CTI Midterm2

What are the main capabilities of TAXII?

*Discovery* - for communication, need to discover TAXII services, a TAXII user fields, and network address and supported bindings, does not remove need for humans involvement, sharing agreement negotiation outside of scope of TAXII, allow for automated exchange of info about which TAXII capabilities a producer might support and technical mechanisms they employ *Push* - CTI can be pushed from producer to consumer, automated most likely they may have pre existing relationship to receive periodic content such as in a subscription but CTI is sent out as the producer decides to all consumers or maybe consumer is wiling to accept any contributions from any part and any producer can volunteer content at any time *Pull* - consumer can request to pull CTI from producer, allows consumer to control when they receive CTI, also allows them to revive without having to listen for incoming connections, producer and consumer can still have pre-exisitng relationship where consumer has access when requested, or producer can make it public and any consumer can contact for data

Please compare and contrast two TAXII architectures.

*Source / Subscriber model* One source of information [producer] and consumers all receive information in a unidirectional flow -all orgs with commercial feeds with source without feeding back *Hub and Spoke* one organization is the clearing house or hub for all sharing participants, spokes share with hub and then hub reshares with other spokes, hub may run analytics or filtering before re sharing ex. FireEye may be hub *peer to peer* any number of organizations act as both producer and consumer, information flows from one peer to another decentralized no singular point of failure!! individuals are both producer and consumer

Please compare and contrast the strengths and weaknesses of at least two threat analytic techniques.

1. Summary Statistics - basic statistics about collected data, ex. number of blocked IP's, locations. strength: good overview of activity on a network and there value for strategy, can be updated real time, weakness: does not provide much detail on classifying these threats, number of blocked IP's while useful does not indicate which IP's we should be blocking or which in particular pose greater threats 2. Reputation services / IP reputation analysis ie. identifying the quality of an IP, helps us see which IP address to block by analyzing the type of content eg. payloads, amount of traffic, sites visited, etc. study type of content sent to and from within and external to network, shows which are malicious, can create automated response [block] based on How many abandoned email addresses is this IP attempting to deliver to? How many "known bad" email addresses (spamtraps) is this IP attempting to deliver to? Does this IP retry deliveries too aggressively? Is this IP address listed on blocklists we use? AlienVault IP rep weakness: narrow in approach as its IP address focused and does not provide a very broad view of what all the threat data is, the same attacker may utilize multiple different IP addresses and this would be hard to trace back to one individual with IP reputation analysis 3. Anomoly Detection - identification of items, events, or observations which do not conform to an expected pattern or other items in dataset to ID any event falling outside normal -point, contextual, collective -unsupervised, supervised, semi-supervised strength: translate to critical and actionable CTI, applicable in various domains [intrusion detection, fraud, fault detection] weakness: huge volume of data difficult to analyze, requires highly efficient computational analysis, concept of outlier or anomaly varies, labelled anomalies not readily available for training and validation

Metrics for evaluation: Please explain precision, recall, and F-measure. How are they calculated?

Be able to describe a scenario that would require these three values (ie. Misclassifying an innocent user on a network as malicious and locking them out) and why they're needed for that scenario. Precision Exactness - % of tuples the classifier labeled as positive are actually positive TP/(TP+FP) Recall Completeness - % of positive tuples the classifier actually labeled as positive TP/(TP+FN) F-Measure Harmonic mean of precision and recall (2∗𝑅𝑒𝑐𝑎𝑙𝑙∗𝑃𝑟𝑒𝑐𝑖𝑠𝑖𝑜𝑛)/(𝑅𝑒𝑐𝑎𝑙𝑙+ 𝑃𝑟𝑒𝑐𝑖𝑠𝑖𝑜𝑛)

Please describe 2-3 applications of classification in CTI analytics. Which algorithms would be suited for these? Why?

