expandable in the future without "breaking changes"
Overview of STIX Patterning "What's the frequency, Kenneth?"
Basic structure of a STIX Pattern
How this ties to STIX Cyber Observables ● Cyber Observables provide a data model for describing things you've actually seen. ● STIX Patterning is a language for describing chaotic maliciousness one might see. ● SCO (STIX Cyber Observables) : nouns :: STIX Patterning : language ● SCO : DB Tables :: STIX Patterning : SQL
THIS SOUNDS INCREDIBLY COMPLICATED, I JUST WANTED TO FIND AN IP ADDRESS
It's not that bad, see! Finding an IP Finding a URL Finding one of two registry keys [ip-addr.value = '8.8.8.8'] [url:value MATCHES '^(?:https?://)?(?:www.)?example.com/.*'] [windows-registry-key:key = 'HKEY_CURRENT_USERSoftwareCryptoLockerFiles ' OR windows-registry-key:key = 'HKEY_CURRENT_USERSoftwareMicrosoftCurrentV ersionRunCryptoLocker_0388']
Currently-defined Cyber Observables ● Artifact ● AS ● Directory ● Email Address ● Email Message ● File ○ Archive Extension ○ NTFS File Extension ○ PDF File Extension ○ Raster Image File Extension ○ Windows PE Binary File Extension ● IPv4 Address ● IPv6 Address ● MAC Address ● Mutex ● Network Traffic ○ HTTP Request Extension ○ ICMP Extension ○ Network Socket Extension ○ TCP Extension ● Process ○ Windows Process Extension ○ Windows Service Extension ● Software ● User Account ○ UNIX Account Extension ● Windows Registry Key ● X.509 Certificate
Use cases and examples
File-based Pattern (vs. YARA) ​​Basic File with Hexadecimal Payload STIX Indicator Pattern [file:contents_ref.payload_bin MATCHES 'x65x78x61x6dx70x6cx65' AND file:size > '31284'] Corresponding YARA Rule rule Example { strings: $hex_string = { 65 78 61 6d 70 6c 65 } condition: $hex_string and filesize > 31284 } Basic File with Textual Payload STIX Indicator Pattern [file:contents_ref.payload_bin MATCHES 'this is an example'] Corresponding YARA Rule rule Example { strings: $text_string = “this is an example” condition: $text_string }
Network-based Pattern (vs. Snort) ​Basic TCP Network Traffic STIX Indicator Pattern [network-traffic:src_ref.type = 'ipv4-addr' AND network-traffic:src_ref.value = '192.0.2.1' AND network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.0.113.10' AND network-traffic:dst_port = '21' AND network-traffic:protocols[*] = 'tcp'] Corresponding Snort Rule alert tcp 192.0.2.1 any -> 203.0.113.10 21 ​​HTTP Network Traffic with User Agent STIX Indicator Pattern [network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.0.113.11' AND network-traffic:dst_port = '80' AND network-traffic:protocols[*] = 'tcp' AND network-traffic:extended_properties.http-ext.request_header.User-Agent = 'Mazilla/5.0'] Corresponding Snort Rule alert tcp any any -> 203.0.113.11 80 (content:"User-Agent|3a| Mazilla/5.0"; http_header;)
Watching for "Fileless" UAC Bypass [ ( windows-registry-key:key = 'HKEY_CURRENT_USERSoftwareClassesexefileshellrunascommand' AND windows-registry- key:values[*].name = 'isolatedCommand' ) ] OR [ ( windows-registry-key:key = 'HKEY_CURRENT_USERMicrosoftWindowsCurrentVersionApp Pathscontrol.exe' AND windows-registry-key:values[*].data != "C:WindowsSystem32cmd.exe" ) ]
Bad Powershell! Suspicious Powershell has been used [ process:command_line MATCHES '((.*NewObject(System)?NetWebClient.*DownloadFile.*((StartProcess)|(shellexecute)|(win32_proc ess)|(start)|(saps)).*)|(.*((iex)|(InvokeExpression)).*NewObject(System)?NetWebClient.*Downlo adString.*)|(.*NewObject(System)?NetWebClient.*DownloadString.*((iex)|(InvokeExpression)).*)| (.*IEX.*[SystemDiagnosticsProcess]::Start.*)|(.*StartBitsTransfer.*InvokeItem.*))' ]
Necurs Botnet Looks for a particular malware payload followed by HTTP beaconing traffic generated by the payload: [file:name = 'rekakva32.exe' AND file:parent_directory_ref.path MATCHES 'C:Users[ws]+AppDataLocalTemp'] FOLLOWEDBY [network- traffic:protocols[*] = 'http' AND network-traffic:extensions.'http-request- ext'.request_method = 'post' AND network-traffic:extensions.'http-request- ext'.request_header.'User-Agent' = 'Windows-Update-Agent'] Source: https://isc.sans.edu/forums/diary/Necurs+Botnet+malspam+pushes+Locky+using+DDE+attack/22946/
