
Collaborative cyber threat intelligence detecting and responding to advanced cyber attacks at the national level


DOCUMENT INFORMATION

Basic information

Format
Pages: 556
Size: 13.07 MB

Content

Collaborative Cyber Threat Intelligence
Detecting and Responding to Advanced Cyber Attacks at the National Level
Edited by Florian Skopik

CRC Press, Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2018 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Printed on acid-free paper
International Standard Book Number-13: 978-1-138-03182-1 (Hardback)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged, please write and let us know so that we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Library of Congress Cataloging-in-Publication Data
Names: Skopik, Florian, editor.
Title: Collaborative cyber threat intelligence : detecting and responding to advanced cyber attacks at the national level / [edited by] Florian Skopik.
Description: Boca Raton, FL : CRC Press, 2017.
Identifiers: LCCN 2017025820 | ISBN 9781138031821 (hb : alk. paper)
Subjects: LCSH: Cyber intelligence (Computer security) | Cyberspace operations (Military science) | Cyberterrorism--Prevention | National security
Classification: LCC QA76.9.A25 C6146 2017 | DDC 005.8--dc23
LC record available at https://lccn.loc.gov/2017025820

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com

Contents

Foreword
Preface
Acknowledgment
About the Editor
Contributors
Introduction (Florian Skopik)
A Systematic Study and Comparison of Attack Scenarios and Involved Threat Actors (Timea Pahi and Florian Skopik)
From Monitoring, Logging, and Network Analysis to Threat Intelligence Extraction (Ivo Friedberg, Markus Wurzenberger, Abdullah Al Balushi, and BooJoong Kang)
The Importance of Information Sharing and Its Numerous Dimensions to Circumvent Incidents and Mitigate Cyber Threats (Florian Skopik, Giuseppe Settanni, and Roman Fiedler)
Cyber Threat Intelligence Sharing through National and Sector-Oriented Communities (Frank Fransen and Richard Kerkdijk)
Situational Awareness for Strategic Decision Making on a National Level (Maria Leitner, Timea Pahi, and Florian Skopik)
Legal Implications of Information Sharing (Jessica Schroers and Damian Clifford)
Implementation Issues and Obstacles from a Legal Perspective (Erich Schweighofer, Vinzenz Heussler, and Walter Hötzendorfer)
Real-World Implementation of an Information Sharing Network: Lessons Learned from the Large-Scale European Research Project ECOSSIAN (Giuseppe Settanni and Timea Pahi)
Index

Foreword

This book provides a valuable foundation for the future development of cybersecurity information sharing both within and between nation-states. This work is essential—unless we can identify common threats and share common mitigation then there is a danger that we will become future victims of previous attack vectors. Without shared situation awareness, it is likely that different organizations facing the same threat will respond in inconsistent ways—and the lessons learned in combatting earlier incidents will be repeated and repeated until we develop more coordinated responses.

There are further motivations for reading this work. Existing standards across many industries and continents agree on the need for risk-based approaches to cybersecurity. Too often these are based on subject introspection; they can be little more than the best guesses of chief information security officers. If we can encourage information sharing, then our assessments of probability, consequence, and our identification of potential vulnerabilities can be based on previous experience.

All of these benefits will only be realized if we can address a number of barriers to information sharing. First, it is clear that there may be limited benefits from sharing information about every potential attack. The sheer scale of automated phishing and DDoS (Distributed Denial-of-Service) attacks means that without considerable support we may lose cyber situation awareness as we are overwhelmed by a mass of well-understood incidents. Second, the focus must never be on recording the incidents—the utility of these systems is derived from the decisions that they inform. We must allocate resources to identifying mitigations and preventing future incidents. Third, a host of questions must be addressed about the disclosure of compromising information and the violation of intellectual property through incident reporting. Simply revealing that an organization has been the target of an attack may encourage others to focus on them. Fourth, there are questions about what should be shared. The information needs are different both horizontally—between companies in different industries—and vertically between companies addressing different needs within the same supply chain. Finally, we must be sensitive to the limitations of incident reporting—it can be retrospective, focusing on gathering information about the previous generation of attacks rather than the next—which may be very different especially when state actors are involved.

The chapters of this book provide, arguably for the first time, a coherent and sustained view of these many different opportunities and potential pitfalls. It investigates the potential benefits of peer-to-peer systems as well as the legal obstacles that must be overcome. It looks at the key determinants of situation awareness at a national level and beyond. It does all of this in an accessible manner—focusing on generic issues rather than particular technologies. I recommend it to you.

