
Copyright 2014 Splunk Inc.

Threat Intelligence: STIX and Stones Will Break Your Foes

Fred Wilmot
Director, Global Security Practice

Brad Lindow a.k.a. Superman
Global Security Strategist, Splunk

Disclaimer

During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.

Fred Wilmot | Director, Global Security Practice
(fred|Securityczar)@splunk.com
@fewdisc
Electric Mayhem

Strategy
- Drives Security Practice Strategy globally
- Works on Splunk's hardest Security Use Cases
- Visualization and Analytics using Splunk
- Solves strategic product/implementation challenges

Research
- Digital Forensics / Assessment Tools
- Social Risk / User behavior modeling
- ML / Advanced Statistical Analysis
- Threat Intelligence

Product
- Influence product strategy for security content and features in the field and through the factory.

Brad Lindow | Global Security Strategist
blindow@splunk.com
Minister of Justice, a.k.a. Superman
Former attorney, current attending SecPrax Legal: Dr. Strangepork

- Worked with some of the largest computing environments in the world: Orbitz, Department of Commerce, consulting organization, and Sears
- Global Security Strategist for Splunk
- Drive customer success and security innovation around Splunk's products, customers, partners and the worldwide security community.

Research
- Threat Intelligence
- Enterprise Security
- Hadoop Security Use Cases

Agenda

- Threat intelligence today
- Challenges with today's threat intelligence
- What should next generation threat intelligence look like?
- How can you utilize these threat intelligence sources despite their complexity?
- SPLICE - Splunk's solution for IOC threat intelligence
- SPLICE Demo

Today's Threat Landscape

- You've all heard this many times before (and you probably live it) but:
  - Bad guys are getting more sophisticated and organized
  - It's getting increasingly more difficult to defend
  - Tools, tactics and procedures change during the course of campaign attacks
- We need to move quicker and share information
  - Bad guys are watching us and we need to be watching them
  - Threat Intelligence is old in a week
  - Triaging multiple sources of Threat Intel makes them hard to action on YOUR data
- This is where Threat Intelligence comes in

Current Threat Intelligence

- Some intelligence sharing is happening but:
  - Limited in detail and simplistic (lists, spreadsheets)
  - Human readable only
  - Derived from various sources (.xls, .PDF, RSS, XML objects, e-mail)
  - Intel not leveraged fast enough in the SOC
  - Not leveraged historically AND in real-time
  - Requires manicuring (watchlists aren't good forever)
  - No context to any other indicator
  - Shortage in talented analysts reduces kill chain visibility
- Watchlists of 10,000 IP addresses or Hashes are not enough, we need context

External Threat Intelligence Sources
Open-Source & Commercial Offerings

- OSINT
- Dell SecureWorks
- Verisign iDefense
- Symantec Deepsight
- McAfee Threat Intelligence
- SANS
- CVEs, CWEs, OSVDB (Vulns)
- iSight Partners
- ThreatStream
- OpenDNS
- Palo Alto WildFire
- Crowdstrike
- AlienVault OTX
- RecordedFuture
- Team Cymru
- ISACs / US-CERT
- FireEye/Mandiant
- Vorstack
- cyberUnited
- Norse IPViking/Darklist

Internal Threat Intelligence Sources
Providing Context for Security

- Directory user information (personal e-mail, access, user privilege, start/end date)
- Proxy information (content)
- DLP & business unit risk (trade secrets / IP sensitive docs)
- IT Case history / ticket tracking
- Malware detection / AV alerts
- Sensitive business roles
- Application usage & consumption events (in-house)
- Database usage / access monitoring (privileged)
- Entitlements / access outliers (in-house)
- User behavior association based on geography, frequency, uniqueness, and privilege

Challenges Interacting with Threat Intel

[Figure: threat intelligence sources arranged on a scale from "Most complete" to "Least Complete"]

Next Generation Threat Intelligence

- In today's threat landscape, threat intelligence using structured indicators of compromise (IOC) should enable:
  - Automatic consumption and parsing (at least largely)
  - Shareable IOCs, internally and externally
  - Normalization of key indicators
  - Contextual enrichment for data in Splunk
  - Creation of STIX objects from internal Threat Intelligence and Incidents
  - Efficient use of Internal Threat Intelligence as context sources
  - Multiple chains of indicators increase urgency for investigation
  - Indicators with Deeper Meaning than a list of IP addresses

Threat Intelligence Standards

STIX - Structured Threat Information eXpression
- A standardized language utilizing XML to represent structured cyber threat information.
- Conveys the full range of potential cyber threat information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible.

TAXII - Trusted Automated eXchange of Indicator Information
- Transport mechanism for cyber threat information represented as STIX. Through the use of TAXII services, organizations can share cyber threat information in a secure and automated manner.

OpenIOC - Open sourced schema from Mandiant
- An extensible XML schema that enables you to describe the technical characteristics that identify a known threat, an attacker's methodology, or other evidence of compromise.

Interacting with IOCs in Splunk

[Figure: landscape of IOC and incident standards, including MILE and VERIS]

Interacting with threat IOCs in Splunk (current)

[Figure: the standards grouped into two camps: those predominant in confidential information-sharing associations, and those predominant in the vendor and researcher world, where lots of useful data is available on the public internet. Recommendation: start with the most widely adopted.]

Example of STIX object


...
<stix:Observables cybox_major_version="2" cybox_minor_version="1">
<cybox:Observable id="mandiant:observable-b7013416-7e77-4078-a0bd-a33b49c7cb2f">
<cybox:Object>
<cybox:Properties xsi:type="FileObj:FileObjectType">
<FileObj:Hashes>
<cyboxCommon:Hash>
<cyboxCommon:Type>MD5</cyboxCommon:Type>
<cyboxCommon:Simple_Hash_Value>b305b543da332a2fcf6e1ce55ed2ea79</cyboxCommon:Simple_Hash_Value>
</cyboxCommon:Hash>
</FileObj:Hashes>
</cybox:Properties>
</cybox:Object>
</cybox:Observable>
<cybox:Observable id="mandiant:observable-749eea4e-2812-4b4d-bba9-4292bedc05a2">
...

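The deck shows one CybOX observable carrying an MD5 hash; SPLICE's job, as described later, is to reduce such objects to atomic indicators (a hash, a file name, a domain, a URI, an IP address) that can be stored and matched. The following is an added example, not SPLICE's or Splunk's code, of that reduction in Python using only the standard library. The namespace URIs are the published STIX 1.1 / CybOX 2.1 ones; the package id, observable ids and the sample document itself are constructed for illustration (the indicator values reuse the examples from the deck's supported-indicator list). It generalizes past the MD5 case to the four CybOX object types the deck lists as supported.

```python
"""Reduce STIX 1.1 / CybOX 2.1 observables to atomic indicators.

Added example, not SPLICE's own code: it parses an Observables block like the
one shown in the deck and emits one flat record per indicator value.
"""
import xml.etree.ElementTree as ET

# Constructed sample document. Namespace URIs are the published CybOX 2.1 ones;
# ids and values are made up for illustration.
SAMPLE_STIX = """<stix:STIX_Package
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
    xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="example:Package-1" version="1.1">
  <stix:Observables cybox_major_version="2" cybox_minor_version="1">
    <cybox:Observable id="example:observable-1">
      <cybox:Object><cybox:Properties xsi:type="FileObj:FileObjectType">
        <FileObj:File_Name>virus.exe</FileObj:File_Name>
        <FileObj:Hashes><cyboxCommon:Hash>
          <cyboxCommon:Type>MD5</cyboxCommon:Type>
          <cyboxCommon:Simple_Hash_Value>64ef07ce3e4b420c334227eecb3b3f4c</cyboxCommon:Simple_Hash_Value>
        </cyboxCommon:Hash></FileObj:Hashes>
      </cybox:Properties></cybox:Object>
    </cybox:Observable>
    <cybox:Observable id="example:observable-2">
      <cybox:Object><cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType" type="FQDN">
        <DomainNameObj:Value>Malicious1.example.com</DomainNameObj:Value>
      </cybox:Properties></cybox:Object>
    </cybox:Observable>
    <cybox:Observable id="example:observable-3">
      <cybox:Object><cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
        <URIObj:Value>http://malicious1.example.com/clickme.html</URIObj:Value>
      </cybox:Properties></cybox:Object>
    </cybox:Observable>
    <cybox:Observable id="example:observable-4">
      <cybox:Object><cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
        <AddressObj:Address_Value>1.2.3.4</AddressObj:Address_Value>
      </cybox:Properties></cybox:Object>
    </cybox:Observable>
  </stix:Observables>
</stix:STIX_Package>
"""

CYBOX = 'http://cybox.mitre.org/cybox-2'
XSI_TYPE = '{http://www.w3.org/2001/XMLSchema-instance}type'
NS = {'cybox': CYBOX}


def _local(tag):
    """Strip the namespace from an ElementTree tag: '{uri}Name' -> 'Name'."""
    return tag.rsplit('}', 1)[-1]


def _texts(element, local_name):
    """Non-empty text of every descendant whose local tag name matches.

    Matching on local names keeps the parser independent of whichever prefix
    a producer chose for the object namespaces (FileObj, file, ...).
    """
    return [e.text.strip() for e in element.iter()
            if _local(e.tag) == local_name and e.text and e.text.strip()]


def _atomic_values(obj_type, props):
    """Yield (value_type, value) pairs for the four CybOX object types SPLICE handles."""
    if obj_type == 'FileObjectType':
        for name in _texts(props, 'File_Name'):
            yield 'file-name', name
        for h in props.iter():
            if _local(h.tag) == 'Hash':
                algo = (_texts(h, 'Type') or ['hash'])[0].lower()
                for v in _texts(h, 'Simple_Hash_Value'):
                    yield algo, v.lower()
    elif obj_type == 'DomainNameObjectType':
        for v in _texts(props, 'Value'):
            yield 'domain-name', v.lower()
    elif obj_type == 'URIObjectType':
        for v in _texts(props, 'Value'):
            yield 'uri', v
    elif obj_type == 'AddressObjectType':
        # CybOX records the address family in the Properties 'category' attribute.
        for v in _texts(props, 'Address_Value'):
            yield props.get('category', 'address'), v
    # Any other object type is skipped: the deck notes some IOCs cannot be
    # converted, and an unsupported type should be logged, not guessed at.


def extract_indicators(xml_text):
    """Return a list of flat indicator records, one per atomic value."""
    root = ET.fromstring(xml_text)
    records = []
    for obs in root.iter('{%s}Observable' % CYBOX):
        for props in obs.findall('.//cybox:Object/cybox:Properties', NS):
            obj_type = props.get(XSI_TYPE, '').split(':')[-1]
            for value_type, value in _atomic_values(obj_type, props):
                records.append({'observable_id': obs.get('id', ''),
                                'object_type': obj_type,
                                'value_type': value_type,
                                'value': value})
    return records


if __name__ == '__main__':
    for rec in extract_indicators(SAMPLE_STIX):
        print(rec['value_type'], rec['value'], rec['observable_id'])
```

Each record keeps the observable id, so a match found later in log data can be traced back to the raw IOC it came from, which is the same reason the deck's architecture stores the raw IOC next to its atomic indicators.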

Raw IOC


Splunking IOCs with SPLICE

What is SPLICE?

SPLICE is a free Splunk App that enables you to easily consume IOCs (STIX, CybOX, OpenIOC) and use them to quickly evaluate your own environment for potential security issues.

SPLICE installs like any other Splunk App and just requires an instance of MongoDB on the search head that Splice is installed on.

Get Splice RIGHT NOW by following @SplunkSec at https://twitter.com/SplunkSec

How can SPLICE help you?

- Facilitates automated IOC consumption
- Provides you richer threat intelligence data
- Provides the intel in Splunk to correlate with all of your other data
- Provides searching, reporting and visualization capabilities
- Enables less experienced personnel to utilize the data
- Reduces the complexity of IOCs to atomic, consumable indicators

How does it reduce the complexity?

- Splunk has chosen to initially reduce the IOC surface area to atomic indicators for usability and to allow for more flexibility in IOC analytics
- Splunk has also partnered with FS-ISAC (who have also chosen the same approach) to integrate with their Avalanche product for IOC federation and collaboration

SPLICE Supported Indicators

- Supports STIX 1.1 (more than 80 Objects!)
  - FileObjectType (Hash values, File names)
    Examples: 64ef07ce3e4b420c334227eecb3b3f4c or virus.exe
  - DomainNameObjectType (Domains, URLs)
    Examples: malicious1.example.com or http://malicious1.example.com/clickme.html
  - URIObjectType (Domains, URLs)
    Examples: http://malicious1.example.com/clickme.html or ftp://badfiles.example.com/data.txt
  - AddressObjectType (IP Addresses)
    Example: 1.2.3.4
- (STIX 1.0 not supported)

SPLICE Supported Indicators

- Supports CybOX 2.1
  - Same indicators as STIX
- Supports OpenIOC 1.0, 1.1

SPLICE Architecture

1. SPLICE consumes IOCs (STIX, CybOX, OpenIOC) through either a monitored directory path or via TAXII (including Avalanche)
2. IOCs are parsed and the atomic indicators (along with the raw IOC) are stored in MongoDB
3. Security Analyst uses the Splice Splunk App to search, report, visualize and alert on the IOCs

*currently tested on Linux only

Using SPLICE - Searching Your Data

iocsearch

sourcetype=access_combined_wcookie | iocsearch map="clientip:ipv4-addr" | search ioc_indicators_count>0 | `parse_ioc_indicators_json`

Screenshot here
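The search above maps an event field to an indicator type (clientip to ipv4-addr), lets the command count how many stored indicators each event hits, keeps only the events with a hit, and then expands the hit details for the analyst. The following is an added example of that pipeline in plain Python; it is not SPLICE's command implementation. The field name ioc_indicators_count and the macro name parse_ioc_indicators_json come from the deck's search; the shape of the hit JSON, the expanded field names (ioc_field, ioc_value_type, ioc_value, ioc_observable_id), the indicator store and the events are all constructed here, and accepting several field:type pairs in one map is an extension the deck does not show.

```python
"""Match event fields against atomic indicators, iocsearch-style.

Added example, not SPLICE's own code. ioc_indicators_count and
parse_ioc_indicators_json are names from the deck's search; the JSON layout
and expanded field names are assumptions made here.
"""
import json

# Constructed indicator store standing in for the atomic indicators SPLICE
# keeps in MongoDB (values are the deck's own examples).
INDICATORS = [
    {'observable_id': 'example:observable-2', 'value_type': 'domain-name',
     'value': 'malicious1.example.com'},
    {'observable_id': 'example:observable-3', 'value_type': 'uri',
     'value': 'http://malicious1.example.com/clickme.html'},
    {'observable_id': 'example:observable-4', 'value_type': 'ipv4-addr',
     'value': '1.2.3.4'},
]

# Constructed, already field-extracted web access events (access_combined_wcookie style).
EVENTS = [
    {'clientip': '10.0.0.7', 'uri': 'http://intranet.example.com/', 'status': '200'},
    {'clientip': '1.2.3.4', 'uri': 'http://malicious1.example.com/clickme.html', 'status': '200'},
    {'clientip': '10.0.0.9', 'uri': 'http://MALICIOUS1.example.com/clickme.html', 'status': '302'},
]


def parse_map(spec):
    """Parse 'field:value_type[,field:value_type...]' into (field, value_type) pairs.

    The deck shows a single pair; accepting several is an extension here.
    """
    pairs = []
    for item in spec.split(','):
        field, sep, vtype = item.strip().partition(':')
        if not sep or not field or not vtype:
            raise ValueError('bad map entry: %r (want field:value_type)' % item)
        pairs.append((field, vtype))
    return pairs


def _norm(value):
    """Case-insensitive, whitespace-trimmed comparison key; the raw value is kept in the hit."""
    return str(value).strip().lower()


def build_index(indicators):
    """Index indicators by (value_type, normalized value) for O(1) lookups per event field."""
    index = {}
    for ind in indicators:
        index.setdefault((ind['value_type'], _norm(ind['value'])), []).append(ind)
    return index


def iocsearch(events, map_spec, indicators):
    """Annotate every event with ioc_indicators_count and a JSON list of the hits."""
    pairs = parse_map(map_spec)
    index = build_index(indicators)
    annotated = []
    for ev in events:
        hits = []
        for field, vtype in pairs:
            if field not in ev:
                continue  # event lacks the mapped field: not a match, not an error
            for ind in index.get((vtype, _norm(ev[field])), []):
                hits.append(dict(ind, field=field))
        out = dict(ev)
        out['ioc_indicators_count'] = len(hits)
        out['ioc_indicators_json'] = json.dumps(hits)
        annotated.append(out)
    return annotated


def parse_ioc_indicators_json(events):
    """Keep events with at least one hit and expand the JSON into multivalue fields.

    Stands in for the `search ioc_indicators_count>0 | parse_ioc_indicators_json`
    tail of the deck's search; the expanded field names are assumed.
    """
    matched = []
    for ev in events:
        if ev.get('ioc_indicators_count', 0) <= 0:
            continue
        hits = json.loads(ev['ioc_indicators_json'])
        out = dict(ev)
        out['ioc_field'] = [h['field'] for h in hits]
        out['ioc_value_type'] = [h['value_type'] for h in hits]
        out['ioc_value'] = [h['value'] for h in hits]
        out['ioc_observable_id'] = [h['observable_id'] for h in hits]
        matched.append(out)
    return matched


if __name__ == '__main__':
    for ev in parse_ioc_indicators_json(iocsearch(EVENTS, 'clientip:ipv4-addr,uri:uri', INDICATORS)):
        print(ev['clientip'], ev['ioc_indicators_count'], ev['ioc_value_type'])
```

Indexing the indicator store once per search, rather than scanning it per event, is what keeps this usable against a watchlist of tens of thousands of values; the count field lets an analyst sort events by how many independent indicators they hit, which is the "multiple chains of indicators increase urgency" point from the next-generation slide.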

Using SPLICE - Searching IOCs

iocfilter

| iocfilter regex="1.2.3.4"

Screenshot here

Using SPLICE - Retrieve the full raw IOC data

iocdisplay

| iocdisplay object_id="example:Object-12c760ba-cd2c-4f5d-a37d-18212eac7928"

Screenshot here

Using SPLICE - Statistics about ingested IOCs

iocstats

| iocstats stat=list

Screenshot here

Using SPLICE - Export atomic indicators as a CSV

iocexportcsv

| iocexportcsv value_type="ipv4-addr" alias="ip" directory="/tmp" filename="myIpList.csv"

Screenshot here

Demo Time!

SPLICE Challenges

- SPLICE has been largely tested against public datasets, requires more sample data
- Some IOCs cannot be converted due to parser errors
- STIX libraries, framework, other standards are still works in progress in the community

SPLICE Future

- Next Steps:
  - Support additional indicators
  - Improved dashboards and default searches
  - Export Splunk content as a STIX object
  - Utilize TAXII to serve IOC data FROM Splunk
  - Better Enterprise Security integration
  - Improved features around how closely data matches IOCs
  - Improved support for additional indicators

How you can get involved

We are looking for feedback to further enhance SPLICE

- Download Splice and play with it! Tell us what you want and how you want Splice or IOCs to interoperate with your data.
- Get a demo of how Splice works from the Security Practice
- GIVE US FEEDBACK! security@splunk.com is a perfect way!
- Support the STIX community: https://github.com/STIXProject

Summary

- Threat Landscape is rapidly changing; threat data from yesterday may not be valuable today
- Threat Intelligence provides context, but formats and diversity limit adoption to the lowest common denominator
- Traditional things like IP lists are ineffective without context
- IOCs through STIX give us context
- SPLICE gives you a way to utilize IOCs across your Splunk data today
- Get Splice RIGHT NOW by following @SplunkSec at https://twitter.com/SplunkSec

QuesCons?

THANK YOU
