Targeted attacks need targeted Defense What protocol should we use for CTI information exchange? How should we describe our indicators of compromise Structured threat information expression (STIX) How we can keep information within our defined trust boundaries? Where to store IOCs? Threat Intelligence Feeds Lifecycle How to measure the CTI process?

1. Reinhold Wochner, MSc., MBA
Raiffeisen Bank International
Cyber Threat Intelligence
Technical Track

2. Who are we?
2

3. 3
Subtypes of Cyber Threat Intelligence
Technical
Operational
TacticalStrategic

4. 4
Cyber Threat Intelligence Stakeholders
GSM and Group CISO
Feeds (SIEM)
Strategic
Reports
Topic specific
reports
Intelligence
Briefing
Analyst Access
CTI Provider
Collection
Analysis
Prioritization
Clustering
Unit CISO
Officials (Europol, Police)
Group CTI
Competence
Center
Digital Competence Centre
Peer Partner/Banks
Group Architect
IOCs
Vendors (e.g. NCR)
Group CIO Group Security Committee
Group Operation Risk Committee
Group Board
Group Antifraud Committee
Public relations
Investor Relations
Unit CIO
Unit Security
Committee
Unit Operation Risk
Committee
Unit Board
Unit Antifraud
Committee
Business Owner (ATM,
OLB, Call Centre)
Unit Architect
CERT
E-Fraud Officer
Stakeholder ActionInputKey Stakeholder
Group functions
Units/Entities
CTI Competence Center
CTI KPIs,
Improvements
Incident
IOC Hub
Incident
Management
Process
Incident
Response
Team
IOCs
IOC Rules
Definition,
Implementatio
n
IOC rules
Implementat
ion support
External sources
FS-ISAC
Compromis
e
Security Champions
Monitoring Team
IT Support
Critical Incident report
Reaction to
Incident
Security
Operation
Predefined
rulesconfigurations
Early
warning
indicator
creation
Data breach
notification

5. GSM and
Group CISO
Feeds (SIEM)
Strategic
Reports
Topic specific
reports
Intelligence
Briefing
Analyst Access
CTI Provider
Collection
Analysis Distribution
Clustering
Unit LCISO
Officials (Interpol,
Europol, Police)
Peer
banks/partners
IOCs
Vendors (e.g. NCR) CERT
Stakeholder ActionInputKey Stakeholder
Group functions
Unit
CTI Competence Center
CTI KPIs, Improvements
Proposal for IOC
SIEM Rule
Definition for IOCs
IOC rules Implementation
& support
External sources
FS-ISAC
Security
Champions
Monitoring Team
IOCs creation
IOC HUB
Quality assurance
of IOCs
SIEM Rule Testing
of IOCs
Coordination
Country victim
notification
CTI SLAs (between Group
and Units) Adjustment
Early warning
indicator creation
Data breach
notification
Work of Cyber Threat Intelligence Competence Center

6. Unit A
CTI Security User Stories – Data breach detected by CTI
Provider (breach is not publicly known)
Data breach discovered by CTI Provider

7. “Targeted attacks need targeted Defense”
“Your prevention (failure) is
my detection”

8. CTI Security User Stories – Bank A is attacked
Indicator of
Compromise
Sector
Sharing
Bank A
CTI Competence Centre
or SOC
Unit A
Unit B Unit C
Unit D
Attack

9. Unit A
CTI Security User Stories – Unit A is attacked
Indicator of
Compromise
Sector
Sharing
Bank A
CTI Competence Centre
or SOC
Unit B Unit C
Unit D
Bank B
Bank D
Bank C
Attack
?
??
?
?
?
?
?

10. What protocol should
we use for CTI information
exchange?

11. 11
• Sharing models with Taxii by MITRE:
Source
Subscriber
Subscriber Subscriber
Subscriber
Source/Subscriber
Peer E
Peer D Peer C
Peer B
Peer A
Peer-to-peer
Hub
Spoke
(Consumer
only)
Spoke
(Consumer
& Producer)
Spoke
(Producer
only)
Spoke
(Consumer &
Producer)
Hub and spoke

12. • Trusted Automated eXchange of Indictor Information (TAXIIT™)
• Open community led by DHS and coordinated by MITRE
• Simplicity (Easy to implement and understand)
• One standardized way (Reduce uncontrolled growth of different formats)
• Minimize resource usage (Reduce message size, Only transmit what is
necessary)
• Scalable performance
• TAXII core services:
• Discovery – Indicates how to communicate with other services
• Feed Management – Identify and manage subscriptions to data
feeds
• Poll – Support pull messaging
• Inbox – Receive pushed messages

13. How should we describe
our
indicators of compromise
IOCs

14. 14
STIX (Structured Threat Information eXpression)
§ A language for the characterization and communication of cyber threat
information
§ What activity are we seeing?
§ What threats should I look for on my networks and
systems and why?
§ Where has this threat been seen?
§ What does it do?
§ What weaknesses does this threat exploit?
§ Why does it do this?
§ Who is responsible for this threat?
§ What can I do about it?
Source: https://stix.mitre.org

