Soltra edge open cyber intelligence platform...

Soltra edge open cyber intelligence platform report

Prepared By: Alan Magar Sphyrna Security 340 Ridgeside Farm Drive Kanata, Ontario K2W 0A1

PWGSC Contract Number: W7714-08FE01/001/ST Task 33 CSA: Melanie Bernier, Defence Scientist, 613-996-3937

Scientific Authority: Melanie Bernier Defence Scientist DRDC – CORA Research Centre

The scientific or technical validity of this Contract Report is entirely the responsibility of the Contractor and the contents do not necessarily have the approval or endorsement of the Department of National Defence of Canada.

Contract Report

DRDC-RDDC-2015-C204

March 2015

This Contract Report was produced for the Cyber Decision Making and Response project (05ac) under the DRDC Cyber Operations S&T program.

© Her Majesty the Queen in Right of Canada, as represented by the Minister of National Defence, 2015

© Sa Majesté la Reine (en droit du Canada), telle que représentée par le ministre de la Défense nationale, 2015

Soltra Edge Open Cyber Intelligence

Platform Report

prepared for

Defence Research and Development Canada

prepared by

Marc

ch 2015

Be

16

Ott

ell Canad

60 Elgin Stre

17th Floor

tawa, Ontar

K1S 5N4

B

da

et

rio

Soltra Ed

Bell Canada

dge Open C

a

Sphy

340 Rid

Ka

Cyber IntelliRe

yrna Sec

dgeside Farm

anata, Ontar

K2W 0A1

igence Platevision: 1.0

urity

m Drive

rio

March 2

tform Final

ii

2015

Soltra Edge Open Cyber Intelligence Platform

Revision: 1.0 Final

March 2015 Bell Canada iii

Confidentiality

This document is UNCLASSIFIED.

Authors

Bell / Sphyrna Team Role

Alan Magar Security Architect

Revision Control

Revision Date Modifications

0.1 12 March 2015 Draft Report

1.0 27 March 2015 Final Report


Revision: 1.0 Final

March 2015 Bell Canada iv

Table of Contents

1.0 INTRODUCTION .................................................................................................................... 1

1.1 BACKGROUND .............................................................................................................................. 1

1.2 PURPOSE ..................................................................................................................................... 1

1.3 DOCUMENT STRUCTURE ................................................................................................................ 2

2.0 TECHNICAL OVERVIEW ......................................................................................................... 3

2.1 ARCHITECTURE ............................................................................................................................. 3

2.2 STANDARDS ................................................................................................................................. 4

2.2.1 STIX ................................................................................................................................... 6

2.2.2 TAXII ................................................................................................................................. 7

2.2.3 TLP .................................................................................................................................... 8

2.3 CAPABILITIES ................................................................................................................................ 8

3.0 PRODUCT EVALUATION ...................................................................................................... 10

3.1 DEPLOYED ENVIRONMENT ............................................................................................................ 10

3.2 CONFIGURED FEEDS .................................................................................................................... 11

3.3 ADAPTERS ................................................................................................................................. 19

3.4 ASSESSMENT .............................................................................................................................. 22

3.4.1 Release Cycle .................................................................................................................. 22

3.4.2 User Community ............................................................................................................. 23

3.4.3 Functionality ................................................................................................................... 23

3.4.4 Alternatives .................................................................................................................... 24

4.0 CONCLUSION & RECOMMENDATIONS ................................................................................ 26

5.0 ACRONYMS & ABBREVIATIONS .......................................................................................... 27


Revision: 1.0 Final

March 2015 Bell Canada v

List of Figures

Figure 1 – Soltra Edge Cyber Intelligence Platform ................................................................................ 4

Figure 2 – Soltra Edge Upgrade ............................................................................................................ 10

Figure 3 – Adding a Site ........................................................................................................................ 11

Figure 4 – Site Added ............................................................................................................................ 12

Figure 5 – Unconfigured Feeds ............................................................................................................. 13

Figure 6 – Configure Feed ..................................................................................................................... 14

Figure 7 – Configured Feed .................................................................................................................. 14

Figure 8 – Downloaded Feed ................................................................................................................ 15

Figure 9 – Indicator Catalog .................................................................................................................. 16

Figure 10 – Specific Indicator ............................................................................................................... 17

Figure 11 – Observable Catalog ............................................................................................................ 18

Figure 12 – Specific Observable ............................................................................................................ 19

Figure 13 – Adapters Installed .............................................................................................................. 20

Figure 14 – CSV Indicators Import ........................................................................................................ 21

Figure 15 – CSV Indicators Preview ...................................................................................................... 22

Figure 16 ‐ Soltra Edge STIX/TAXII Integrations.................................................................................... 24


Revision: 1.0 Final

March 2015 Bell Canada vi


Revision: 1.0 Final

March 2015 Bell Canada 1

1.0 Introduction

Cyber threat intelligence has received a great deal of publicity of late. This is not surprising given the

number of high profile cyber attacks that have figured prominently in the news over the past year.