OSS tools and libs
Github all the things! OASIS Open Repository: TAXII 2 Server Library Written in Python cti-taxii-server: https://github.com/oasis-open/cti-taxii-server OASIS Open Repository: TAXII 2 Client Library Written in Python cti-taxii-client: https://github.com/oasis-open/cti-taxii-client OASIS Open Repository: Python APIs for STIX 2 cti-python-stix2: https://github.com/oasis-open/cti-python-stix2 OASIS Open Repository: Match STIX content against STIX patterns cti-pattern-matcher: https://github.com/oasis-open/cti-pattern-matcher OASIS Open Repository: Convert STIX 1.2 XML to STIX 2.0 JSON cti-stix-elevator: https://github.com/oasis-open/cti-stix-elevator
Github all the things (2)! Translate STIX 2 Patterning Queries Into Splunk and ElasticSearch stix2patterns_translator: https://github.com/mitre/stix2patterns_translator Downgrade STIX2 content to STIX1 cti-stix-slider: https://github.com/oasis-open/cti-stix-slider Malware Information Sharing Platform & Threat Sharing MISP: https://github.com/MISP/MISP A cyber threat intelligence server based on TAXII 2 and written in Golang freetaxii-server: https://github.com/freetaxii/freetaxii-server APIs for generating STIX 2.x messages with Go (Golang) libstix2: https://github.com/freetaxii/libstix2 The CaRT file format is used to store/transfer malware and its associated metadata cse cart: https://bitbucket.org/cse-assemblyline/cart
Github all the things (3)! Convert STIX2 to GraphML or GEXF (Gephi format) StixConvert: https://github.com/workingDog/StixConvert Convert STIX2 and load into Neo4j graph database StixToNeoDB: https://github.com/workingDog/StixToNeoDB Browser-based STIX2 editor, with ability to publish to a TAXII2 server cyberstation: https://github.com/workingDog/cyberstation STIX2 Scala library scalastix: https://github.com/workingDog/scalastix TAXII2 Scala library Taxii2LibScala: https://github.com/workingDog/Taxii2LibScala TAXII2 JS library taxii2lib: https://github.com/workingDog/taxii2lib
We're Not Done!
Beyond indicators - analytics use cases ● Threat Intelligence sharing has received a lot of focus; however the analytics to actually find things, not so much ● People re-build the same analytics over and over because they either don't know of, or have access to, what has been done many times before ● In order to share analytics in a scalable fashion, a vendor-neutral language for said analytics has to be developed ● We believe SCO Pattern could be the basis for this ● CAR - The MITRE Cyber Analytics Repository ○ PRE-ATT&CK and ATT&CK based analytics ○ Long-term goal: ability to define the analytics in STIX Patterning ○ Collaborative ecosystem for analytics development
Correlation rules ● SIEM correlation rules share a lot of the same challenges as analytics ○ In fact, they are analytics! Imagine! ● Future vision / desire is for SIEM vendors to support SCO Pattern as a method to define rules ○ Reduce / eliminate vendor lock-in ○ Enable broader ecosystem of cross-vendor solutions sharing tools ○ Seamless integration of STIX 2.0 compatible threat intelligence with SIEM correlation engines ● Again, speak to your vendor! ○ Nothing moves ahead without customers demanding it
It's not perfect...yet. ● Known gaps in SCO object model itself ● Known gaps in language ● We need your help! ● While we believe that STIX Patterning is amongst the most long-term significant innovations in STIX 2.x, it is nevertheless a work product coming out of a very small team of people. If we have succeeded in convincing you that we are not in fact smoking crazy goat-weed, please come join the party!
tl;dr ● Make sure to grab a quick reference card. ● We're having a ½ day STIX/TAXII 2.0 training followed by a ½ day hackathon Friday where you can learn more and try out the tools we discussed. ● Kudos to our colleagues from CIRCL for being so supportive and for early adoption in MISP. ● Thanks to FIRST and OASIS for making this event happen and to you for giving us your attention today! Thank you!

