CTI: Cyber Threat Intelligence - Enabling Predictive Defense by Reading Attackers' Intent
Ryusuke Masuoka
Fujitsu System Integration Laboratories, Ltd.
November 2016
Copyright 2016 FUJITSU LIMITED
(Title image: Euthalia aconthea, https://en.wikipedia.org/wiki/Euthalia_aconthea)
Cyber Threat Intelligence (CTI)

Definition: the product of collecting, processing, integrating, analyzing, evaluating and interpreting data and information about cyber threats.

5Ws1H of cyber attacks (who, what, when, where, why and how): CTI lets you determine
• who the adversary is
• what their purpose is
• how serious it is

Two elements of Cyber Threat Intelligence (CTI)
• Data/information such as IP addresses and malware hash values: CTI Level 1 (L1) – Observables
• Cyber threat intelligence in its real meaning, i.e. observables placed in context: CTI Level 2 (L2) – Contextual CTI
Two Elements: CTI L1 and L2

(Figure: an attack seen from the attacker's point of view; labels recovered from the diagram)

CTI L2 (Contextual CTI) - Who, Why, Where, How:
• Target region, industry, organization
• TTPs (Tactics, Techniques, Procedures), e.g. phishing email, watering hole
• Links between observables and information pieces

CTI L1 (Observables) - What:
• Observables and new indicators, e.g. CVE-2014-6324, malware hash, C&C IP address
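The distinction above is easiest to see in structured form. The following is an added example, not code from the deck or from Fujitsu's platform: it hand-builds a small bundle in STIX 2.1 shape (plain dictionaries rather than the `stix2` library, so it runs offline) in which two L1 observables (a C&C IP address and a malware hash) are linked through relationship objects to L2 context (a phishing TTP, CVE-2014-6324, a campaign and a target sector), then performs L1 matching over a few log lines and enriches each hit with the L2 context reached by following the links. The IP address is an RFC 5737 test address, the hash is of a dummy string, the campaign and target names and the log lines are constructed for the example.

```python
"""Added example (not Fujitsu's code): a CTI L1/L2 bundle in STIX 2.1 shape
and a matcher that turns an L1 hit into an L2-enriched alert."""
import hashlib
import re
import uuid

# Fixed timestamp so the bundle is reproducible
NOW = "2016-11-01T00:00:00.000Z"

# Constructed sample data: RFC 5737 test address, hash of a dummy string
C2_IP = "203.0.113.45"
MALWARE_SHA256 = hashlib.sha256(b"constructed sample, not real malware").hexdigest()


def stix_obj(stix_type, **props):
    """Minimal STIX 2.1 common properties; ids are '<type>--<uuid4>'."""
    base = {"type": stix_type, "spec_version": "2.1",
            "id": f"{stix_type}--{uuid.uuid4()}", "created": NOW, "modified": NOW}
    base.update(props)
    return base


def build_bundle():
    # CTI L1: observables carried as indicator patterns
    ind_ip = stix_obj("indicator", name="C&C IP address", pattern_type="stix",
                      pattern=f"[ipv4-addr:value = '{C2_IP}']", valid_from=NOW)
    ind_hash = stix_obj("indicator", name="Malware hash", pattern_type="stix",
                        pattern=f"[file:hashes.'SHA-256' = '{MALWARE_SHA256}']",
                        valid_from=NOW)
    # CTI L2: technical context (how) and adversarial context (who, why, where)
    ttp = stix_obj("attack-pattern", name="Phishing Email")
    vuln = stix_obj("vulnerability", name="CVE-2014-6324", external_references=[
        {"source_name": "cve", "external_id": "CVE-2014-6324"}])
    campaign = stix_obj("campaign", name="Constructed campaign X")  # hypothetical
    target = stix_obj("identity", name="Constructed target sector",
                      identity_class="class")
    # The links are what turn L1 data into L2 intelligence
    rels = [
        stix_obj("relationship", relationship_type="indicates",
                 source_ref=ind_ip["id"], target_ref=campaign["id"]),
        stix_obj("relationship", relationship_type="indicates",
                 source_ref=ind_hash["id"], target_ref=campaign["id"]),
        stix_obj("relationship", relationship_type="uses",
                 source_ref=campaign["id"], target_ref=ttp["id"]),
        stix_obj("relationship", relationship_type="targets",
                 source_ref=campaign["id"], target_ref=vuln["id"]),
        stix_obj("relationship", relationship_type="targets",
                 source_ref=campaign["id"], target_ref=target["id"]),
    ]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [ind_ip, ind_hash, ttp, vuln, campaign, target] + rels}


# Constructed log lines: one proxy hit on the C2, one benign, one AV hash hit
LOG_LINES = [
    "2016-11-01T09:12:03Z proxy src=10.0.0.23 dst=203.0.113.45 dport=443 action=allow",
    "2016-11-01T09:12:10Z proxy src=10.0.0.24 dst=198.51.100.7 dport=80 action=allow",
    f"2016-11-01T09:13:55Z av host=PC-017 sha256={MALWARE_SHA256} verdict=unknown",
]

# Handles single-comparison patterns only, which is all this bundle uses
ATOM_RE = re.compile(r"\[(.+?) = '([^']+)'\]")


def extract_atoms(bundle):
    """Map each atomic observable value to the indicator that carries it."""
    return {value: o["id"] for o in bundle["objects"] if o["type"] == "indicator"
            for _prop, value in ATOM_RE.findall(o["pattern"])}


def context_for(bundle, indicator_id):
    """Walk indicator -indicates-> campaign -uses/targets-> ... for L2 context."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    rels = [o for o in bundle["objects"] if o["type"] == "relationship"]
    ctx = {}
    for r in rels:
        if r["source_ref"] == indicator_id and r["relationship_type"] == "indicates":
            who = by_id[r["target_ref"]]
            ctx["who"] = who["name"]
            for r2 in rels:
                if r2["source_ref"] == who["id"]:
                    ctx.setdefault(r2["relationship_type"], []).append(
                        by_id[r2["target_ref"]]["name"])
    return ctx


def match_logs(bundle, log_lines):
    """L1 matching over log tokens; each hit is enriched with L2 context."""
    atoms = extract_atoms(bundle)
    alerts = []
    for line in log_lines:
        for token in re.split(r"[\s=]+", line):
            if token in atoms:
                alerts.append({"line": line, "observable": token,
                               "indicator": atoms[token],
                               "context": context_for(bundle, atoms[token])})
    return alerts


if __name__ == "__main__":
    for alert in match_logs(build_bundle(), LOG_LINES):
        print(alert["observable"], "->", alert["context"])
```

An L1 feed alone would stop at "203.0.113.45 seen in proxy log"; with the relationships in place the same hit reports which campaign it indicates, which TTP that campaign uses and which vulnerability and sector it targets, which is what drives triage and escalation decisions in the SOC.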
CTIM: CTI-Driven Platform for Proactive Defense

(Architecture figure; component labels recovered from the diagram, grouped by function)

• CTI Sources: Communities, Services, OSINT; Information Collection from Web News, Blogs, SNS, Security Reports, Vulnerability information, Communities; bi-directional CTI Sharing with external communities
• CTI Gateway: CTI Registration, Evaluation, CTI Matching, CTI Store
• CTI Distribution → Detection → Block across the ICT environment: IDS/IPS, AntiVirus, Firewall, Proxy Servers, SIEM, PCs, Decoy System; Attack Logs fed back
• Incident Management (SOC: Operator, 1st Tier Analyst): Alert/Ticket Registration, Alerts, Monitoring, Triage, Incident Tracking, Escalation
• Automation Engine: Artifact Analysis, Artifact Store, Artifacts (Memory, Log, Disks, Malware, etc.), Sandbox, Machine Learning, Observation
• Response/Mitigation: Disconnecting from Network, Shutting down, Locking Accounts, etc.
• Senior Analyst (SIC): Manual Artifact Analysis in the Analysis Environment (Malware Analysis, Memory Analysis, Log Analysis, Disk Forensics, Attack Campaign Analysis); External Network Analysis (C2 Analysis)
• Flows between components: Information, Detection, Artifacts, Analysis, CTI, Logs
CTIM: CTI-Driven Platform for Proactive Defense
• Sharing Policy Enforcement
• Sample Similarity Scoring System
• OASIS CTI Standardization
• Bi-Directional CTI Sharing
• Private Translator
• CTI Graph Analytics and Editing
• Automation Engine
Pushing the Boundaries – Phased Adoption
• Unlock the true potential of structured contextual CTI
• Phase 1 - Accumulate CTI in STIX
• Phase 2 + Consume external CTI
• Phase 3 + Share observables/indicators
• Phase 4 + Share technical context
• Phase 5 + Share adversarial context

(Figure: CTI layers stacked from bottom to top: Observables, Indicators, Technical Context, Adversarial Context)
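Each phase widens what may leave the organization, which is where the sharing policy enforcement listed for the platform does its work. The following is an added example, not code from the deck or from Fujitsu's platform: a filter that takes STIX 2.1-style objects and releases only the object types permitted at a given phase, at or below a maximum TLP colour, and then keeps a relationship only when both of its endpoints are released, so that no dangling reference to an unshared campaign or actor leaks. The mapping of object types to phases is this example's own reading of the five phases, the TLP marking-definition objects are constructed locally (STIX 2.1 ships predefined TLP markings, not reproduced here), and the sample objects and their markings are constructed.

```python
"""Added example (not Fujitsu's code): a phased sharing filter over STIX 2.1
style objects. The type-to-phase mapping is this example's reading of the
deck's phases; TLP markings and sample objects are constructed."""
import uuid

TLP_RANK = {"white": 0, "green": 1, "amber": 2, "red": 3}

# Phases 1 and 2 only accumulate and consume; nothing leaves the organization.
PHASE_TYPES = {1: set(), 2: set(), 3: {"observed-data", "indicator"}}
PHASE_TYPES[4] = PHASE_TYPES[3] | {"attack-pattern", "vulnerability", "malware", "tool"}
PHASE_TYPES[5] = PHASE_TYPES[4] | {"campaign", "intrusion-set", "threat-actor", "identity"}


def cid(stix_type, name):
    """Deterministic constructed id so the sample is reproducible."""
    return f"{stix_type}--{uuid.uuid5(uuid.NAMESPACE_DNS, f'{stix_type}/{name}')}"


def tlp_marking(colour):
    # Constructed marking; STIX 2.1 also defines fixed TLP marking ids
    return {"type": "marking-definition", "spec_version": "2.1",
            "id": cid("marking-definition", colour),
            "definition_type": "tlp", "definition": {"tlp": colour}}


WHITE, GREEN, AMBER, RED = (tlp_marking(c) for c in ("white", "green", "amber", "red"))

# Constructed sample graph: indicator -indicates-> attack pattern <-uses- actor
IND = {"type": "indicator", "id": cid("indicator", "c2"), "name": "C&C IP address",
       "object_marking_refs": [GREEN["id"]]}
TTP = {"type": "attack-pattern", "id": cid("attack-pattern", "phish"),
       "name": "Phishing Email", "object_marking_refs": [AMBER["id"]]}
ACTOR = {"type": "threat-actor", "id": cid("threat-actor", "x"),
         "name": "Constructed actor X", "object_marking_refs": [RED["id"]]}
VULN = {"type": "vulnerability", "id": cid("vulnerability", "cve"),
        "name": "CVE-2014-6324"}  # deliberately unmarked
SAMPLE = [WHITE, GREEN, AMBER, RED, IND, TTP, ACTOR, VULN,
          {"type": "relationship", "id": cid("relationship", "r1"),
           "relationship_type": "indicates",
           "source_ref": IND["id"], "target_ref": TTP["id"]},
          {"type": "relationship", "id": cid("relationship", "r2"),
           "relationship_type": "uses",
           "source_ref": ACTOR["id"], "target_ref": TTP["id"]}]


def object_tlp(obj, markings):
    """Most restrictive TLP among the object's markings; unmarked fails closed to red."""
    colours = [markings[m]["definition"]["tlp"]
               for m in obj.get("object_marking_refs", []) if m in markings]
    return max(colours, key=TLP_RANK.get) if colours else "red"


def shareable(objects, phase, max_tlp):
    """Objects allowed out at `phase` and at or below `max_tlp`, with no dangling refs."""
    markings = {o["id"]: o for o in objects if o["type"] == "marking-definition"}
    allowed = PHASE_TYPES.get(phase, set())  # relationships/markings never in here
    kept = {}
    for o in objects:
        if o["type"] in allowed and \
                TLP_RANK[object_tlp(o, markings)] <= TLP_RANK[max_tlp]:
            kept[o["id"]] = o
    # A relationship travels only if both of its ends travel
    for o in objects:
        if o["type"] == "relationship" and o["source_ref"] in kept \
                and o["target_ref"] in kept:
            kept[o["id"]] = o
    # Ship only the marking definitions that the released objects reference
    for o in list(kept.values()):
        for m in o.get("object_marking_refs", []):
            if m in markings:
                kept[m] = markings[m]
    return list(kept.values())


if __name__ == "__main__":
    for phase in (3, 4, 5):
        print(phase, sorted(o.get("name", o["type"]) for o in shareable(SAMPLE, phase, "amber")))
```

Two design choices matter in practice: an object with no usable marking is treated as TLP:RED rather than as unmarked-and-free, so a missing marking cannot leak data, and relationships are resolved after the object filter, so a Phase 3 partner receives the indicator but not the edge that would reveal it points at an unshared actor.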