President Obama recently (February 2015) signed an executive order to improve the sharing of

cyber threat information within the private sector and between the private sector and government.

Specifically, the executive order enables the Department of Homeland Security (DHS) to share

classified intelligence with the private sector and to develop standards to facilitate the sharing of

cyber threat information.1 Later the same month, President Obama announced the establishment of

a cyber threat intelligence integration center “aimed at coordinating ongoing federal efforts to

counter hackers and other cyber threats aimed at the U.S. government and private industry”.2

1.1 Background

The Centre for Operational Research and Analysis (CORA), which is a Defence Research &

Development Canada (DRDC) research centre for systems analysis and operational research, is in the

process of characterizing threat and building a Department of National Defence (DND)‐specific cyber

threat model. The aggregation of cyber threat intelligence information from a variety of reputable

sources and the ability to act on this information are likely to be important aspects of the overall

cyber threat model being developed.

1.2 Purpose

Soltra Edge is intended to serve as the intelligence hub for an organization, connecting to all threat

intelligence communities and providing actionable data back to the organization’s environment for

integration with internal security tools/appliances. The intent is that Soltra Edge will allow

organizations to receive, store and send cyber security threat intelligence automatically, allowing

these organizations to better deploy safeguards against a potential cyber attack.

1 This announcement is mentioned in numerous locations including

http://www.politico.com/story/2015/02/obama‐cyberthreat‐executive‐order‐115187.html

2 This announcement is mentioned in numerous locations including

http://www.washingtontimes.com/news/2015/feb/25/obama‐create‐new‐cyber‐threat‐center


Revision: 1.0 Final


The purpose of this report is to review and analyze the Soltra Edge Open Cyber Intelligence Platform

and its components (Structured Threat Information eXpression (STIX)/Trusted Automated eXchange

of Indicator Information (TAXII)).

1.3 Document Structure

This report consists of the following sections:

Section 1.0 – Introduction: provides an overview of the report;

Section 2.0 – Technical Overview: provides a high‐level overview of Soltra Edge including its

architecture, standards and capabilities;

Section 3.0 – Product Evaluation: documents the evaluation of the platform, including the

deployed environment, configured feeds, adapters and an assessment of the product;

Section 4.0 – Conclusions & Recommendations: summarizes the conclusions and

recommendations derived from the development of this report; and

Section 5.0 – Acronyms & Abbreviations: lists the acronyms and abbreviations used

throughout this report.


Revision: 1.0 Final


2.0 Technical Overview

The Security Automation Working Group (SAWG) within the Financial Services Information Sharing

and Analysis Center (FS‐ISAC) initiated a project code‐named Avalanche to champion the use of

standards‐based cyber threat intelligence sharing. In September 2014, FS‐ISAC and the Depository

Trust & Clearing Corporation (DTCC) announced a joint effort to “develop and market automation

solutions that advance cyber security capabilities and the resilience of critical infrastructure

organizations”. The resulting solution, Soltra Edge, is based on the requirements, standards and

overall roadmap from the SAWG group within FS‐ISAC. This section of the report will provide a

technical overview of the product, including an examination of its architecture, standards and

capabilities.

2.1 Architecture

Soltra Edge, which runs on CentOS 6.5 3 and utilizes MongoDB 4 for storage, is administered through

a web interface. In terms of cyber threat intelligence services, Soltra Edge can be configured to

accept structured (e.g., STIX/TAXIII) threat intelligence feeds and other file types through adapters.

The threat information can be managed and then exported in STIX format to various STIX‐

compatible security tools/appliances including firewalls or proxy servers, Mail Transfer Agents

(MTAs) and Security Incident and Event Management (SIEMs). It is the security appliances that are

responsible for taking the threat information provided by Soltra Edge and acting upon it. For

example, a list of malicious URLs could be sent to firewalls/proxy servers, which would then proceed

to block traffic originating from those network addresses. The Soltra Edge Cyber Intelligence

Platform is illustrated in Figure 1.

