Reasoning in Incident Response in TAPIO #CSAW14 Approved for Public Release, Distribution Unlimited This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA) The views, opinions, and/or findings contained in this article/presentation are those of the author(s)/presenter(s) and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government.
Transcript
Reasoning in Incident Response in TAPIO #CSAW14
Source: MANDIANT M-Trends Report 2014
Example Investigator Questions
• What executables were installed that were received via email?
• What programs that were installed an hour ago are now talking to the network?
• What newly registered domains were in chat links clicked by my employees?
Ontologies
• Vocabulary used to describe a domain of concern
• Maps concepts, relationships, constraints
Why an Ontology?
• Linked data
• Disparate sources, common language
• Facilitates reasoning
• Scale the analyst - millions of nodes and relationships
• Replication of analysis
• Hypothesis testing
• Supports concrete and abstract, high and low confidence data
Previous Cybersec Ontologies
• NRL
• CSI iSecurity
• Herzog
All centered on threats, alerts, and attacks
ICAS/TAPIO Goals
• Models arbitrary security relevant data
• Events from appliances
• Host data - state, logs, etc
• Marshals into one ontology to facilitate reasoning
• Separates threats, alerting and reasoning
OWL and RDF Basics
• From the semantic web, W3C standards
• Classes, properties, relationships
• Subclassing possible
• Constraints possible
• Represented as triples - subject, predicate, object
• Powerful transitive properties possible
SPARQL Example

    # The slide does not give the IRI behind the process: prefix;
    # the one below is a placeholder, not TAPIO's real namespace.
    PREFIX process: <http://example.org/tapio/process#>
    SELECT DISTINCT ?process
    WHERE {
      ?proc a process:Process .
      ?proc process:displayName ?process .
      ?proc process:hasConnection ?conn .
    }

"Show me processes with a network connection"
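Added example (not from the TAPIO/ICAS slides): a minimal in-memory triple store with basic-graph-pattern matching, showing how the SPARQL query above and the investigator question "what programs installed an hour ago are now talking to the network?" both reduce to pattern matching over subject/predicate/object triples. The prefixes (ex:, rdf:, process:), the property names process:installedAt and process:hasConnection, and the sample data are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample graph (assumed prefixes ex:, rdf:, process:) as
# (subject, predicate, object) triples; install times are datetimes.
T0 = datetime(2014, 11, 14, 12, 0)   # "now" for the queries below
TRIPLES = {
    ("ex:p1", "rdf:type", "process:Process"),
    ("ex:p1", "process:displayName", "updater.exe"),
    ("ex:p1", "process:installedAt", T0 - timedelta(minutes=20)),
    ("ex:p1", "process:hasConnection", "ex:c1"),
    ("ex:p2", "rdf:type", "process:Process"),
    ("ex:p2", "process:displayName", "notepad.exe"),
    ("ex:p2", "process:installedAt", T0 - timedelta(days=30)),
    ("ex:p2", "process:hasConnection", "ex:c2"),
    ("ex:p3", "rdf:type", "process:Process"),
    ("ex:p3", "process:displayName", "setup.exe"),
    ("ex:p3", "process:installedAt", T0 - timedelta(minutes=5)),
}

def _unify(want, got, b):
    """Bind a ?variable consistently, or require a literal/IRI to match."""
    if not (isinstance(want, str) and want.startswith("?")):
        return want == got
    return b.setdefault(want, got) == got

def match(pattern, triples, binding=None):
    """Basic graph pattern matching, as in a SPARQL WHERE clause: yield
    every variable binding under which all triple patterns hold."""
    if not pattern:
        yield dict(binding or {})
        return
    for triple in triples:
        b = dict(binding or {})
        if all(_unify(w, g, b) for w, g in zip(pattern[0], triple)):
            yield from match(pattern[1:], triples, b)

def processes_with_connection(triples=TRIPLES):
    """The slide's query: names of processes that have a connection."""
    q = [("?proc", "rdf:type", "process:Process"),
         ("?proc", "process:displayName", "?process"),
         ("?proc", "process:hasConnection", "?conn")]
    return sorted({b["?process"] for b in match(q, triples)})

def recent_installs_talking(now=T0, window_hours=1, triples=TRIPLES):
    """Investigator question: installed in the window AND has a connection
    (the time test plays the role of a SPARQL FILTER)."""
    q = [("?proc", "process:installedAt", "?t"),
         ("?proc", "process:hasConnection", "?conn"),
         ("?proc", "process:displayName", "?name")]
    return sorted({b["?name"] for b in match(q, triples)
                   if now - b["?t"] <= timedelta(hours=window_hours)})
```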
Reasoning
• Deductive
• Specify logic predicates, see what matches
• Inductive
• Associations begin to appear based on past relationships
• Associations have a probability of truth
• Use a confidence threshold to look for matches
Why Reasoning?
• Enables us to scale through tools
• Indicator/observable heavy workflow at present
• OpenIOC, CyBOX, etc
• Easy to evade with minor effort
• Experts use behavior patterns to detect events of interest
• Reasoners capture expert’s knowledge, apply it repeatedly
TAPIO Research Goals
• Can we facilitate the analyst and speed up investigations significantly?
• Can we spot things they might have missed?
• Can we capture expert reasoning and transfer it to junior analysts?
• Can we infer new knowledge and present it to the analyst?
Design Choices
• OWL and RDF
• Standards from W3C
• Mature query language (SPARQL)
• Flexible
• World-state vs alert correlation or attacks
• Support analyst inquiries about alert context
• Not an enumeration
TAPIO Ontology Foundations
• Support for existing MITRE schemas
• OWL foundations
• Thing
• Event (which includes Time)
TAPIO/ICAS Ontology
Modules (the slide lists them in a four-column grid):
• ACL, Authentication, CAPEC, Controls, CWE, CyBOX, Datastream, DHCP
• DNS, Email, Filesystem, Filesystem artifacts, Hardware, Host, Indicators, IPNet
• MAEC, Memory, Memory Artifacts, MIME, NIC, OSPlatform, OUI, Privilege
• Process, Registry, SCAP, Software, STIX, URI, User

Small excerpt from authentication and user ontologies
(slide shows a class/property diagram)
ICAS Data Sources
(slide shows vendor logos)

Two Step Process
(diagram: Text Input and HTML Input -> Structured Record Detection -> Structured Records -> Schema mapping)
Step 1: Structured Record Detection
• Use several record separation and extraction algorithms