Soltra edge open cyber intelligence platform report
Prepared By: Alan Magar Sphyrna Security 340 Ridgeside Farm Drive Kanata, Ontario K2W 0A1
PWGSC Contract Number: W7714-08FE01/001/ST Task 33 CSA: Melanie Bernier, Defence Scientist, 613-996-3937
Scientific Authority: Melanie Bernier Defence Scientist DRDC – CORA Research Centre
The scientific or technical validity of this Contract Report is entirely the responsibility of the Contractor and the contents do not necessarily have the approval or endorsement of the Department of National Defence of Canada.
Contract Report
DRDC-RDDC-2015-C204
March 2015
This Contract Report was produced for the Cyber Decision Making and Response project (05ac) under the DRDC Cyber Operations S&T program.
© Her Majesty the Queen in Right of Canada, as represented by the Minister of National Defence, 2015
© Sa Majesté la Reine (en droit du Canada), telle que représentée par le ministre de la Défense nationale, 2015
Soltra Edge Open Cyber Intelligence
Platform Report
prepared for
Defence Research and Development Canada
prepared by
Bell Canada
160 Elgin Street, 17th Floor
Ottawa, Ontario K1S 5N4
Sphyrna Security
340 Ridgeside Farm Drive
Kanata, Ontario K2W 0A1
March 2015
Soltra Edge Open Cyber Intelligence Platform
Revision: 1.0 Final
March 2015 Bell Canada iii
Confidentiality
This document is UNCLASSIFIED.
Authors
Bell / Sphyrna Team Role
Alan Magar Security Architect
Revision Control
Revision Date Modifications
0.1 12 March 2015 Draft Report
1.0 27 March 2015 Final Report
Table of Contents
1.0 INTRODUCTION .................................................................................................................... 1
1.1 BACKGROUND .............................................................................................................................. 1
1.2 PURPOSE ..................................................................................................................................... 1
1.3 DOCUMENT STRUCTURE ................................................................................................................ 2
2.0 TECHNICAL OVERVIEW ......................................................................................................... 3
2.1 ARCHITECTURE ............................................................................................................................. 3
2.2 STANDARDS ................................................................................................................................. 4
2.2.1 STIX ................................................................................................................................... 6
2.2.2 TAXII ................................................................................................................................. 7
2.2.3 TLP .................................................................................................................................... 8
2.3 CAPABILITIES ................................................................................................................................ 8
3.0 PRODUCT EVALUATION ...................................................................................................... 10
3.1 DEPLOYED ENVIRONMENT ............................................................................................................ 10
3.2 CONFIGURED FEEDS .................................................................................................................... 11
3.3 ADAPTERS ................................................................................................................................. 19
3.4 ASSESSMENT .............................................................................................................................. 22
3.4.1 Release Cycle .................................................................................................................. 22
3.4.2 User Community ............................................................................................................. 23
3.4.3 Functionality ................................................................................................................... 23
3.4.4 Alternatives .................................................................................................................... 24
4.0 CONCLUSION & RECOMMENDATIONS ................................................................................ 26
5.0 ACRONYMS & ABBREVIATIONS .......................................................................................... 27
List of Figures
Figure 1 – Soltra Edge Cyber Intelligence Platform ................................................................................ 4
Figure 2 – Soltra Edge Upgrade ............................................................................................................ 10
Figure 3 – Adding a Site ........................................................................................................................ 11
Figure 4 – Site Added ............................................................................................................................ 12
Figure 5 – Unconfigured Feeds ............................................................................................................. 13
Figure 6 – Configure Feed ..................................................................................................................... 14
Figure 7 – Configured Feed .................................................................................................................. 14
Figure 8 – Downloaded Feed ................................................................................................................ 15
Figure 9 – Indicator Catalog .................................................................................................................. 16
Figure 10 – Specific Indicator ............................................................................................................... 17
Figure 11 – Observable Catalog ............................................................................................................ 18
Figure 12 – Specific Observable ............................................................................................................ 19
Figure 13 – Adapters Installed .............................................................................................................. 20
Figure 14 – CSV Indicators Import ........................................................................................................ 21
Figure 15 – CSV Indicators Preview ...................................................................................................... 22
Figure 16 ‐ Soltra Edge STIX/TAXII Integrations.................................................................................... 24
1.0 Introduction
Cyber threat intelligence has received a great deal of publicity of late. This is not surprising given the
number of high profile cyber attacks that have figured prominently in the news over the past year.