3 CentOS is an open source Linux distribution derived from the sources of Red Hat Enterprise Linux

(RHEL). Additional information on CentOS can be found at http://www.centos.org

4 MongoDB (from “humongous”) is an open‐source document database, and the leading NoSQL

database. Additional information on MongoDB can be found at http://www.mongodb.org

Marc

2.2 Soltra

Specif

Note

It sho

by So

devel

comp

stand

•

comp

analys

defen

ch 2015

Standa

a Edge is inten

fically, it curr

Structured

Trusted Au

Traffic Ligh

– Other Cybe

uld be noted

ltra Edge. W

opment of th

anies and the

ards identifie

Common A

rehensive dic

sts, develope

nces;

Fi

ards

nded to supp

ently support

d Threat Infor

utomated eXc

htweight Prot

er Threat Stan

that there ar

hile there are

his report. Inte

en transitione

ed include the

Attack Pattern

ctionary and c

ers, testers, an

B

gure 1 – Soltra E

ort a variety o

ts the followi

rmation eXpre

change of Ind

tocol (TLP).

ndards

re other cybe

e likely many

erestingly en

ed to the ope

e following:

n Enumeratio

classification

nd educators

Soltra Ed

Bell Canada

Edge Cyber Inte

of open stand

ng standards

ession (STIX);

dicator Inform

r threat stand

such standar

ough, most o

n source com

on and Classif

taxonomy of

to advance c

dge Open C

a

elligence Platfor

dards for cybe

:

mation (TAXII)

dards that ar

rds, a few wer

of these stand

mmunity to va

fication (CAPE

f known attac

community un

Cyber IntelliRe

m

er threat info

); and

e supported t

re identified d

dards have or

arious degree

EC) – CAPEC

cks that can b

nderstanding


ormation shar

to varying de

during the

riginated in pr

es. The other

C is a

be used by

g and enhance

tform Final

4

ring.

grees

rivate

e


Revision: 1.0 Final


Cyber Information Sharing and Collaboration Program (CISCP) 5 ‐ The Critical Infrastructure

and Key Resource (CIKR) CISCP is a DHS program to improve the security posture of organizations by

providing threat data in the form of indicator bulletins, analysis bulletins, alert bulletins and

recommended practices to participating organizations. It should be noted that Soltra Edge supports

the conversion of CISCP indicators to a STIX list through the use of an adapter;

Cyber Observable eXpression (CybOX) 6 – CybOX is a standardized schema for the

specification, capture, characterization, and communication of events or stateful properties that are

observable in the operational domain. It should be noted that STIX uses CybOX language to describe

observables;

alware Attribute Enumeration and Characterization (MAEC) 7 – MAEC is a standardized

language for encoding and communicating high‐fidelity information about malware based upon

attributes such as behaviours, artefacts, and attack patterns. It should be noted that STIX can

describe malware using MAEC characterizations through the use of the MAEC schema extension;

OpenIOC8 9 – OpenIOC is an extensible XML schema for the description of technical

characteristics that identify a known threat, an attacker’s methodology, or other evidence of

compromise. It should be noted that STIX provides a default extension for OpenIOC; and

Open Threat eXchange (OTX) 10 – OTX is an open threat information sharing and analysis

network that provides real‐time, actionable cyber threat information.

5 Additional information on CISCP can be found at

http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2013‐

06/ispab_june2013_menna_ciscp_one_pager.pdf

6 Additional information on CybOX can be found at https://cybox.mitre.org and

https://github.com/CybOXProject

7 Additional information on MAEC can be found at http://maec.mitre.org and

http://maecproject.github.io

8 IOC stands for Indicators of Compromise

9 Additional information on OpenIOC can be found at http://www.openioc.org

10 Additional information on OTX can be found at https://www.alienvault.com/open‐threat‐

exchange


Revision: 1.0 Final


2.2.1 STIX STIX 11 is a collaborative community‐driven effort to define and develop a standardized language to

represent structured cyber threat information. STIX characterizes an extensive set of cyber threat

information, to include indicators of adversary activity (e.g., IP addresses and file hashes) as well as

additional contextual information regarding threats (e.g., adversary Tactics, Techniques and

Procedures [TTPs]; exploitation targets; Campaigns; and Courses of Action [COA]) that together more

completely characterize the cyber adversary’s motivations, capabilities, and activities, and thus, how

to best defend against them.12 STIX, which is XML‐based, is sponsored by the office of Cybersecurity

and Communications at the DHS. Soltra Edge supports the latest version (version 1.1.1) of STIX,

including all 1.1.1 objects.

