Building a Cyber Threat Intelligence Knowledge Graph
•
0 likes•174 views
Knowledge of cyber threats is a key focus in cyber security. In this talk, we present TypeDB CTI, which is an open source threat intelligence platform to store and manage such knowledge. It enables Cyber Security Intelligence (CTI) professionals to bring together their disparate CTI information into one platform, enabling them to more easily manage such data and discover new insights about cyber threats. We will describe how we use TypeDB to represent STIX 2.1, the most widely used language and serialization format used to exchange cyber threat intelligence. We cover how we leverage TypeDB's modelling constructs such as type hierarchies, nested relations, hyper relations, unique attributes, and logical inference to build this threat intelligence platform. Speaker: Tomás Sabat Tomás is the Chief Operating Officer at Vaticle. He works closely with TypeDB's open source and enterprise users who use TypeDB to build applications in a wide number of industries including financial services, life sciences, cyber security and supply chain management. A graduate of the University of Cambridge, Tomás has spent the last seven years founding and building businesses in the technology industry.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Building a Cyber Threat Intelligence Knowledge Graph
Similar to Building a Cyber Threat Intelligence Knowledge Graph (20)
More from Vaticle
More from Vaticle (20)
Recently uploaded
Recently uploaded (20)
Building a Cyber Threat Intelligence Knowledge Graph
- 1. Building an Open Source Threat Intelligence Platform Tomás Sabat
- 3. Demo…
- 4. Datasets Data Model Database TypeDB is a strongly-typed database and TypeQL is its query language Based on STIX 2.1 to enable ingestion of heterogeneous CTI data Includes a connector to load MITRE ATT&CK (other datasets to follow) A knowledge graph to manage CTI knowledge and discover new insights about cyber threats TypeDB Data - CTI
- 5. Why TypeDB? Expressivity Logical Inference An expressive data model to represent complex data and enable contextualization of CTI data Discover previously unknown insights from existing data to detect and respond to new threats
- 6. Structured Threat Information Expression (STIX™) uses Intrusion Set Entity Uses Relationship Malware Entity Embedded Relationship
- 7. Modelling STIX in TypeDB
- 8. Modelling STIX in TypeDB define stix-domain-object sub stix-core-object, owns created, owns modified, owns revoked, owns confidence, owns langs, plays indication:indicated;
- 9. Modelling STIX in TypeDB define stix-domain-object sub stix-core-object, owns created, owns modified, owns revoked, owns confidence, owns langs, plays indication:indicated; intrusion-set sub stix-domain-object, owns name, owns description, owns alias, owns first-seen, owns last-seen, owns goals, owns resource-level, owns primary-motivation, owns secondary-motivation, plays attribution:attributing, plays comprise:comprising, plays host:hosting, plays ownership:owning, plays origination:originating, plays target:targetting, plays use:used-by;
- 10. stix-object Modelling STIX in TypeDB
- 12. stix-object stix-core-object stix-cyber- observable-object stix-domain-object stix-meta-object marking-definition external-reference kill-chain-phase Modelling STIX in TypeDB
- 13. stix-object stix-core-object stix-cyber- observable-object stix-domain-object stix-meta-object marking-definition statement-marking tlp-marking external-reference kill-chain-phase Modelling STIX in TypeDB … course-of- action campaign … directory autonomous- system attack-pattern artifact
- 14. stix-object stix-core-object stix-cyber- observable-object stix-domain-object stix-meta-object marking-definition statement-marking tlp-marking tlp-amber tlp-red tlp-white tlp-green external-reference kill-chain-phase Modelling STIX in TypeDB … course-of- action campaign … directory autonomous- system attack-pattern artifact
- 15. define stix-object sub entity; Modelling STIX in TypeDB
- 16. define stix-object sub entity; stix-core-object sub stix-object; stix-meta-object sub stix-object; Modelling STIX in TypeDB
- 17. define stix-object sub entity; stix-core-object sub stix-object; stix-domain-object sub stix-core-object; stix-cyber-observable-object sub stix-core-object; stix-meta-object sub stix-object; marking-definition sub stix-meta-object; external-reference sub stix-meta-object; kill-chain-phase sub stix-meta-object; Modelling STIX in TypeDB
- 18. define stix-object sub entity; stix-core-object sub stix-object; stix-domain-object sub stix-core-object; stix-cyber-observable-object sub stix-core-object; stix-meta-object sub stix-object; marking-definition sub stix-meta-object; statement-marking sub marking-definition; tlp-marking sub marking-definition; external-reference sub stix-meta-object; kill-chain-phase sub stix-meta-object; Modelling STIX in TypeDB