Empfohlen

Mining Your Logs - Gaining Insight Through Visualization
Mining Your Logs - Gaining Insight Through VisualizationMining Your Logs - Gaining Insight Through Visualization
Mining Your Logs - Gaining Insight Through Visualization
Raffael Marty
 
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering TracksTry {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Yossi Sassi
 
THOR Apt Scanner
THOR Apt ScannerTHOR Apt Scanner
THOR Apt Scanner
Florian Roth
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
amiable_indian
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
Christopher Gerritz
 
Data Encryption at Rest
Data Encryption at RestData Encryption at Rest
Data Encryption at Rest
All Things Open
 
Incident Response for the Work-from-home Workforce
Incident Response for the Work-from-home WorkforceIncident Response for the Work-from-home Workforce
Incident Response for the Work-from-home Workforce
Christopher Gerritz
 
RSA APJ Velociraptor Lab
RSA APJ Velociraptor LabRSA APJ Velociraptor Lab
RSA APJ Velociraptor Lab
Velocidex Enterprises
 

Empfohlen

Mining Your Logs - Gaining Insight Through Visualization
Mining Your Logs - Gaining Insight Through VisualizationMining Your Logs - Gaining Insight Through Visualization
Mining Your Logs - Gaining Insight Through Visualization
Raffael Marty
 
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering TracksTry {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Yossi Sassi
 
THOR Apt Scanner
THOR Apt ScannerTHOR Apt Scanner
THOR Apt Scanner
Florian Roth
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
amiable_indian
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
Christopher Gerritz
 
Data Encryption at Rest
Data Encryption at RestData Encryption at Rest
Data Encryption at Rest
All Things Open
 
Incident Response for the Work-from-home Workforce
Incident Response for the Work-from-home WorkforceIncident Response for the Work-from-home Workforce
Incident Response for the Work-from-home Workforce
Christopher Gerritz
 
RSA APJ Velociraptor Lab
RSA APJ Velociraptor LabRSA APJ Velociraptor Lab
RSA APJ Velociraptor Lab
Velocidex Enterprises
 
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentBlackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Christopher Gerritz
 
PKI token as a secure mechanism of Keystone authentication system for OpenStack
PKI token as a secure mechanism of Keystone authentication system for OpenStackPKI token as a secure mechanism of Keystone authentication system for OpenStack
PKI token as a secure mechanism of Keystone authentication system for OpenStack
shaerraezzaty
 
Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017
Mohamad Hassan
 
Managing Your Security Logs with Elasticsearch
Managing Your Security Logs with ElasticsearchManaging Your Security Logs with Elasticsearch
Managing Your Security Logs with Elasticsearch
Vic Hargrave
 
First Responders Course - Session 7 - Incident Scope Assessment [2004]
First Responders Course - Session 7 - Incident Scope Assessment [2004]First Responders Course - Session 7 - Incident Scope Assessment [2004]
First Responders Course - Session 7 - Incident Scope Assessment [2004]
Phil Huggins FBCS CITP
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
NotSoSecure Global Services
 
Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014
Michael Gough
 
AISA 2018 Perth Conference: State Of Web Wecurity In 2018
AISA 2018 Perth Conference: State Of Web Wecurity In 2018AISA 2018 Perth Conference: State Of Web Wecurity In 2018
AISA 2018 Perth Conference: State Of Web Wecurity In 2018
James Bromberger
 
Как разработать DBFW с нуля
Как разработать DBFW с нуляКак разработать DBFW с нуля
Как разработать DBFW с нуля
Positive Hack Days
 
Please, Please, PLEASE Defend Your Mobile Apps!
Please, Please, PLEASE Defend Your Mobile Apps!Please, Please, PLEASE Defend Your Mobile Apps!
Please, Please, PLEASE Defend Your Mobile Apps!
Jerod Brennen
 