President Obama recently (February 2015) signed an executive order to improve the sharing of
cyber threat information within the private sector and between the private sector and government.
Specifically, the executive order enables the Department of Homeland Security (DHS) to share
classified intelligence with the private sector and to develop standards to facilitate the sharing of
cyber threat information.1 Later the same month, President Obama announced the establishment of
a cyber threat intelligence integration center “aimed at coordinating ongoing federal efforts to
counter hackers and other cyber threats aimed at the U.S. government and private industry”.2
1.1 Background
The Centre for Operational Research and Analysis (CORA), which is a Defence Research &
Development Canada (DRDC) research centre for systems analysis and operational research, is in the
process of characterizing threat and building a Department of National Defence (DND)‐specific cyber
threat model. The aggregation of cyber threat intelligence information from a variety of reputable
sources and the ability to act on this information are likely to be important aspects of the overall
cyber threat model being developed.
1.2 Purpose
Soltra Edge is intended to serve as the intelligence hub for an organization, connecting to all threat
intelligence communities and providing actionable data back to the organization’s environment for
integration with internal security tools/appliances. The intent is that Soltra Edge will allow
organizations to receive, store and send cyber security threat intelligence automatically, allowing
these organizations to better deploy safeguards against a potential cyber attack.
1 This announcement is mentioned in numerous locations including
http://www.politico.com/story/2015/02/obama‐cyberthreat‐executive‐order‐115187.html
2 This announcement is mentioned in numerous locations including
http://www.washingtontimes.com/news/2015/feb/25/obama‐create‐new‐cyber‐threat‐center
The purpose of this report is to review and analyze the Soltra Edge Open Cyber Intelligence Platform
and its components (Structured Threat Information eXpression (STIX)/Trusted Automated eXchange
of Indicator Information (TAXII)).
1.3 Document Structure
This report consists of the following sections:
Section 1.0 – Introduction: provides an overview of the report;
Section 2.0 – Technical Overview: provides a high‐level overview of Soltra Edge including its
architecture, standards and capabilities;
Section 3.0 – Product Evaluation: documents the evaluation of the platform, including the
deployed environment, configured feeds, adapters and an assessment of the product;
Section 4.0 – Conclusions & Recommendations: summarizes the conclusions and
recommendations derived from the development of this report; and
Section 5.0 – Acronyms & Abbreviations: lists the acronyms and abbreviations used
throughout this report.
2.0 Technical Overview
The Security Automation Working Group (SAWG) within the Financial Services Information Sharing
and Analysis Center (FS‐ISAC) initiated a project code‐named Avalanche to champion the use of
standards‐based cyber threat intelligence sharing. In September 2014, FS‐ISAC and the Depository
Trust & Clearing Corporation (DTCC) announced a joint effort to “develop and market automation
solutions that advance cyber security capabilities and the resilience of critical infrastructure
organizations”. The resulting solution, Soltra Edge, is based on the requirements, standards and
overall roadmap from the SAWG group within FS‐ISAC. This section of the report will provide a
technical overview of the product, including an examination of its architecture, standards and
capabilities.
2.1 Architecture
Soltra Edge, which runs on CentOS 6.5 3 and utilizes MongoDB 4 for storage, is administered through
a web interface. In terms of cyber threat intelligence services, Soltra Edge can be configured to
accept structured (e.g., STIX/TAXII) threat intelligence feeds and other file types through adapters.
