OneFirewall supports STIX 2.0

Wednesday, Oct 21, 2020 | Tags: STIX, STIX2

Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange Cyber Threat Intelligence (CTI). Since September 2020, OneFirewall Alliance (OFA) has offered its Cyber Threat Intelligence feeds in STIX v2.0 format as well. This is great news for us, as we are now able to integrate CTI feeds that use the STIX format, and it is also great for our alliance members and customers, who can now read our feeds in the standard STIX v2.0 format.

At the time of writing this article OneFirewall offers Threat intelligence in three formats:

Active Feeds

Contains the minimum information, mainly used by the World Crime Feeds (WCF) Agent to block malicious traffic directed at the alliance members' networks. The information provided in this format is the minimum indispensable intel for protecting a network against cyber-attacks.

Using the publicly available API (a license is needed for real-time data), you will be able to extract information similar to the payload shown below:


Full Feeds

Similar to the active feeds, OneFirewall Alliance provides the same information in an extended version, including the motivation, tags, and the number of members and CTI events captured by the platform and the alliance members.

The full information is available via the same API: it is enough to pass the value ‘yes’ in the ‘full’ variable of the GET request, which returns the same information as the payload example below:

You can learn more about how to use the API in the API Documentation.


STIX2.0 Feeds

While we were working on the Cyber Threat Alliance, we started a project to offer OneFirewall Feeds in STIX 2.0 format. This work has since been appreciated by established customers who needed to receive feeds in a standard format. Therefore, since September 2020, OneFirewall Alliance offers feeds in STIX version 2.0. At the moment we support only Attack Patterns (mainly due to the nature of our threat intelligence), but our roadmap includes extending the patterns to cover more intelligence.

Example of Attack Pattern


{
  "type": "bundle",
  "spec_version": "2.0",
  "id": "bundle--657b1ffc-94cc-460f-8571-2d3ef55e39fc",
  "objects": [
    {
      "id": "attack-pattern--6b7b7196-42d1-41c6-823f-f9e29397b9c6",
      "name": "External Remote Services",
      "created_by_ref": "identity--dfc487b4-7606-403a-8679-bf2274baf8fa",
      "type": "attack-pattern",
      "created": "2017-05-31T21:31:44.421Z",
      "modified": "2020-06-19T20:07:09.600Z",
      "revoked": false,
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1133",
          "url": "https://attack.mitre.org/techniques/T1133"
        },
        {
          "external_id": "CAPEC-555",
          "source_name": "capec",
          "url": "https://capec.mitre.org/data/definitions/555.html"
        },
        {
          "url": "https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/",
          "description": "Adair, S. (2015, October 7). Virtual Private Keylogging: Cisco Web VPNs Leveraged for Access and Persistence. Retrieved March 20, 2017.",
          "source_name": "Volexity Virtual Private Keylogging"
        }
      ],
      "description": "Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) can also be used externally.\n\nAccess to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.",
      "kill_chain_phases": [
        {
          "kill_chain_name": "mitre-attack",
          "phase_name": "persistence"
        },
        {
          "kill_chain_name": "mitre-attack",
          "phase_name": "initial-access"
        }
      ],
      "x_mitre_is_subtechnique": false,
      "x_mitre_platforms": [
        "Windows",
        "Linux"
      ],
      "x_mitre_permissions_required": [
        "User"
      ],
      "x_mitre_detection": "Follow best practices for detecting adversary use of [Valid Accounts](https://attack.mitre.org/techniques/T1078) for authenticating to remote services. Collect authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours.",
      "x_mitre_data_sources": [
        "Authentication logs"
      ],
      "x_mitre_contributors": [
        "Daniel Oakley",
        "Travis Smith, Tripwire"
      ],
      "x_mitre_version": "2.1"
    },
    {
      "id": "attack-pattern--2a337b4b-1579-4cee-a4e1-70f835d059e9",
      "name": "Network Sniffing",
      "created_by_ref": "identity--dfc487b4-7606-403a-8679-bf2274baf8fa",
      "type": "attack-pattern",
      "created": "2017-05-31T21:30:41.399Z",
      "modified": "2020-03-25T21:03:49.610Z",
      "revoked": false,
      "external_references": [
        {
          "source_name": "mitre-attack",
          "url": "https://attack.mitre.org/techniques/T1040",
          "external_id": "T1040"
        },
        {
          "external_id": "CAPEC-158",
          "source_name": "capec",
          "url": "https://capec.mitre.org/data/definitions/158.html"
        }
      ],
      "description": "Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.\n\nNetwork sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.",
      "kill_chain_phases": [
        {
          "kill_chain_name": "mitre-attack",
          "phase_name": "credential-access"
        },
        {
          "kill_chain_name": "mitre-attack",
          "phase_name": "discovery"
        }
      ],
      "x_mitre_version": "1.1",
      "x_mitre_data_sources": [
        "Network device logs",
        "Host network interface",
        "Netflow/Enclave netflow",
        "Process monitoring"
      ],
      "x_mitre_detection": "Detecting the events leading up to sniffing network traffic may be the best method of detection. From the host level, an adversary would likely need to perform a man-in-the-middle attack against other devices on a wired network in order to capture traffic that was not to or from the current compromised system. This change in the flow of information is detectable at the enclave network level. Monitor for ARP spoofing and gratuitous ARP broadcasts. Detecting compromised network devices is a bit more challenging. Auditing administrator logins, configuration changes, and device images is required to detect malicious changes.",
      "x_mitre_permissions_required": [
        "Administrator",
        "SYSTEM"
      ],
      "x_mitre_platforms": [
        "Linux",
        "macOS",
        "Windows"
      ],
      "x_mitre_system_requirements": [
        "Network interface access and packet capture driver"
      ],
      "x_mitre_is_subtechnique": false
    },
    {
      "id": "attack-pattern--5feeb7cb-274c-400f-a88a-a57764ff9f59",
      "name": "Default Accounts",
      "created_by_ref": "identity--dfc487b4-7606-403a-8679-bf2274baf8fa",
      "type": "attack-pattern",
      "created": "2020-03-13T20:15:31.974Z",
      "modified": "2020-03-23T21:37:34.567Z",
      "revoked": false,
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1078.001",
          "url": "https://attack.mitre.org/techniques/T1078/001"
        },
        {
          "source_name": "Microsoft Local Accounts Feb 2019",
          "url": "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts",
          "description": "Microsoft. (2018, December 9). Local Accounts. Retrieved February 11, 2019."
        },
        {
          "source_name": "Metasploit SSH Module",
          "url": "https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/ssh",
          "description": "undefined. (n.d.). Retrieved April 12, 2019."
        }
      ],
      "description": "Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems or default factory/provider set accounts on other types of systems, software, or devices.(Citation: Microsoft Local Accounts Feb 2019)\n\nDefault accounts are not limited to client machines, rather also include accounts that are preset for equipment such as network devices and computer applications whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen [Private Keys](https://attack.mitre.org/techniques/T1552/004) or credential materials to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021).(Citation: Metasploit SSH Module)",
      "kill_chain_phases": [
        {
          "kill_chain_name": "mitre-attack",
          "phase_name": "defense-evasion"
        },
        {
          "kill_chain_name": "mitre-attack",
          "phase_name": "persistence"
        },
        {
          "kill_chain_name": "mitre-attack",
          "phase_name": "privilege-escalation"
        },
        {
          "kill_chain_name": "mitre-attack",
          "phase_name": "initial-access"
        }
      ],
      "x_mitre_version": "1.0",
      "x_mitre_is_subtechnique": true,
      "x_mitre_permissions_required": [
        "Administrator",
        "User"
      ],
      "x_mitre_detection": "Monitor whether default accounts have been activated or logged into. These audits should also include checks on any appliances and applications for default credentials or SSH keys, and if any are discovered, they should be updated immediately.",
      "x_mitre_data_sources": [
        "AWS CloudTrail logs",
        "Stackdriver logs",
        "Authentication logs",
        "Process monitoring"
      ],
      "x_mitre_platforms": [
        "Linux",
        "macOS",
        "Windows",
        "AWS",
        "GCP",
        "Azure",
        "Office 365",
        "Azure AD",
        "SaaS"
      ]
    },
    {
      "id": "attack-pattern--1d15994e-fe26-484a-ab68-037982803ccf",
      "name": "External Proxy",
      "created_by_ref": "identity--dfc487b4-7606-403a-8679-bf2274baf8fa",
      "type": "attack-pattern",
      "created": "2020-03-14T23:12:18.466Z",
      "modified": "2020-03-27T17:50:37.411Z",
      "revoked": false,
      "external_references": [
        {
          "source_name": "mitre-attack",
          "external_id": "T1090.002",
          "url": "https://attack.mitre.org/techniques/T1090/002"
        },
        {
          "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/",
          "description": "Wilhoit, K. (2013, March 4). In-Depth Look: APT Attack Tools of the Trade. Retrieved December 2, 2015.",
          "source_name": "Trend Micro APT Attack Tools"
        },
        {
          "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf",
          "description": "Gardiner, J.,  Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.",
          "source_name": "University of Birmingham C2"
        }
      ],
      "description": "Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion.\n\nExternal connection proxies are used to mask the destination of C2 traffic and are typically implemented with port redirectors. Compromised systems outside of the victim environment may be used for these purposes, as well as purchased infrastructure such as cloud-based resources or virtual private servers. Proxies may be chosen based on the low likelihood that a connection to them from a compromised system would be investigated. Victim systems would communicate directly with the external proxy on the Internet and then the proxy would forward communications to the C2 server.",
      "kill_chain_phases": [
        {
          "kill_chain_name": "mitre-attack",
          "phase_name": "command-and-control"
        }
      ],
      "x_mitre_platforms": [
        "Linux",
        "macOS",
        "Windows"
      ],
      "x_mitre_data_sources": [
        "Process use of network",
        "Process monitoring",
        "Network protocol analysis",
        "Netflow/Enclave netflow",
        "Packet capture"
      ],
      "x_mitre_detection": "Analyze network data for uncommon data flows, such as a client sending significantly more data than it receives from an external server. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)"
    },
    {
      "id": "indicator--51a3723f-5849-46a2-81e6-d0414aec22dc",
      "name": "indicator--OFA-RULE-GID-6MUIZgt8uUl9IiUa",
      "created_by_ref": "identity--dfc487b4-7606-403a-8679-bf2274baf8fa",
      "type": "indicator",
      "created": "2020-08-27T15:00:49.000Z",
      "modified": "2020-10-03T09:08:26.000Z",
      "revoked": false,
      "labels": [
        "malicious-activity",
        "anomalous-activity"
      ],
      "description": "OneFirewall indicator for 49.205.182.223",
      "pattern": "[ipv4-addr:value = '49.205.182.223']",
      "valid_from": "2020-08-27T15:00:49.000Z",
      "valid_until": "2020-10-03T09:08:26.000Z",
      "kill_chain_phases": [
        {
          "kill_chain_name": "lockheed-martin-cyber-kill-chain",
          "phase_name": "exploitation"
        }
      ]
    },
    {
      "id": "sighting--5a7e7e36-50e3-46d3-af29-ca1ec8550e68",
      "created_by_ref": "identity--dfc487b4-7606-403a-8679-bf2274baf8fa",
      "type": "sighting",
      "summary": false,
      "created": "2020-08-27T15:00:49.000Z",
      "modified": "2020-10-03T09:08:26.000Z",
      "revoked": false,
      "first_seen": "2020-10-03T09:08:26.000Z",
      "last_seen": "2020-10-03T09:08:26.000Z",
      "count": 1,
      "sighting_of_ref": "indicator--51a3723f-5849-46a2-81e6-d0414aec22dc"
    },
    {
      "source_ref": "indicator--51a3723f-5849-46a2-81e6-d0414aec22dc",
      "target_ref": "attack-pattern--5feeb7cb-274c-400f-a88a-a57764ff9f59",
      "id": "relationship--e3d5ef9f-ace9-4041-9052-37b683216899",
      "relationship_type": "indicates",
      "type": "relationship",
      "created": "2020-08-27T15:00:49.000Z",
      "modified": "2020-10-03T09:08:26.000Z",
      "created_by_ref": "identity--dfc487b4-7606-403a-8679-bf2274baf8fa",
      "spec_version": "2.0"
    },
    {
      "source_ref": "indicator--51a3723f-5849-46a2-81e6-d0414aec22dc",
      "target_ref": "attack-pattern--6b7b7196-42d1-41c6-823f-f9e29397b9c6",
      "id": "relationship--9f43cdbe-2cde-4195-aec8-e74aba79743a",
      "relationship_type": "indicates",
      "type": "relationship",
      "created": "2020-08-27T15:00:49.000Z",
      "modified": "2020-10-03T09:08:26.000Z",
      "created_by_ref": "identity--dfc487b4-7606-403a-8679-bf2274baf8fa",
      "spec_version": "2.0"
    },
    {
      "source_ref": "indicator--51a3723f-5849-46a2-81e6-d0414aec22dc",
      "target_ref": "attack-pattern--2a337b4b-1579-4cee-a4e1-70f835d059e9",
      "id": "relationship--2122a55f-0fef-4a99-a443-d7d2e93725ee",
      "relationship_type": "indicates",
      "type": "relationship",
      "created": "2020-08-27T15:00:49.000Z",
      "modified": "2020-10-03T09:08:26.000Z",
      "created_by_ref": "identity--dfc487b4-7606-403a-8679-bf2274baf8fa",
      "spec_version": "2.0"
    },
    {
      "source_ref": "indicator--51a3723f-5849-46a2-81e6-d0414aec22dc",
      "target_ref": "attack-pattern--1d15994e-fe26-484a-ab68-037982803ccf",
      "id": "relationship--6c10e88a-1554-470d-844d-37ccd8f58e3b",
      "relationship_type": "indicates",
      "type": "relationship",
      "created": "2020-08-27T15:00:49.000Z",
      "modified": "2020-10-03T09:08:26.000Z",
      "created_by_ref": "identity--dfc487b4-7606-403a-8679-bf2274baf8fa",
      "spec_version": "2.0"
    }
  ]
}
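
As an added example (not OneFirewall code), a small Python consumer for a bundle of this shape: it checks the spec_version, resolves each indicator's "indicates" relationships to the ATT&CK technique IDs of the linked attack patterns, and keeps only indicators whose valid_from/valid_until window covers the evaluation time, so an expired address drops off the blocklist instead of being blocked forever. The bundle it parses is constructed here with placeholder UUIDs and a documentation-range address.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample shaped like the OneFirewall bundle above (placeholder UUIDs, 192.0.2.0/24 address).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "spec_version": "2.0", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-0000000000a1",
         "name": "External Remote Services",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1133"}]},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-0000000000b1",
         "labels": ["malicious-activity"], "pattern": "[ipv4-addr:value = '192.0.2.10']",
         "valid_from": "2020-08-27T15:00:49.000Z", "valid_until": "2020-10-03T09:08:26.000Z"},
        {"type": "relationship", "relationship_type": "indicates",
         "source_ref": "indicator--00000000-0000-4000-8000-0000000000b1",
         "target_ref": "attack-pattern--00000000-0000-4000-8000-0000000000a1"},
    ],
})

# Only the single-address comparison form the feed uses; anything more complex is skipped, not guessed.
IPV4_PATTERN = re.compile(r"^\[ipv4-addr:value = '(\d{1,3}(?:\.\d{1,3}){3})'\]$")

def parse_ts(value):
    """Parse a STIX 2.0 timestamp, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("bad STIX timestamp: %r" % value)

def active_blocklist(bundle_json, now_ts):
    """Return {ip: sorted ATT&CK technique ids} for indicators still valid at now_ts."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle" or bundle.get("spec_version") != "2.0":
        raise ValueError("not a STIX 2.0 bundle")
    now, objs = parse_ts(now_ts), bundle.get("objects", [])
    # attack-pattern id -> ATT&CK id (T1133, T1078.001, ...) taken from its mitre-attack reference
    techniques = {o["id"]: r["external_id"] for o in objs if o.get("type") == "attack-pattern"
                  for r in o.get("external_references", []) if r.get("source_name") == "mitre-attack"}
    # indicator id -> technique ids, resolved through the "indicates" relationships
    indicated = {}
    for o in objs:
        if o.get("type") == "relationship" and o.get("relationship_type") == "indicates":
            indicated.setdefault(o["source_ref"], set()).add(techniques.get(o["target_ref"], o["target_ref"]))
    result = {}
    for o in objs:
        match = IPV4_PATTERN.match(o.get("pattern", "")) if o.get("type") == "indicator" else None
        if not match or o.get("revoked") or now < parse_ts(o["valid_from"]):
            continue
        if "valid_until" in o and now >= parse_ts(o["valid_until"]):
            continue  # expired indicator: stop blocking the address
        result[match.group(1)] = sorted(indicated.get(o["id"], set()))
    return result
```

Feeding the real bundle above through active_blocklist gives the same shape of output, with the four linked techniques listed against the indicator's address while its validity window is open.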

Under no circumstances does OneFirewall disclose any information about alliance members, or information related (directly or indirectly) to cyber security events captured by alliance members and customers.
