Transcript
Page 1: Invincea: Reasoning in Incident Response in Tapio

Reasoning in Incident Response in TAPIO (#CSAW14)

Approved for Public Release, Distribution Unlimited. This research was developed with funding from the Defense Advanced Research Projects Agency (DARPA).

The views, opinions, and/or findings contained in this article/presentation are those of the author(s)/presenter(s) and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government.

Page 2: Invincea: Reasoning in Incident Response in Tapio


Source: MANDIANT M-Trends Report 2014

Page 3: Invincea: Reasoning in Incident Response in Tapio


Example Investigator Questions

• What executables were installed that were received via email?

• What programs that were installed an hour ago are now talking to the network?

• What newly registered domains were in chat links clicked by my employees?

Page 4: Invincea: Reasoning in Incident Response in Tapio


Ontologies

• Vocabulary used to describe a domain of concern

• Maps concepts, relationships, constraints

Page 5: Invincea: Reasoning in Incident Response in Tapio


Why an Ontology?

• Linked data

• Disparate sources, common language

• Facilitates reasoning

• Scale the analyst - millions of nodes and relationships

• Replication of analysis

• Hypothesis testing

• Supports concrete and abstract, high and low confidence data

Page 6: Invincea: Reasoning in Incident Response in Tapio


Previous Cybersec Ontologies

• NRL

• CSI iSecurity

• Herzog

Page 7: Invincea: Reasoning in Incident Response in Tapio


Previous Cybersec Ontologies

• NRL

• CSI iSecurity

• Herzog

All centered on threats, alerts, and attacks

Page 8: Invincea: Reasoning in Incident Response in Tapio


ICAS/TAPIO Goals

• Models arbitrary security relevant data

• Events from appliances

• Host data - state, logs, etc

• Marshals into one ontology to facilitate reasoning

• Separates threats, alerting and reasoning

Page 9: Invincea: Reasoning in Incident Response in Tapio


OWL and RDF Basics

• From the semantic web, W3C standards

• Classes, properties, relationships

• Subclassing possible

• Constraints possible

• Represented as triples - subject, predicate, object

• Powerful transitive properties possible

Page 10: Invincea: Reasoning in Incident Response in Tapio


Data Example

    :UserAccount-000000005 a user:UserAccount, owl:NamedIndividual ;
        rdfs:label "urn:x-tapio:test#UserAccount-000000005"@en ;
        authentication:hasCredential :LoginCredential-000000006 ;
        user:hasFullName "sshd privsep"^^xsd:string ;
        user:hasName "sshd"^^user:userName ;
        user:hasUID "S-1-5-21-37870939-2949504085-1600402019-1001"^^user:UID ;
        user:homeDir <urn:x-tapio:test#Directory-C:%5Ccygwin%5Cvar%5Cempty> .

Page 11: Invincea: Reasoning in Incident Response in Tapio


SPARQL Example

    SELECT DISTINCT ?process
    WHERE {
      ?proc a process:Process .
      ?proc process:displayName ?process .
      ?proc process:hasConnection ?conn .
    }

"Show me processes with a network connection"

Page 12: Invincea: Reasoning in Incident Response in Tapio


Reasoning

• Deductive

• Specify logic predicates, see what matches

• Inductive

• Associations begin to appear based on past relationships

• Associations have a probability of truth

• Use a confidence threshold to look for matches

Page 13: Invincea: Reasoning in Incident Response in Tapio


Why Reasoning?

• Enables us to scale through tools

• Indicator/observable heavy workflow at present

• OpenIOC, CyBOX, etc

• Easy to evade with minor effort

• Experts use behavior patterns to detect events of interest

• Reasoners capture expert’s knowledge, apply it repeatedly

Page 14: Invincea: Reasoning in Incident Response in Tapio


TAPIO Research Goals

• Can we facilitate the analyst and speed up investigations significantly?

• Can we spot things they might have missed?

• Can we capture expert reasoning and transfer it to junior analysts?

• Can we infer new knowledge and present it to the analyst?

Page 15: Invincea: Reasoning in Incident Response in Tapio


Design Choices

• OWL and RDF

• Standards from W3C

• Mature query language (SPARQL)

• Flexible

• World-state vs alert correlation or attacks

• Support analyst inquiries about alert context

• Not an enumeration

Page 16: Invincea: Reasoning in Incident Response in Tapio


TAPIO Ontology Foundations

• Support for existing MITRE schemas

• OWL foundations

• Thing

• Event (which includes Time)

Page 17: Invincea: Reasoning in Incident Response in Tapio


TAPIO/ICAS Ontology (component ontologies)

ACL, Authentication, CAPEC, Controls, CWE, CyBOX, Datastream, DHCP, DNS, Email, Filesystem, Filesystem artifacts, Hardware, Host, Indicators, IPNet, MAEC, Memory, Memory Artifacts, MIME, NIC, OSPlatform, OUI, Privilege, Process, Registry, SCAP, Software, STIX, URI, User

Page 18: Invincea: Reasoning in Incident Response in Tapio


Page 19: Invincea: Reasoning in Incident Response in Tapio

(Figure) Small excerpt from authentication and user ontologies

Page 20: Invincea: Reasoning in Incident Response in Tapio


ICAS Data Sources


Page 21: Invincea: Reasoning in Incident Response in Tapio

Two Step Process

(Diagram: Text Input and HTML Input → Structured Record Detection → Structured Records → Schema mapping)

Page 22: Invincea: Reasoning in Incident Response in Tapio


Step 1: Structured Record Detection

• Use several record separation and extraction algorithms

• Score results

• Return best results if above threshold

(Diagram: Record Separation; Table Extractor, Key-Value Extractor, HTML Extractor; Scoring Algorithms)

Page 23: Invincea: Reasoning in Incident Response in Tapio


Step 2: Schema Mapping

• Map data found in records to concepts in our ontologies

• Goal is to go from structured records to linked RDF data minimizing incorrect translation

• Ultimately this is ontology transformation

• The source ontology is vendor defined

• The destination ontology is ours

Page 24: Invincea: Reasoning in Incident Response in Tapio


Example

Input record: {"Current Netmask": "255.255.255.0", "Current IP": "192.168.1.126"}

1. The key tokens [Current, Netmask, IP] are scored against the Ontology Index: ipnet: 4.02, dhcp: 1.97, dns: 1.63, ..., uri: 1.11

2. Within the top-scoring IPNet Index, [Current, Netmask] scores SubNet: 3.64, onSubnet: 3.63, hasSubnet: 1.86, ..., hasRoute: 1.26

3. [Current, IP] scores Address: 2.28, Layer4: 1.49, onSubnet: 1.44, ..., hasNameServer: 1.29
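The two steps of pages 22 to 24 as one runnable sketch. This is an added example, not ICAS/TAPIO code: the two extractors, the coverage-based score and its threshold, the contents of the ontology index (a token to property table for assumed ipnet, dhcp and dns modules), the subject name host:sample and the two sample inputs (a key/value dump and a netstat-like table) are all constructed here, and the scores it computes are its own rather than the slide's.

```python
"""Step 1: competing extractors produce candidate records and are scored
against a threshold.  Step 2: each record's keys are mapped to ontology
properties through a token index.  Added example; extractors, score,
index contents and inputs are constructed, not ICAS/TAPIO's."""
import re
from collections import Counter

# Constructed inputs: a key/value dump and a netstat-like table.
KV_TEXT = """\
Current IP: 192.168.1.126
Current Netmask: 255.255.255.0
Default Gateway: 192.168.1.1
"""
TABLE_TEXT = """\
Proto  Local Address        Foreign Address      State
TCP    192.168.1.126:49152  5.6.7.8:443          ESTABLISHED
TCP    192.168.1.126:49153  4.3.2.1:22           ESTABLISHED
"""

# ---- Step 1: structured record detection ---------------------------------
def key_value_extractor(text):
    """One record from 'Key: Value' lines; the first colon splits key/value."""
    rec = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?)\s*:\s*(.+?)\s*$", line)
        if m:
            rec[m.group(1)] = m.group(2)
    return [rec] if rec else []

def table_extractor(text):
    """Header row plus data rows; columns separated by a tab or 2+ spaces."""
    rows = [re.split(r"\t|\s{2,}", ln.strip()) for ln in text.splitlines() if ln.strip()]
    if len(rows) < 2 or len(rows[0]) < 2:
        return []
    return [dict(zip(rows[0], r)) for r in rows[1:] if len(r) == len(rows[0])]

def looks_like_label(key):
    """Constructed plausibility test for a field name: short, no colon, no digits."""
    return ":" not in key and not re.search(r"\d", key) and len(key.split()) <= 4

def score(text, records):
    """Constructed score in [0, 1]: line coverage times the share of plausible keys."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    fields = [(k, v) for r in records for k, v in r.items()]
    if not lines or not fields:
        return 0.0
    coverage = min(1.0, len(fields) / len(lines))
    plausible = sum(1 for k, _ in fields if looks_like_label(k)) / len(fields)
    return round(coverage * plausible, 2)

def detect_records(text, threshold=0.5):
    """Run every extractor, score its output, keep the best only if it clears
    the threshold. Returns (score, extractor name or None, records)."""
    best = (0.0, None, [])
    for name, fn in (("key-value", key_value_extractor), ("table", table_extractor)):
        recs = fn(text)
        s = score(text, recs)
        if s > best[0]:
            best = (s, name, recs)
    return best if best[0] >= threshold else (0.0, None, [])

# ---- Step 2: schema mapping ----------------------------------------------
# Constructed token index: ontology -> key token -> candidate properties.
ONTOLOGY_INDEX = {
    "ipnet": {"ip": ["Address"], "address": ["Address"], "netmask": ["SubNet"],
              "subnet": ["SubNet", "onSubnet", "hasSubnet"], "gateway": ["hasRoute"],
              "route": ["hasRoute"], "nameserver": ["hasNameServer"]},
    "dhcp": {"ip": ["offeredAddress"], "lease": ["hasLease"], "server": ["hasServer"]},
    "dns": {"ip": ["resolvesTo"], "nameserver": ["hasNameServer"], "name": ["hasName"]},
}

def tokens(key):
    return re.findall(r"[a-z]+", key.lower())

def map_record(record, index=ONTOLOGY_INDEX):
    """Score each ontology by the record's key tokens (a token present in several
    ontologies, like 'ip', is down-weighted), pick the best ontology, then pick
    the best-matching property for every key inside it."""
    key_tokens = {k: tokens(k) for k in record}
    all_tokens = [t for ts in key_tokens.values() for t in ts]
    df = {t: sum(1 for o in index.values() if t in o) for t in set(all_tokens)}
    weight = lambda t: 1.0 / df[t] if df[t] else 0.0
    onto_scores = {o: round(sum(weight(t) for t in all_tokens if t in idx), 2)
                   for o, idx in index.items()}
    best = max(onto_scores, key=onto_scores.get)
    mapping = {}
    for key, ts in key_tokens.items():
        cands = Counter()
        for t in ts:
            for prop in index[best].get(t, []):
                cands[prop] += weight(t)
        mapping[key] = f"{best}:{cands.most_common(1)[0][0]}" if cands else None
    return best, onto_scores, mapping

def ingest(text, subject="host:sample"):
    """Both steps end to end: raw text -> records -> (subject, property, value)."""
    _, _, records = detect_records(text)
    triples = []
    for rec in records:
        _, _, mapping = map_record(rec)
        for key, val in rec.items():
            if mapping[key]:
                triples.append((subject, mapping[key], val))
    return triples
```

`ingest(KV_TEXT)` yields three triples on the assumed subject: "Current IP" lands on ipnet:Address only because "ip" is down-weighted for appearing in all three ontologies while "netmask" and "gateway" pull the record to ipnet. The table input is routed to the table extractor because the key/value extractor's single record is scored down for a key containing digits, and a block of prose with no recoverable structure falls below the threshold and yields no records at all, which is the "return best results if above threshold" rule of Step 1.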

Page 25: Invincea: Reasoning in Incident Response in Tapio


TAPIO Agent

Host

Security Appliance

Marrying host observations and device data

Page 26: Invincea: Reasoning in Incident Response in Tapio


(Diagram: TAPIO Agent; Host; Security Appliance)

Security Appliance: Flow 5.6.7.8...4.3.2.1; Alert 1234

Page 27: Invincea: Reasoning in Incident Response in Tapio


(Diagram: TAPIO Agent; Host; Security Appliance)

Host: Login from 4.3.2.1; Login at 2014-10-20T08:09:10; User AbcXyz; Process Foo.exe [9876]

Security Appliance: Flow 5.6.7.8...4.3.2.1; Alert 1234
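The triple model of page 9, the SPARQL query of page 11, the deductive reasoning of page 12 and the host/appliance correlation of pages 25 to 27, worked through in one added example. This is not TAPIO/ICAS code: a Python list stands in for an RDF triple store and match() for SPARQL basic graph pattern matching; the only names taken from the page are process:Process, process:displayName and process:hasConnection, while every tapio:* predicate, process:parentProcess and the world state itself (alert 1234 on a flow between 5.6.7.8 and 4.3.2.1, a login from 4.3.2.1 at 2014-10-20T08:09:10 by AbcXyz, process Foo.exe [9876], plus a decoy process) are constructed from the slide's labels.

```python
"""World state as (subject, predicate, object) triples, queried by basic graph
patterns (the SPARQL query of page 11) and enriched by a deductive rule tying
the page 27 appliance alert to the host login and process behind it. Added
example, not TAPIO/ICAS code: a list stands in for a triple store, match() for
SPARQL matching; every tapio:* name, process:parentProcess and the data are assumed."""
from datetime import datetime, timedelta

TRIPLES = [
    # security appliance: alert 1234 on a flow between 5.6.7.8 and 4.3.2.1
    ("alert:1234", "tapio:observedFlow", "flow:1"),
    ("flow:1", "tapio:endpoint", "5.6.7.8"),
    ("flow:1", "tapio:endpoint", "4.3.2.1"),
    ("flow:1", "tapio:startTime", "2014-10-20T08:09:12"),
    # host agent: login from 4.3.2.1 at 08:09:10 by AbcXyz, process Foo.exe [9876]
    ("login:7", "tapio:fromAddress", "4.3.2.1"),
    ("login:7", "tapio:atTime", "2014-10-20T08:09:10"),
    ("login:7", "tapio:user", "user:AbcXyz"),
    ("proc:9876", "rdf:type", "process:Process"),
    ("proc:9876", "process:displayName", "Foo.exe"),
    ("proc:9876", "tapio:launchedBy", "user:AbcXyz"),
    ("proc:9876", "process:hasConnection", "conn:1"),
    ("conn:1", "tapio:remoteAddress", "4.3.2.1"),
    ("proc:9876", "process:parentProcess", "proc:100"),
    ("proc:100", "process:parentProcess", "proc:4"),
    # decoy: same user, but its connection goes elsewhere
    ("proc:4321", "rdf:type", "process:Process"),
    ("proc:4321", "process:displayName", "Bar.exe"),
    ("proc:4321", "tapio:launchedBy", "user:AbcXyz"),
    ("proc:4321", "process:hasConnection", "conn:2"),
    ("conn:2", "tapio:remoteAddress", "8.8.8.8"),
]

def match(store, patterns, bindings=None):
    """Basic graph pattern matching: each pattern is (s, p, o) with ?variables;
    returns every binding dict satisfying all patterns (a join on shared vars)."""
    bindings = bindings or {}
    if not patterns:
        return [bindings]
    results = []
    for triple in store:
        b = dict(bindings)
        for want, got in zip(patterns[0], triple):
            if want.startswith("?"):
                if b.setdefault(want, got) != got:
                    break
            elif want != got:
                break
        else:  # all three terms matched: continue with the remaining patterns
            results.extend(match(store, patterns[1:], b))
    return results

def processes_with_connection(store):
    """The page 11 query: display names of processes with a network connection."""
    q = [("?proc", "rdf:type", "process:Process"),
         ("?proc", "process:displayName", "?name"),
         ("?proc", "process:hasConnection", "?conn")]
    return sorted({b["?name"] for b in match(store, q)})

def explain_alert(store, alert, window_seconds=300):
    """Join the flow's endpoint to a host login from that address and to a
    process of that user connected to it; the time check acts as a FILTER."""
    q = [(alert, "tapio:observedFlow", "?flow"),
         ("?flow", "tapio:endpoint", "?ip"),
         ("?flow", "tapio:startTime", "?ftime"),
         ("?login", "tapio:fromAddress", "?ip"),
         ("?login", "tapio:atTime", "?ltime"),
         ("?login", "tapio:user", "?user"),
         ("?proc", "tapio:launchedBy", "?user"),
         ("?proc", "process:hasConnection", "?conn"),
         ("?conn", "tapio:remoteAddress", "?ip"),
         ("?proc", "process:displayName", "?name")]
    hits = []
    for b in match(store, q):
        gap = abs(datetime.fromisoformat(b["?ftime"]) - datetime.fromisoformat(b["?ltime"]))
        if gap <= timedelta(seconds=window_seconds):
            hits.append({"user": b["?user"], "process": b["?proc"], "name": b["?name"]})
    return hits

def infer(store, alert):
    """Deductive rule: materialise the join result as new triples so later
    queries (and the analyst) see it; returns the triples actually added."""
    added = []
    for hit in explain_alert(store, alert):
        for t in ((alert, "tapio:explainedBy", hit["process"]),
                  (hit["process"], "tapio:suspectedOf", alert)):
            if t not in store:
                store.append(t)
                added.append(t)
    return added

def closure(store, subject, predicate, seen=None):
    """Transitive property, e.g. the parent-process chain up to the root."""
    seen = [] if seen is None else seen
    for s, p, o in store:
        if s == subject and p == predicate and o not in seen:
            seen.append(o)
            closure(store, o, predicate, seen)
    return seen
```

`explain_alert(TRIPLES, "alert:1234")` returns only Foo.exe: the decoy Bar.exe is launched by the same user but its connection goes to 8.8.8.8, so the join on ?ip drops it, and the login is kept only because its timestamp falls inside the window around the flow start. `infer` is the deductive case of page 12 (state the predicates, materialise what matches); `closure` shows the transitive property of page 9 on the parent-process chain. The inductive case (associations with a probability of truth and a confidence threshold) is not modelled here.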

Page 28: Invincea: Reasoning in Incident Response in Tapio


Next Steps

• Complete the testing of the ontology within TAPIO

• Integrate correlation and causation ontologies

• Adapt reasoners for within TAPIO and the ontology

Page 29: Invincea: Reasoning in Incident Response in Tapio


Thank You