The threat information can be managed and then exported in STIX format to various STIX‐
compatible security tools/appliances including firewalls or proxy servers, Mail Transfer Agents
(MTAs) and Security Incident and Event Management (SIEMs). It is the security appliances that are
responsible for taking the threat information provided by Soltra Edge and acting upon it. For
example, a list of malicious URLs could be sent to firewalls/proxy servers, which would then proceed
to block traffic originating from those network addresses. The Soltra Edge Cyber Intelligence
Platform is illustrated in Figure 1.
3 CentOS is an open source Linux distribution derived from the sources of Red Hat Enterprise Linux
(RHEL). Additional information on CentOS can be found at http://www.centos.org
4 MongoDB (from “humongous”) is an open‐source document database, and the leading NoSQL
database. Additional information on MongoDB can be found at http://www.mongodb.org
Figure 1 – Soltra Edge Cyber Intelligence Platform
2.2 Standards
Soltra Edge is intended to support a variety of open standards for cyber threat information sharing. Specifically, it currently supports the following standards:
Structured Threat Information eXpression (STIX);
Trusted Automated eXchange of Indicator Information (TAXII); and
Traffic Light Protocol (TLP).
Note – Other Cyber Threat Standards
It should be noted that there are other cyber threat standards that are supported to varying degrees by Soltra Edge. While there are likely many such standards, a few were identified during the development of this report. Interestingly enough, most of these standards have originated in private companies and then transitioned to the open source community to various degrees. The other standards identified include the following:
Common Attack Pattern Enumeration and Classification (CAPEC) – CAPEC is a comprehensive dictionary and classification taxonomy of known attacks that can be used by analysts, developers, testers, and educators to advance community understanding and enhance defences;
Cyber Information Sharing and Collaboration Program (CISCP) 5 ‐ The Critical Infrastructure
and Key Resource (CIKR) CISCP is a DHS program to improve the security posture of organizations by
providing threat data in the form of indicator bulletins, analysis bulletins, alert bulletins and
recommended practices to participating organizations. It should be noted that Soltra Edge supports
the conversion of CISCP indicators to a STIX list through the use of an adapter;
Cyber Observable eXpression (CybOX) 6 – CybOX is a standardized schema for the
specification, capture, characterization, and communication of events or stateful properties that are
observable in the operational domain. It should be noted that STIX uses CybOX language to describe
observables;
Malware Attribute Enumeration and Characterization (MAEC) 7 – MAEC is a standardized
language for encoding and communicating high‐fidelity information about malware based upon
attributes such as behaviours, artefacts, and attack patterns. It should be noted that STIX can
describe malware using MAEC characterizations through the use of the MAEC schema extension;
OpenIOC8 9 – OpenIOC is an extensible XML schema for the description of technical
characteristics that identify a known threat, an attacker’s methodology, or other evidence of
compromise. It should be noted that STIX provides a default extension for OpenIOC; and
Open Threat eXchange (OTX) 10 – OTX is an open threat information sharing and analysis
network that provides real‐time, actionable cyber threat information.
5 Additional information on CISCP can be found at
http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2013‐
06/ispab_june2013_menna_ciscp_one_pager.pdf
6 Additional information on CybOX can be found at https://cybox.mitre.org and
https://github.com/CybOXProject
7 Additional information on MAEC can be found at http://maec.mitre.org and
http://maecproject.github.io
8 IOC stands for Indicators of Compromise
9 Additional information on OpenIOC can be found at http://www.openioc.org
10 Additional information on OTX can be found at https://www.alienvault.com/open‐threat‐
exchange
2.2.1 STIX
STIX 11 is a collaborative community‐driven effort to define and develop a standardized language to
represent structured cyber threat information. STIX characterizes an extensive set of cyber threat
information, to include indicators of adversary activity (e.g., IP addresses and file hashes) as well as
additional contextual information regarding threats (e.g., adversary Tactics, Techniques and
Procedures [TTPs]; exploitation targets; Campaigns; and Courses of Action [COA]) that together more
completely characterize the cyber adversary’s motivations, capabilities, and activities, and thus, how
to best defend against them.12 STIX, which is XML‐based, is sponsored by the office of Cybersecurity
and Communications at the DHS. Soltra Edge supports the latest version (version 1.1.1) of STIX,
including all 1.1.1 objects.