Be able to present a scenario, determine its data type (qualitative or quantitative), and the best algorithm for that type of data. 1. Determine if email is malicious or not - qualitative, naive bays 2. Identify a phishing website from a real one - qualitative, decision tree 3. Identify malicious v benign network traffic - quantitative / qualitative, random forest 4. Categorize threat actors - qualitative, naive bases

Please differentiate between clustering and classification. Please be as detailed as possible.

Classification - Predictive (supervised), Use some variables (attributes, features) to predict unknown or future values of a particular variable (target, dependent variable), two-step process: model construction {learning} and model usage {applying} phase, trained model applied to unseen data to classify into predefined classes, model should fit well to training data and have strong predictive power, don't overfit model, can help if determine is something is malicious, ID phishing v real site, ID malicious v benign network traffic, categorize threat actors, no best method, can select based on metrics, some are: decision tree, random forest, naive babes Clustering- Descriptive (unsupervised), stand alone tool to get insight into data distribution, preprocessing step for other algorithms, group similar events, group threat actors in social media, categorize similar log files together, produce high quality clusters, depends on similarity metric used, one method if K-means, not goof for data of diff size and density or odd shape

Please describe a situation in which you would merge multiple types of threat analytic techniques together.

If there is a data breach that utilized malware we would need to run malware analysis such as decompiling ransomware but we might also want to use forensics to preserve digital evidence to persecute the attacker, we might also want to use machine learning to classify malware for automated analysis

What is the role of operational intelligence in CTI?

Operational intelligence utilizes the intelligence from the first three stages to aid the organization's cyber defenses. Assumes you have ranked threats based on severity There are several key activities: Actionable intelligence and course of action Automated and manual proactive defenses Threat dissemination Intelligence sharing Intelligence strategy, process, and systems review

What value can data mining play in cyber threat intelligence? Please be as detailed as possible.

Recent years there has been an explosion of security related data Sorting through large amounts of cyber threat data for meaningful insights is time consuming Data mining/machine learning can aid in that Companies that provide these services: Splunk, IBM, Sqrrl Data mining: the process of discovering knowledge in large data repositories Predictive: use some variables to predict unknown or future values of a particular variable Descriptive: find general properties that describe the data pattern discovery in large dataset. aids in analytics in the future for meaning

Please describe an end-to-end scenario of the cyber kill chain

Right Wing Delivers Easy Impeachment Churning America Scenario - hack an org through USB drop Reconissance - plan phase, do research on the company or the organization, identify high traffic areas for USB drop, or key employees we want to pick them up -difficult to detect at this phase but when they find it can reveal intent. Course of action: detect (web analytics), Deny (firewall ACL), or look for suspicious people monitoring by detecting Weaponization - add malware to a pdf the USB. course of action: cannot detect as it happens but can infer bu analyzing malware artifacts, detect with full malware analysis, analyze timeline when malware is created, collect files and metadata for future analysis, detect w/ NIDS, deny with NIPS, Delivery - drop the USB's in said high traffic areas or nearby key employees office -first and most important opportunity for defenders to block the operation, fraction of intrusion attempts blocked, can detect a suspicious USB, can deny but not inserting it, degrade by queuing, Exploit - when PDF is clicked on it executes a malicious program with a trojan spy. course of action: detect with HIDS, deny with patch, disrupt with DEP Installation- backdoor installed onto the victim computer for remote monitoring, course of action: detect with HIDS, deny with chroot jail, disrupt with AV Command and Control - remotely control and monitor the machine, course of action: detect with NIDS, deny with firewall, disrupt with NIPS, degrade in tarpit, deceive with DNS redirect Actions - gain user credentials, spread malware to other computers on the network, detect with audit log, decieve with honeypot

Describe actionable intelligence and its value.

Some of the intelligence which we have generated can be responded to right away. Such intelligence is referred to as "actionable intelligence" Actionable intelligence assumes that there is a course of action to follow for certain types of threats. A course of action is a set of steps (preferably pre-determined) designed to dissolve identified threats or perform certain actions. Not every threat is worth addressing, course of action can be as early or late as we choose -prevent an intrusion -detect website crawling and block address -advise staff of heightened phishing threats -track attacker y logging IP address -inform board, regulators

What are the key components of TAXII?