International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...
CODE BLUE
 
Injection flaw teaser
Injection flaw teaserInjection flaw teaser
Injection flaw teaser
NotSoSecure Global Services
 
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)
Jared Atkinson
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
Michael Gough
 
ION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSECION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSEC
Deploy360 Programme (Internet Society)
 
Automated Discovery of Deserialization Gadget Chains
Automated Discovery of Deserialization Gadget ChainsAutomated Discovery of Deserialization Gadget Chains
Automated Discovery of Deserialization Gadget Chains
Priyanka Aash
 
LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation
Damir Delija
 
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_public
Jaime Blasco
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for Security
Raffael Marty
 
Syrian Malware
Syrian MalwareSyrian Malware
Syrian Malware
Kaspersky
 
OSSEC Holidaycon 2020.pdf
OSSEC Holidaycon 2020.pdfOSSEC Holidaycon 2020.pdf
OSSEC Holidaycon 2020.pdf
Mohamed Taoufik TEKAYA
 
sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector
Rishi Bhargava
 

Weitere ähnliche Inhalte

Was ist angesagt?

PKI token as a secure mechanism of Keystone authentication system for OpenStack
PKI token as a secure mechanism of Keystone authentication system for OpenStackPKI token as a secure mechanism of Keystone authentication system for OpenStack
PKI token as a secure mechanism of Keystone authentication system for OpenStack
shaerraezzaty
 
Как разработать DBFW с нуля
Как разработать DBFW с нуляКак разработать DBFW с нуля
Как разработать DBFW с нуля
Positive Hack Days
 
Automated Discovery of Deserialization Gadget Chains
Automated Discovery of Deserialization Gadget ChainsAutomated Discovery of Deserialization Gadget Chains
Automated Discovery of Deserialization Gadget Chains
Priyanka Aash
 
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_public
Jaime Blasco
 
Syrian Malware
Syrian MalwareSyrian Malware
Syrian Malware
Kaspersky
 

Was ist angesagt? (20)

Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentBlackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
 
PKI token as a secure mechanism of Keystone authentication system for OpenStack
PKI token as a secure mechanism of Keystone authentication system for OpenStackPKI token as a secure mechanism of Keystone authentication system for OpenStack
PKI token as a secure mechanism of Keystone authentication system for OpenStack
 
Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017
 
Managing Your Security Logs with Elasticsearch
Managing Your Security Logs with ElasticsearchManaging Your Security Logs with Elasticsearch
Managing Your Security Logs with Elasticsearch
 
First Responders Course - Session 7 - Incident Scope Assessment [2004]
First Responders Course - Session 7 - Incident Scope Assessment [2004]First Responders Course - Session 7 - Incident Scope Assessment [2004]
First Responders Course - Session 7 - Incident Scope Assessment [2004]
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
 
Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014
 
AISA 2018 Perth Conference: State Of Web Wecurity In 2018
AISA 2018 Perth Conference: State Of Web Wecurity In 2018AISA 2018 Perth Conference: State Of Web Wecurity In 2018
AISA 2018 Perth Conference: State Of Web Wecurity In 2018
 
Как разработать DBFW с нуля
Как разработать DBFW с нуляКак разработать DBFW с нуля
Как разработать DBFW с нуля
 
Please, Please, PLEASE Defend Your Mobile Apps!
Please, Please, PLEASE Defend Your Mobile Apps!Please, Please, PLEASE Defend Your Mobile Apps!
Please, Please, PLEASE Defend Your Mobile Apps!
 
International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...
 
Injection flaw teaser
Injection flaw teaserInjection flaw teaser
Injection flaw teaser
 
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
 
ION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSECION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSEC
 
Automated Discovery of Deserialization Gadget Chains
Automated Discovery of Deserialization Gadget ChainsAutomated Discovery of Deserialization Gadget Chains
Automated Discovery of Deserialization Gadget Chains
 
LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation
 
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_public
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for Security
 
Syrian Malware
Syrian MalwareSyrian Malware
Syrian Malware
 

Ähnlich wie STIX Patterning: Viva la revolución!

