#RSAC
Hackers carry out $55m cyber heist from Boeing aerospace parts manufacturer
The U.S. weapons systems that experts say were hacked by the Chinese
“Chinese cyberspies are believed to have compromised the designs for more than two dozen major weapons systems …”
Technology
Cyber Attacks
Sophisticated
Adaptive and Automated
Occur in Seconds
Ever-increasing attack surface
Cyber Response
Slow
Manual
Lucrative business
Defenders
Cost to US industry ~ $336 billion/year (2012 NSA estimate)
Targeted Companies include General Motors, Lockheed Martin, Boeing, Valspar
Malware as a Service (MAAS)
Cost for a DDoS ~ $38/hr
Cost for 10,000 hosts (World mix) ~ $200
Cybersecurity Framework categories, one column per function (Identify / Protect / Detect / Respond / Recover):
Asset Management, Business Environment
Access Control, Awareness and Training, Protective Technology
Anomalies and Events, Security Continuous Monitoring
Response Planning, Communications, Improvements
Recovery Planning
Another View
Actual implementations
STIX at a glance
How are they doing it, what is their modus operandi and TTPs?
Attack Pattern
Malware
Tools
Vulnerability
Let's look at one of the new STIX Domain Objects and see how it relates to other objects in the model
Relationships!
Patterning
You can now build both simple indicator patterns and very complex
indicator patterns
Here are 3 examples…
OpenC2 at a glance
OpenC2 Terminology
OpenC2 Syntax
Possible Implementation
Hardware API
Hardware API: Whitebox Switch
Level of Abstraction
TAXII at a glance
Discovery
Collections
Objects
Status
Working as one!
SIEM
Step 1
Step 2
Step 3
TAXII Server
SIEM
Step 4
TAXII Server
Step 5
TAXII Server
Step 6
TAXII Server
Orchestrator: OpenC2 DENY command; OpenC2 SCAN, UPDATE (to prevent future issues), DELETE commands
OpenC2 Proxy (convert to product’s native API commands): talk to product’s API
Step 7
TAXII Server, TAXII Server
OpenC2 INVESTIGATE, MITIGATE, REMEDIATE command
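The following is an added example, not code from the deck or from the STIX, TAXII or OpenC2 projects. It ties together the “Patterning” slide (three STIX 2 indicator patterns: a single comparison, an AND, an OR) and Steps 1–7 (a SIEM matches CTI pulled from a TAXII server, and a hit becomes an OpenC2 DENY command that a proxy converts to a product’s native command). Everything beyond those public formats is assumed: the SIEM event fields, the mapping from STIX observable paths to those fields, the native-command string the proxy emits, and the use of the OpenC2 v1.0 action/target/args message shape. Only a small subset of STIX patterning (one observation expression, comparisons joined by a single AND or OR) is parsed; the full language is far richer, and anything outside the subset is rejected rather than silently matched.

```python
"""Added example: STIX 2 indicator patterns matched against constructed SIEM events,
with hits turned into OpenC2 DENY commands and then into a product-native rule.
Not the deck's or the projects' code; field names, mapping and native format are assumed."""
import json
import re

SHA256_SAMPLE = "aa" * 32  # constructed hash value, not a real indicator

# Constructed SIEM events (field names are assumed; not real data).
SIEM_EVENTS = [
    {"src_ip": "198.51.100.23", "domain": "update.example.net", "sha256": SHA256_SAMPLE},
    {"src_ip": "203.0.113.7", "domain": "cdn.example.org", "sha256": "bb" * 32},
    {"src_ip": "192.0.2.10", "domain": "login.example.net", "sha256": SHA256_SAMPLE},
]

# Three example patterns in STIX 2 patterning syntax: simple, conjunction, disjunction.
EXAMPLE_PATTERNS = {
    "simple": f"[file:hashes.'SHA-256' = '{SHA256_SAMPLE}']",
    "conjunction": f"[ipv4-addr:value = '198.51.100.23' AND file:hashes.'SHA-256' = '{SHA256_SAMPLE}']",
    "disjunction": "[domain-name:value = 'update.example.net' OR domain-name:value = 'login.example.net']",
}

# Assumed mapping from STIX Cyber Observable object paths to the SIEM's field names.
OBSERVABLE_FIELDS = {
    "ipv4-addr:value": "src_ip",
    "domain-name:value": "domain",
    "file:hashes.'SHA-256'": "sha256",
}

# One comparison: <object-path> (= | !=) '<string value>'
COMPARISON_RE = re.compile(r"^\s*([\w-]+:[\w.'-]+)\s*(=|!=)\s*'([^']*)'\s*$")


def parse_pattern(pattern):
    """Parse "[a = 'x' AND b = 'y']" into ("AND", [(path, op, value), ...]).

    Supported subset: one bracketed observation expression whose comparisons
    (= or != against string literals) are all joined by the same boolean operator.
    Anything else raises ValueError instead of silently matching."""
    m = re.match(r"^\s*\[(.*)\]\s*$", pattern, re.S)
    if not m:
        raise ValueError("expected a single bracketed observation expression")
    body = m.group(1)
    if " AND " in body and " OR " in body:
        raise ValueError("mixed AND/OR needs parentheses; not supported in this subset")
    bool_op = "AND" if " AND " in body else "OR"
    comparisons = []
    for part in re.split(r"\s+(?:AND|OR)\s+", body):
        cm = COMPARISON_RE.match(part)
        if not cm:
            raise ValueError(f"unsupported comparison expression: {part!r}")
        path, cmp_op, value = cm.groups()
        if path not in OBSERVABLE_FIELDS:
            raise ValueError(f"no SIEM field mapped for object path {path}")
        comparisons.append((path, cmp_op, value))
    return bool_op, comparisons


def matches(pattern, event):
    """True if a single SIEM event satisfies the pattern."""
    bool_op, comparisons = parse_pattern(pattern)
    results = []
    for path, cmp_op, value in comparisons:
        actual = event.get(OBSERVABLE_FIELDS[path])
        results.append(actual == value if cmp_op == "=" else actual != value)
    return all(results) if bool_op == "AND" else any(results)


def find_hits(pattern, events):
    """The SIEM evaluates an indicator pattern (received via TAXII) against its events."""
    return [e for e in events if matches(pattern, e)]


def openc2_deny(ipv4):
    """An OpenC2 DENY command for one source address (OpenC2 v1.0 message shape)."""
    return {
        "action": "deny",
        "target": {"ipv4_net": f"{ipv4}/32"},
        "args": {"response_requested": "complete"},
    }


def proxy_to_native(command):
    """Hypothetical OpenC2 proxy: convert the DENY into a product-native rule string.
    The product API in the deck is unspecified, so this output format is invented."""
    if command.get("action") != "deny" or "ipv4_net" not in command.get("target", {}):
        raise ValueError("this proxy only translates deny of an ipv4_net target")
    return f"acl add action=drop src={command['target']['ipv4_net']}"


def respond(pattern, events):
    """End to end: pattern hits -> OpenC2 DENY commands -> native commands."""
    out = []
    for event in find_hits(pattern, events):
        cmd = openc2_deny(event["src_ip"])
        out.append((cmd, proxy_to_native(cmd)))
    return out


if __name__ == "__main__":
    for name, pattern in EXAMPLE_PATTERNS.items():
        print(name, pattern)
        for cmd, native in respond(pattern, SIEM_EVENTS):
            print("  ", json.dumps(cmd), "->", native)
```

Run it as a script to see each of the three patterns, the events it matches, and the DENY command plus native rule produced per hit; in a real deployment the pattern would arrive as the `pattern` property of a STIX Indicator object fetched from a TAXII collection, and the proxy would call the product’s API instead of returning a string.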
Conclusions
Get more context about who and what is attacking our networks
We need inter and intra domain coordinated automated responses in
cyber-relevant time
We need to decouple the functional blocks
We need standardized interfaces
Why standards?
Start identifying areas of your network / enclave that can benefit from OpenC2
Plan for a CTI sharing program that includes automated Courses of Action
— Identify key stakeholders in your organization that can help you get this going
Developers, start thinking about reference implementations