Since STIX basically provides a common language for describing cyber threat information so that it

can be automatically shared, stored and used consistently, the following STIX definitions 13 have

been included in the report:

Observable ‐ An Observable is an event or stateful property that is observed or may be

observed in the operational cyber domain, such as a registry key value, an IP address,

deletion of a file, or the receipt of an http GET. STIX uses Cyber Observable eXpression

(CybOX) to represent Observables;

Indicator ‐ An Indicator is a pattern of relevant observable adversary activity in the

operational cyber domain along with contextual information regarding its interpretation

(e.g., this domain has been compromised, this email is spoofed, this file hash is associated

with this trojan, etc.), handling, etc. An Observable pattern captures what may be seen; the

Indicator enumerates why this is Observable pattern is of interest;

11 Additional information on STIX can found at https://stix.mitre.org and

https://github.com/STIXProject Samples of STIX content can be found at

https://stix.mitre.org/language/version1.0.1/samples.html

12 https://stix.mitre.org/about/faqs.html#A1

13 These definitions are STIX language definitions that were taken directly from

http://stix.mitre.org/about/faqs.html#B1


Revision: 1.0 Final


Incident ‐ An Incident is a set of related system and network activity that is associated with

the same adversary activity and/or attack along with contextual information such as who is

involved, when it occurred, what was affected, what was the impact, what actions were

taken in response, etc.;

TTP ‐ Tactics, Techniques and Procedures are a representation of the behaviour or modus

operandi of a cyber adversary including the use of particular attack patterns, malware,

exploits, tools, infrastructure, or the targeting of particular victims;

ExploitTarget ‐ An ExploitTarget is something about a potential victim that may make them

susceptible to a particular adversary TTP (e.g., a system vulnerability, weakness or

configuration issue);

CourseOfAction ‐ A CourseOfAction captures a particular action that could be taken to

prevent, mitigate or remediate the effects of a given cyber threat. These actions could be

remedial to proactively address known issues a priori or could be responses to specific

adversary activity;

Campaign ‐ A Campaign is a set of related adversary activity, to include TTPs, indicators,

exploit targets, and incidents. It characterizes the modus operandi of a particular adversary

in executing a particular intent; and

ThreatActor ‐ A ThreatActor is a cyber adversary and his or her known characteristics. It is

who is perpetrating the cyber attacks.

2.2.2 TAXII TAXII 14 defines a set of services and message exchanges that, when implemented, enable sharing of

actionable cyber threat information across organization and product/service boundaries.

Specifically, TAXII defines an XML data format and message protocols (Hypertext Transfer Protocol

(HTTP)/Hypertext Transfer Protocol Secure (HTTPS)) for transporting STIX information. TAXII is

14 Additional information on TAXII can be found at https://taxii.mitre.org and

https://github.com/TAXIIProject


Revision: 1.0 Final


sponsored by the office of Cybersecurity and Communications at the DHS. Soltra Edge supports the

latest version (version 1.1) of TAXII.

2.2.3 TLP TLP 15, which was developed by the U.S. Computer Emergency Readiness Team (US‐CERT), is a

simple standard that is used to control the dissemination of shared data. It uses four distinct colours

to distinguish how the information may be shared. Data that is tagged white can be distributed

without restriction. Data that is tagged green can be shared within the community, but not publicly.

Data that is tagged amber can only be shared within an organization. Data that is tagged red cannot

be shared. TLP has been adopted within Soltra Edge to allow automated filtering of data by

sensitivity level and for user access control.

2.3 Capabilities

Soltra Edge is intended to be an aggregator of cyber threat intelligence information and the primary

data store for structured intelligence within an organization. Consequently, it is intended to accept

cyber intelligence feeds, in the form of STIX/TAXII feeds, from a variety of sources including the

following:

Commercial Feeds – Commercial feeds are feeds that are purchased from professional

intelligence providers;

Organizational Feeds – Organizational feeds are feeds that exist within the organizational

environment;

Open Source Feeds – Open source feeds are Open Source Intelligence (OSINT) feeds

provided by the open source community;

Community Feeds – Community feeds are feeds provided by business partners, associates,

sharing communities or Information Sharing and Analysis Centers (ISACs); and

Government Feeds – Government feeds are typically provided by the federal government

for the benefit of private industry.

Soltra Edge is also capable of manually importing threat information using the web interface from a

Comma‐Separated Values (CSV) file, a STIX file or CISCP indicators. In addition, organizations can

export data from Soltra Edge in STIX formatted XML. Soltra has also demonstrated the creation of

15 Additional information on TLP can be found at https://www.us‐cert.gov/tlp


Revision: 1.0 Final


SNORT 16 rules from threat intelligence data. This was accomplished using a SNORT adapter that has

yet to be released.

16 SNORT is an open source, lightweight network intrusion detection system. Additional information

on SNORT can be found at https://www.snort.org

Marc

3.0 This s

will de

the so

3.1 Soltra

enviro

Febru

deplo

the la

identi

was s

ch 2015

Produ

ection will do

escribe the d

olution.