Total E(A)gression defcon
Total E(A)gression defconTotal E(A)gression defcon
Total E(A)gression defcon
Alvaro Folgado Rueda
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
Rod Soto
 
stackconf 2021 | Why you should take care of infrastructure drift
stackconf 2021 | Why you should take care of infrastructure driftstackconf 2021 | Why you should take care of infrastructure drift
stackconf 2021 | Why you should take care of infrastructure drift
NETWAYS
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 
aleph - Malware analysis pipelining for the masses
aleph - Malware analysis pipelining for the massesaleph - Malware analysis pipelining for the masses
aleph - Malware analysis pipelining for the masses
Jan Seidl
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)
Apostolos Giannakidis
 
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...
Demi Ben-Ari
 
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017
Demi Ben-Ari
 
Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture
Using Splunk or ELK for Auditing AWS/GCP/Azure Security postureUsing Splunk or ELK for Auditing AWS/GCP/Azure Security posture
Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture
CloudVillage
 

Ähnlich wie STIX Patterning: Viva la revolución! (20)

OSSEC Holidaycon 2020.pdf
OSSEC Holidaycon 2020.pdfOSSEC Holidaycon 2020.pdf
OSSEC Holidaycon 2020.pdf
 
sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector
 
Total E(A)gression defcon
Total E(A)gression defconTotal E(A)gression defcon
Total E(A)gression defcon
 
Automated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposAutomated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gpos
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
 
Toorcon - Purple Haze: The Spear Phishing Experience
Toorcon - Purple Haze: The Spear Phishing ExperienceToorcon - Purple Haze: The Spear Phishing Experience
Toorcon - Purple Haze: The Spear Phishing Experience
 
stackconf 2021 | Why you should take care of infrastructure drift
stackconf 2021 | Why you should take care of infrastructure driftstackconf 2021 | Why you should take care of infrastructure drift
stackconf 2021 | Why you should take care of infrastructure drift
 
Thug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientThug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclient
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
2012-03-15 What's New at Red Hat
2012-03-15 What's New at Red Hat2012-03-15 What's New at Red Hat
2012-03-15 What's New at Red Hat
 
Python And The MySQL X DevAPI - PyCaribbean 2019
Python And The MySQL X DevAPI - PyCaribbean 2019Python And The MySQL X DevAPI - PyCaribbean 2019
Python And The MySQL X DevAPI - PyCaribbean 2019
 
aleph - Malware analysis pipelining for the masses
aleph - Malware analysis pipelining for the massesaleph - Malware analysis pipelining for the masses
aleph - Malware analysis pipelining for the masses
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with Snort
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)
 
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...
 
Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...
Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...
Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...
 
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017
 
Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture
Using Splunk or ELK for Auditing AWS/GCP/Azure Security postureUsing Splunk or ELK for Auditing AWS/GCP/Azure Security posture
Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture
 
Using Splunk/ELK for auditing AWS/GCP/Azure security posture
Using Splunk/ELK for auditing AWS/GCP/Azure security postureUsing Splunk/ELK for auditing AWS/GCP/Azure security posture
Using Splunk/ELK for auditing AWS/GCP/Azure security posture
 
2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security Guide
2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security Guide2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security Guide
2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security Guide
 

Kürzlich hochgeladen

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Kürzlich hochgeladen (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 

STIX Patterning: Viva la revolución!