- 19. define stix-object sub entity; stix-core-object sub stix-object; stix-domain-object sub stix-core-object; stix-cyber-observable-object sub stix-core-object; stix-meta-object sub stix-object; marking-definition sub stix-meta-object; statement-marking sub marking-definition; tlp-marking sub marking-definition; tlp-white sub tlp-marking; tlp-green sub tlp-marking; tlp-red sub tlp-marking; tlp-amber sub tlp-marking; external-reference sub stix-meta-object; kill-chain-phase sub stix-meta-object; Modelling STIX in TypeDB
- 20. Modelling STIX in TypeDB Threat Actor Entity Indication Relation Embedded Relation Embedded Relation Embedded Relation Nested Relations
- 21. Modelling STIX in TypeDB Nested Relations object- marking indication threat- actor indicator tlp-red indicating marking indicated marked
- 22. Nested Relations Modelling STIX in TypeDB match $indicator isa indicator, has name "Fake email address"; $threat-actor isa threat-actor, has name "The Joker"; $tlp isa tlp-red, has stix-id "marking- definition--5e57c739-391a-4eb3-b6be- 7d15ca92d5ed"; $ind (indicating: $indicator, indicated: $threat- actor) isa indication; $mark (marking: $tlp, marked: $ind) isa object- marking; object- marking indication threat- actor indicator tlp-red indicated indicating marking marked
- 23. network-traffic- source ipv4 payload network- traffic artifact source traffic Modelling STIX in TypeDB Hyper Relations
- 24. network-traffic- source ipv4 payload network- traffic artifact source traffic Modelling STIX in TypeDB Hyper Relations match $ipv4 isa ipv4-address, has stix-id "ipv4-addr-- e42c19c8-f9fe-5ae9-9fc8-22c398f78fb7"; $artifact isa artifact, has stix-id "artifact-- 6f437177-6e48-5cf8-9d9e-872a2bddd641"; $network-traffic isa network-traffic, has stix-id "network-traffic--2568d22a-8998-58eb-99ec- 3c8ca74f527d"; $hyper-relation (source: $ipv4, payload: $artifact, traffic: $network-traffic) isa network-traffic-source;
- 25. Type Hierarchies Modelling STIX in TypeDB network-traffic icmp http-request socket tcp
- 26. Type Hierarchies Modelling STIX in TypeDB network-traffic icm http-request socket tcp define network-traffic sub entity; http-request sub network-traffic; icmp sub network-traffic; socket sub network-traffic; tcp sub network-traffic;
- 27. Type Hierarchies Modelling STIX in TypeDB network-traffic icm http-request socket tcp define network-traffic sub entity, owns start, owns end, owns is-active, owns protocol; http-request sub network-traffic; icmp sub network-traffic; socket sub network-traffic; tcp sub network-traffic;
- 28. Type Hierarchies Modelling STIX in TypeDB network-traffic icm http-request socket tcp define network-traffic sub entity, owns start, owns end, owns is-active, owns protocol; http-request sub network-traffic, owns request-method; icmp sub network-traffic, owns icmp-type-hex; socket sub network-traffic, owns address-family; tcp sub network-traffic, owns src-flags-hex;
- 29. What are all the network traffic entities with protocol “ip”? Modelling STIX in TypeDB network-traffic icm http-request socket tcp match $network-traffic isa network-traffic, has protocol "ip"; $http-request isa http-request, has protocol "ip"; $icmp isa icmp, has protocol "ip"; $socket isa socket, has protocol "ip"; $tcp isa tcp, has protocol "ip";
- 30. What are all the network traffic entities with protocol “ip”? Modelling STIX in TypeDB network-traffic icm http-request socket tcp match $network-traffic isa network-traffic, has protocol "ip";
- 31. Inferring New Insights match $course isa course-of-action, has name "Restrict File and Directory Permissions"; $in isa intrusion-set, has name "BlackTech"; $mit (mitigating: $course, mitigated: $in) isa mitigation;
- 33. Inferring New Insights rule mitigating-course-of-action-with-intrusion-set: when { (mitigating: $course-of-action, mitigated: $sdo) isa mitigation; (used: $sdo, used-by: $intrusion-set) isa use; } then { (mitigating: $course-of-action, mitigated: $intrusion-set) isa inferred-mitigation; };
- 36. Inferring New Insights rule transitive-use: when { (used-by: $sdo-1, used: $sdo-2) isa use; (used-by: $sdo-2, used: $sdo-3) isa use; } then { (used-by: $sdo-1, used: $sdo-3) isa use; };
- 37. Why TypeDB? Expressivity Logical Inference An expressive data model to represent complex data and enable contextualization of CTI data Discover previously unknown insights from existing data to detect and respond to new threats
- 38. Usage Flow of TypeDB CTI Downloader.py Download the latest or a specific version of STIX packages. Migrate.py Explorer.py Explorer.py Ingest the data into TypeDB. Run a stat check on object counts. Input your techniques or sub- techniques. Retrieve list of groups. explorer.py --stat explorer.py --infer_group –ttp T1189 T1068
- 40. Discord is the community’s home for learning, ideation and collaboration.