Deploy

a Edge was do

onment. The

uary 2015. Ho

oyed environm

test release.

ified bugs. It

eamless. The

uct Evaluat

ocument the

eployed envi

yed Environ

ownloaded an

initial evalua

owever, versi

ment was upg

Version 2.1.

is worth men

e successful u

B

tion

results of the

ronment, con

nment

nd deployed a

tion was of S

on 2.1.1 of So

graded to this

1 contains ma

ntioning that

upgrade of the

Figure 2

Soltra Ed

Bell Canada

e product eva

nfiguring feed

as a VMware

oltra Edge 2.1

oltra Edge wa

s version so th

any security u

the upgrade

e Soltra Edge

2 – Soltra Edge U

dge Open C

a

luation perfo

ds, installing a

Virtual Mach

1, which was

as released on

hat the evalu

updates as w

process, whic

e can be seen

Upgrade

Cyber IntelliRe

ormed. Specif

adapters, and

hine (VM) in a

available for

n 24 February

ation could b

ell as fixes fro

ch is accompl

as Figure 2.


fically, this se

d an assessme

a virtualized la

download as

y 2015. The

be completed

om member

lished using y

tform Final

10

ction

ent of

ab

s of 6

on

yum,

Marc

3.2 Soltra

produ

to the

Cyber

neces

The fi

was a

Site. F

config

ch 2015

Configu

a recommend

uct. Unfortun

e FS‐ISAC mem

r Threat Intell

ssary to config

rst step in th

dded as illust

Figure 4 show

gured.

ured Feeds

ds configuring

nately, one of

mbership. Th

ligence feeds

gure this feed

e process of c

trated in Figu

ws that the sit

B

g two STIX/TA

f the two reco

he remaining

in STIX forma

d on Soltra Ed

configuring a

re 3. The Add

te has been a

Figu

Soltra Ed

Bell Canada

AXII feeds in o

ommended fe

feed, Hail a T

at. This sectio

dge.

feed is to ad

d Site window

dded but tha

ure 3 – Adding a

dge Open C

a

order to start

eeds, FS‐ISAC

TAXII.com, is a

on of the repo

d a site. In th

w is accessible

t no feeds fro

Site

Cyber IntelliRe

experimentin

C intelligence,

a repository o

ort will docum

his case, the H

e through Adm

om the site ha


ng with their

is only availa

of Open Sour

ment the step

Hailataxii.com

min – Sites –

ave been

tform Final

11

able

ce

ps

m site

Add

Marc

The n

availa

emerg

manu

ch 2015

ext step is to

able from the

ging threats f

ually. This is il

configure fee

hailataxii site

feed was sele

lustrated in F

B

Fig

eds from the

e. One merel

cted for conf

Figure 6.

Soltra Ed

Bell Canada

ure 4 – Site Add

remote site.

ly clicks to co

figuration. Fee

dge Open C

a

ded

Figure 5 show

nfigure the fe

eds can be se

Cyber IntelliRe

ws the ten un

eed of choice

et to update a


nconfigured fe

e. In this case

automatically

tform Final

12

eeds

e, the

y or

Marc

ch 2015 B

Figure 5

Soltra Ed

Bell Canada

5 – Unconfigured

dge Open C

a

d Feeds

Cyber IntelliRe


tform Final

13

Marc

The co

inform

seen i

ch 2015

onfigured fee

mation can be

in Figure 8.

ed can be see

e downloaded

B

Figur

n in Figure 7.

d for this feed

Figure

Soltra Ed

Bell Canada

re 6 – Configure

. By clicking o

d. The succes

e 7 – Configured

dge Open C

a

Feed

on “poll now”

ssful completi

d Feed

Cyber IntelliRe

the latest th

ion of this op


reat intelligen

eration can b

tform Final

14

nce

be

Marc

Once

for th

admin

2.2.1)

packa

For ex

be see

doma

indica

Conse

indica

seen i

malw

The o

in Figu

Doma

denot

12. Un

availa

catalo

17 A d

http:/

ch 2015

a site has bee

e feed, an ex

nistrators to b

) including ca

ages, threat a

xample, the in

en in Figure 9

ain watchlist,

ator. Most ind

equently, this

ators listed in

in Figure 10.

are.17

bservable cat

ure 11. The re

ainNameObje

te observed e

nfortunately,

able. This lack

og from the H

escription of

//www.arbor

en added, a f

amination of

browse the ca

mpaigns, cou

ctors and TTP

ndicator cata

9. The reader

URL watchlist

dicators are u

s information

the catalog,

Apparently, t

talog, which i

eader will not

ectType, URIO

events in the

aside from a

k of additiona

Hail a TAXII.co

the Athena m

networks.com

B

Figure

feed configure

f the threat in

atalog of obje

urses of action

Ps.