15. STIX
Source: https://stix.mitre.org

16. Expressing Relationships in STIX
Pamina Republic
Army
Unit 31459
l33t007@badassin.com
Associated ActorLeet
Electronic Address
Initial Compromise
Indicator Observable
Spear Phishing Email
Establish Foothold
Observed TTP
Observed TTP
WEBC2
Malware
Behavior
Escalate Privilege
Observed TTP
Uses Tool
Uses Tool
cachedump
lslsass
MD5:
d8bb32a7465f55c368230bb52d52d885
Indicator
Observed TTP
Internal
Reconnaissance
Attack Pattern
ipconfig
net view
net group “domain admins”
Observed TTP
Exfiltration
Uses Tool
GETMAIL
Targets
Khaffeine
Bronxistan
Perturbia
Blahniks
. . .
Leverages
Infrastructure
IP Range:
172.24.0.0-112.25.255.255
C2 Servers
Observable
Sender: John Smith
Subject: Press Release
Source: https://stix.mitre.org

17. 17
CTI IOCs

18. Subtypes of Cyber Threat Intelligence with STIX
Source: https://forums.soltra.com/index.php?/topic/266-soltra-intro-pdf-deck/

19. How can we keep
information within our
defined trust boundaries?

20. § TLP Protocol simple and intuitive schema by US-Cert to indicate how
information can be shared
§ There are 4 classes:
20
Traffic Light Protocol (TLP)
https://www.us-cert.gov/tlp
RED
High risk that information owner has impact on
business, reputation, or privacy
AMBER
Still high risk but information requires support
to be effectively used
GREEN If it is usefull for a broader community or sector
WHITE
Information contains no or only minimal risk for
public use
TLP level When to use it?
Recipients may not share this information
Recipients may share it within their organization and other
stakeholders according to the need to know principle
Can be shared with peers and partners
but not outside the community
No restrictions except standard copyright rules
How to use it?
Example:

21. § Example: TLP Data Marking in STIX
§ Please note:
§ In STIX structure it is allowed to do multiple markings for one item
§ If an item is marked GREEN and RED than the higher marking applies
§ Markings must be done at the right place (global level or field level)
21
TLP Data Marking in STIX

22. § Example: Terms of use Data Marking in STIX
§ Please note:
22
Terms o use Data Marking in STIX

23. § An IOC repository is like a treasure chest with golden nuggets (IOCs)
§ Each “golden nugget” IOC enables Security to detect and react upon an attack
1209070305
6209070304
7209070303
8209070302
4209070301
8209070300
7209070299
8209070298
5209070297
4209070296
3209070295
6209070294
7209070293
8209070292
4209070291
3209070290
109070272
409070271
609070270
709070269
309070268
709070267
309070266
809070265
409070264
809070263
709070262
209070261
409070260
909070259
409070258
309070257
109070256
509070255
609070254
709070253
509070252
805143394
405143393
805143392
405143391
305143390
805143389
IOC repository
120907023
309070272
409070271
239070270
709070269
809070268
809070267
209070266
909070265
309070264
609070263
809070262
239070261
209070260
909070259
509070258
409070257
305143393
105143392
705143391
805143390
305143389
7035143393
1025143392
7045143391
8035143390
3025143389
3035143393
6025143392
7045143391
2035143390
8025143389
3209070305
6209070304
7209070303
7209070302
7209070301
3209070300
7209070299
1209070298
7209070297
4209070296
8209070295
3209070294
9209070293
1209070292
2209070291
1209070290
209070272
109070271
409070270
209070269
609070268
309070267
609070266
309070265
209070264
609070263
309070262
109070261
709070260
309070259
109070258
709070257
130907023
304070272
429070271
139070270
609070269
709070268
809070267
109070266
409070265
709070264
709070263
409070262
739070261
809070260
409070259
709070258
809070257
ATM IOCs
SWIFT IOCs
OLB IOCs

24. Let’s get
operational!

25. Where to store
IOCs?

26. Freedom of an open ecosystem
Source: https://forums.soltra.com/index.php?/topic/266-soltra-intro-pdf-deck/

27. What is SOLTRA?
Source: https://forums.soltra.com/index.php?/topic/266-soltra-intro-pdf-deck/

28. 28
CTI Blueprint
Internet
URLs
Inbound/
Outbound IPs
E-mail details
Outgoing e-
mail details
Inbound/
Outbound IPs
OLB
Customer’s IPs
Hash,
URLs
Correlates and analyzes
audit-trails and security
events from all systems
SIEM
Hash
Online Banking
Edge Firewall&
VPN concetrator
Firewall
STOP
Remote access to
apps, servers
Security
Web Gateway
STOP
Protects users
against viruses
during web-surfing
White listing agent
Whitelisting
DLP
Monitors outgoing e-
mails regarding
confidential info
leakage
ALARM
Spamfilter
STOP
Blocks infected
and spam e-mails
IPS
ALARM
& STOP
Monitors Internet
traffic for malicious
activities and stops
DDOS-attacks
STOP
Monitors all incoming
Internet traffic towards
WEB-applications
WAF

