Abstract
Nowadays, attacks against single computer systems or whole infrastructures pose a significant risk. Although deployed security systems are often able to prevent and detect standard attacks in a reliable way, it is not uncommon that more sophisticated attackers are capable to bypass these systems and stay undetected. To support the prevention and detection of attacks, the sharing of cyber threat intelligence information becomes increasingly important. Unfortunately, the currently available threat intelligence formats, such as YARA or STIX (Structured Threat Information eXpression), cannot be used to describe complex patterns that are needed to share relevant attack details about more sophisticated attacks.
In this paper, we propose an extension for the standardized STIX format that allows the description of complex patterns. With this extension it is possible to tag attributes of an object and use these attributes to describe precise relations between different objects. To evaluate the proposed STIX extension we analyzed the API calls of the credential dumping tool Mimikatz and created a pattern based on these calls. This pattern precisely describes the performed API calls of Mimikatz to access the LSASS (Local Security Authority Subsystem Service) process, which is responsible for authentication procedures in Windows. Due to the specified relations, it is possible to detect the execution of Mimikatz in a reliable way.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
AlienVault: AlienVault Open Threat Exchange (OTX)\(^{\rm TM}\) User Guide, October 2015. https://www.alienvault.com/doc-repo/OTX/user-guides/AlienVault-OTX-User-Guide.pdf
Alvarez, V.M.: Yara User’s Manual (2011). https://yara-project.googlecode.com/files/YARA%20User’s%20Manual%201.6.pdf
Barnum, S.: Standardizing Cyber Threat Intelligence Information with the Structured Threat Information eXpression (STIX\(^{\rm TM}\)). MITRE Corporation, February 2014. https://stixproject.github.io/getting-started/whitepaper/
Costa, D.L., Collins, M.L., Perl, S.J., Albrethsen, M.J., Silowash, G.J., Spooner, D.L.: An ontology for insider threat indicators: development and application. In: Proceedings of the 9th Conference on Semantic Technology for Intelligence, Defense, and Security (2014)
Cylance: Operation Cleaver, December 2014. http://www0.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf
FireEye Labs: APT28: A Window Into Russia’s Cyber Espionage Operations? October 2014. https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
Haass, J.C., Ahn, G.J., Grimmelmann, F.: Actra: a case study for threat information sharing. In: Proceedings of the 2nd ACM Workshop on Information Sharing and Collaborative Security, pp. 23–26. ACM (2015)
IBM: IBM X-Force Exchange Data Sheet, April 2015. http://public.dhe.ibm.com/common/ssi/ecm/wg/en/wgd03055usen/WGD03055USEN.PDF
Kampanakis, P.: Security Automation and Threat Information-Sharing Options. Security Privacy, 42–51. IEEE, September 2014
Kul, G., Upadhyaya, S.: A preliminary cyber ontology for insider threats in the financial sector. In: Proceedings of the 7th ACM CCS International Workshop on Managing Insider Security Threats, pp. 75–78. ACM (2015)
Mandiant: An Introduction to OpenIOC (2011). http://openioc.org/resources/An_Introduction_to_OpenIOC.pdf
Meier, M.: A model for the semantics of attack signatures in misuse detection systems. In: Information Security. Lecture Notes in Computer Science. Springer, Berlin, Heidelberg (2004)
MITRE Corporation: Object Relationships. http://cyboxproject.github.io/documentation/object-relationships/
Serrano, O., Dandurand, L., Brown, S.: On the design of a cyber security data sharing system. In: Proceedings of the 2014 ACM Workshop on Information Sharing and Collaborative Security, pp. 61–69. ACM (2014)
Shackleford, D.: Who’s Using Cyberthreat Intelligence and How? SANS Institute, February 2015. http://www.sans.org/reading-room/whitepapers/analyst/cyberthreat-intelligence-how-35767
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Ussath, M., Jaeger, D., Cheng, F., Meinel, C. (2016). Pushing the Limits of Cyber Threat Intelligence: Extending STIX to Support Complex Patterns. In: Latifi, S. (eds) Information Technology: New Generations. Advances in Intelligent Systems and Computing, vol 448. Springer, Cham. https://doi.org/10.1007/978-3-319-32467-8_20
Download citation
DOI: https://doi.org/10.1007/978-3-319-32467-8_20
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-32466-1
Online ISBN: 978-3-319-32467-8
eBook Packages: EngineeringEngineering (R0)