Trusted Automated eXchange of Indicator Information fundamental protocols, services, and messages to exchange CTI for detection, prevention, and mitigation of threats how ISAC is implemented today: time consuming, manual, or separate automated solutions so we need TAXII made broad sharing possible info shared in STIX format share cyber threat info broadly with many sharing partners in an automated way producer consumer *can be both* 3 capabilities: push, pull, discovery NOT info sharing initiative or application - no governance, trust agreements, or non tech aspects empowers organization to achieve improved situational awareness about emerging threats and share with partners

What value can clustering play in CTI?

Typical applications: As a stand-alone tool to get insight into data distribution As a preprocessing step for other algorithms Clustering applications in CTI: Grouping similar types of network events together Grouping similar threat actors together in social media Categorizing similar log files together

Please describe some possible course of action for the kill chain

can provide actionable intelligence when linked to courses of action. identify particular measures that can be used for particular stages of an attack. -Detect -Deny -Disrupt -Degrade -Deceive -Destroy

What is the purpose of CTI analytics?

data has absolutely no meaning without analytics, we want to leverage the data for relevant, timely, and actionable threat intelligence to better the organization with insight that enhances cybersecurity decision making

How can the cyber kill chain be linked to the diamond model?

diamond model illustrates specific cyber events and those activities and activity groups are linked to certain parts of the cyber kill chain - can construct activity graphs based on diamonds and relationships -attack graphs: ID and enumerate paths an adversary could take, exhaustive -activity threads: define paths adversary HAS taken -if you overlay what could and what hs you get activity-attack graph to highlight attacker preferences alongside possible alternative paths and enables better mitigation strategies by mitigating current threats and taking into account reactions or alternate adversary tactics the activity-attack graph goes through and documents the attack graph and the activity thread overlay across each step of the cyber kill chain based on the relationship between diamonds

[not a formal question on slides but could be in composite] List and describe the TAXII functional units

functional units are discrete sets of functionality required to support TAXII one component with well defined role TTA - TAXII Transfer Agent: network connected functional unit that sends or recieves TAXII messages, interacts with other TTA's over the network and handles the details of the protocol requirements from one or more TAXII protocol binding specifications, provides TAXII messages to the MH to be agnostic to the utilized network protocol TMH: TAXII message handler produces and consumes TAXII messages, parsing inbound messages and constructs outbound in conformance with binding specifications, interacts with TTA TAXII Back-end: ineracts with TMH to turn info from back end to TAXII messages and perform activities based on TAXI messages that TMH receives, all roles not TMH or TTA [ access control, data storage] decide which backends to have by each implementer TAXII architecture - all functional units of single producer or consumer's infrastructure that provide and utilize TAXII services

Please describe the value the cyber kill chain provides in CTI.

if you want to analyze threats you can map the event data into a cyber kill chain , it provides a systematic process to target and engage an object to create desired effect phases of cyber attack - 7 phases [US military doctrine defines steps to find, fix, track, target, engage, and asses] chain bc any deficiency interrupts the entire process, adapted to fit cyber applications allows organizations to track an attackers behavior and patterns to identify what stage of an attack an attacker might be at in the CKC and to also identify what actions need to be taken at that specific step to stop an attack and mitigate the threat from proceeding any further. goal is to catch an attack as early as possible not every stage is followed step-by-step

What are some considerations when sharing intelligence? Why?

recommend sharing with industry, partner, suppliers, customers, regulators but know it loses value as you share, attacker can use against you but not sharing means you are dependent on what you get from yourself, value wanes over time, recent most valuable, IP have diff users over time, browser fingerprints evolve -TAXII for sharing STIX DATA standardized

Discuss threat dissemination strategies.

who to disseminate threat info to not everyone needs to know eveything critical questions: who to tell, when to tell them, what to tell them, how to tell them depends on the types of threats ex. client data must be tactfully disseminated