D4.1 Cybersecurity threat intelligence common data model Project number 830892 Project acronym SPARTA Strategic programs for advanced research and Project title technology in Europe Start date of the project 1st February, 2019 Duration 36 months Programme H2020-SU-ICT-2018-2020 Deliverable type Demonstrator Deliverable reference number SU-ICT-03-830892 / D4.1 / V1.0 Work package contributing to the WP4 deliverable Due date July 2020 – M18 Actual submission date 30th July, 2020 Responsible organisation CESNET Editor Martin Žádník Dissemination level PU Revision V1.0 There are many standards for sharing of operational cyber threat intelligence (CTI). The goal of this deliverable is to select a suitable candidate Abstract solution from the existing data models and provide its extensions and unification so it can become practical and unified data model. Keywords Data model, sharing, threat intelligence This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 830892. D4.1 – Cybersecurity threat intelligence common data model Editor Martin Žádník (CESNET) Contributors (ordered according to beneficiary numbers) Augustin Lemesle (CEA) Giorgos Papavassiliou (KEMEA) Juan Caubet (EUT) Antonio Pagano, Mauro Gil Cabeza, Rumen Daton Madenou (IND) Romain Ferrari, Olivier Bettan (TCS) Paolo Mori, Oleksii Osliak (CNR) Claudio Porretti (LEO) Šarūnas Grigaliūnas (KTU) Evaldas Bružė, Edmundas Piesarskas (L3CE) Jocelyn Aubert (LIST) Bertrand Lathoud, Tun Hirt (SMILE) Pawel Pawlinski (NASK) Filipe Apolinario (INOV) Reviewers (ordered according to beneficiary numbers) Mohammad Norouzian (TUM) Alessio Merlo (CINI) Disclaimer The information in this document is provided “as is”, and no guarantee or warranty is given that the information is fit for any particular purpose. The content of this document reflects only the author`s view – the European Commission is not responsible for any use that may be made of the information it contains. The users use the information at their sole risk and liability. SPARTA D4.1 Public Page II D4.1 – Cybersecurity threat intelligence common data model Executive Summary This deliverable documents our activities, findings and deployment while investigating a common data model for sharing of operational cyber threat intelligence (CTI). First, we collected requirements from the partners involved in T-SHARK Programme of SPARTA. These requirements arise from the development activities of comprehensive threat analysis, sharing and visual analytics. The common denominator of these activities is a complex use case of election interference with its specific sub-cases. In parallel, we collected related research, existing frameworks and tools to see our topic from various perspectives. Subsequently, we analysed strong and weak points as well as opportunities and threats of the existing works. We identified MISP and STIX as promising candidates. The results of our analysis serve as input for an expert workshop which makes a strategic decision to develop the data model using concepts available in MISP. The results also show that rather than the common data model, it is essential to introduce a methodology to create data models for specific use cases so that the data models are more consistent and exhibit better machine readability. Another result of the expert workshop is a vision of ontology that would enable mapping between the individual data models. We leave the latter result as our future work, then we introduce a methodology to prepare unified data models in MISP and we demonstrate our methodology on several selected sub-cases. Furthermore, we show its applicability in a production environment by deploying SPARTA MISP instance and extending it with the newly proposed data models. The demonstration is prepared using a fictional story of election interference and how the interference might reflect into CTI shared via MISP. We conclude the deliverable with future plans which arise from the activities related to the activities around the deliverable as well as from the activities within T-SHARK Programme. SPARTA D4.1 Public Page III D4.1 – Cybersecurity threat intelligence common data model Table of Content Chapter 1 Introduction .................................................................................................. 1 Chapter 2 CTI related work ........................................................................................... 3 2.1 Security Vocabularies ............................................................................................... 3 2.2 CTI formats ............................................................................................................... 4 2.3 CTI sharing and analysis platforms ........................................................................... 6 2.4 Actionable CTI........................................................................................................... 8 2.5 Existing frameworks .................................................................................................. 8 2.5.1 NIST Cybersecurity Framework ....................................................................................... 8 2.5.2 NATO AC/35-D/1017 ..................................................................................................... 10 2.5.3 EBIOS ........................................................................................................................... 10 2.5.4 MITRE att&ck ................................................................................................................ 10 2.5.5 ISO ................................................................................................................................ 11 2.5.6 ISA ................................................................................................................................ 13 2.5.7 EPRI .............................................................................................................................. 13 2.5.8 IEEE .............................................................................................................................. 13 2.5.9 ITU ................................................................................................................................ 13 Chapter 3 Use cases and requirements ..................................................................... 14 3.1 Methodology............................................................................................................ 14 3.2 Use cases ............................................................................................................... 14 3.3 Summary of requirements ....................................................................................... 17 Chapter 4 Strategic analysis ....................................................................................... 19 4.1 SWOT analysis ....................................................................................................... 19 4.1.1 Background ................................................................................................................... 19 4.1.2 SWOT of CTI common data model ................................................................................ 20 4.1.3 SWOT conclusions and convergence ............................................................................ 24 4.2 Expert workshop ..................................................................................................... 25 4.2.1 Methodology .................................................................................................................. 25 4.2.2 Summary of the work session ........................................................................................ 26 4.2.3 Identified key requirements for the data model .............................................................. 27 4.2.4 Next Steps ..................................................................................................................... 28 Chapter 5 Unification of data models ......................................................................... 29 5.1 Methodology............................................................................................................ 29 5.2 Data models ............................................................................................................ 32 SPARTA D4.1 Public Page IV D4.1 – Cybersecurity threat intelligence common data model 5.2.1 DDoS backscatter .......................................................................................................... 32 5.2.2 Twitter ........................................................................................................................... 36 5.2.3 Election interference ...................................................................................................... 39 5.2.4 BP-IDS .......................................................................................................................... 41 5.2.5 Malware ......................................................................................................................... 44 Chapter 6 Demonstration ............................................................................................ 48 6.1 Deployment ............................................................................................................. 48 6.2 Demonstration of election interference ...................................................................