Chris Johnson
Head of Computing Science at Glasgow University
Glasgow, UK

Index

ICSs (industrial control systems), 28, 37
ICT (information and communication technology) security, 21
Identification, 79
Identifiers, 79
IDS (intrusion detection systems): adaptive approaches, 110–112; anomaly-based detection, 109; cross-layer, 110; data types, 110; host level, 109; network level, 109; self-learning, 110–112; sharing, 112–113; signature-based detection, 108; stateful protocol analysis, 109
Incident reports, 268
Indicators,
Industrial network, 73
Information and communication technology, see ICT security
Information flow, 101
Information leakage, 328: IP address leakage (Budapest Convention, 331; communication, 330; CSIRT, 328, 331, 332; employee carelessness, 333; GDPR, 330–331; illegal access, 332; infringements, 330; organizational measures, 333; personal data breach, 329; technical measures, 333); product vulnerability leakage, 334–336
Information modeling, 267–268
Information security, see IS
Information sharing: breach notification obligations (BIPT, 287; CJEU, 288; competent regulatory authority, 286; data protection authorities, 291; Data Protection Directive 95/46/EC, 290–291; economic interests, 305–306; ENISA, 287; personal data, 288, 290; telecommunication sector, 286, 289–290); data protection (CJEU judgement, 303; GDPR, 299; information transfer, 304; lawful grounds, 302; legal basis, 303; limitations, 301; Member States, 301; personal data, 300; requirements, 301; subjects, 300–301); EU cybersecurity legal framework, 279 (applicable framework, 281–285; moves toward coordinate, 280–281); national scope (responsibilities, 383–384; roles, 383–384; strategic level, 385–388; tactical level, 388–390); national security (confidentiality, 297; intellectual property, 295; public–private overlap, 297–299; trade secrets, 296–297); proactive, 291–292 (CERTs, 293; CSIRTs, 294; EU Member States, 292; hard law, 294; incident report, 306–308)
Information technology, see IT
Insiders, 58–59
Installation, 33
Intellectual property, 295
International cooperations: cyber incident information-sharing, 175–176; regional implementations, 162–163
International implementations, see Regional implementation dimensions
Internet Control Message Protocol, see ICMP
Internet Relay Chat (IRC) server, 47
Intrusion detection systems, see IDS
IoCs (indicators of compromise), 188
IoT (Internet of Things), 26
IoT DDoS attack, 27: attack illustration, 48; botmasters, 49; IRC server, 47; large-scale IoT botnet, 46; Mirai malware, 47; services and platforms, 46–47
IP (Internet Protocol) address leakage: Budapest Convention, 331; communication, 330; CSIRT, 328, 331, 332; employee carelessness, 333; GDPR, 330–331; illegal access, 332; infringements, 330; organizational measures, 333; personal data breach, 329; technical measures, 333
IS (information security), 21, 387
ISO/OSI model, 88
IT (information technology), 21: crisis management, 164
ITIL (Information Technology Infrastructure Library), 77
ITU-T X.1500, 157–159

J
JDL DFM (Joint Directors of Laboratories Data Fusion Model), 251–252

K
KillDisk, 43

L
Lateral movement, 34–35
Legacy systems, 110
Legal landscape dimensions, 134: EU cybersecurity strategy, 147–148; EU Network Information Security Directive, 148–149; European Commission, 146; Executive Order, 146–147, 149–150; U.S. Presidential Policy Directive, 150–153
Linux malware, 47
Log data: application, 86–87; drawback, 82; evasion techniques, 86; monitoring infrastructure, 83, 85–86; observables, 82, 84–85; sensitive information, 82; sources, 82

M
Mailing, 267–268
Malware creators, 53–54
Malware files and processes: binary patterns, 98; detection, 97–98; information flow, 101; obfuscation methods, 102; operation codes, 98–99; system calls, 99–101
MELANI (Melde- und Analysestelle Informationssicherung), 243–244
Metamorphic malware, 102
Mimikatz tools, 51
Mirai malware, 47
MISP (Malware Information Sharing Platform), 208–210
Mobile malware, 3–4
Modern economic systems, 227