log, which is

will note tha

t indicators. T

used to denot

could be use

there is addit

this site is be

is simply a list

te that there

ObjectType an

operational c

a domain nam

al information

om feed.

malware is av

m/asert/2013

Soltra Ed

Bell Canada

8 – Downloade

ed and the th

ntelligence inf

ects by any of

n, exploit targ

simply a list o

t of the indica

The remainin

te domains or

ed to update f

tional informa

ing used as a

t of observab

are three typ

nd AddressOb

cyber domain

me for a botne

n was standar

ailable at

3/11/athena‐a

dge Open C

a

d Feed

hreat intellige

formation is p

f the STIX par

gets, incident

of indicators f

ators listed in

g indicator is

r IPs that hav

firewalls and

ation availab

command an

bles from the

pes of observ

bjectType. Mo

n. A specific o

et site there i

rd across the

a‐ddos‐malw

Cyber IntelliRe

ence informat

possible. Solt

rameters (disc

ts, indicators,

from the con

n Figure 9, all

an IP watchl

e been comp

proxy servers

le. A specific

nd control sit

configured fe

ables listed in

ost observabl

bservable can

s no addition

observables

ware‐odyssey


tion dowload

ra Edge allow

cussed in Sec

observables,

figured feeds

but one are

ist, URL watc

promised.

s. For each of

indicator can

e for Athena

eeds, can be s

n Figure 11;

les are used t

n be seen in F

nal informatio

listed in the

tform Final

15

ed

ws

ction

,

s, can

hlist

f the

n be

seen

to

Figure

on

Marc

ch 2015 B

Figure

Soltra Ed

Bell Canada

e 9 – Indicator Ca

dge Open C

a

atalog

Cyber IntelliRe


tform Final

16

Marc

ch 2015 B

Figure

Soltra Ed

Bell Canada

10 – Specific Ind

dge Open C

a

dicator

Cyber IntelliRe


tform Final

17

Marc

ch 2015 B

Figure 1

Soltra Ed

Bell Canada

11 – Observable

dge Open C

a

Catalog

Cyber IntelliRe


tform Final

18

Marc

3.3 Soltra

conve

threat

were

Appar

additi

Altho

separ

of res

respo

can b

ch 2015

Adapte

a has made av

ersion of CISC

t information

unable to tes

rently, US‐Ce

ion, the CSV a

ugh this prob

ate forums),

solution for th

onsive in reso

e seen in Figu

ers

vailable two a

CP indicators t

n. The two ad

st the CISCP a

rt files are cla

adapter failed

blem has been

at the time o

his issue is so

lving outstan

ure 14 and Fig

B

Figure 1

adapters for d

to a STIX list,

dapters were

adapter as no

assified TLP A

d to import th

n reported to

of writing this

mewhat surp

ding issues. T

gure 15 respe

Soltra Ed

Bell Canada

12 – Specific Obs

download on

while the oth

both installed

CISCP indicat

Amber meanin

he CSV test fil

o Soltra (by th

problem had

prising given t

The import an

ectively.

dge Open C

a

servable

their site. O

her allows for

d successfully

tor file has be

ng that they c

le provided. I

hree other me

d yet to be res

that Soltra sta

nd preview o

Cyber IntelliRe

ne adapter su

r the import o

y (see Figure

een made ava

cannot be sha

t resulted in a

embers of the

solved by Sol

aff are usually

f the CSV ind


upports the

of CSV‐based

13). Howeve

ailable for tes

ared publicly.

an adapter er

e forum unde

tra staff. The

y extremely

icators test fi

tform Final

19

r, we

sting.

. In

rror.

er two

lack

ile

Marc

ch 2015 B

Figure 1

Soltra Ed

Bell Canada

13 – Adapters In

dge Open C

a

nstalled

Cyber IntelliRe


tform Final

20

Marc

ch 2015 B

Figure 14

Soltra Ed

Bell Canada

4 – CSV Indicator

dge Open C

a

rs Import

Cyber IntelliRe


tform Final

21

Marc

3.4 This s

3.4.Soltra

The fr

conta

under

comm

Febru

releas

ch 2015

Assessm

ection of the

Release Cy

User Comm

Functional

Alternative

.1 Releaa Edge will ev

ree communi

in “the featu

rgone a numb

mitment to th

uary 2015 and

sed once the

ment

report will as

ycle;

munity;

lity; and

es.

ase Cycleentually be re

ty version, w

res most nee

ber of release

e product. V

d version 2.1.

