invincea: reasoning in incident response in tapio
Post on 13-Jul-2015
Reasoning in Incident Response in TAPIO#CSAW14
Approved for Public Release, Distribution Unlimited. This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA).
The views, opinions, and/or findings contained in this article/presentation are those of the author(s)/presenter(s) and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government.
Source: MANDIANT M-Trends Report 2014
Example Investigator Questions
What executables were installed that were received via email?
What programs that were installed an hour ago are now talking to the network?
What newly registered domains were in chat links clicked by my employees?
Ontologies
• Vocabulary used to describe a domain of concern
• Maps concepts, relationships, constraints
Why an Ontology?
• Linked data
• Disparate sources, common language
• Facilitates reasoning
• Scale the analyst - millions of nodes and relationships
• Replication of analysis
• Hypothesis testing
• Supports concrete and abstract, high and low confidence data
Previous Cybersec Ontologies
• NRL
• CSI iSecurity
• Herzog
All centered on threats, alerts, and attacks
ICAS/TAPIO Goals
• Models arbitrary security relevant data
• Events from appliances
• Host data - state, logs, etc
• Marshals into one ontology to facilitate reasoning
• Separates threats, alerting and reasoning
OWL and RDF Basics
• From the semantic web, W3C standards
• Classes, properties, relationships
• Subclassing possible
• Constraints possible
• Represented as triples - subject, predicate, object
• Powerful transitive properties possible
Data Example
:UserAccount-000000005 a user:UserAccount, owl:NamedIndividual ;
    rdfs:label "urn:x-tapio:test#UserAccount-000000005"@en ;
    authentication:hasCredential :LoginCredential-000000006 ;
    user:hasFullName "sshd privsep"^^xsd:string ;
    user:hasName "sshd"^^user:userName ;
    user:hasUID "S-1-5-21-37870939-2949504085-1600402019-1001"^^user:UID ;
    user:homeDir <urn:x-tapio:test#Directory-C:%5Ccygwin%5Cvar%5Cempty> ;
SPARQL Example
SELECT DISTINCT ?process
WHERE {
?proc a process:Process .
?proc process:displayName ?process .
?proc process:hasConnection ?conn .
}
“Show me processes with a network connection”
Reasoning
• Deductive
• Specify logic predicates, see what matches
• Inductive
• Associations begin to appear based on past relationships
• Associations have a probability of truth
• Use a confidence threshold to look for matches
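As an added example (not code from the presentation or from TAPIO), the following Python block evaluates the SPARQL query shown above over a few constructed triples using a small basic-graph-pattern matcher, and then shows the deductive reasoning described in this section by materialising the transitive closure of a property, the way an OWL reasoner treats an owl:TransitiveProperty. The prefixes, the process:spawned property and every triple value are assumptions made for this illustration, not part of the TAPIO ontology.

```python
# Added example (not TAPIO code): a minimal in-memory triple store that answers
# the deck's SPARQL pattern ("processes with a network connection") by basic
# graph pattern matching, then applies deductive reasoning by materialising
# the transitive closure of a hypothetical process:spawned property.
# All triples below are constructed sample data in TAPIO-like prefixes.
from itertools import product

TRIPLES = {
    ("proc:1", "rdf:type", "process:Process"),
    ("proc:1", "process:displayName", "explorer.exe"),
    ("proc:2", "rdf:type", "process:Process"),
    ("proc:2", "process:displayName", "outlook.exe"),
    ("proc:3", "rdf:type", "process:Process"),
    ("proc:3", "process:displayName", "Foo.exe"),
    ("proc:3", "process:hasConnection", "conn:1"),
    ("conn:1", "ipnet:remoteAddress", "4.3.2.1"),
    # hypothetical transitive parent/child property (assumed, not from the deck)
    ("proc:1", "process:spawned", "proc:2"),
    ("proc:2", "process:spawned", "proc:3"),
}


def match(triples, patterns):
    """Basic graph pattern matching over (s, p, o) tuples.

    Each pattern is a triple whose '?name' terms are variables. Returns every
    binding of the variables for which all patterns hold, i.e. the solution
    sequence a SPARQL engine would produce for the WHERE clause.
    """
    solutions = [{}]
    for pattern in patterns:
        extended = []
        for binding in solutions:
            for triple in triples:
                candidate = dict(binding)
                for term, value in zip(pattern, triple):
                    if term.startswith("?"):
                        # bind the variable, or check it against its earlier binding
                        if candidate.setdefault(term, value) != value:
                            break
                    elif term != value:
                        break
                else:
                    extended.append(candidate)
        solutions = extended
    return solutions


def processes_with_connection(triples):
    """The deck's query: SELECT DISTINCT ?process WHERE { ?proc a process:Process .
    ?proc process:displayName ?process . ?proc process:hasConnection ?conn . }"""
    where = [
        ("?proc", "rdf:type", "process:Process"),
        ("?proc", "process:displayName", "?process"),
        ("?proc", "process:hasConnection", "?conn"),
    ]
    return sorted({b["?process"] for b in match(triples, where)})


def transitive_closure(triples, predicate):
    """Deductive step: add every (a, predicate, c) implied by (a, predicate, b)
    and (b, predicate, c), as an OWL reasoner does for an owl:TransitiveProperty."""
    closed = set(triples)
    changed = True
    while changed:
        changed = False
        edges = [(s, o) for s, p, o in closed if p == predicate]
        for (s1, o1), (s2, o2) in product(edges, edges):
            if o1 == s2 and s1 != o2 and (s1, predicate, o2) not in closed:
                closed.add((s1, predicate, o2))
                changed = True
    return closed


def ancestors_of_connected_processes(triples, reason=True):
    """Investigator-style question: which processes spawned (directly, or via
    any chain of children when reason=True) a process that now has a network
    connection? Compare the answer with and without the deductive step."""
    graph = transitive_closure(triples, "process:spawned") if reason else set(triples)
    where = [
        ("?anc", "process:spawned", "?proc"),
        ("?proc", "process:hasConnection", "?conn"),
        ("?anc", "process:displayName", "?name"),
    ]
    return sorted({b["?name"] for b in match(graph, where)})


if __name__ == "__main__":
    print(processes_with_connection(TRIPLES))            # ['Foo.exe']
    print(ancestors_of_connected_processes(TRIPLES, reason=False))  # ['outlook.exe']
    print(ancestors_of_connected_processes(TRIPLES))     # ['explorer.exe', 'outlook.exe']
```

Without the closure step only the direct parent of the connected process is returned; with it, the whole spawn chain is, which is the kind of inferred fact the deck wants surfaced to the analyst.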
Why Reasoning?
• Enables us to scale through tools
• Indicator/observable heavy workflow at present
• OpenIOC, CyBOX, etc
• Easy to evade with minor effort
• Experts use behavior patterns to detect events of interest
• Reasoners capture expert’s knowledge, apply it repeatedly
TAPIO Research Goals
• Can we facilitate the analyst and speed up investigations significantly?
• Can we spot things they might have missed?
• Can we capture expert reasoning and transfer it to junior analysts?
• Can we infer new knowledge and present it to the analyst?
Design Choices
• OWL and RDF
• Standards from W3C
• Mature query language (SPARQL)
• Flexible
• World-state vs alert correlation or attacks
• Support analyst inquiries about alert context
• Not an enumeration
TAPIO Ontology Foundations
• Support for existing MITRE schemas
• OWL foundations
• Thing
• Event (which includes Time)
TAPIO/ICAS Ontology
Component ontologies: ACL, Authentication, CAPEC, Controls, CWE, CyBOX, Datastream, DHCP, DNS, Email, Filesystem, Filesystem artifacts, Hardware, Host, Indicators, IPNet, MAEC, Memory, Memory Artifacts, MIME, NIC, OSPlatform, OUI, Privilege, Process, Registry, SCAP, Software, STIX, URI, User
(Figure: small excerpt from the authentication and user ontologies)
ICAS Data Sources
Two Step Process
(Diagram: Text Input and HTML Input pass through Structured Record Detection to produce Structured Records, which then go through Schema Mapping.)
Step 1: Structured Record Detection
• Use several record separation and extraction algorithms
• Score results
• Return best results if above threshold
(Diagram: input passes through Record Separation, then the Table, Key-Value and HTML Extractors, whose outputs are ranked by Scoring Algorithms.)
Step 2: Schema Mapping
• Map data found in records to concepts in our ontologies
• Goal is to go from structured records to linked RDF data minimizing incorrect translation
• Ultimately this is ontology transformation
• The source ontology is vendor defined
• The destination ontology is ours
Example
(Diagram of the schema-mapping example, reconstructed from the slide:)
Input record: {"Current Netmask": "255.255.255.0", "Current IP": "192.168.1.126"}
1. The key tokens [Current, Netmask, IP] are looked up in the Ontology Index.
2. Ontology Index scores: ipnet 4.02, dhcp 1.97, dns 1.63, ..., uri 1.11 (ipnet wins).
3. The per-key tokens [Current, Netmask] and [Current, IP] are looked up in the IPNet Index.
4. IPNet Index scores for [Current, Netmask]: SubNet 3.64, onSubnet 3.63, hasSubnet 1.86, ..., hasRoute 1.26; for [Current, IP]: Address 2.28, Layer4 1.49, onSubnet 1.44, ..., hasNameServer 1.29.
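As an added worked example that is not TAPIO's code, the following Python block runs both steps end to end on a toy scale: Step 1 tries a key-value and a table extractor on raw text, scores each result and keeps the best one only if it clears a threshold; Step 2 tokenises the keys of each record, ranks the candidate ontologies with an index lookup and then picks a property per key, reporting a key as unmapped rather than guessing when nothing matches. The ontology index contents, the token-overlap scoring, the threshold and the sample inputs are all constructed here, so the numbers will not match the figure's scores.

```python
# Added example (not TAPIO code): a toy version of the deck's two-step ingest.
# Step 1 runs several record extractors over raw text, scores each result and
# keeps the best one only if its score clears a threshold. Step 2 tokenises the
# record's keys and scores them against an ontology index to choose an ontology
# for the record and a property for each key. The index contents, the scoring
# formulas and the sample inputs are all constructed for this example.
import re
from math import log

# Constructed ontology index: ontology -> property -> descriptive tokens.
ONTOLOGY_INDEX = {
    "ipnet": {
        "Address": {"ip", "address"},
        "SubNet": {"netmask", "subnet", "mask"},
        "hasNameServer": {"nameserver", "dns"},
        "hasRoute": {"route", "gateway"},
    },
    "dhcp": {"leaseTime": {"lease", "time"}, "serverAddress": {"server", "ip"}},
    "dns": {"hasNameServer": {"nameserver", "dns", "server"}},
    "uri": {"hasHost": {"host", "uri", "url"}},
}

# Inverse document frequency per token over all property bags, so a token that
# appears in many properties (e.g. "ip") weighs less than a rare one.
_BAGS = [bag for props in ONTOLOGY_INDEX.values() for bag in props.values()]
IDF = {t: log((1 + len(_BAGS)) / (1 + sum(t in b for b in _BAGS))) + 1.0
       for bag in _BAGS for t in bag}


def extract_key_value(text):
    """'Key: value' / 'Key = value' lines; blank lines separate records."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        record = {}
        for line in block.splitlines():
            m = re.match(r"\s*([^:=]+?)\s*[:=]\s*(.+?)\s*$", line)
            if m:
                record[m.group(1)] = m.group(2)
        if record:
            records.append(record)
    return records


def extract_table(text):
    """Whitespace-separated table: a header line plus at least two rows of equal width."""
    lines = [l for l in text.strip().splitlines() if l.strip()]
    if len(lines) < 3:
        return []
    header, rows = lines[0].split(), [l.split() for l in lines[1:]]
    if any(len(r) != len(header) for r in rows):
        return []
    return [dict(zip(header, r)) for r in rows]


EXTRACTORS = {"key-value": extract_key_value, "table": extract_table}


def score_extraction(records, text):
    """Coverage (fields extracted per non-blank line, capped at 1) divided by the
    number of distinct key sets, which penalises inconsistent records."""
    lines = [l for l in text.strip().splitlines() if l.strip()]
    fields = sum(len(r) for r in records)
    if not lines or not fields:
        return 0.0
    return min(fields / len(lines), 1.0) / len({frozenset(r) for r in records})


def detect_records(text, threshold=0.5):
    """Step 1: (extractor name, records, score) of the best-scoring extractor,
    or None when nothing clears the threshold."""
    results = []
    for name, fn in EXTRACTORS.items():
        records = fn(text)
        results.append((name, records, score_extraction(records, text)))
    best = max(results, key=lambda r: r[2])
    return best if best[2] >= threshold else None


def overlap_score(key, bag):
    """IDF-weighted overlap between a key's word tokens and a property's token bag."""
    tokens = {t.lower() for t in re.findall(r"[A-Za-z]+", key)}
    return sum(IDF[t] for t in tokens & bag)


def rank_ontologies(keys):
    """Step 2a: ontologies ranked by the summed overlap of all keys with all properties."""
    scores = {onto: round(sum(overlap_score(k, bag) for k in keys for bag in props.values()), 2)
              for onto, props in ONTOLOGY_INDEX.items()}
    return sorted(scores.items(), key=lambda kv: -kv[1])


def map_key(ontology, key):
    """Step 2b: best property of the chosen ontology for one key; None if nothing
    overlaps, so an unknown field is reported instead of mistranslated."""
    prop, bag = max(ONTOLOGY_INDEX[ontology].items(), key=lambda kv: overlap_score(key, kv[1]))
    return prop if overlap_score(key, bag) > 0 else None


def map_record(record):
    ontology = rank_ontologies(list(record))[0][0]
    return {"ontology": ontology, "properties": {k: map_key(ontology, k) for k in record}}


def ingest(text):
    """Both steps end to end: detected records mapped onto the ontology index."""
    detected = detect_records(text)
    return [] if detected is None else [map_record(r) for r in detected[1]]


# Constructed sample inputs (not real device output).
IFCONFIG_TEXT = """Current IP: 192.168.1.126
Current Netmask: 255.255.255.0
Gateway: 192.168.1.1
Interface Name: eth0
"""
NETSTAT_TEXT = """Proto Local Remote
tcp 10.0.0.5:443 4.3.2.1:51000
tcp 10.0.0.5:22 4.3.2.2:51001
"""

if __name__ == "__main__":
    print(detect_records(NETSTAT_TEXT)[0])   # table
    print(ingest(IFCONFIG_TEXT))             # ipnet; Address, SubNet, hasRoute, None
```

The threshold in Step 1 and the None result in Step 2 are the two places where the toy declines to translate rather than translating wrongly, which is the "minimizing incorrect translation" goal stated on the slide.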
TAPIO Agent
(Diagram, built up over three slides: a TAPIO Agent on the Host and a Security Appliance, marrying host observations and device data. Appliance data: Flow 5.6.7.8...4.3.2.1, Alert 1234. Host observations: Login from 4.3.2.1, Login at 2014-10-20T08:09:10, User AbcXyz, Process Foo.exe [9876].)
Next Steps
• Complete the testing of the ontology within TAPIO
• Integrate correlation and causation ontologies
• Adapt reasoners to work within TAPIO and the ontology