N
National cybersecurity centers, 253–255
National cybersecurity strategies, 233–234: Germany, 235–236; structure, 234; Switzerland, 236–238; United Kingdom, 238; United States of America, 239–240
Nationales Cyber-Abwehrzentrum, 243
National security: confidentiality, 297; intellectual property, 295; public–private overlap, 297–299; trade secrets, 296–297
NCC (National Coordinating Center for Communications), 245
NCCIC (National Cybersecurity and Communications Integration Center), 245
NCCIC Operations & Integration (NO&I), 245
NCSC (National Cyber Security Center), 244
NDN (National Detection Network), 213–215
NetFlow, 96
Network traffic: application, 91–92; corporate IT networks, 87; evasion techniques, 96–97; ISO/OSI model, 88; monitoring, 88, 95–96; packet-switched networks, 93–94; payload, 92–93; transmission of packets, 87–88; transport-oriented, 89–91
Newsletters, 268
NIDS (network-based IDS), 109
NIST (National Institute of Technology), 28, 156–157
NRRA (National Railway and Road Administration), 403–408: attack, 408–409; detection, 409; incident response (E-SOC level, 411–412; N-SOC level, 411; O-SOC level, 409–411)
N-SOC (national SOC), 357, 411

O
Obfuscation methods, 102
Ontology: attributes, 114; axioms, 114; classes, 113; cyber security domain, 114; cybersecurity information sharing, 117–118; defined, 113; design, 117; features, 115–116; implementation, 117; instances, 114; limitations, 119; objectives, 116; powerful capabilities, 116; research challenges, 119; rules, 114
OODA Loop, 249–250
Open-source tools, 165–169
Open web-platforms, 165–169
Operation codes (opcodes), 98–99
OSINT (open source intelligence), 31
O-SOC (organization SOC), 357, 409–411
Owner, 79
Ownership, 268–269

P
Packet captures, 96
Packet headers, 97
Packet-switched networks, 93–94
Payload, 92–93
Peer-to-peer model, 203, 204
PLCs (programmable logic controllers), 37
Point anomaly, 107
Power outage in Ukraine, 226: attack illustration, 41; BlackEnergy malware, 42; critical infrastructure, 40; DSOs, 40; information, 42; KillDisk, 43; RTUs, 43
Private sector cooperation, 174–175
Proactive information sharing, 291–292: CERTs, 293; CSIRTs, 294; EU Member States, 292; hard law, 294; incident report, 306–308
PSD II (Payment Services II Directive), 323
Public domain, 71
Public sector cooperation, 174–175

R
Recent attacks: IoT DDoS attack, 27 (attack illustration, 48; botmasters, 49; IRC server, 47; large-scale IoT botnet, 46; Mirai malware, 47; services and platforms, 46–47); power outage in Ukraine (attack illustration, 41; BlackEnergy malware, 42; critical infrastructure, 40; DSOs, 40; information, 42; KillDisk, 43; RTUs, 43); RUAG cyber espionage (see RUAG cyber espionage); Sony hack (attack illustration, 45; initial intrusion, 44; The Interview, 43; threat actors, 46; victim’s network, 43–44; wiper malware, 44); Stuxnet (see Stuxnet)
Reconnaissance, 30–31
Regional implementation dimensions, 134: CERTs, 160–162; international cooperations, 162–163; IT crisis management, 164
Regulatory landscape, see Legal landscape dimensions
Reputational damage, 324: civil law, 325–327; criminal law, 325
Responsibility, 79
RTU (remote terminal units), 43
RUAG cyber espionage: basic reconnaissance tools, 51; challenge, 49; drones mark, 52; fingerprinting, 50; investigations, 53; privilege escalation, 51; watering holes, 50
Rule-based analysis: black-listing (advantages, 106; disadvantages, 106; forbid, 104–105; security solutions, 104; vs. white-listing, 105, 106); SIEM systems, 106–107; white-listing (advantages, 106; approaches, 105; black- vs., 105, 106; disadvantages, 106)