  • 1. STIX Patterning: Viva la revolución! Cyber Threat Intelligence Matters FIRST Technical Symposium and OASIS Borderless Cyber Conference Jason Keirstead - STSM, IBM Security Trey Darley - Director of Standards Development, New Context
  • 2. History vs. mystery "What the hell were you guys smoking?!"
  • 3. What was wrong in STIX 1.x ● Too many ways to define matches (multiple meanings of "Equals") ● Too many ways to define expressions (ANDs and ORs in both Indicators and Observables) ○ One analysis found twelve different ways to compare two IP addresses ● Lists are just plain "weird" ( ##comma## - need I say more?) ● Despite all this complexity, lacked fundamental capabilities such as temporal matching (A followed by B)
  • 4. But (Snort|YARA|OpenIOC|Sigma) already exist?! ● Snort only makes sense on the network ● YARA library only works on a file-like blob ○ Neither allows encoding of malware behaviour information ● OpenIOC limited in expressivity; also limited in network coverage ● Basic use case: malware matching signature X will beacon with traffic that looks like Y before dropping Z ○ Combination of file attributes, network attributes, sequential / temporal matching ○ This extremely simple use case is impossible to model using any of these standards ● Sigma: https://github.com/Neo23x0/sigma ○ Their effort started after we'd already achieved our Committee Specification Draft. We reached out to collaborate but got zero acknowledgement. :-(
  • 5. Questions we asked ● Should we think beyond simple CTI use cases of "find this IOC" ? ● What if our cybersecurity tools could share rules and searches for analytics and correlations? ● What factors have been preventing this from emerging in the industry? Could we have an opportunity to finally move the needle? ● What if SIEM vendor lock-in were to just die in a fire? "We're here to put a dent in the universe." — Steve Jobs
  • 6. Basic design principles ● One way to do things (not 12)! ● Base things on a grammar, not nested XML or JSON ○ Makes things easier for humans to understand, and for machines to parse! ● Base that grammar on something that as many folks are familiar with as possible ○ Candidates: SQL, Lucene, YARA, Snort/OpenSig… ○ We ended with SQL-like after some debate ● Define a grammar that allows sharing descriptions of advanced threats, not just simple atomic IOCs (ip = 1.2.3.4) ● Define it in a way that was expandable in the future without "breaking changes"
  • 7. Overview of STIX Patterning "What's the frequency, Kenneth?"
  • 8. Basic structure of a STIX Pattern
  • 9. How this ties to STIX Cyber Observables ● Cyber Observables provide a data model for describing things you've actually seen. ● STIX Patterning is a language for describing chaotic maliciousness one might see. ● SCO (STIX Cyber Observables) : nouns :: STIX Patterning : language ● SCO : DB Tables :: STIX Patterning : SQL
  • 10. THIS SOUNDS INCREDIBLY COMPLICATED, I JUST WANTED TO FIND AN IP ADDRESS
  • 11. It's not that bad, see! Finding an IP Finding a URL Finding one of two registry keys [ip-addr.value = '8.8.8.8'] [url:value MATCHES '^(?:https?://)?(?:www.)?example.com/.*'] [windows-registry-key:key = 'HKEY_CURRENT_USERSoftwareCryptoLockerFiles ' OR windows-registry-key:key = 'HKEY_CURRENT_USERSoftwareMicrosoftCurrentV ersionRunCryptoLocker_0388']
  • 12. Currently-defined Cyber Observables ● Artifact ● AS ● Directory ● Email Address ● Email Message ● File ○ Archive Extension ○ NTFS File Extension ○ PDF File Extension ○ Raster Image File Extension ○ Windows PE Binary File Extension ● IPv4 Address ● IPv6 Address ● MAC Address ● Mutex ● Network Traffic ○ HTTP Request Extension ○ ICMP Extension ○ Network Socket Extension ○ TCP Extension ● Process ○ Windows Process Extension ○ Windows Service Extension ● Software ● User Account ○ UNIX Account Extension ● Windows Registry Key ● X.509 Certificate
  • 13. Use cases and examples
  • 14. File-based Pattern (vs. YARA) ​​Basic File with Hexadecimal Payload STIX Indicator Pattern [file:contents_ref.payload_bin MATCHES 'x65x78x61x6dx70x6cx65' AND file:size > '31284'] Corresponding YARA Rule rule Example { strings: $hex_string = { 65 78 61 6d 70 6c 65 } condition: $hex_string and filesize > 31284 } Basic File with Textual Payload STIX Indicator Pattern [file:contents_ref.payload_bin MATCHES 'this is an example'] Corresponding YARA Rule rule Example { strings: $text_string = “this is an example” condition: $text_string }
  • 15. Network-based Pattern (vs. Snort) ​Basic TCP Network Traffic STIX Indicator Pattern [network-traffic:src_ref.type = 'ipv4-addr' AND network-traffic:src_ref.value = '192.0.2.1' AND network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.0.113.10' AND network-traffic:dst_port = '21' AND network-traffic:protocols[*] = 'tcp'] Corresponding Snort Rule alert tcp 192.0.2.1 any -> 203.0.113.10 21 ​​HTTP Network Traffic with User Agent STIX Indicator Pattern [network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.0.113.11' AND network-traffic:dst_port = '80' AND network-traffic:protocols[*] = 'tcp' AND network-traffic:extended_properties.http-ext.request_header.User-Agent = 'Mazilla/5.0'] Corresponding Snort Rule alert tcp any any -> 203.0.113.11 80 (content:"User-Agent|3a| Mazilla/5.0"; http_header;)
