Friday, November 2, 2012

Verizon Business Security Blog: Everyday I'm CIFfling

So as we've talked about before, preventive controls by themselves do not provide sufficient defense in today's threat environment. Instead, defenders must continually adapt to their adversaries, and this includes sharing threat intelligence with trusted partners.

The open-source Collective Intelligence Framework (CIF), developed by the REN-ISAC with support from the National Science Foundation, Internet2, and Indiana University, enables the sharing of basic technical indicators between systems. This post will give an overview of the system and its usage, discuss tools we have developed to extend and integrate it, and lay out a roadmap for future development with plenty of opportunity for community involvement.

Fundamentals

As previously discussed, when planning a framework for sharing intelligence, operational security (OPSEC) concerns require significant thought and consideration. CIF reduces the opportunities for an analyst to leak information to attackers by downloading data and performing lookups locally rather than performing remote lookups against a third-party service.

Just as (or perhaps more) importantly, CIF enables the inter-system exchange of threat data. This enables faster reactions by bringing data immediately into a watch list or even a block list, though you must take care to choose which data to use for blocking. Waiting for an analyst to have time to download the data manually and then enter it into your systems introduces too much chance for problems, whether related to the analyst's workload, typical hours, or just human error.

CIF Dev team

The core Collective Intelligence Framework is primarily developed at the REN-ISAC by a team headed by Wes Young. Other committers include Gabriel Iovino, Jeff Murphy, and Kevin Benton.

The Verizon RISK team focuses on two development roles around CIF: QA / debugging and contributing to the ecosystem of tools that work with CIF. (We have some posts lined up to discuss some of these tools like CIFGlue, IOC Extractor, and integration with other analysis tools in greater detail.) Generally, that means we try to make CIF more usable in our environment and contribute this work back out to the broader community. We believe that making these capabilities more widely accessible will improve the overall state of security. We also help maintain a bleeding-edge repository of additional OSINT sources.

Tech

CIF currently runs on a typical LAPP (LAMP-type) stack: Linux / Apache / PostgreSQL / Perl. Internally, the data is stored in an IODEF-like format as JSON. However, according to the roadmap, the framework will soon be rewritten in C and the data structures will use protocol buffers, though JSON output will of course continue to be supported.

We've worked with it for quite a few months now, and we'll tell you that the suggested system specifications definitely matter. You'll want to run CIF on a server with multiple cores, lots of RAM, and good I/O throughput. Separating out the database from the application server may also improve performance significantly once you need to scale past a pilot deployment.

Usage concepts

CIF works by ingesting public or private feeds of structured threat data. It can handle most delimited and non-delimited text formats (CSV, tab, etc.) as well as RSS/XML and JSON. Other formats can be parsed with helper scripts written in whatever language you prefer.

Analysts can issue two core query types: searches for specific indicators or feeds for particular indicator types subject to parameters. CIF has a command-line tool for interactive use (or building into local tools) as well as support for a RESTful API for integration into other web interfaces. A prototype web interface exists, but your environment may already allow for using the API in conjunction with your SIEM or similar tool.

To properly understand the data contained within CIF, analysts must understand the defined taxonomies: impact, severity, and confidence. Impact describes the general type of threat; examples might include phishing-related indicators, botnets, scanners, or perhaps even informational only. Severity is relatively straightforward: how much pain could this cause a victim? Confidence is slightly more subtle and represents your belief in the accuracy of the indicator. Information that an investigator has thoroughly vetted might carry a score of 95 (on a scale of 0-99), whereas public lists of scanning IP addresses might instead have a score of 50.
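The ingest-then-query workflow described above (feed parsing, local lookups that avoid remote queries, and the impact/severity/confidence taxonomy driving watch-list versus block-list decisions) as a small added Python example. This is illustrative code written for this post, not CIF's own code or API; the feed contents, source names, and the 50/85/95 thresholds are constructed for the example.

```python
"""Added example (not CIF's own code): a minimal local indicator store that
mirrors CIF's workflow. It ingests delimited feeds into IODEF-like JSON
records tagged with impact/severity/confidence, answers indicator searches
from the local copy (no remote lookups), and derives feeds by confidence
threshold. All feed data below is constructed for the example."""
import csv
import io
import json

# Constructed sample feeds. Addresses come from RFC 5737 documentation ranges.
# A public scanner list carries no confidence column, so it inherits the
# per-feed default; analyst-vetted data states its own score.
PUBLIC_SCANNER_FEED = """address,impact,description
192.0.2.10,scanner,ssh brute force scanning
203.0.113.55,scanner,web vulnerability scanning
"""

ANALYST_FEED = """address,impact,severity,confidence,description
198.51.100.7,phishing,high,95,credential phishing page vetted by IR
192.0.2.10,botnet,high,95,c2 beacon confirmed during investigation
"""


def parse_delimited_feed(text, source, default_severity="medium",
                         default_confidence=50, delimiter=","):
    """Turn one delimited text feed into a list of IODEF-like records.

    Columns absent from the feed (or left empty) fall back to per-feed
    defaults, which is how a public scanning list lands at confidence 50
    while investigator data keeps its explicit 95."""
    records = []
    for row in csv.DictReader(io.StringIO(text), delimiter=delimiter):
        records.append({
            "address": row["address"].strip(),
            "impact": row["impact"].strip(),
            "severity": (row.get("severity") or default_severity).strip(),
            "confidence": int(row.get("confidence") or default_confidence),
            "description": (row.get("description") or "").strip(),
            "source": source,
        })
    return records


class LocalIndicatorStore:
    """In-memory stand-in for CIF's database. Every query is answered from
    data already downloaded, so an analyst's lookup never reaches an
    attacker-observable service."""

    def __init__(self):
        self._by_address = {}

    def ingest(self, records):
        """Store records keyed by indicator; returns the count ingested."""
        for rec in records:
            self._by_address.setdefault(rec["address"], []).append(rec)
        return len(records)

    def search(self, indicator):
        """Query type 1: everything known locally about one indicator."""
        return list(self._by_address.get(indicator, []))

    def feed(self, impact=None, min_confidence=0):
        """Query type 2: unique indicators of a given impact type whose
        confidence meets the floor. A low floor yields a watch list; a high
        floor yields data safe enough to consider for blocking."""
        hits = set()
        for address, recs in self._by_address.items():
            for rec in recs:
                if impact is not None and rec["impact"] != impact:
                    continue
                if rec["confidence"] >= min_confidence:
                    hits.add(address)
        return sorted(hits)

    def to_json(self):
        """Serialize the store as JSON, in the spirit of CIF's JSON output."""
        return json.dumps(self._by_address, indent=2, sort_keys=True)


def build_store():
    """Ingest both constructed feeds into a fresh store."""
    store = LocalIndicatorStore()
    store.ingest(parse_delimited_feed(PUBLIC_SCANNER_FEED,
                                      source="public-scanner-list"))
    store.ingest(parse_delimited_feed(ANALYST_FEED, source="internal-ir"))
    return store


if __name__ == "__main__":
    store = build_store()
    print(json.dumps(store.search("192.0.2.10"), indent=2))
    print("watch list:", store.feed(min_confidence=50))
    print("block list:", store.feed(min_confidence=85))
```

Note that the same address appears in both feeds with different impact and confidence values; a search returns both records so the analyst can see the public scanner sighting alongside the vetted botnet record, while the block-list feed only admits it because of the high-confidence analyst entry.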

Community

As open-source (libre/free) software, CIF relies on community help to grow. Contributing back to the project in the form of testing, documentation, code, or (at a minimum) discussing your use cases and deployments helps everyone. The ROI from assisting the project may surprise you.


Source: http://securityblog.verizonbusiness.com/2012/11/01/everyday-im-ciffling/

