Cyber Threat Intelligence Sharing - FS-ISAC


Cyber Threat Intelligence Sharing
Standards-based Repository
July 16, 2015
© DTCC
Cyber Intelligence Sharing
Sharing is Essential to the Industry and Core to the FS-ISAC
• Intelligence sharing is the primary method of:
  • Detecting industry targeting
  • Detecting institution targeting
  • Identifying new Tactics, Techniques and Procedures (TTPs)
  • Locating Advanced Persistent Threats
Issues Today with Sharing
• Today the industry processes very little of the intelligence it receives
  • Manual, time consuming, costly
  • Practicing cost avoidance
  • Industry average of 7 man-hours to process a single intelligence document
  • Only a fraction of the documents are processed
  • Manually processing the entire CISCP document would cost over $10 million per Financial Institution
[Diagram: Bad Things, Bad Events, Bad People feed into Threat Intelligence]
Cyber Intelligence Sharing
Solution
• Let machines do machine work – process all intelligence at wire speed
• Use standards whenever possible to support Machine-to-Machine (M2M)
  • DHS-sponsored MITRE standards: STIX & TAXII
• Make intelligence more accessible to those with fewer resources
  • Small/medium member institutions
  • Little security resources available
• Drive adoption through high-level service & ease of use for all types of member institutions
• Innovate – incrementally increase adoption, fidelity, and automation
More on STIX Standards
Today's Threat Intelligence Detail with the Initial Cyber Intel Repository
• Early adopters integrate with the repository, sighting the same malicious activity
• Manual sharing – you can only process a handful of threat indicators
• Although still unclear, there is a level of automation
• The threat landscape is opaque
[Diagram: IP Address: 172.198.1.1; Member #2: "We just got pwned"; another member: "We also see this!!"]
Next Version of Cyber Intel Repository
Better capabilities with bi-directional machine-to-machine support
Visibility and confirmation of the threat increases
[Diagram: Member #1 reports IP Address: 172.198.1.1, Port 80; Member #2 sighting 8/5/18: "We also see this!!"; Member #5 sighting 8/8/18; Member #3]
Next Year
Significant portion of large financial institutions share their threats
Detail of malicious activity and actor becomes clearer
[Diagram: IP Address: 172.198.1.1; Port 80; User-Agent: Foo; GET vars: fun=2; Actor: Abe Lincoln; Alias: L1c0lN; Campaign: Occupy Whitehouse]
Security Standards Proliferation
Multiple industries utilizing repositories sharing detailed sightings
A clear picture of many malicious actors, activities, and threats
[Diagram: IP Address: 172.198.1.1; Port 80; User-Agent: Foo; GET vars: fun=2; Actor: Abe Lincoln; Alias: L1c0lN; Campaign: Occupy Whitehouse]
Logical Solution
One firm's incident is another firm's defense
• Federation of repositories serve as community hubs
• Detection of a threat, instantly shared to trusted members
• Cost to adversaries increased; cost to firms decreased
[Flow diagram]
Organization A:
  1. Detect a Threat
  2. Enrich Threat Data; Filter Policy for Sharing → Machine-to-Machine API
ISAC:
  3. Repository – Store, Maintain Trust, Build Confidence in Threat Data → Machine-to-Machine API
Many Other Organizations:
  4. Consume & Analyze
  5. Actionable Intel = Proactive Defense
ISAC – Information Sharing and Analysis Center
FI – Financial Institution
US-CERT – United States Computer Emergency Readiness Team
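The five-step flow above, together with the sighting storyboard on the "Next Version" and "Next Year" slides, as an added example that is not FS-ISAC, DTCC or MITRE code: a toy hub in Python that takes a member's local detection, applies a sharing filter policy before anything leaves the firm, accepts the result over a machine-to-machine call from trusted members only, merges sightings of the same indicator, and raises confidence as more distinct members report it. The object layout and pattern string follow a simplified STIX 2.x style rather than the STIX 1.x of the deck's repository; the member names, the internal-field list, the 30-points-per-member confidence rule and the sample sightings are constructed for this example.

```python
"""Toy intelligence-sharing hub (added example, not FS-ISAC/DTCC code).

Mirrors the deck's flow: detect -> enrich -> filter for sharing ->
machine-to-machine submit -> store and build confidence -> consume.
Object layout is a simplified STIX 2.x style (assumption; the deck's
repository used STIX 1.x).
"""
import json
import re
from collections import defaultdict

# Fields a member's sharing policy strips before anything leaves the firm.
# Assumption: which fields count as internal is a per-member policy choice.
INTERNAL_FIELDS = {"victim_host", "analyst", "ticket"}

_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def detect(member, ip, port, **context):
    """Steps 1 and 2: a local detection enriched with whatever the member
    knows (user agent, query string, actor attribution, internal ticket...)."""
    if not _IPV4.match(ip):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return {"type": "sighting", "source": member, "ip": ip, "port": int(port), **context}


def sharing_filter(sighting):
    """Step 2: the member's outbound policy. Drops internal fields but keeps
    the observable and its context so the hub can still correlate."""
    return {k: v for k, v in sighting.items() if k not in INTERNAL_FIELDS}


class Repository:
    """Step 3: store, maintain trust, build confidence in threat data."""

    def __init__(self, trusted_members):
        self.trusted = set(trusted_members)
        # (ip, port) -> list of sightings submitted by any member
        self.sightings = defaultdict(list)

    def submit(self, payload):
        """Machine-to-machine API: JSON in, merged indicator view out."""
        s = json.loads(payload)
        if s.get("source") not in self.trusted:
            raise PermissionError(f"untrusted member: {s.get('source')!r}")
        leaked = s.keys() & INTERNAL_FIELDS
        if leaked:  # defence in depth: the hub re-checks the sender's policy
            raise ValueError(f"internal fields must not be shared: {sorted(leaked)}")
        self.sightings[(s["ip"], s["port"])].append(s)
        return self.indicator(s["ip"], s["port"])

    def indicator(self, ip, port):
        """Step 4: the view consumers pull. Confidence grows with the number
        of distinct members reporting the same (ip, port); context fields
        from all sightings are merged, first value wins."""
        rows = self.sightings.get((ip, port), [])
        sources = sorted({r["source"] for r in rows})
        detail = {}
        for r in rows:
            for k, v in r.items():
                if k not in ("type", "source", "ip", "port"):
                    detail.setdefault(k, v)
        return {
            "type": "indicator",
            "pattern_type": "stix",
            "pattern": f"[network-traffic:dst_ref.value = '{ip}' AND network-traffic:dst_port = {port}]",
            # Assumption: 30 points per distinct reporting member, capped at 100.
            "confidence": min(100, 30 * len(sources)),
            "sighted_by": sources,
            "sighting_count": len(rows),
            "detail": detail,
        }


def run_demo():
    """Replays the deck's storyboard with constructed sample sightings."""
    hub = Repository(trusted_members={"Member #1", "Member #2", "Member #5"})
    local_events = [
        detect("Member #1", "172.198.1.1", 80, user_agent="Foo", victim_host="web01.corp"),
        detect("Member #2", "172.198.1.1", 80, get_vars="fun=2", ticket="IR-4711"),
        detect("Member #5", "172.198.1.1", 80, user_agent="Foo", analyst="jdoe"),
    ]
    view = None
    for event in local_events:
        # Step 2 -> step 3: filter locally, then submit over the M2M API.
        view = hub.submit(json.dumps(sharing_filter(event)))
    return view


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two design points carry over to a real hub: the sharing filter runs on the member's side, so the hub never sees victim hostnames or ticket numbers, and the hub rejects rather than silently strips any internal field that does arrive, which makes a misconfigured member policy visible instead of quietly leaking. Confidence here is a simple count of distinct reporters; a production repository would also weight by member trust and sighting age.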
Benefits
Save Time → Lower Costs → Reduce Risk
• One firm's incident/exploit becomes another's control/defense
• Less time & effort needed to:
  – Aggregate, store, and understand threat data
  – Enrich/increase fidelity of threat data
  – Communicate threat data
  – Act to defend or mitigate
• Security analysts would focus on analysis instead of machine work
• Reinvest time to improve risk posture
  – Improving analytics of threats, linking TTPs to indicators, identifying new tool kits
  – Become more pre-emptive, breaking the kill chain earlier
• Better intelligence → better defense → increases the cost of malicious activity
Moving to the Left of the Hack
Eliminates Threats Before Being Compromised
Where We Are Today
• Active working group, multiple meetings per month, interest and adoption growing across multiple industries and countries
• Working closely with DHS, US-CERT, and MITRE to create and align intelligence sharing standards
• Launched initial Repository – more coming
  • Version 1: released in May
    • First standards-based repository, first TAXII implementation
    • Tracking 37,000 indicators
  • Version 2: release in Fall 2013
    • Full STIX backend, supporting all STIX object types
    • Bi-directional TAXII support
Visit our webpage for more information
www.fsisac.com/CyberIntelligenceRepository