Since STIX basically provides a common language for describing cyber threat information so that it
can be automatically shared, stored and used consistently, the following STIX definitions 13 have
been included in the report:
Observable ‐ An Observable is an event or stateful property that is observed or may be
observed in the operational cyber domain, such as a registry key value, an IP address,
deletion of a file, or the receipt of an http GET. STIX uses Cyber Observable eXpression
(CybOX) to represent Observables;
Indicator ‐ An Indicator is a pattern of relevant observable adversary activity in the
operational cyber domain along with contextual information regarding its interpretation
(e.g., this domain has been compromised, this email is spoofed, this file hash is associated
with this trojan, etc.), handling, etc. An Observable pattern captures what may be seen; the
Indicator enumerates why this Observable pattern is of interest;
11 Additional information on STIX can be found at https://stix.mitre.org and
https://github.com/STIXProject Samples of STIX content can be found at
https://stix.mitre.org/language/version1.0.1/samples.html
12 https://stix.mitre.org/about/faqs.html#A1
13 These definitions are STIX language definitions that were taken directly from
http://stix.mitre.org/about/faqs.html#B1
Incident ‐ An Incident is a set of related system and network activity that is associated with
the same adversary activity and/or attack along with contextual information such as who is
involved, when it occurred, what was affected, what was the impact, what actions were
taken in response, etc.;
TTP ‐ Tactics, Techniques and Procedures are a representation of the behaviour or modus
operandi of a cyber adversary including the use of particular attack patterns, malware,
exploits, tools, infrastructure, or the targeting of particular victims;
ExploitTarget ‐ An ExploitTarget is something about a potential victim that may make them
susceptible to a particular adversary TTP (e.g., a system vulnerability, weakness or
configuration issue);
CourseOfAction ‐ A CourseOfAction captures a particular action that could be taken to
prevent, mitigate or remediate the effects of a given cyber threat. These actions could be
remedial to proactively address known issues a priori or could be responses to specific
adversary activity;
Campaign ‐ A Campaign is a set of related adversary activity, to include TTPs, indicators,
exploit targets, and incidents. It characterizes the modus operandi of a particular adversary
in executing a particular intent; and
ThreatActor ‐ A ThreatActor is a cyber adversary and his or her known characteristics. It is
who is perpetrating the cyber attacks.
2.2.2 TAXII
TAXII 14 defines a set of services and message exchanges that, when implemented, enable sharing of
actionable cyber threat information across organization and product/service boundaries.
Specifically, TAXII defines an XML data format and message protocols (Hypertext Transfer Protocol
(HTTP)/Hypertext Transfer Protocol Secure (HTTPS)) for transporting STIX information. TAXII is
14 Additional information on TAXII can be found at https://taxii.mitre.org and
https://github.com/TAXIIProject
sponsored by the office of Cybersecurity and Communications at the DHS. Soltra Edge supports the
latest version (version 1.1) of TAXII.
2.2.3 TLP
TLP 15, which was developed by the U.S. Computer Emergency Readiness Team (US‐CERT), is a
simple standard that is used to control the dissemination of shared data. It uses four distinct colours
to distinguish how the information may be shared. Data that is tagged white can be distributed
without restriction. Data that is tagged green can be shared within the community, but not publicly.
Data that is tagged amber can only be shared within an organization. Data that is tagged red cannot
be shared. TLP has been adopted within Soltra Edge to allow automated filtering of data by
sensitivity level and for user access control.