product has m

B

Figure 15

ssess Soltra E

e eleased in tw

hich is the ve

ded by many

e cycles in a re

ersion 2.0 wa

1 on 24 Febru

matured, will

Soltra Ed

Bell Canada

– CSV Indicator

Edge in terms

o versions; a

ersion that is c

y organization

elatively shor

as released on

uary 2015. Th

l “support the

dge Open C

a

rs Preview

of the follow

free commun

currently ava

ns”. This vers

rt period of ti

n 4 Decembe

he paid versio

e requiremen

Cyber IntelliRe

wing:

nity version a

ilable for dow

sion of Soltra

me, demonst

er 2014, versio

on, which will

nts of larger e


and a paid ver

wnload, will

Edge has

trating Soltra

on 2.1 on 6

be presumab

entities”. In al

tform Final

22

rsion.

’s

bly

l


Revision: 1.0 Final


likelihood this will create a two‐tiered solution in which users of the community version are forced

to upgrade to the paid version to take advantage of additional functionality.

3.4.2 User Community The Soltra Edge user community currently has 1720 members who have made in excess of eight

hundred posts on the Soltra forum.18 Given the relative infancy of the product these numbers are

quite impressive. Furthermore, the Soltra staff (technical and business) are quite responsive in

addressing both technical problems and business‐related issues.

3.4.3 Functionality In terms of functionality, Soltra Edge is currently somewhat hindered at this point due to its close

integration with STIX/TAXII due to the lack of available threat intelligence feeds in this format and

the relative lack of availability of security tools/appliances supporting these standards. A list of

intelligence providers and security tool vendors that have validated STIX/TAXII implementations and

integration with Soltra Edge is available on the Soltra site.19 Unfortunately, the list, which was last

updated on 18 December 2014, is not extensive. The list has also been included as Figure 16.

However, it is worth mentioning that what current functionality is provided by Soltra Edge in terms

of supporting/configuring STIX/TAXII feeds and aggregating/storing threat intelligence information

seems to work quite well. Furthermore, the product is quite stable and quite easy to use.

18 The Soltra Edge forum is available at https://forums.soltra.com

19 The Soltra Edge STIX/TAXII integrations list is available at

https://forums.soltra.com/index.php?/topic/196‐vendor‐stix‐taxii‐integrations/

Marc

3.4.This r

Specif

Soltra

3.

Micro

worki

there

20 This

http:/

sharin

http:/

21 Add

https:

ch 2015

.4 Alterneport would

fically, this se

a Edge:

Microsoft

ThreatCon

Vorstack A

.4.4.1 M

osoft announc

ng in cyberse

has been ver

s announcem

//www.darkre

ng‐platform/d

//blogs.techn

ditional inform

://technet.mi

natives be remiss if it

ection of the r

Interflow;

nnect; and

Automation a

Microsoft In

ced 20 their se

ecurity, called

ry little additi

ment can be fo

eading.com/a

d/d‐id/12787

et.com/b/ms

mation on the

icrosoft.com/

B

Figure 16 ‐ Soltr

t did not men

report will pro

nd Collaborat

nterflow

ecurity and th

d Microsoft In

ional informa

ound in many

analytics/thre

81 and

src/archive/20

e Microsoft In

/en‐us/library

Soltra Ed

Bell Canada

ra Edge STIX/TA

ntion cyber th

ovide a brief

tion Platform

hreat informa

nterflow 21, in

tion provided

y places includ

eat‐intelligenc

014/06/23/a

nterflow Platf

y/dn750892.a

dge Open C

a

AXII Integrations

hreat intellige

overview of t

m (ACP).

ation exchang

June 2014. U

d except that

ding

ce/microsoft‐

nnouncing‐m

form can be f

aspx

Cyber IntelliRe

s

ence platform

the following

ge platform fo

Unfortunately

t the platform

‐unveils‐new

microsoft‐inte

found at


m alternatives

g alternatives

or professiona

y, since that d

m is currently

‐intelligence‐

rflow.aspx

tform Final

24

.

to

als

date

‐


Revision: 1.0 Final


available for private preview. Interflow uses industry specifications to create an automated,

machine‐readable feed of threat and security information that can be shared across industries and

groups in near real‐time. The goal of the platform is to help security professionals respond more

quickly to threats. It will also help reduce cost of defense by automating processes that are currently

performed manually.22 In terms of industry specifications, Interflow will support STIX, TAXII and

CybOX. It will also provide a means to feed threat and security information into firewalls, Intrusion

Detection Systems (IDS), Intrusion Prevention Systems (IPS), and SIEMS. Interflow will run on the

Microsoft Azure public cloud. While the data feeds will be free, organizations will require an Azure

subscription to receive them.

