K0577: Knowledge of the Intelligence Frameworks, Processes, and Related Systems

Table 6.3 below lists popular cyber threat intelligence frameworks and standards for describing, aggregating, and exchanging cyber threat information. A sample of them is covered below in some detail.

Table 6.3 A sample of cyber threat frameworks and standards
OpenIOC  Open Indicators of Compromise framework
VERIS    Vocabulary for Event Recording and Incident Sharing
CybOX    Cyber Observable eXpression
IODEF    Incident Object Description and Exchange Format
TAXII    Trusted Automated eXchange of Indicator Information
CVE      MITRE Common Vulnerabilities and Exposures
STIX     Structured Threat Information eXpression
MILE     Managed Incident Lightweight Exchange
TLP      Traffic Light Protocol
OTX      Open Threat Exchange
CIF      Collective Intelligence Framework

Open Indicators of Compromise (OpenIOC) Framework

Indicators of compromise (IOCs), popularized by the OpenIOC framework released in 2011 (OpenIOC 2011), are pieces of evidence (in network traffic, files, hashes, registry keys, dynamic link libraries (DLLs), mutual exclusion objects (mutexes), etc.) that identify potentially malicious activity on a system or a network. They help detect data breaches, malware infections, and other security threat activity. IOCs are an example of actionable cyber threat intelligence (CTI). Compared with anti-malware products, IOC-based methods look at the symptoms or indicators of malicious activity rather than only at its outputs or payloads, and they help answer how an attack or malware infection occurred. Table 6.4 shows examples of IOCs (Chickowski 2013). Similar to IOCs, indicators of attack (IOAs) focus on identifying attacker activity while an attack is in progress.

Table 6.4 Examples of IOCs (Chickowski 2013)
1. Unusual outbound network traffic
2. Anomalies in privileged user account activity
3. Geographical irregularities
4. Log-in red flags
5. Increases in database read volume
6. HTML response sizes
7. Large numbers of requests for the same file
8. Mismatched port-application traffic
9. Suspicious registry or system file changes
10. Unusual DNS requests
11. Unexpected patching of systems
12. Mobile device profile changes
13. Bundles of data in the wrong place
14. Web traffic with unhuman behavior
15. Signs of DDoS activity
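Most entries in Table 6.4 are behavioral rather than atomic indicators, so they have to be computed from logs instead of looked up. The following is an added example, not code from the book or from any of the listed frameworks, that implements two detectors for the "Unusual DNS requests" category over a constructed DNS query log: labels that look machine-generated (DGA or encoded/tunnelled data) and a single client resolving many distinct subdomains of one domain. The log format, the entropy and length thresholds, the burst threshold and the two-label approximation of a registered domain are all assumptions made for the illustration.

```python
# Added example (not from the book): two "unusual DNS request" heuristics from
# Table 6.4 run over a constructed DNS query log. The log format, the
# entropy/length thresholds and the burst threshold are assumptions.
import math
from collections import Counter, defaultdict

# Constructed sample log: "<time> <client_ip> <queried_name>", one query per line.
# attacker.test / exfil.test are made-up names; 10.0.0.5 is a benign client.
SAMPLE_DNS_LOG = """\
09:00:01 10.0.0.5 www.example.com
09:00:02 10.0.0.5 mail.example.com
09:00:03 10.0.0.5 autodiscover.example.com
09:00:04 10.0.0.7 xk3j9q2zv8w1m4.attacker.test
09:00:05 10.0.0.7 p0a7lq2x9v3mzt.attacker.test
09:00:06 10.0.0.7 4hfz8kq2m7xv1b.attacker.test
09:00:07 10.0.0.7 n1c7x2zq9mv4kb.attacker.test
09:00:08 10.0.0.9 www.example.org
09:00:09 10.0.0.9 4d41564a4c2f2f6b6579.exfil.test
"""


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    """Return (timestamp, client, name) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, name = parts
        records.append((ts, client, name.lower().rstrip(".")))
    return records


def registered_domain(name):
    """Assumption: the registrable domain is the last two labels. Production
    code should use the public suffix list (co.uk and friends)."""
    return ".".join(name.split(".")[-2:])


def looks_encoded(label, min_len=12, min_entropy=3.0):
    """Heuristic for DGA or tunnelled/encoded data in a hostname label:
    long, high entropy, and mixing letters and digits. The digit requirement
    keeps ordinary long words such as 'autodiscover' from firing."""
    return (len(label) >= min_len
            and shannon_entropy(label) >= min_entropy
            and any(ch.isdigit() for ch in label)
            and any(ch.isalpha() for ch in label))


def flag_encoded_names(records):
    """Names whose leftmost label looks machine-generated."""
    return sorted({name for _, _, name in records if looks_encoded(name.split(".")[0])})


def flag_subdomain_bursts(records, threshold=4):
    """(client, domain, count) where one client resolved `threshold` or more
    distinct subdomains of one registered domain: a tunnelling/DGA pattern.
    A real detector would also bound this by a time window."""
    seen = defaultdict(set)
    for _, client, name in records:
        seen[(client, registered_domain(name))].add(name)
    return sorted((client, dom, len(names))
                  for (client, dom), names in seen.items() if len(names) >= threshold)


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    for name in flag_encoded_names(recs):
        print("encoded-looking name:", name)
    for client, dom, count in flag_subdomain_bursts(recs):
        print(f"{client} resolved {count} distinct names under {dom}")
```

Two caveats a practitioner should expect: CDN and cloud hostnames with random-looking labels are a known false-positive class for the entropy rule, so in practice it is paired with an allow-list or with the burst signal, and the hex-encoded label in the sample only just clears the 3.0 bits threshold, since hex data can never exceed 4 bits per character.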
Public repositories such as MISP instances and VirusTotal can be used to retrieve historical network- and file-based IOCs. Open source scanners such as Loki (https://github.com/Neo23x0/Loki) take IOC sets (file hashes, file name patterns, YARA rules, C2 addresses) and check whether a given host shows any of them, that is, whether the system is a victim of the corresponding threat. Knowledge of IOCs helps security experts understand malware and design defenses against similar future threats; IOCs are also used for threat triage and remediation. IOCs can be expressed and exchanged in several formats and tools, including OpenIOC, STIX/CybOX (transported via TAXII), YARA rules, the IETF IODEF format, Tardis, etc. (Fig. 6.17).
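The OpenIOC format referenced above encodes indicator terms as XML with nested AND/OR logic, and a scanner such as Loki is essentially an evaluator of such terms against what it observes on a host. The block below is an added example, not code from the book, from Mandiant/OpenIOC or from Loki: a minimal evaluator for the OpenIOC 1.0 XML schema applied to constructed host observations. The hash, mutex name and C2 domain in the sample IOC are made up, and the observation dictionaries stand in for what a live-response collector would gather.

```python
# Added example (not from the book, and not Mandiant's/OpenIOC's own tooling):
# a minimal evaluator for the OpenIOC 1.0 XML format, run against constructed
# host observations. The hash, mutex name and domain below are made up.
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed indicator: match if the file hash is seen, OR if both the mutex
# and the C2 domain are seen. Nested Indicator elements carry the boolean logic.
SAMPLE_IOC = """\
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001" last-modified="2019-01-01T00:00:00">
  <short_description>Constructed sample IOC</short_description>
  <definition>
    <Indicator operator="OR" id="i1">
      <IndicatorItem id="ii1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="i2">
        <IndicatorItem id="ii2" condition="contains">
          <Context document="ProcessItem" search="ProcessItem/HandleList/Handle/Name" type="mir"/>
          <Content type="string">ExampleMutex</Content>
        </IndicatorItem>
        <IndicatorItem id="ii3" condition="is">
          <Context document="Network" search="Network/DNS" type="mir"/>
          <Content type="string">c2.evil.example</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed host observations keyed by the OpenIOC "search" term. A real
# collector (e.g. a live-response script) would populate these from the host.
HOST_HASH_HIT = {"FileItem/Md5sum": ["0123456789ABCDEF0123456789abcdef"]}
HOST_MUTEX_ONLY = {"ProcessItem/HandleList/Handle/Name": ["Global\\ExampleMutex-1234"]}
HOST_MUTEX_AND_DNS = {
    "ProcessItem/HandleList/Handle/Name": ["Global\\ExampleMutex-1234"],
    "Network/DNS": ["www.example.com", "c2.evil.example"],
}
HOST_CLEAN = {"FileItem/Md5sum": ["ffffffffffffffffffffffffffffffff"], "Network/DNS": ["www.example.com"]}


def _local(tag):
    """Strip the namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def item_matches(item, observations):
    """Evaluate one IndicatorItem. Only the 'is' and 'contains' conditions are
    implemented; others raise so an unsupported IOC is never silently 'clean'."""
    search = item.find("ioc:Context", NS).get("search")
    value = (item.find("ioc:Content", NS).text or "").strip().lower()
    condition = item.get("condition", "is")
    observed = [o.lower() for o in observations.get(search, [])]  # case-insensitive compare
    if condition == "is":
        return value in observed
    if condition == "contains":
        return any(value in o for o in observed)
    raise ValueError(f"unsupported condition {condition!r} in item {item.get('id')}")


def indicator_matches(indicator, observations):
    """Evaluate a (possibly nested) Indicator with its AND/OR operator."""
    results = []
    for child in indicator:
        if _local(child.tag) == "IndicatorItem":
            results.append(item_matches(child, observations))
        elif _local(child.tag) == "Indicator":
            results.append(indicator_matches(child, observations))
    if not results:
        return False
    return any(results) if indicator.get("operator", "AND").upper() == "OR" else all(results)


def evaluate_ioc(xml_text, observations):
    """True if the host observations satisfy the IOC definition."""
    definition = ET.fromstring(xml_text).find("ioc:definition", NS)
    return any(indicator_matches(ind, observations) for ind in definition.findall("ioc:Indicator", NS))


def fired_items(xml_text, observations):
    """IDs of the individual IndicatorItems that matched, for analyst triage."""
    root = ET.fromstring(xml_text)
    return [it.get("id") for it in root.iter(f"{{{NS['ioc']}}}IndicatorItem")
            if item_matches(it, observations)]


if __name__ == "__main__":
    for label, host in [("hash hit", HOST_HASH_HIT), ("mutex only", HOST_MUTEX_ONLY),
                        ("mutex and dns", HOST_MUTEX_AND_DNS), ("clean", HOST_CLEAN)]:
        print(f"{label:14s} match={evaluate_ioc(SAMPLE_IOC, host)} fired={fired_items(SAMPLE_IOC, host)}")
```

The "mutex only" host is the case worth noting: one indicator item fires, but the enclosing AND is not satisfied, so the host is not declared compromised. Reporting fired items separately from the overall verdict is what lets an analyst see partial matches during the "false positive identification" step of the OpenIOC cycle.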
Fig. 6.17 OpenIOC process flow (OpenIOC 2011). The figure shows an iterative investigation cycle: Initial Leads; IOC Creation; Deploy IOCs (host IOCs to HIDS/HIPS and investigation tools, network IOCs to IDS/IPS and SIEM); Identify Suspect Systems; Preserve/Collect Evidence (forensic image, live response (LR) data collection, log data); Analyze Data (LR data review, forensic analysis, log analysis, malware analysis, false positive identification), which feeds back into IOC Creation.

Collective Intelligence Framework (CIF)

Collective Intelligence Framework (CIF) was developed by REN-ISAC (https://csirtgadgets.com/collective-intelligence-framework). It combines known malicious indicators from many sources so that they can be used for incident response, IDS/IPS, or other mitigation. One of the main goals of CIF and similar frameworks is a unified structure that lets security analysts aggregate, integrate, and exchange information about different malicious threats. CIF can integrate with many other tools, such as Kibana, Snort, Bro, BIND, TippingPoint, PassiveDNS, and FireEye (https://github.com/csirtgadgets/massive-octo-spice/wiki/The-CIF-Book). Indicator data types in CIF include URLs, domains, IP addresses, and MD5 hashes (Fig. 6.18).
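The value of CIF is less in any single feed than in normalising many feeds into typed, scored indicators that mitigation equipment can consume. The block below is an added example and not CIF's own code: it reproduces that aggregate-then-mitigate flow in miniature for the four CIF data types named above (URL, domain, IP, MD5), corroborates indicators seen by more than one source, answers the kind of query a CIF client would make, and exports the result as a BIND response policy zone fragment (a DNS sinkhole) and Snort rules. The feed contents, the per-source confidences, the corroboration bonus and the export cut-off are assumptions.

```python
# Added example (not CIF's own code): the aggregate-then-mitigate idea behind
# CIF, in miniature. Two constructed feeds are normalised into typed
# indicators (ipv4, fqdn, url, md5) with a 0-100 confidence, corroborated,
# queried, and exported as a BIND RPZ fragment and Snort rules. Feed content,
# source confidences and the corroboration bonus are assumptions.
import ipaddress
import re
from dataclasses import dataclass, field

FEED_A = """\
# constructed feed A: one observable per line
198.51.100.23
c2.evil.example
http://c2.evil.example/gate.php
0123456789abcdef0123456789abcdef
"""
FEED_B = """\
198.51.100.23
phish.example.net
not an indicator
"""

FQDN_RE = re.compile(r"(?=^.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$", re.I)


@dataclass
class Indicator:
    value: str
    itype: str
    sources: set = field(default_factory=set)
    confidence: int = 0


def classify(observable):
    """Return 'md5', 'url', 'ipv4', 'fqdn', or None for an unrecognised line."""
    if re.fullmatch(r"[0-9a-f]{32}", observable, re.I):
        return "md5"
    if re.match(r"https?://", observable, re.I):
        return "url"
    try:
        ipaddress.IPv4Address(observable)
        return "ipv4"
    except ValueError:
        pass
    if FQDN_RE.match(observable):
        return "fqdn"
    return None


def normalise(value, itype):
    """Hashes and hostnames are case-insensitive; URL paths are not."""
    return value.lower() if itype in ("md5", "fqdn") else value


def aggregate(feeds, corroboration_bonus=10):
    """feeds: {source_name: (feed_text, source_confidence)} -> {(type, value): Indicator}.
    An indicator takes the highest confidence of its sources, plus a bonus
    when more than one independent source reports it."""
    store = {}
    for source, (text, source_conf) in feeds.items():
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            itype = classify(line)
            if itype is None:  # junk lines are dropped, not stored
                continue
            value = normalise(line, itype)
            ind = store.setdefault((itype, value), Indicator(value, itype))
            ind.sources.add(source)
            ind.confidence = max(ind.confidence, source_conf)
    for ind in store.values():
        if len(ind.sources) > 1:
            ind.confidence = min(100, ind.confidence + corroboration_bonus)
    return store


def query(store, itype=None, min_confidence=0):
    """What a CIF client asks: indicators of a type at or above a confidence."""
    return sorted((i for i in store.values()
                   if (itype is None or i.itype == itype) and i.confidence >= min_confidence),
                  key=lambda i: (i.itype, i.value))


def to_rpz(store, min_confidence=60):
    """BIND response policy zone records; 'CNAME .' answers NXDOMAIN (DNS sinkhole)."""
    return [f"{i.value} CNAME ." for i in query(store, "fqdn", min_confidence)]


def to_snort(store, min_confidence=60, first_sid=1000001):
    """One Snort alert rule per high-confidence IPv4 indicator (local SIDs start at 1000000)."""
    return [f'alert ip $HOME_NET any -> {i.value} any (msg:"CIF ipv4 {i.value} conf={i.confidence}"; '
            f'sid:{first_sid + n}; rev:1;)'
            for n, i in enumerate(query(store, "ipv4", min_confidence))]


if __name__ == "__main__":
    store = aggregate({"feed_a": (FEED_A, 70), "feed_b": (FEED_B, 50)})
    for ind in query(store):
        print(f"{ind.itype:5s} {ind.confidence:3d} {sorted(ind.sources)} {ind.value}")
    print("\n".join(to_rpz(store)))
    print("\n".join(to_snort(store)))
```

Note the effect of the confidence cut-off: the phishing domain reported only by the low-confidence feed stays in the store for analysts to query but is not pushed to the sinkhole, which is the distinction between "intelligence" and "mitigation data" that the CIF architecture draws.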
Fig. 6.18 CIF architecture (Bambenek 2013). The figure shows public feeds/data and private feeds/data (your own data sources can be added, and any public threat intel can be used) flowing into a CIF server; users query the indexed feeds through CIF clients (Perl client, browser plugin, API), and daily feeds are pushed to mitigation equipment (DNS sinkhole, firewall, IDS).

Open Threat Exchange (OTX)

Open Threat Exchange (OTX) from AlienVault gives a global community of threat researchers and security professionals open access to a platform for aggregating and exchanging threat information. In addition to providing a unified communication mechanism and language, OTX aims to give the security community actionable advice for learning from historical threats and attacks, and to enable preventive response through an automated, real-time threat exchange framework.
Security analysts who want to collect data from these frameworks can build their own crawlers or use the APIs offered by threat sharing platforms and malware analysis services such as MISP, VirusTotal, and malwr.com (Table 6.5).
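As an added example of using such an API (not the book's code and not VirusTotal's own client library), the block below looks up a file hash through the VirusTotal v3 file endpoint and reduces the report to a triage verdict. The HTTP transport is a separate callable so the parsing and verdict logic can run offline against a constructed response; the hash, the API key string, the detection counts in the fake response and the verdict threshold are placeholders or assumptions. The endpoint, the x-apikey header and the last_analysis_stats structure are those of the public v3 API.

```python
# Added example (not from the book and not VirusTotal's own client library):
# looking up a file hash through the VirusTotal v3 API and reducing the report
# to an actionable summary. The HTTP transport is a separate callable so the
# logic can run offline against a constructed response; the API key, hash,
# detection counts and verdict threshold below are placeholders/assumptions.
import json
import time
import urllib.error
import urllib.request

VT_FILES = "https://www.virustotal.com/api/v3/files/"


def vt_fetch(url, api_key, timeout=15):
    """Real transport: GET with the x-apikey header the v3 API expects.
    Returns (status, body) instead of raising on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"x-apikey": api_key, "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def file_report(file_hash, api_key, fetch=vt_fetch, malicious_min=5):
    """Summarise GET /files/{hash}. 404 means VirusTotal has never seen the file,
    which is itself useful triage information (possibly targeted or freshly built)."""
    status, body = fetch(VT_FILES + file_hash, api_key)
    if status == 404:
        return {"hash": file_hash, "known": False, "verdict": "unknown"}
    if status == 429:
        raise RuntimeError("VirusTotal rate limit hit; back off and retry")
    if status != 200:
        raise RuntimeError(f"unexpected HTTP {status} from VirusTotal")
    attrs = json.loads(body)["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    # Count only engines that actually scanned the file, not type-unsupported/timeouts.
    engines = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    malicious, suspicious = stats.get("malicious", 0), stats.get("suspicious", 0)
    if malicious >= malicious_min:
        verdict = "malicious"
    elif malicious + suspicious > 0:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"hash": file_hash, "known": True, "malicious": malicious, "suspicious": suspicious,
            "engines": engines, "names": attrs.get("names", [])[:5], "verdict": verdict}


def lookup_many(hashes, api_key, fetch=vt_fetch, pause=15.0):
    """Public API keys are limited to 4 requests/minute, hence the default 15 s pause."""
    reports = []
    for n, h in enumerate(hashes):
        if n and pause:
            time.sleep(pause)
        reports.append(file_report(h, api_key, fetch))
    return reports


# Constructed offline stand-in for the API (shape follows the v3 file object).
KNOWN_HASH = "0123456789abcdef" * 4  # placeholder SHA-256, not a real sample
FAKE_RESPONSES = {
    VT_FILES + KNOWN_HASH: (200, json.dumps({"data": {"attributes": {
        "last_analysis_stats": {"harmless": 0, "malicious": 42, "suspicious": 1,
                                "undetected": 20, "type-unsupported": 5},
        "names": ["invoice.exe", "update.exe"]}}})),
}


def fake_fetch(url, api_key):
    """Offline transport returning the constructed responses above."""
    return FAKE_RESPONSES.get(url, (404, json.dumps({"error": {"code": "NotFoundError"}})))


if __name__ == "__main__":
    for r in lookup_many([KNOWN_HASH, "ff" * 32], "placeholder-api-key", fetch=fake_fetch, pause=0):
        print(r)
```

Swap fake_fetch for the default vt_fetch and a real key to run it against the service; the same injection point is where a MISP restSearch client or a malwr.com lookup would plug in, since the triage logic does not depend on which provider answered.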
Table 6.5 A sample of open malware scanners
Malwr (Cuckoo)      https://malwr.com
Hybrid Analysis     https://www.hybrid-analysis.com
PE dump             https://github.com/zed-0xff/pedump
Yararules           https://analysis.yararules.com/
Virscan             http://www.virscan.org/
Virusade            http://virusade.com/
VirusTotal          http://www.virustotal.com/
AndroTotal          https://andrototal.org/
Comodo              https://cit.valkyrie.comodo.com/
VirScan             http://r.virscan.org/
ID Ransomware       https://id-ransomware.malwarehunterteam.com/
Document Analyzer   http://www.document-analyzer.net/
Malware tracker     http://www.cryptam.com/
Jotti               http://virusscan.jotti.org/it
ViCheck             https://www.vicheck.ca/
PDF examiner        http://www.pdfexaminer.com/
Malware tracker     https://www.malwaretracker.com

Bibliography
Bambenek J (2013) Hacker hotshots, 11/27/2013
Barger DG (2005) Toward a revolution in intelligence affairs. RAND Corporation
Bianco D (2017) The pyramid of pain: threat hunting edition. Huntpedia: your threat hunting knowledge compendium
Brown AE (2009) Directed or diffuse? Chinese human intelligence targeting of US defense technology. Georgetown University
Chickowski E (2013) Top 15 indicators of compromise. darkreading.com, 10/9/2013
Chismon D, Ruks M (2015) Threat intelligence: collecting, analyzing, evaluating. MWR InfoSecurity Ltd. https://www.gpo.gov/fdsys/pkg/GPO-IC21
DoD Joint Publication 2-01, Joint and National Intelligence Support to Military Operations, 22 October 2013. https://fas.org/irp/doddir/dod/jp2_0.pdf
Fischer EA (2014) Federal laws relating to cybersecurity: overview of major issues, current laws, and proposed legislation. https://fas.org/sgp/crs/natsec/R42114.pdf
Gellman B, Poitras L (2013) U.S., British intelligence mining data from nine U.S. Internet companies in broad secret program. Washington Post, June 7, 2013
Grant J (2010) Will there be cybersecurity legislation? 4 J. Nat'l Security L. & Pol'y 103, 111
Information Collection, FM 3-55, Department of the Army, Washington, DC, 23 April 2012. https://fas.org/irp/doddir/army/fm3-55.pdf
Information Technology Industry Council (2011) The IT industry's cybersecurity principles for industry and government, version 3. https://www.itic.org/dotAsset/31bcabf8-514e-498e-a0af-7ed37e3a92ef.pdf, www.itic.org
Intelligence analysis, FM 34-3, Department of the Army. https://www.globalsecurity.org/intell/library/policy/army/fm/34-3/fm34-3.pdf
Interagency Threat Assessment and Coordination Group (2009) Homeland security digital library. https://www.hsdl.org/?view&did=33087
IRTPA (2004) The Intelligence Reform and Terrorism Prevention Act, DNI.gov. https://www.dni.gov/index.php/ic-legalreference-book/intelligence-reform-and-terrorism-prevention-act-of-2004
ITACG intelligence guide for first responders, 2nd edn (2011) National Counterterrorism Center (NCTC). http://www.ise.gov/sites/default/files/ITACG_Guide_2ed.pdf
Joint Publication 2-01, Joint and National Intelligence Support to Military Operations, 5 July 2017. https://fas.org/irp/doddir/dod/jp2_01.pdf
Joint Publication 3-13, Information Operations, 27 November 2012. http://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp3_13.pdf
Kenny MT (2006) Leveraging operational preparation of the environment in the GWOT. School of Advanced Military Studies, AY 05-06
Keys RE (4 February 2005) Air Force Policy Directive 10-35: Battlefield Airmen
Kuyers J (2013) 'Operational preparation of the environment': 'intelligence activity' or 'covert action' by any other name? 4 Am. U. Nat'l Security Law Brief 21 (Winter 2013). Available at SSRN: https://ssrn.com/abstract=2398500
Lingel S, Rhodes C, Cordova A, Hagen J, Kvitky J, Menthe L (2008) Methodology for improving the planning, execution, and assessment of intelligence, surveillance, and reconnaissance operations. RAND Project Air Force. www.rand.org
Lowenthal MM (2008) Towards a reasonable standard for analysis: how right, how often on which issues? Intell Natl Secur 23(3):303-315
Lowenthal MM (2012) Intelligence: from secrets to policy, 5th edn. SAGE/CQ Press, Los Angeles, p 252
Lowenthal MM (2009) Intelligence: from secrets to policy. CQ Press, Washington, D.C. JK 468.I6 L69
Lowenthal MM, Clark RM (2016) The five disciplines of intelligence collection. CQ Press, Washington DC
Military Decision-making Process (2014) https://usacac.army.mil/sites/default/files/publications/15-06_0.pdf
Miller JP (1999) Millennium intelligence: understanding and conducting competitive intelligence in the digital age, 1st edn. Information Today, Inc.
Naval War College (2014) Maritime component commander guidebook, July 2014
NSA slides explain the PRISM data-collection program (2013) Washington Post, June 7, 2013
OpenIOC (2011, October) An introduction to OpenIOC. Retrieved from http://openioc.org/resources/An_Introduction_to_OpenIOC.pdf
SANS Digital Forensics and Incident Response Blog (2009) https://digital-forensics.sans.org, https://digital-forensics.sans.org/blog/2009/10/14/security-intelligence-attacking-the-kill-chain/
Senkowski RM, Dawson MW (2009) Cybersecurity: a briefing, part II. Wiley Rein LLP, August 5, 2009. http://ccbjournal.com/articles/11615/cybersecurity-briefing-part-ii
Stech F, Heckman K, Strom BE (2016) Integrating cyber-D&D into adversary modeling for active cyber defense. In: Cyber deception, July 2016
Strategic Intelligence, JP 1-02, 509; Heidenrich JG, The intelligence community's neglect of strategic intelligence. Studies in Intelligence, cia.gov. https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/csi-studies/studies/vol51no2/the-state-of-strategic-intelligence.html#2-strategic-intelligence-jp
Suspicious Activity Reporting, Process Implementation Checklist, Nationwide SAR Initiative (NSI). https://nsi.ncirc.gov/documents/sar_implementation_checklist.pdf
Tanner (2014) Examining the need for a cyber intelligence discipline. J Homeland Natl Secur Perspect 1:1
U.S. Department of Homeland Security (2007) Target Capabilities List: a companion to the National Preparedness Guidelines
Vez J-L (2017) Guidance on public private information sharing against cybercrime. World Economic Forum
White paper (2013) Sophisticated indicators for the modern threat landscape: an introduction to OpenIOC. www.openioc.org
© Springer Nature Switzerland AG 2019 I. Alsmadi, The NICE Cyber Security Framework, https://doi.org/10.1007/978-3-030-02360-7_7