Copyright 2016 IBM Corporation
Level Up Your Security with
Threat Intelligence
X-Force Exchange and Analytics
ron williams, sr. technical staff member, ibm security
x-force exchange analytics & research
•  12M+ SPAM emails analyzed/day
•  12M+ WebSites & 3M+ images scanned daily
•  7300 Internet Application Profiles added/yr
•  x-force research collections (zero index)
•  user contributions (collections)
https://exchange.xforce.ibmcloud.com
core use case
active threat mitigation
anatomy of an attack
attack chain
OBSERVATIONS
Src/Dest IP!
Src URL!
Transmitted Files!
reconnaissance
weaponization
delivery
exploitation
exploitation
command & control
analyst quest: i have an alert, what do I do?
Scenario
•  SIEM alert
•  dest IP and/or URL has poor reputation
•  traffic originates from the DB farm, not the user network
analyst checklist
1) What do I know about the internet-located IPs and URLs on which the alert triggered?
2) Is this a ‘real’ alert, or a false positive?
3) If real, what potential business impact might it have?
4) If the impact is sufficient, what action should be taken, and when?
analyst quest: solve the three-legged stool
•  URLs: contained in spam, known malware source, IP reputation
•  IPs: destination for suspicious traffic, known Bad Actor, IP reputation
•  malware: c&c destinations, dropped files, registry keys
zero index
•  URL yields IP, both known for malicious activity
•  Where’s the malware? What is it? What evidence does it provide? What properties does it exhibit?
•  Solving the Zero Index requires associating Source IPs and URLs with Malware Delivery (dropper URLs) and C&C (c&c infrastructure)
observations
•  zero index solutions (largely) require manual analysis, today
•  network observables in the exploitation phase of a campaign tend to be ephemeral (minutes/hours)
•  50% of all malware is delivered as part of a SPAM Campaign
•  campaigns are short term (hours, days) attacks against particular targets: finance, healthcare, infrastructure, etc.
•  zero index sightings at the beginning of a campaign provide valuable and actionable insights to potential targets
•  zero index sightings have the potential to severely cripple malware campaigns if disseminated within the first hours of a new campaign
the ‘why’ of threat intelligence sharing
•  network observables related to the exploitation phase of an active campaign tend to be ephemeral
•  timely dissemination of zero index findings can severely hamper a new campaign, providing currently relevant threat intel to a community
•  x-force exchange provides for timely dissemination of new threats
threat intelligence sharing
exchange formats and motivation
motivation
•  as part of a community, leverage its members’ insights and findings
threat sharing languages and protocols
•  The Incident Object Description Exchange Format (IETF RFC 5070/IODEF)
•  OpenIOC (Mandiant/FireEye)
•  Common Weakness Enumeration (CWE/Mitre)
•  Common Vulnerability Enumeration (CVE/Mitre)
•  Common Attack Pattern Enumeration & Classification (CAPEC/Mitre)
•  Malware Attribute Enumeration and Characterization (MAEC/Mitre)
•  Cyber Observable eXpression (CybOX/Mitre)
•  Structured Threat Information eXpression (STIX/Mitre/Oasis Open)
•  Trusted Automated eXchange of Indicator Information (TAXII/Mitre/Oasis Open)
•  and many, many more …
STIX & TAXII
•  Structured Threat Information eXpression: STIX
•  Trusted Automated eXchange of Indicator Information: TAXII
•  Version 1.x: STIX/XML & TAXII/XML
•  Version 2.x: STIX/JSON & TAXII/JSON
STIX & TAXII
•  Various (US) Presidential Directives since 1997 encouraged Threat Intelligence Sharing
•  2013 - US DHS Contracts with MITRE Corp to Develop Specification for Threat Intelligence Sharing
•  STIX/TAXII is born
STIX & TAXII Specifications
•  2014 - Publicly Available Specification (1.0)
•  2015 - STIX & TAXII moved to newly created Oasis-Open Cyber Threat Intelligence Group
   •  1.x Oasis Specification Finalized (XML)
   •  2.x STIX & TAXII Specifications commenced (JSON)
why STIX?
The information being managed and exchanged today is typically very atomic, inconsistent, and very limited in sophistication and expressivity
•  relationships, not just indicators
•  consistency of semantics and use
•  identifying the ‘big picture’
•  standard language to express, obtain, and share threat information
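The zero index slide above asks for Source IPs and URLs to be tied to dropper and C&C infrastructure, and this slide argues for relationships rather than bare indicators. The following added Python example (not IBM's or X-Force Exchange code) builds a small constructed set of STIX 2.1 objects and walks its relationship objects from one alert observable to the malware and C&C legs of the stool; the object names, addresses and random ids are placeholders.

```python
import re
import uuid
from collections import defaultdict
TS = "2016-06-01T00:00:00.000Z"  # constructed timestamp used for every object

def sdo(kind, name, **props):
    """Minimal STIX 2.1 domain object; the random UUID ids are placeholders."""
    return {"type": kind, "spec_version": "2.1", "id": f"{kind}--{uuid.uuid4()}",
            "created": TS, "modified": TS, "name": name, **props}

def rel(src, rtype, dst):
    """STIX relationship object (SRO) joining two domain objects."""
    return {"type": "relationship", "spec_version": "2.1", "created": TS, "modified": TS,
            "id": f"relationship--{uuid.uuid4()}", "relationship_type": rtype,
            "source_ref": src["id"], "target_ref": dst["id"]}

# Constructed sample: a dropper URL, the host it resolves to, the malware both
# indicate, and that malware's C&C server. Addresses are documentation ranges.
DROPPER = sdo("indicator", "dropper URL", pattern_type="stix", valid_from=TS,
              pattern="[url:value = 'http://dropper.example.invalid/load.php']")
DROP_IP = sdo("indicator", "dropper host", pattern_type="stix", valid_from=TS,
              pattern="[ipv4-addr:value = '203.0.113.10']")
C2_IP = sdo("indicator", "c2 address", pattern_type="stix", valid_from=TS,
            pattern="[ipv4-addr:value = '198.51.100.7']")
LOADER = sdo("malware", "loader", is_family=False, malware_types=["dropper"])
C2 = sdo("infrastructure", "c2 server", infrastructure_types=["command-and-control"])
OBJECTS = [DROPPER, DROP_IP, C2_IP, LOADER, C2,
           rel(DROPPER, "indicates", LOADER), rel(DROP_IP, "indicates", LOADER),
           rel(LOADER, "communicates-with", C2), rel(C2_IP, "indicates", C2)]

def triage(objects, observable):
    """Collect the indicator / malware / infrastructure legs reachable from one observable."""
    by_id = {o["id"]: o for o in objects}
    links = defaultdict(list)  # relationships are walked in both directions
    for o in objects:
        if o["type"] == "relationship":
            links[o["source_ref"]].append(o["target_ref"])
            links[o["target_ref"]].append(o["source_ref"])
    # STIX patterns quote their literal values; start from indicators naming the observable
    stack = [o["id"] for o in objects if o["type"] == "indicator"
             and observable in re.findall(r"'([^']*)'", o["pattern"])]
    legs, visited = {"indicator": [], "malware": [], "infrastructure": []}, set()
    while stack:
        oid = stack.pop()
        if oid not in visited:
            visited.add(oid)
            if by_id[oid]["type"] in legs:
                legs[by_id[oid]["type"]].append(by_id[oid]["name"])
            stack.extend(links[oid])
    return legs
```

An alert on the dropper host alone comes back with all three legs filled, which is the associativity the zero index slide asks for; an observable with no indicator in the set returns three empty legs.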
STIX information model
STIX/TAXII and x-force exchange
•  ibm indicators available via TAXII service in STIX format
•  x-force exchange ‘collections’ available via STIX/TAXII & JSON
•  collections import of STIX documents via TAXII inbox
join the community
•  share your insights
•  gain others’
•  make threat intelligence sharing a reality
•  https://exchange.xforce.ibmcloud.com