  • 16. Watching for "Fileless" UAC Bypass [ ( windows-registry-key:key = 'HKEY_CURRENT_USERSoftwareClassesexefileshellrunascommand' AND windows-registry- key:values[*].name = 'isolatedCommand' ) ] OR [ ( windows-registry-key:key = 'HKEY_CURRENT_USERMicrosoftWindowsCurrentVersionApp Pathscontrol.exe' AND windows-registry-key:values[*].data != "C:WindowsSystem32cmd.exe" ) ]
  • 17. Bad Powershell! Suspicious Powershell has been used [ process:command_line MATCHES '((.*NewObject(System)?NetWebClient.*DownloadFile.*((StartProcess)|(shellexecute)|(win32_proc ess)|(start)|(saps)).*)|(.*((iex)|(InvokeExpression)).*NewObject(System)?NetWebClient.*Downlo adString.*)|(.*NewObject(System)?NetWebClient.*DownloadString.*((iex)|(InvokeExpression)).*)| (.*IEX.*[SystemDiagnosticsProcess]::Start.*)|(.*StartBitsTransfer.*InvokeItem.*))' ]
  • 18. Necurs Botnet Looks for a particular malware payload followed by HTTP beaconing traffic generated by the payload: [file:name = 'rekakva32.exe' AND file:parent_directory_ref.path MATCHES 'C:Users[ws]+AppDataLocalTemp'] FOLLOWEDBY [network- traffic:protocols[*] = 'http' AND network-traffic:extensions.'http-request- ext'.request_method = 'post' AND network-traffic:extensions.'http-request- ext'.request_header.'User-Agent' = 'Windows-Update-Agent'] Source: https://isc.sans.edu/forums/diary/Necurs+Botnet+malspam+pushes+Locky+using+DDE+attack/22946/
  • 20. Github all the things! OASIS Open Repository: TAXII 2 Server Library Written in Python cti-taxii-server: https://github.com/oasis-open/cti-taxii-server OASIS Open Repository: TAXII 2 Client Library Written in Python cti-taxii-client: https://github.com/oasis-open/cti-taxii-client OASIS Open Repository: Python APIs for STIX 2 cti-python-stix2: https://github.com/oasis-open/cti-python-stix2 OASIS Open Repository: Match STIX content against STIX patterns cti-pattern-matcher: https://github.com/oasis-open/cti-pattern-matcher OASIS Open Repository: Convert STIX 1.2 XML to STIX 2.0 JSON cti-stix-elevator: https://github.com/oasis-open/cti-stix-elevator
  • 21. Github all the things (2)! Translate STIX 2 Patterning Queries Into Splunk and ElasticSearch stix2patterns_translator: https://github.com/mitre/stix2patterns_translator Downgrade STIX2 content to STIX1 cti-stix-slider: https://github.com/oasis-open/cti-stix-slider Malware Information Sharing Platform & Threat Sharing MISP: https://github.com/MISP/MISP A cyber threat intelligence server based on TAXII 2 and written in Golang freetaxii-server: https://github.com/freetaxii/freetaxii-server APIs for generating STIX 2.x messages with Go (Golang) libstix2: https://github.com/freetaxii/libstix2 The CaRT file format is used to store/transfer malware and its associated metadata cse cart: https://bitbucket.org/cse-assemblyline/cart
  • 22. Github all the things (3)! Convert STIX2 to GraphML or GEXF (Gephi format) StixConvert: https://github.com/workingDog/StixConvert Convert STIX2 and load into Neo4j graph database StixToNeoDB: https://github.com/workingDog/StixToNeoDB Browser-based STIX2 editor, with ability to publish to a TAXII2 server cyberstation: https://github.com/workingDog/cyberstation STIX2 Scala library scalastix: https://github.com/workingDog/scalastix TAXII2 Scala library Taxii2LibScala: https://github.com/workingDog/Taxii2LibScala TAXII2 JS library taxii2lib: https://github.com/workingDog/taxii2lib
  • 24. Beyond indicators - analytics use cases ● Threat Intelligence sharing has received a lot of focus; however the analytics to actually find things, not so much ● People re-build the same analytics over and over because they either don't know of, or have access to, what has been done many times before ● In order to share analytics in a scalable fashion, a vendor-neutral language for said analytics has to be developed ● We believe SCO Pattern could be the basis for this ● CAR - The MITRE Cyber Analytics Repository ○ PRE-ATT&CK and ATT&CK based analytics ○ Long-term goal: ability to define the analytics in STIX Patterning ○ Collaborative ecosystem for analytics development
  • 25. Correlation rules ● SIEM correlation rules share a lot of the same challenges as analytics ○ In fact, they are analytics! Imagine! ● Future vision / desire is for SIEM vendors to support SCO Pattern as a method to define rules ○ Reduce / eliminate vendor lock-in ○ Enable broader ecosystem of cross-vendor solutions sharing tools ○ Seamless integration of STIX 2.0 compatible threat intelligence with SIEM correlation engines ● Again, speak to your vendor! ○ Nothing moves ahead without customers demanding it
  • 26. It's not perfect...yet. ● Known gaps in SCO object model itself ● Known gaps in language ● We need your help! ● While we believe that STIX Patterning is amongst the most long-term significant innovations in STIX 2.x, it is nevertheless a work product coming out of a very small team of people. If we have succeeded in convincing you that we are not in fact smoking crazy goat-weed, please come join the party!
  • 27. tl;dr ● Make sure to grab a quick reference card. ● We're having a ½ day STIX/TAXII 2.0 training followed by a ½ day hackathon Friday where you can learn more and try out the tools we discussed. ● Kudos to our colleagues from CIRCL for being so supportive and for early adoption in MISP. ● Thanks to FIRST and OASIS for making this event happen and to you for giving us your attention today! Thank you!

