STIX - Looking at a Campaign, Part 1
Dr. Peter Stephenson
Now we come to a useful application of STIX: characterizing a campaign.
For our model we will use the excellent and very well-known APT1 campaign from Mandiant. This is on the Mandiant site in the form of a complete report and the STIX files are on the Mitre web site. We picked the complete report for our 2-part example. There are several STIX files, however, and they each focus on a specific part of the campaign such as observables, indicators of compromise and so forth. We will be using a very high level report for our STIX analysis because it is easy to understand and representative of most of the types of things you would see typically in STIX characterizations.
Before we dig too deeply, though, Mitre has provided a graphic that applies the STIX process to the DoD computer network defense definition. That graphic is in Figure 1.
Figure 1 - DoD CND model applied to STIX
The DoD model breaks down into Protect, Monitor, Analyze and Detect, and Respond. In order to Protect, we are concerned with Tools, Techniques and Processes (TTPs), Observables, Exploit Targets and Courses of Action. The Monitor, Analyze & Detect phase brings Campaigns, Threat Actors, Indicators and Observables into the game and Respond adds Incident definitions and Courses of Action. All of these are represented easily within the STIX framework. Since they are in XML format, the Course of Action is an obvious candidate for consumption by a device such as a firewall.
Now, let's get started with the APT1 campaign. Note that not all campaigns have all of the STIX elements included. The only elements that you will find are those that you – or the author of the particular STIX profile that you are analyzing - have been able to extract from the event or from your threat research and analysis. This is a good time to point out that as you perform threat research the best way to collect and share your findings is with STIX. I use it extensively as I conduct threat actor research.
Threat actors are my particular area of research interest so I have myriad ways of collecting intelligence about actors that interest me. All of that information – the actor, his TTPs, observables and campaigns with which he has been involved fits nicely into a STIX profile. If I want to share the profile, rather tah writing a long complicated report, I just build a STIX profile. Using StixViz, the recipient of my profile can see at a glance the complete data set that I have developed out of my research. It is graphical for those not familiar with STIX and the HTML rendering of the XML adds depth and detail for those who are. Meanwhile, I am building a library of profiles that I can stitch together if necessary to characterize some mischief that a particular threat actor is up to or to work backwards from an incident to the actor.
Figure 2 shows a very top level view of the APT1 campaign using STIXViz.
Figure 2 - Top Level View of the APT1 Campaign Based Upon Mandiant Research
It's a little hard to read but the red boxes on the right are actors, the violet boxes are TTPs and the brown ones are attack patterns and malware behavior. We'll dig for more detail shortly. The next level of detail is the tree view in STIXViz. Figure 3 shows that but it is way too busy to read here. I am including it to give you a navigation reference as we dig deeper into the graphic.
Figure 3 - APT1 Campaign Viewed from the Tree Display in STIXViz
In this figure you can see – if nothing else – the hierarchical flow from the actors and the TTPs. In Figure 4 I have expanded a section of the tree that breaks down some of the threat actors. Don't worry that this is hard to read… this posting we're just getting the lay of the land. Next time I'll break out the pieces and follow a trail or two for you from the top level all the way to the HTML rendering of the XML profile.
Figure 4 - Breakout of a few of the APT1 Actors
We'll wrap up this orientation with a look at the HTML rendering of the XML showing the steps in the kill chain exploited by the APT1 actors and shown by the STIX profile. We can get a lot more detail here as well – and we will next time – but this will help for now. Figure 5 shows this pretty clearly. Also, remember that the whole STIX profile is XML so everything is nested. That's pretty helpful when reading STIX in HTML.
Figure 5 - HTML Rendering of the Kill Chains in APT1
This will get you going on this project. Go out to the Mitre Site and get the APT1 STIX file and plug it into STIXViz to see for yourself how easy this is. Next time we will do a deeper dive into APT1 and from that point on, when I present an actor or other observable to you it will be in STIX format with the file available for you.
To wrap up, here's this week's list of new malicious domains from http://www.malwaredomainlist.com/.
Table 1 The Past Week's New Malware Domains
So… until next time….
If you use Flipboard, you can find my pages at http://tinyurl.com/FlipThreats. Here I flip the interesting threat-related stories of the day – nothing particularly technical, but interesting stories none-the-less.