#RSAC

SESSION ID: AIR-F01

Modern Cyber Defense with Automated Real-Time Response: A Standards Update

Bret Jordan, Director of Security Architecture, Symantec (@jordan_bret)
Joe Brule, Executive Director, OpenC2 Forum

Today we will answer

What is wrong with cyber defense today?
What is STIX?
What is OpenC2?
What is TAXII?
How will these standards improve cyber defense?

2

Traditional Cyber Defense

3

Everyone is getting hacked

No vertical, sector, or industry is immune
The size of the organization does not matter
Who will make the front page this year?
Some quick highlights from last year…

4

Defense Industrial Base

Hackers carry out $55m cyber heist from Boeing aerospace parts manufacturer

The U.S. weapons systems that experts say were hacked by the Chinese
“Chinese cyberspies are believed to have compromised the designs for more than two dozen major weapons systems …”

5

Technology

6

What’s wrong with Cyber Defense?

Defenses are statically configured and operate in isolation
Changes take time to implement
Human discovery
Business approval
Cross-team coordination
Manual deployment
— which can take “forever” to reach all devices and systems in the network
Architectures that are not working

7

What’s wrong with Cyber Defense? (cont.)

Cyber Attacks
Sophisticated
Adaptive and Automated
Occur in Seconds
Ever-increasing attack surface

Cyber Response
Slow
Manual

8

Lucrative business

Defenders
Cost to US Industry ~ $336 Billion / year (2012 NSA estimate)
Targeted Companies include General Motors, Lockheed Martin, Boeing, Valspar

Malware as a Service (MaaS)
Cost for a DDoS ~ $38/hr
Cost for 10,000 hosts (World mix) ~ $200

We really ought to do something about it…

9

Traditional cyber security architecture

NIST Cyber Security Framework (functions and their categories):

Identify: Asset Management; Business Environment; Governance; Risk Assessment; Risk Management Strategy
Protect: Access Control; Awareness and Training; Data Security; Info Protection Processes and Procedures; Maintenance; Protective Technology
Detect: Anomalies and Events; Security Continuous Monitoring; Detection Processes
Respond: Response Planning; Communications; Analysis; Mitigation; Improvements
Recover: Recovery Planning; Improvements; Communications

10

Another View

11

With more detail…

12

Actual implementations

13

Turning the tide on a losing battle

We can not win the war this way
It is not a question of if you will be breached, but when
We need to work together and respond more quickly
We need to speak the same language and protocols
We need to share what we know about attacks in cyber-relevant time

14

Cyber Threat Intelligence (CTI)

STIX at a glance

It is a language for Cyber Threat Intelligence
It has been around for almost 5 years
It provides a structured way to document CTI
It enables improved understanding and cyber defense through context
Let’s look at some specific problems STIX can solve…

16

The problems STIX solves today – 1/3

Who is responsible for the attack?
Threat Actors
Intrusion Sets
Campaigns
Identity

17

The problems STIX solves today – 2/3

How are they doing it? What is their modus operandi and TTPs?
Attack Pattern
Malware
Tools
Vulnerability

18

The problems STIX solves today – 3/3

How do you detect it and stop it?
Indicator
Observed Data
Sighting
Course of Action (manual)

19

Status of STIX 2.0

STIX 2.0 was finished last month
STIX now supports a Patterning Grammar for Indicators
— with conditional and temporal logic support
CybOX is no longer a standalone specification
It was folded into STIX 2.0 as Parts 3 and 4 of the multipart document
It is now called “Cyber Observables”
It can still be used by other standards without inheriting all of STIX

20

How is STIX 2.0 different?

Reduced a lot of complexity
Simplified and flattened the design
Focused on making it easier to use and consume
Moved the serialization to JSON
This makes integration with existing Web 2.0 applications easier
This also means no more XML namespaces or xsi:type pain to deal with

21

How is STIX 2.0 different? – cont.

Graph-based model
External relationship structure
This allows 3rd parties to assert relationships about content they do not own
— You could NOT do this in STIX 1.2.1
Let’s look at one of the new STIX Domain Objects and see how it relates to other objects in the model

22

Relationships!

23

Relationships!

You can now do things like

24

Patterning

You can now build both simple indicator patterns and very complex indicator patterns
Here are 3 examples…

25

Patterning

Matching a File with a SHA-256 hash

[file:hashes."SHA-256" = 'aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f']

Matching a File with an MD5 hash, followed by (temporally) a Registry Key Object that matches a value, within 5 minutes

[file:hashes.MD5 = '79054025255fb1a26e4bc422aef54eb4'] FOLLOWEDBY [win-registry-key:key = 'HKEY_LOCAL_MACHINE\\foo\\bar'] WITHIN 300 SECONDS

26

Patterning

Matching three different, but specific Unix User Accounts

[user-account:account_type = 'unix' AND user-account:user_id = '1007' AND user-account:account_login = 'Peter'] AND [user-account:account_type = 'unix' AND user-account:user_id = '1008' AND user-account:account_login = 'Paul'] AND [user-account:account_type = 'unix' AND user-account:user_id = '1009' AND user-account:account_login = 'Mary']

27
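The three patterns above can be evaluated mechanically against observed data. The Python evaluator below is an added example, not code from the deck and not the OASIS reference implementation; it covers exactly the subset the slides use (comparisons ANDed inside an observation expression, observation expressions joined by AND or FOLLOWEDBY, and a WITHIN n SECONDS qualifier). The observed-data entries it matches against are constructed in memory, and treating all comparisons inside one [ ] as applying to a single object is a simplification of the specification's observation-level semantics.

```python
"""Evaluator for the subset of STIX 2.0 patterning shown on the slides.  Added example,
not the deck's code and not the OASIS reference implementation; observations are
constructed in-memory entries shaped like STIX 2.0 observed-data (objects keyed by index)."""
import re
from datetime import datetime, timedelta

# One alternative per token: bracket, '=', quoted string, integer, UPPERCASE keyword, path
TOKEN_RE = re.compile(
    r"\s*(?:(?P<br>[\[\]])|(?P<op>=)|'(?P<str>(?:[^'\\]|\\.)*)'|(?P<num>\d+)"
    r"|(?P<kw>[A-Z]+)|(?P<path>[a-z][a-z0-9-]*:[A-Za-z0-9_.\-\"]+))")

def tokenize(pattern):
    tokens, pos, pattern = [], 0, pattern.strip()
    while pos < len(pattern):
        m = TOKEN_RE.match(pattern, pos)
        if not m:
            raise ValueError("unexpected input at %r" % pattern[pos:pos + 20])
        kind, value = m.lastgroup, m.group(m.lastgroup)
        if kind == "str":  # undo STIX escaping: \\ becomes \ and \' becomes '
            value = re.sub(r"\\(.)", r"\1", value)
        tokens.append((kind, value))
        pos = m.end()
    return tokens

class Parser:
    """Recursive descent over the token list; returns a tuple-based syntax tree."""
    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else (None, None)

    def take(self, kind, value=None):
        tok = self.peek()
        if tok[0] != kind or (value is not None and tok[1] != value):
            raise ValueError("expected %s %r, got %r" % (kind, value, tok))
        self.pos += 1
        return tok[1]

    def pattern(self):
        node = self.observation()
        while self.peek()[0] == "kw":
            word = self.take("kw")
            if word in ("AND", "FOLLOWEDBY"):
                node = (word, node, self.observation())
            elif word == "WITHIN":  # the qualifier covers everything parsed so far
                node = ("WITHIN", node, int(self.take("num")))
                self.take("kw", "SECONDS")
            else:
                raise ValueError("unsupported keyword %s" % word)
        return node

    def observation(self):
        self.take("br", "[")
        comparisons = [self.comparison()]
        while self.peek() == ("kw", "AND"):
            self.take("kw")
            comparisons.append(self.comparison())
        self.take("br", "]")
        return ("OBS", comparisons)

    def comparison(self):
        path = self.take("path")
        self.take("op", "=")
        return (path, self.take("str"))

def _lookup(obj, path):
    """Resolve e.g. file:hashes."SHA-256" against one object: check type, then walk keys."""
    obj_type, _, prop = path.partition(":")
    if obj.get("type") != obj_type:
        return None
    for part in re.findall(r'"[^"]*"|[^.]+', prop):
        obj = obj.get(part.strip('"')) if isinstance(obj, dict) else None
    return obj

def _obs_matches(comparisons, observation):
    # Simplification: all comparisons inside one [ ] must hold on a single object.
    return any(all(_lookup(obj, path) == expected for path, expected in comparisons)
               for obj in observation["objects"].values())

def _spans(node, observations):
    """(first, last) timestamps for every way the node can match the observations."""
    kind = node[0]
    if kind == "OBS":
        return [(o["time"], o["time"]) for o in observations if _obs_matches(node[1], o)]
    if kind == "WITHIN":
        return [(a, b) for a, b in _spans(node[1], observations)
                if b - a <= timedelta(seconds=node[2])]
    left, right = _spans(node[1], observations), _spans(node[2], observations)
    if kind == "AND":  # any match on each side, in either order
        return [(min(a0, b0), max(a1, b1)) for a0, a1 in left for b0, b1 in right]
    # FOLLOWEDBY: the right-hand observation must not precede the left-hand one
    return [(a0, b1) for a0, a1 in left for b0, b1 in right if b0 >= a1]

def pattern_matches(pattern, observations):
    return bool(_spans(Parser(tokenize(pattern)).pattern(), observations))

def observed(time_iso, *objects):
    """Constructed observed-data entry: a timestamp plus objects keyed by index."""
    return {"time": datetime.fromisoformat(time_iso),
            "objects": {str(i): obj for i, obj in enumerate(objects)}}
```

With the slide's second pattern, pattern_matches returns True for a file with the given MD5 observed at 12:00 and the registry key observed at 12:03, and False when the key is seen ten minutes later or before the file; the SHA-256 pattern and the three-account pattern go through the same call, the latter only matching when all three accounts are present.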

What does it look like? (STIX 2.0 Indicator)

{
  "type": "indicator",
  "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
  "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
  "created": "2016-04-06T20:03:48.000Z",
  "modified": "2016-04-06T20:03:48.000Z",
  "labels": ["malicious-activity"],
  "name": "Poison Ivy Malware",
  "description": "This file is part of Poison Ivy",
  "pattern": "[file:hashes.MD5 = '3773a88f65a5e780c8dff9cdc3a056f3']",
  "valid_from": "2016-01-01T00:00:00Z"
}

28
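An Indicator like the one above is what a sharing partner's TAXII feed hands you, and a consumer should check its shape before acting on it. The validator below is an added example, not the deck's code and not an OASIS library: it checks identifier and timestamp formats, the Indicator's required properties, that every comparison in the pattern uses an object-type:property path (the colon that is easy to get wrong), and it reports relationship references that do not resolve inside the bundle without failing them, since STIX 2.0 lets third parties assert relationships about objects they do not own. The malware, campaign and relationship identifiers in the sample bundle are constructed.

```python
"""Structural checks for STIX 2.0 objects such as the slide's Indicator.  Added example,
not the deck's code and not the OASIS reference implementation.  The malware, campaign,
relationship and bundle identifiers below are constructed."""
import re
from datetime import datetime

ID_RE = re.compile(r"^([a-z][a-z0-9-]*)--[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}"
                   r"-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")          # <type>--<UUIDv4>
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")
PATH_RE = re.compile(r"^[a-z][a-z0-9-]*:[A-Za-z0-9_.\"\-]+$")   # object-type:property
LHS_RE = re.compile(r"(\S+)\s*(?:!=|<=|>=|=|<|>)\s*'")          # left side of a comparison


def _ts(value):  # fromisoformat needs an explicit offset instead of 'Z' before Python 3.11
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_common(obj, errors):
    obj_id = obj.get("id", "<missing id>")
    m = ID_RE.match(obj_id)
    if not m:
        errors.append("%s: id is not <type>--<uuid4>" % obj_id)
    elif m.group(1) != obj.get("type"):
        errors.append("%s: id prefix differs from type %r" % (obj_id, obj.get("type")))
    for prop in ("created", "modified"):
        if not TIMESTAMP_RE.match(obj.get(prop, "")):
            errors.append("%s: %s is not an RFC 3339 UTC timestamp" % (obj_id, prop))
    if all(TIMESTAMP_RE.match(obj.get(p, "")) for p in ("created", "modified")):
        if _ts(obj["modified"]) < _ts(obj["created"]):
            errors.append("%s: modified precedes created" % obj_id)
    creator = obj.get("created_by_ref")
    if creator is not None and not (ID_RE.match(creator) and creator.startswith("identity--")):
        errors.append("%s: created_by_ref must be an identity id" % obj_id)


def check_indicator(obj, errors):
    obj_id = obj["id"]
    for prop in ("labels", "pattern", "valid_from"):
        if prop not in obj:
            errors.append("%s: missing required property %s" % (obj_id, prop))
    if "labels" in obj and not obj["labels"]:
        errors.append("%s: labels must not be empty" % obj_id)
    pattern = obj.get("pattern", "")
    if not (pattern.startswith("[") and pattern.endswith("]")):
        errors.append("%s: pattern is not an observation expression" % obj_id)
    for lhs in LHS_RE.findall(pattern):
        lhs = lhs.lstrip("[(")
        if not PATH_RE.match(lhs):  # e.g. file.hashes.MD5 instead of file:hashes.MD5
            errors.append("%s: %r is not an object-type:property path" % (obj_id, lhs))


def validate_bundle(bundle):
    """Return {'errors': [...], 'unresolved_refs': [...]} for a STIX 2.0 bundle."""
    errors, unresolved = [], []
    objects = bundle.get("objects", [])
    local_ids = {o.get("id") for o in objects}
    for obj in objects:
        check_common(obj, errors)
        if obj.get("type") == "indicator":
            check_indicator(obj, errors)
        elif obj.get("type") == "relationship":
            # A dangling ref is legal: third parties may assert relationships about
            # objects they do not own.  Report it so the consumer can fetch the target.
            for ref in ("source_ref", "target_ref"):
                if obj.get(ref) not in local_ids:
                    unresolved.append((obj.get("id"), ref, obj.get(ref)))
    return {"errors": errors, "unresolved_refs": unresolved}


SLIDE_INDICATOR = {  # the deck's Indicator, pattern path written as file:hashes.MD5
    "type": "indicator", "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "created": "2016-04-06T20:03:48.000Z", "modified": "2016-04-06T20:03:48.000Z",
    "labels": ["malicious-activity"], "name": "Poison Ivy Malware",
    "description": "This file is part of Poison Ivy",
    "pattern": "[file:hashes.MD5 = '3773a88f65a5e780c8dff9cdc3a056f3']",
    "valid_from": "2016-01-01T00:00:00Z",
}
MALWARE_ID = "malware--7d8f9e0a-1b2c-4d3e-8f4a-5b6c7d8e9f0a"     # constructed
CAMPAIGN_ID = "campaign--1234abcd-5678-4ef0-a123-456789abcdef"  # constructed, not in bundle


def sample_bundle():
    """Constructed bundle: the slide's indicator plus third-party relationship assertions."""
    when = "2017-02-14T10:00:00Z"
    return {"type": "bundle", "id": "bundle--9f8e7d6c-5b4a-4321-8abc-def012345678",
            "spec_version": "2.0", "objects": [
                SLIDE_INDICATOR,
                {"type": "malware", "id": MALWARE_ID, "created": when, "modified": when,
                 "labels": ["remote-access-trojan"], "name": "Poison Ivy"},
                {"type": "relationship", "id": "relationship--0a1b2c3d-4e5f-4a6b-9c7d-8e9f0a1b2c3d",
                 "created": when, "modified": when, "relationship_type": "indicates",
                 "source_ref": SLIDE_INDICATOR["id"], "target_ref": MALWARE_ID},
                {"type": "relationship", "id": "relationship--5e6f7a8b-9c0d-4e1f-a2b3-c4d5e6f7a8b9",
                 "created": when, "modified": when, "relationship_type": "uses",
                 "source_ref": CAMPAIGN_ID, "target_ref": MALWARE_ID},
            ]}


def run_checks():
    """Clean bundle next to the same Indicator with a dotted file.hashes.MD5 path."""
    broken = dict(SLIDE_INDICATOR, pattern="[ file.hashes.MD5 = '3773a88f65a5e780c8dff9cdc3a056f3' ]")
    return validate_bundle(sample_bundle()), validate_bundle({"type": "bundle", "objects": [broken]})
```

run_checks() returns no errors for the sample bundle but one unresolved reference (the campaign the second relationship points at), and exactly one error for the dotted pattern path.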

What about future 2.x versions?

Future releases of STIX will be additive
STIX 2.1 should be done by end of 2017
STIX 2.1 will contain some added functionality and a few new STIX Domain Objects
Let’s look at some of the possibilities…

29

Potential STIX 2.1 additions

Opinion / Intel Notes
Updates to Malware / Infrastructure
Updates to Course of Action / Playbooks
Confidence
Location
Incident / Event
Internationalization
IEP Data Marking

30

Automated Courses of Action

OpenC2 at a glance

Enables coordinated defense in cyber-relevant time
Simplicity
Low overhead on sensor and actuator
Focuses on the ‘Acting’ portion of cyber-defense
External Dependencies
— Analytics: ‘Why’ you are acting
— Decision: ‘Which’ action
— Sensing: ‘What’ triggers the action
OpenC2 is agnostic of transport and information assurance mechanisms

32

OpenC2 Terminology

Actuator: The device or sensor that executes a native OpenC2 command
Orchestrator: A mission manager that issues the OpenC2 commands to the appropriate actuators and, in the synchronous case, ensures the commands are executed in the correct order
Profile: A minimum-to-implement set of OpenC2 commands that a class of actuators supports
OpenC2 Proxy: Provides a mapping of OpenC2 commands to and from devices that do not natively support OpenC2

33

OpenC2 Syntax

The lexicon decouples the aspects of the commands
ACTION: What is to be done
TARGET: What you are doing it to
ACTUATOR: Who is executing the command
Benefits of decoupling
Facilitates integration of new technologies
Supports high-level, effects-based AND device-specific use cases
Extensions permit additional precision in the commands
MODIFIER: Additional details for the ‘Verb’
SPECIFIER: Additional details for the ‘Nouns’

34

Example of what OpenC2 can do

Abstract use case: Mitigate Evil Domain
Orchestration: the Local Orchestrator issues commands over the OpenC2 Message Fabric
— Deny Evil Domain
— Scan Evil.pdf
— Contain Evil
Implementation on OpenC2: the OpenC2 Proxy maps the commands onto the Hardware API and the Firewall executes the command

35

Possible Implementation

Orchestrators and Actuators converge on the OpenC2 message fabric
OpenC2 ‘Proxy’ maps to the hardware API
Converging on the Message Fabric facilitates implementation
(diagram: Orchestrators and Actuators → OpenC2 Message Fabric → OpenC2 Proxy → Hardware API)

36

Change out the Actuators

Allows corporate-wide sharing of cyber defense tactics
Minimizes impact when changing components
(diagram: OpenC2 Message Fabric → OpenC2 Proxy → Hardware API)

37

Abstracts the cyber-defense function

Deny Command is executed REGARDLESS of product
Simplifies integration of new technologies that achieve similar actions
Unified tactical approach independent of equipment set
(diagram: OpenC2 Publisher → OpenC2 Subscriber → OpenC2 Proxy → Device Manager / SDN Controller → API / Hardware API → Whitebox Switch)

38

Level of Abstraction

Extensible to permit different levels of abstraction
High-level commands are suitable for inter-domain coordination
Additional precision is needed for intra-domain commands to the actual devices

39

OpenC2 Syntax

40

TAXII, “Share all the things!”

TAXII at a glance

TAXII is an application protocol for transmitting and sharing CTI
It has been around for almost 5 years
Enables the good citizen philosophy of “see something, say something”
Offers the possibility of plug-n-play interoperability between security tools and sensors
Enables two fundamental ways of communicating threat intelligence
Let’s look at these…

42

Data Collections via Request / Response

43

Channels via Publish / Subscribe

44

TAXII 2.0 Architecture

Discovery
API Root
— Collections → Objects
— Channels → Messages
— Status

45
Status of TAXII 2.0

TAXII 2.0 is nearing completion
It supports a pure HTTPS RESTful design
It enables network-level discovery from DNS SRV records
It supports API discovery
It supports running multiple trust groups on a single instance of TAXII

46
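The HTTPS-only design, DNS SRV discovery and API discovery listed above, as an added example that is not the deck's code and not an OASIS implementation: a minimal TAXII 2.0 client that walks SRV record → /taxii/ discovery → API root → collections → objects against an in-memory stand-in server, refusing non-HTTPS URLs and checking content negotiation on every hop. The endpoint layout and the two media types are TAXII 2.0's; the server, its URLs, the collection id and the SRV record table are constructed, and the SRV "lookup" is a dictionary read rather than a DNS query, so everything runs offline.

```python
"""TAXII 2.0 discovery and collection walk against an offline stand-in server.  Added
example, not the deck's code and not an OASIS implementation.  FakeServer, its URLs, the
collection id and the SRV record table are constructed."""
from urllib.parse import urlparse

TAXII_MEDIA = "application/vnd.oasis.taxii+json; version=2.0"
STIX_MEDIA = "application/vnd.oasis.stix+json; version=2.0"
COLLECTION_ID = "c3e4d1a0-5f6b-4a7c-9d8e-1f2a3b4c5d6e"  # constructed
SRV_RECORDS = {  # constructed: (priority, weight, port, target) for the _taxii._tcp service
    "_taxii._tcp.example.": [(10, 0, 443, "backup.taxii.example."), (0, 0, 443, "taxii.example.")],
}


def locate_server(domain):
    """Network-level discovery: lowest SRV priority wins; the default port is left off."""
    records = sorted(SRV_RECORDS.get("_taxii._tcp.%s." % domain, []))
    if not records:
        raise LookupError("no _taxii._tcp SRV record for %s" % domain)
    _, _, port, target = records[0]
    host = target.rstrip(".")
    return host if port == 443 else "%s:%d" % (host, port)


class FakeServer:
    """Constructed TAXII 2.0 responses; the Accept header is enforced like a real server."""
    def __init__(self, indicator):
        root = "https://taxii.example/api1/"
        self.routes = {
            "https://taxii.example/taxii/": (TAXII_MEDIA, {"title": "Example TAXII", "api_roots": [root]}),
            root: (TAXII_MEDIA, {"title": "api1", "versions": ["taxii-2.0"], "max_content_length": 10485760}),
            root + "collections/": (TAXII_MEDIA, {"collections": [
                {"id": COLLECTION_ID, "title": "Shared indicators", "can_read": True,
                 "can_write": False, "media_types": [STIX_MEDIA]}]}),
            root + "collections/%s/objects/" % COLLECTION_ID: (STIX_MEDIA, {
                "type": "bundle", "id": "bundle--9f8e7d6c-5b4a-4321-8abc-def012345678",
                "spec_version": "2.0", "objects": [indicator]}),
        }

    def get(self, url, accept):
        if url not in self.routes:
            return 404, None, None
        media, body = self.routes[url]
        return (200, media, body) if accept == media else (406, None, None)


class TaxiiClient:
    def __init__(self, transport):
        self.transport = transport  # anything with get(url, accept) -> (status, media, body)

    def _get(self, url, accept):
        if urlparse(url).scheme != "https":  # TAXII 2.0 is HTTPS only
            raise ValueError("refusing non-HTTPS URL %s" % url)
        status, media, body = self.transport.get(url, accept)
        if status != 200:
            raise RuntimeError("%s returned HTTP %d" % (url, status))
        if media != accept:
            raise RuntimeError("%s answered with %r, expected %r" % (url, media, accept))
        return body

    def discover(self, host):
        return self._get("https://%s/taxii/" % host, TAXII_MEDIA)

    def collections(self, api_root):
        return self._get(api_root + "collections/", TAXII_MEDIA)["collections"]

    def objects(self, api_root, collection_id):
        return self._get("%scollections/%s/objects/" % (api_root, collection_id), STIX_MEDIA)


def pull_indicators(client, domain):
    """SRV -> discovery -> every API root -> every readable STIX collection -> indicators."""
    found = []
    for root in client.discover(locate_server(domain))["api_roots"]:
        for coll in client.collections(root):
            if coll["can_read"] and STIX_MEDIA in coll["media_types"]:
                bundle = client.objects(root, coll["id"])
                found.extend(o for o in bundle["objects"] if o.get("type") == "indicator")
    return found


SLIDE_INDICATOR = {  # the deck's Indicator (trimmed), pattern path written as file:hashes.MD5
    "type": "indicator", "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "name": "Poison Ivy Malware",
    "pattern": "[file:hashes.MD5 = '3773a88f65a5e780c8dff9cdc3a056f3']",
}


def run_pull():
    return pull_indicators(TaxiiClient(FakeServer(SLIDE_INDICATOR)), "example")
```

run_pull() returns the single indicator held by the stand-in server; the same client raises on an http:// discovery URL and on a server that answers with the wrong media type, which is where a misconfigured TAXII deployment usually shows up first.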

Improving your Cyber Defense

STIX + TAXII + OpenC2

We believe that everyone gets the general idea
Fundamentally, we need an ecosystem where actionable CTI with automated Courses of Action are shared and acted upon in a standardized manner across verticals and public / private sectors in near real-time to address the ever-increasing cyber threat landscape
What are the benefits?

48

Why should you adopt these standards?

Gain proactive defense
Reduce your long-term risk
Enable herd immunity
Improve your operational understanding of the threats
Enable automated real-time remediation / mitigation
Bottom line
Lower cyber insurance premiums
Lower integration costs
Gain greater situational awareness value

49

Working as one!

Last year I showed you my vision of what “could be”
Now let me show you how this can be solved using STIX, TAXII, and OpenC2

50

End to end workflow

(diagram: SIEM)

51

Step 1

52

Step 2

53

Step 3

(diagram: TAXII Server; SIEM)

54

Step 4

(diagram: TAXII Server)

55

Step 5

(diagram: TAXII Server)

56

Step 6

(diagram: TAXII Server → OpenC2 Orchestrator issues an OpenC2 DENY command, followed by OpenC2 SCAN, UPDATE (to prevent future issues) and DELETE commands → OpenC2 Proxy converts them to the product’s native API commands → talks to the product’s API)

57

Step 7

(diagram: OpenC2 INVESTIGATE, MITIGATE, REMEDIATE command; TAXII Server → TAXII Server)

58

Conclusions

How do we fix cyber defense?

Get more context about who and what is attacking our networks
We need inter- and intra-domain coordinated automated responses in cyber-relevant time
We need to decouple the functional blocks
We need standardized interfaces

60

Why standards?

Standards enable interoperability
STIX and TAXII are sub-committees of the OASIS CTI TC
OpenC2 is in the process of entering OASIS
These standards are gaining broad adoption
Significant international vendor support for STIX, OpenC2, and TAXII
The OASIS CTI Technical Committee is made up of 249 members from 85 different organizations.
The OpenC2 Forum is made up of 34 member organizations with approximately 120 participants.

61

Conclusions

Threat sharing and orchestration are moving to a better place
Actionable threat intelligence is REAL
Automated Courses of Action are REAL
Combining STIX, TAXII, and OpenC2 fills in the missing pieces in cyber defense

62

What should you do now?

Next week you should
Start learning the basics of STIX and OpenC2 and get involved
— https://stixproject.github.io/
— http://openc2.org/
Start identifying areas of your network / enclave that can benefit from OpenC2
Plan for a CTI sharing program that includes automated Courses of Action
— Identify key stakeholders in your organization who can help you get this going
Developers, start thinking about reference implementations

63

What should you do now?

In the first three months following this presentation you should
Start looking at TIP and orchestration vendors that support OpenC2 and TAXII and learn how they can automate your cyber defenses
Work with Legal/C-suite to gain approval to cooperate and share CTI
Identify integration gaps and start hammering on your vendors
— Don’t underestimate the value of “when we make our next purchasing decision for $category, we are really looking for $feature”
Vendors, identify ways to incorporate STIX and OpenC2

64

What should you do now?

Within six months you should
Integrate threat intelligence and automated COAs into your security playbook
Start training your SOC team on CTI and automated Courses of Action
Require STIX 2.0 / TAXII 2.0 / OpenC2 compliance on all RFIs and RFPs
Think outside the box
— Be willing to share and trade Courses of Action or Indicators for extra context

65