Hinweis der Redaktion

  1. Do we need to introduce ourselves? Assuming so, try to do 20 seconds or less. TODO: add more cat memes!
  2. Trey presents
  3. Cool project but unfortunately it's typical OSS wheel reinvention.
  4. Jason presents
  5. A pattern consists of one or more observation expressions joined by observation operators. Valid observation operators are AND, OR, and FOLLOWEDBY Each one of those observation expressions may be a simple test (eg. ip-addr.value = '1.2.3.4'), or may be multiple tests that create a comparison expression. Comparisons within an expression are separated by comparison operators. There are several comparison operators, including things like =, >, <, IN, LIKE, etc. An entire observation expression MAY be followed by a qualifier, such as 'REPEATS X TIMES' or 'WITHIN Y SECONDS'.
  6. TODO: add a slide with what's currently defined in SCO <= WILL DO TODO: add a slide enumerating what we'd like help with adding to SCO TODO: define an additional example illustrating succinctly something like malware beaconing, with both host and network-based patterning TODO: consider ditching the Powershell and UAC bypass examples (per Ivan)
  7. tag-team present
  8. Point out here that we expect that many vendors will likely generate patterns automatically for you from SCO observations seen on the wire or endpoint When was the last time you wrote a YARA rule by hand, vs copy/paste it from somewhere, take it from a content package, or use a tool?
  9. Yes, Snort is more succinct. Yes, we are looking at refactoring how network traffic works in STIX Patterning. But there are still significant advantages to STIX Patterning over either Snort or Yara insofar as it provides the ability to correlate across both network and endpoint telemetry.
  10. Trey presents
  11. TODO: break this out into 3-4 pages with project descriptions TODO: review this stuff https://github.com/workingDog?tab=repositories
  12. TODO: break this out into 3-4 pages with project descriptions TODO: review this stuff https://github.com/workingDog?tab=repositories
  13. TODO: break this out into 3-4 pages with project descriptions TODO: review this stuff https://github.com/workingDog?tab=repositories
  14. Jason presents
  15. TODO: add an example!
  16. TODO: talk about integrating with osquery, Bro, and other OSS security tools