S
SA (situational awareness): application, 257; CCOP information (see CCOP); cybersecurity centers (Germany, 243; responsibilities, 242; stakeholders, 241–242; Switzerland, 243–244; tasks, 242; United Kingdom, 244; United States of America, 244–245); definitions, 246–247; gaining, 256–257; international cybersecurity strategies, 229–233; international organizations, 228; models (cognitive, 248–250; CSAM, 252; ECSA, 252–253; focus analysis, 256–257; JDL data fusion model, 251–252; national cybersecurity centers, 253–255; operator analysis, 257–258); national cybersecurity strategies, 233–234 (Germany, 235–236; structure, 234; Switzerland, 236–238; United Kingdom, 238; United States of America, 239–240); national governments, 227–228
SCADA (supervisory control and data acquisition) systems, 37, 43, 73, 110, 407
Script kiddies, 59, 238
SD (signature-based detection), 108
Search engines, 268
Security-relevant information: data protection law, 318 (Breyer, 316; command and control server, 316–317; controller, 320; exchange IP address, 319; identifiable, 315; statutory legal basis, 317); disproportionate mitigation measures (DDoS attack, 338; DoS attack, 337–338; individual users, 339; information security legislation, 340–343; legal basis, 337; network, 340–343; self-defense, 343–344; service provider, 340; service user, 340); information duties (eIDAS Regulation, 322; GDPR, 320–321; NIS Directive, 322–323; PSD II, 323; telecommunication framework directive, 321); information leakage (see Information leakage); IP address, 315; legal implications (responsibility for notify, 349–350; service provider, 345–347; trade secret legislation, 347–349)
Security vulnerabilities,
Semi-supervised approaches, 111
Sensors, 268
Sequential anomaly, 108
Signature-based detection, see SD
Social engineering, 31: tactics,
Social media,
Sony hack: attack illustration, 45; initial intrusion, 44; The Interview, 43; threat actors, 46; victim’s network, 43–44; wiper malware, 44
SPA (stateful protocol analysis), 109
Standardization efforts dimensions, 134: different documents, 159; ENISA, 153–155; ISO/IEC 27010, 155–156; NIST, 156–157; recommendation ITU-T X.1500, 157–159
Stateful protocol analysis, see SPA
State-sponsored threat actors, 58
STIX (Structured Threat Information eXpression), 205
Structured Access to Asset Information, 79
Stuxnet, 36–37: DLL, 40; ICSs, 37; industrial network, 37–39; methods to attack, 38; PLC, 37; P2P communication, 39
Supervised self-learning approaches, 111
Switzerland: cybersecurity centers, 243–244; national cybersecurity strategies, 236–238
System architecture, 366: E-SOC components, 374, 376–377; functional blocks, 369–373; N-SOC components, 374, 376–377; O-SOC components, 374, 375; security operation centers, 367–368; SOC architecture, 368–369
System calls: clustering techniques, 99; dynamic analysis, 101; frequency distribution, 100
System information and event management (SIEM) systems, 106–107

T
Tactics, techniques, and procedures, see TTPs
TAXII (Trusted Automated eXchange of Indicator Information), 204–205
Technology integration in organization dimensions, 134: open-source tools, 165–169; open web-platforms, 165–169; protocols, 170–173; technical standards, 170–173; tools application, 173
Terrorists, 238
Threat actors, 10: attribution, 55; classification, 58; COTS hacker tools, 60; cover, 55; crackers, 59; cyber criminals (see Cyber criminals); cyberterrorists, 58; hacktivists, 58; impact, 60; insiders, 58–59; motivations, 60; profiles, 189; script kiddies, 59; state-sponsored, 58; tactics and procedures, 60; with unknown identity, 59
Threat information sharing: advantages, 5–6; capabilities, 11–12; challenges, 6–7; CoA, 10; cybersecurity best practices, 10; external sources, ; indicators, ; internal sources, 7–8; IT operations, ; participants, 12–13; roles, 14; threat actor, 10; tools and analysis techniques, 10–11; TTPs, 9–10; vulnerability, 10
Transport-oriented observables, 89–91
Trojan Locky,
TTPs (tactics, techniques and procedures), 9–10, 22, 189: cyber threat intelligence, 75–76

U
United Kingdom: cybersecurity centers, 244; national cybersecurity strategies, 238
United States of America: cybersecurity centers, 244–245; Cybersecurity Information Sharing Act (CISA), ; national cybersecurity strategies, 239–240; Presidential Policy Directive, 150–153; White House Executive Order, 146–147, 149–150
Unsupervised self-learning, 111
US-CERT (United States Computer Emergency Readiness Team), 245

V
Vulnerability, 10
Vulnerability databases, 267

W
walls.bmp, 44
Weaponization, 31

Posted: 04/03/2019, 08:46