29. FS- ISAC
Threat intelligence sources
Commercial
Intelligence
Provider
Open source
Intelligence
Providers
(Zeus Tracker, AlienVault,
MalcOcle, Crowd Strike
etc)
CTI Competence Center
WWW
API
SIEM
ANALYSIS
Network units
IPS / IDS
Firewall
Cyber
Intelligence
“Router” &
Native STIX
Store
Threat Intelligence Store
API
Web service
CTI Blueprint

30. 30
Internal threat feeds processing architecture
Firewall
Network devices
Proxy
Flex
Connector
ESM
Soltra API
Python
Script
API (.sh, .exe)
Python script
wgetindicators
TCP
Flex
Connector
indicators
indicators
indicators
indicators
WWW
CTI Providers

31. Internal threat feeds processing architecture

32. CTI Provider comparision

33. What if there are to much
golden nuggets in your
treasure chest?

34. Threats (&Intelligence) gowing fast!

35. 35
Threat sources/categories
Threat intelligence sources Threat intelligence feeds Threat intelligence feeds
devices
Open source
(community)
Paid services
(public)
Command & Control Centers (IP, URLs)
Malware / Phishing URLs
Malicious (Botnet, Trojan) IPs
(victims)
Malicious Domains
Malicious e-mails
(senders, IPs, subjects etc)
Malware artifacts (file hash, registry keys)
Compromised credit cards data
Compromised credentials/accounts
Domain registration
CVE/ CVSS vulnerabilities
TOR exit nods, anonymizers
Common (classic)
Exotic (implicit)
Specific
Firewall
(next generation)
IPS / IDS
SIEM
Proxy
HIPS
AntivirusDLP

36. 36
Flex
Connector.sh, .bat script (wget)
THREAT INTELLIGENCE FEEDS LIFECYCLE
IOCs
ID Created Source Category Type Value Expired Flag Rate First_seen Last_seen Description
Expired flag = 0
Yes
No
Remove from List
of feeds
Add to List of
feeds
0 – Actual
1 - Expired
§ Each feed in Repository (Repo) has special field “Expired” that indicates if the feed is actual (0) or expired (1)
§ When feed is downloaded from source to Repo, “expired” field is assigned 0, if source indicates that feed is obsoleted, the
field is assigned 1
§ Feed lifespan (IP, URL, e-mail) in Repo is xx days; Feed lifespan (hash) in Repo is unlimited*
§ If URL, IP, e-mails, feed (actual) age in Repo > x days, special script marks feed as obsoleted (expired field =1)
§ If URL, IP, e-mails, feed (obsoleted) age in Repo > x days, special script moves the feed from operational table to archive
table
REPOSITORY
Various
Feed Sources

37. SIEM Use cases based on IoC

38. How to measure the
CTI process?

39. 39
How to measure the CTI process (KPIs)
Strategical
- CTI inputs are ready before the update of the Security Strategy
- Security budget requirements are aligned with CTI outcome
Tactical
- Tactical information is distributed on a regular basis to all entities
- Ad Hoc Tactical Information is distributed to all entities
- Did company specific predictions made by the CTI providers
materialize?
Operational
- Number of calls/support requests
- Time to respond (entity requests)
Technical
- Availability of IOC Hub (RTO)
- Update feed source: h<4h;
- Feed completeness (№ received/ № imported);
- Feed data
- false positives (count by exclusion);
- false negatives
- Quantity of connected entities;
- Feeds usage by entity
- Quantity of feed categories (botnet, virus etc);
- Quantity of feed types (ip, url, md5 etc);
- Quantity of feed sources (FSISAC, Kaspersky )

40. Lessons learned J

41. Lessons learned: concerns and considerations
q Overlapping of IP addresses feeds
from Provider A, Provider B and
Provider C less than 5%. For open
sourced feeds – about 1% overlap
q Some indicators are merely that –
indicators:
• is either aged or is not currently
tied to active malware
participation;
• is not prioritized (have no
reputation or severity level);
• have no context;
• is generic, in the sense of not
being associated with any
particular type of enterprise;
David Bianco - Pyramid of Pain

42. Lessons learned: concerns and considerations
q A lot of indicators are public services.
q Indicator life time is tough question
q Too much false-positive alarms especially on Domain Watchlist, URL Watchlist

43. 43
CTI advantages
§ Changing the security model from reactive to proactive (if we understand
our adversaries we can develop tactics to combat current attacks and
plan better for future threats)
§ Setting up a CTI process assures that all indicators of compromise are
shared in the Group and the security alert problem that is overwhelming
most security teams is shrinked
§ Driving better, more informed responses to security incidents.
§ Extending the life of aging security technologies and improve defenses by
feeding IOCs with the ability to block rapidly emerging threats.
§ Enhance communications between the security team, management and
board members on threats for the bank
§ Enable better security investment strategies (more directly connected to
security priorities with business risk management priorities)
§ High potential to support future Digital Security process of the bank

44. Reinhold Wochner, MSc., MBA
CRISC, CRMA, CISM, CGEIT, CISSP, CISA
speaker.wochner@web.de
Thank you J