Targeted attacks need targeted Defense
What protocol should we use for CTI information exchange?
How should we describe our indicators of compromise?
Structured threat information expression (STIX)
How can we keep information within our defined trust boundaries?
Where to store IOCs?
Threat Intelligence Feeds Lifecycle
How to measure the CTI process?
3. Subtypes of Cyber Threat Intelligence
Technical
Operational
Tactical
Strategic
4. Cyber Threat Intelligence Stakeholders
[Diagram: stakeholder map. Legend: Stakeholder, Action, Input, Key Stakeholder. Groups: Group functions, Units/Entities, CTI Competence Center.
Labels in extraction order: GSM and Group CISO; Feeds (SIEM); Strategic Reports; Topic specific reports; Intelligence Briefing; Analyst Access; CTI Provider; Collection; Analysis; Prioritization; Clustering; Unit CISO; Officials (Europol, Police); Group CTI Competence Center; Digital Competence Centre; Peer Partner/Banks; Group Architect; IOCs; Vendors (e.g. NCR); Group CIO; Group Security Committee; Group Operation Risk Committee; Group Board; Group Antifraud Committee; Public relations; Investor Relations; Unit CIO; Unit Security Committee; Unit Operation Risk Committee; Unit Board; Unit Antifraud Committee; Business Owner (ATM, OLB, Call Centre); Unit Architect; CERT; E-Fraud Officer; CTI KPIs, Improvements; Incident; IOC Hub; Incident Management Process; Incident Response Team; IOCs; IOC Rules Definition, Implementation; IOC rules Implementation support; External sources; FS-ISAC; Compromise; Security Champions; Monitoring Team; IT Support; Critical Incident report; Reaction to Incident; Security Operation; Predefined rules/configurations; Early warning indicator creation; Data breach notification.]
5. Work of Cyber Threat Intelligence Competence Center
[Diagram: stakeholder map of the CTI Competence Center. Legend: Stakeholder, Action, Input, Key Stakeholder. Groups: Group functions, Unit, CTI Competence Center.
Labels in extraction order: GSM and Group CISO; Feeds (SIEM); Strategic Reports; Topic specific reports; Intelligence Briefing; Analyst Access; CTI Provider; Collection; Analysis; Distribution; Clustering; Unit LCISO; Officials (Interpol, Europol, Police); Peer banks/partners; IOCs; Vendors (e.g. NCR); CERT; CTI KPIs, Improvements; Proposal for IOC; SIEM Rule Definition for IOCs; IOC rules Implementation & support; External sources; FS-ISAC; Security Champions; Monitoring Team; IOCs creation; IOC HUB; Quality assurance of IOCs; SIEM Rule Testing of IOCs; Coordination; Country victim notification; CTI SLAs (between Group and Units) Adjustment; Early warning indicator creation; Data breach notification.]
6. CTI Security User Stories – Data breach detected by CTI Provider (breach is not publicly known)
[Diagram: Unit A; Data breach discovered by CTI Provider]
8. CTI Security User Stories – Bank A is attacked
[Diagram labels: Attack; Bank A; Indicator of Compromise; CTI Competence Centre or SOC; Unit A, Unit B, Unit C, Unit D; Sector Sharing]
9. CTI Security User Stories – Unit A is attacked
[Diagram labels: Attack; Unit A; Indicator of Compromise; CTI Competence Centre or SOC; Bank A; Unit B, Unit C, Unit D; Bank B, Bank C, Bank D; Sector Sharing]
11. • Sharing models with TAXII by MITRE:
[Diagram: three sharing models. Source/Subscriber: one Source feeding several Subscribers. Peer-to-peer: Peer A, Peer B, Peer C, Peer D, Peer E, each acting as Source/Subscriber. Hub and spoke: a Hub with Spokes that are Consumer only, Producer only, or Consumer & Producer.]
12. • Trusted Automated eXchange of Indicator Information (TAXII™)
• Open community led by DHS and coordinated by MITRE
• Simplicity (easy to implement and understand)
• One standardized way (reduces uncontrolled growth of different formats)
• Minimize resource usage (reduce message size, only transmit what is necessary)
• Scalable performance
• TAXII core services:
• Discovery – indicates how to communicate with other services
• Feed Management – identify and manage subscriptions to data feeds
• Poll – support pull messaging
• Inbox – receive pushed messages
13. How should we describe our indicators of compromise (IOCs)?
14. STIX (Structured Threat Information eXpression)
§ A language for the characterization and communication of cyber threat information
§ What activity are we seeing?
§ What threats should I look for on my networks and systems and why?
§ Where has this threat been seen?
§ What does it do?
§ What weaknesses does this threat exploit?
§ Why does it do this?
§ Who is responsible for this threat?
§ What can I do about it?
Source: https://stix.mitre.org
18. Subtypes of Cyber Threat Intelligence with STIX
Source: https://forums.soltra.com/index.php?/topic/266-soltra-intro-pdf-deck/
19. How can we keep information within our defined trust boundaries?
20. Traffic Light Protocol (TLP)
§ The Traffic Light Protocol (TLP) is a simple and intuitive schema by US-CERT to indicate how information can be shared
§ There are 4 classes:
https://www.us-cert.gov/tlp

TLP level | When to use it? | How to use it?
RED | High risk of impact on the information owner's business, reputation, or privacy | Recipients may not share this information
AMBER | Still high risk, but the information requires support to be effectively used | Recipients may share it within their organization and with other stakeholders according to the need-to-know principle
GREEN | If it is useful for a broader community or sector | Can be shared with peers and partners, but not outside the community
WHITE | Information contains no or only minimal risk for public use | No restrictions except standard copyright rules
21. TLP Data Marking in STIX
§ Example: TLP Data Marking in STIX
§ Please note:
§ In the STIX structure it is allowed to apply multiple markings to one item
§ If an item is marked GREEN and RED, then the higher (more restrictive) marking applies
§ Markings must be done at the right place (global level or field level)
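As an added example (not code from the deck, and not the STIX marking schema itself), the following Python resolves multiple TLP markings on one item, global and field-level, and applies the sharing rules from the TLP table above. The dictionary layout, the audience names and the sample indicator are assumptions made for the example.

```python
# Added example (not from the deck): resolve TLP data markings on a STIX-like
# item and decide whether a field may be passed on. The item layout below
# (global "markings" plus per-field "field_markings") is a simplified stand-in
# for STIX data markings, not the real STIX schema.

TLP_ORDER = ["WHITE", "GREEN", "AMBER", "RED"]  # least to most restrictive

# Who a recipient may pass the information on to, per TLP level, following the
# "How to use it?" column of the TLP table: RED may not be shared at all,
# AMBER stays inside the organisation (need to know), GREEN stays inside the
# community, WHITE has no restrictions beyond copyright.
MAY_FORWARD_TO = {
    "RED": set(),
    "AMBER": {"own_org"},
    "GREEN": {"own_org", "community"},
    "WHITE": {"own_org", "community", "public"},
}

def effective_tlp(item, field=None):
    """Most restrictive marking that applies: global markings only when
    field is None, otherwise global markings plus that field's own markings.
    Implements the deck's rule that GREEN + RED resolves to RED.
    Returns None for an item that carries no marking at all."""
    markings = list(item.get("markings", []))
    if field is not None:
        markings += item.get("field_markings", {}).get(field, [])
    unknown = [m for m in markings if m not in TLP_ORDER]
    if unknown:
        raise ValueError(f"unknown TLP marking(s): {unknown}")
    if not markings:
        return None
    return max(markings, key=TLP_ORDER.index)

def may_forward(item, audience, field=None):
    """True if the item (or one field of it) may be forwarded to the given
    audience: "own_org", "community" or "public". Unmarked items are never
    forwarded automatically; someone has to assign a TLP level first."""
    level = effective_tlp(item, field)
    return level is not None and audience in MAY_FORWARD_TO[level]

def forwardable_fields(item, audience):
    """Subset of the item's fields that may go to this audience, which is what
    a field-level RED marking on top of a GREEN item is meant to achieve."""
    return sorted(f for f in item["fields"] if may_forward(item, audience, f))

# Constructed sample: an indicator marked GREEN as a whole, with the
# victim-specific description marked RED at field level.
SAMPLE_ITEM = {
    "fields": {"type": "ip", "value": "198.51.100.7",   # documentation address
               "description": "seen in Unit A's ATM network"},
    "markings": ["GREEN"],
    "field_markings": {"description": ["RED"]},
}
```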
22. Terms of use Data Marking in STIX
§ Example: Terms of use Data Marking in STIX
§ Please note:
36. Threat Intelligence Feeds Lifecycle
[Diagram: Various Feed Sources; REPOSITORY holding the IOCs table (columns: ID, Created, Source, Category, Type, Value, Expired, Flag, Rate, First_seen, Last_seen, Description); decision “Expired flag = 0”: Yes = Add to List of feeds, No = Remove from List of feeds; Flex Connector; .sh, .bat script (wget); legend: 0 – Actual, 1 – Expired]
§ Each feed in the Repository (Repo) has a special field “Expired” that indicates whether the feed is actual (0) or expired (1)
§ When a feed is downloaded from a source to the Repo, the “Expired” field is assigned 0; if the source indicates that the feed is obsoleted, the field is assigned 1
§ Feed lifespan (IP, URL, e-mail) in the Repo is xx days; feed lifespan (hash) in the Repo is unlimited*
§ If the age of an actual URL, IP or e-mail feed in the Repo is > x days, a special script marks the feed as obsoleted (Expired field = 1)
§ If the age of an obsoleted URL, IP or e-mail feed in the Repo is > x days, a special script moves the feed from the operational table to the archive table
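The lifecycle rules above as an added Python example (not the presenter's script): it ingests records with the table's columns, runs the expiry and archive steps of the special script, and builds the current feed list for the connector. The day thresholds, the use of the Created column to measure age, the daily schedule and the sample records are assumptions.

```python
from datetime import date

# Columns of the IOC repository table as shown on the slide.
COLUMNS = ["ID", "Created", "Source", "Category", "Type", "Value", "Expired",
           "Flag", "Rate", "First_seen", "Last_seen", "Description"]

# Types with a limited lifespan; hashes have an unlimited lifespan on the slide.
AGING_TYPES = {"ip", "url", "email"}

def ingest(record, source_marks_obsolete=False):
    """Download step: a new Repo entry gets Expired=0 (actual), or Expired=1
    when the source itself reports the entry as obsoleted."""
    entry = {c: record.get(c) for c in COLUMNS}
    entry["Expired"] = 1 if source_marks_obsolete else 0
    return entry

def age_feeds(operational, archive, today, lifespan_days, archive_after_days):
    """The slide's 'special script', assumed to run daily:
      1. actual IP/URL/e-mail entries older than lifespan_days -> Expired=1;
      2. obsoleted IP/URL/e-mail entries older than archive_after_days are
         moved from the operational table to the archive table.
    Age is taken from Created (assumption: the slide does not name the column).
    Hash entries are never touched. Returns (expired_count, archived_count)."""
    expired = archived = 0
    keep = []
    for e in operational:
        age = (today - e["Created"]).days
        if e["Type"] in AGING_TYPES:
            if e["Expired"] == 0 and age > lifespan_days:
                e["Expired"] = 1
                expired += 1
            if e["Expired"] == 1 and age > archive_after_days:
                archive.append(e)
                archived += 1
                continue
        keep.append(e)
    operational[:] = keep
    return expired, archived

def feed_list(operational, ioc_type):
    """The 'Expired flag = 0 -> Add to List of feeds' decision: values of one
    type that should currently be handed to the SIEM connector or script."""
    return sorted(e["Value"] for e in operational
                  if e["Type"] == ioc_type and e["Expired"] == 0)

# Constructed sample Repo (documentation addresses, made-up dates, MD5 of "").
TODAY = date(2016, 6, 30)
REPO = [
    ingest({"ID": 1, "Created": date(2016, 6, 20), "Type": "ip", "Value": "198.51.100.7"}),
    ingest({"ID": 2, "Created": date(2016, 5, 1), "Type": "url", "Value": "http://example.test/x"}),
    ingest({"ID": 3, "Created": date(2016, 1, 1), "Type": "email", "Value": "a@example.test"},
           source_marks_obsolete=True),
    ingest({"ID": 4, "Created": date(2015, 1, 1), "Type": "md5", "Value": "d41d8cd98f00b204e9800998ecf8427e"}),
    ingest({"ID": 5, "Created": date(2016, 2, 1), "Type": "ip", "Value": "203.0.113.9"}),
]
ARCHIVE = []
```

Running `age_feeds(REPO, ARCHIVE, TODAY, 30, 90)` on the sample expires the 60-day-old URL, archives the e-mail that arrived already obsoleted and the 150-day-old IP, and leaves the hash alone.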
39. How to measure the CTI process (KPIs)
Strategic
- CTI inputs are ready before the update of the Security Strategy
- Security budget requirements are aligned with the CTI outcome
Tactical
- Tactical information is distributed on a regular basis to all entities
- Ad hoc tactical information is distributed to all entities
- Did company-specific predictions made by the CTI providers materialize?
Operational
- Number of calls/support requests
- Time to respond (entity requests)
Technical
- Availability of IOC Hub (RTO)
- Update feed source: h<4h;
- Feed completeness (№ received / № imported);
- Feed data
- false positives (count by exclusion);
- false negatives
- Quantity of connected entities;
- Feeds usage by entity
- Quantity of feed categories (botnet, virus etc.);
- Quantity of feed types (ip, url, md5 etc.);
- Quantity of feed sources (FS-ISAC, Kaspersky)
41. Lessons learned: concerns and considerations
§ Overlap of IP address feeds from Provider A, Provider B and Provider C is less than 5%. For open-sourced feeds – about 1% overlap
§ Some indicators are merely that – indicators:
• they are either aged or not currently tied to active malware participation;
• they are not prioritized (have no reputation or severity level);
• they have no context;
• they are generic, in the sense of not being associated with any particular type of enterprise;
[Figure: David Bianco - Pyramid of Pain]
42. Lessons learned: concerns and considerations
§ A lot of indicators are public services.
§ Indicator lifetime is a tough question
§ Too many false-positive alarms, especially on the Domain Watchlist and URL Watchlist
43. CTI advantages
§ Changing the security model from reactive to proactive (if we understand our adversaries we can develop tactics to combat current attacks and plan better for future threats)
§ Setting up a CTI process assures that all indicators of compromise are shared in the Group and that the security alert problem overwhelming most security teams is reduced
§ Driving better, more informed responses to security incidents.
§ Extending the life of aging security technologies and improving defenses by feeding them IOCs, with the ability to block rapidly emerging threats.
§ Enhancing communication between the security team, management and board members on threats to the bank
§ Enabling better security investment strategies (more directly connecting security priorities with business risk management priorities)
§ High potential to support the future Digital Security process of the bank
44. Reinhold Wochner, MSc., MBA
CRISC, CRMA, CISM, CGEIT, CISSP, CISA
speaker.wochner@web.de
Thank you