3.4.4.2 ThreatConnect

ThreatConnect 23 is a threat intelligence platform that allows an organization to aggregate, analyze,

and act on all of the threat intelligence data it receives. While ThreatConnect supports the ingest of

multiple data formats, including emerging standards such as STIX, the focus seems to be on

integration with commercial threat intelligence feeds (e.g., CrowdStrike’s Falcon Intelligence,

iSIGHT’s ThreatScape, Wapack Labs ThreatRecon) and products. There is a free community version,

along with three paid versions (basic, team and enterprise) of the product. ThreatConnect also

supports a variety of deployment models, including on‐premises, private cloud and public cloud.

3.4.4.3 Vorstack ACP

Vorstack ACP 24 connects to third‐party (e.g., HP ArcSight, IBM QRadar, RSA Security Analytics,

Splunk) SIEM and security log management tools to automate the ingestion, querying and reporting

of threat intelligence data. Specifically, Vorstack ACP can automate the queries against these log

management and analytics tools and then correlate the responses against other data points. The

product supports STIX/TAXII, even providing a bridge to other software (e.g., Hadoop) so that the

software doesn’t have to support the standards directly.

22 http://blogs.technet.com/b/msrc/archive/2014/06/23/announcing‐microsoft‐interflow.aspx

23 Additional information on ThreatConnect can be found at http://www.threatconnect.com

24 Additional information of Vorstack ACP can be found at https://vorstack.com


Revision: 1.0 Final


4.0 Conclusion & Recommendations

The Centre for Operational Research and Analysis (CORA), which is a Defence Research &

Development Canada (DRDC) research centre for systems analysis and operational research, is in the

process of characterizing threat and building a Department of National Defence (DND)‐specific cyber

threat model. The aggregation of cyber threat intelligence information from a variety of reputable

sources and the ability to act on this information are likely to be important aspects of the overall

cyber threat model being developed.

Soltra Edge is intended to serve as the intelligence hub for an organization, connecting to all threat

intelligence communities and providing actionable data back to the organization’s environment for

integration with internal security tools/appliances. The intent is that Soltra Edge will allow

organizations to receive, store and send cyber security threat intelligence automatically, allowing

these organizations to better deploy safeguards against a potential cyber attack.

To realize these goals, Soltra Edge has been designed to support the STIX/TAXII standards almost

exclusively. While this may prove to be the prudent long‐term approach, as these standards seem

to be getting a considerable amount of traction, it does limit what can be accomplished in the short‐

term due to the lack of STIX/TAXII threat intelligence feeds and STIX/TAXII‐compliant security

tools/appliances. It is anticipated that as Soltra Edge matures it will increase its support for

commercial feeds and security tools/appliances, thus improving its overall utility as the central

threat intelligence hub for an organization.

This report makes the following recommendations:

DRDC should continue to actively monitor Soltra Edge and STIX/TAXII development;

DRDC should review and analyze the community version of ThreatConnect to ascertain how

it compares to Soltra Edge; and

DRDC should implement a virtualized, cyber threat intelligence proof‐of‐concept to

demonstrate cyber threat intelligence capabilities and how they can be used to

automatically configure an organization’s security tools/appliances to thwart a cyber attack.


Revision: 1.0 Final


5.0 Acronyms & Abbreviations

ACP Automation and Collaboration Platform

CAPEC Common Attack Pattern Enumeration and Classification

CERT Computer Emergency Readiness Team

CIKR Critical Infrastructure and Key Response

CISCP Cyber Information Sharing and Collaboration Program

COA Courses of Action

CORA Centre for Operational Research and Analysis

CSV Comma Separated Values

CyBOX Cyber Observable eXpression

DHS Department of Homeland Security

DRDC Defence Research & Development Canada

DTCC Depository Trust & Clearing Corporation

FS‐ISAC Financial Services Information Sharing and Analysis Center

HTTP Hypertext Transfer Protocol

HTTPS Hypertext Transfer Protocol Secure

IDS Intrusion Detection System

IOC Indicators of Compromise

IPS Intrusion Prevention System

ISAC Information Sharing and Analytics Center

MAEC Malware Attribute Enumeration and Characterization


Revision: 1.0 Final


MTA Mail Transfer Agent

OSINT Open Source Intelligence

OTX Open Threat eXchange

RHEL Red Hat Enterprise Linux

SAWG Security Automation Working Group

SIEM Security Incident and Event Management

STIX Structured Threat Information eXpression

TAXII Trusted Automated eXchange of Indicator Information

TLP Traffic Lightweight Protocol

TTPs Tactics, Techniques and Procedures

VM Virtual Machine

Soltra edge open cyber intelligence platform...

Documents

Transcript of Soltra edge open cyber intelligence platform...