2.3 Capabilities
Soltra Edge is intended to be an aggregator of cyber threat intelligence information and the primary
data store for structured intelligence within an organization. Consequently, it is intended to accept
cyber intelligence feeds, in the form of STIX/TAXII feeds, from a variety of sources including the
following:
Commercial Feeds – Commercial feeds are feeds that are purchased from professional
intelligence providers;
Organizational Feeds – Organizational feeds are feeds that exist within the organizational
environment;
Open Source Feeds – Open source feeds are Open Source Intelligence (OSINT) feeds
provided by the open source community;
Community Feeds – Community feeds are feeds provided by business partners, associates,
sharing communities or Information Sharing and Analysis Centers (ISACs); and
Government Feeds – Government feeds are typically provided by the federal government
for the benefit of private industry.
Soltra Edge is also capable of manually importing threat information using the web interface from a
Comma‐Separated Values (CSV) file, a STIX file or CISCP indicators. In addition, organizations can
export data from Soltra Edge in STIX formatted XML. Soltra has also demonstrated the creation of
15 Additional information on TLP can be found at https://www.us‐cert.gov/tlp
SNORT 16 rules from threat intelligence data. This was accomplished using a SNORT adapter that has
yet to be released.
16 SNORT is an open source, lightweight network intrusion detection system. Additional information
on SNORT can be found at https://www.snort.org
3.0 Product Evaluation
This section will document the results of the product evaluation performed. Specifically, this section will describe the deployed environment, configuring feeds, installing adapters, and an assessment of the solution.
3.1 Deployed Environment
Soltra Edge was downloaded and deployed as a VMware Virtual Machine (VM) in a virtualized lab environment. The initial evaluation was of Soltra Edge 2.1, which was available for download as of 6 February 2015. However, version 2.1.1 of Soltra Edge was released on 24 February 2015. The deployed environment was upgraded to this version so that the evaluation could be completed on the latest release. Version 2.1.1 contains many security updates as well as fixes for member‐identified bugs. It is worth mentioning that the upgrade process, which is accomplished using yum, was seamless. The successful upgrade of Soltra Edge can be seen in Figure 2.
Figure 2 – Soltra Edge Upgrade
3.2 Configured Feeds
Soltra recommends configuring two STIX/TAXII feeds in order to start experimenting with their product. Unfortunately, one of the two recommended feeds, FS‐ISAC intelligence, is only available to the FS‐ISAC membership. The remaining feed, Hail a TAXII.com, is a repository of Open Source Cyber Threat Intelligence feeds in STIX format. This section of the report will document the steps necessary to configure this feed on Soltra Edge.
The first step in the process of configuring a feed is to add a site. In this case, the Hailataxii.com site was added as illustrated in Figure 3. The Add Site window is accessible through Admin – Sites – Add Site. Figure 4 shows that the site has been added but that no feeds from the site have been configured.
Figure 3 – Adding a Site
Figure 4 – Site Added
The next step is to configure feeds from the remote site. Figure 5 shows the ten unconfigured feeds available from the hailataxii site. One merely clicks to configure the feed of choice. In this case, the emerging threats feed was selected for configuration. Feeds can be set to update automatically or manually. This is illustrated in Figure 6.
Figure 5 – Unconfigured Feeds
Figure 6 – Configure Feed
The configured feed can be seen in Figure 7. By clicking on “poll now” the latest threat intelligence information can be downloaded for this feed. The successful completion of this operation can be seen in Figure 8.
Figure 7 – Configured Feed
Figure 8 – Downloaded Feed
Once a site has been added, a feed configured and the threat intelligence information downloaded for the feed, an examination of the threat intelligence information is possible. Soltra Edge allows administrators to browse the catalog of objects by any of the STIX parameters (discussed in Section 2.2.1) including campaigns, courses of action, exploit targets, incidents, indicators, observables, packages, threat actors and TTPs.
For example, the indicator catalog, which is simply a list of indicators from the configured feeds, can be seen in Figure 9. The reader will note that of the indicators listed in Figure 9, all but one are domain watchlist, URL watchlist indicators. The remaining indicator is an IP watchlist, URL watchlist indicator. Most indicators are used to denote domains or IPs that have been compromised. Consequently, this information could be used to update firewalls and proxy servers. For each of the indicators listed in the catalog, there is additional information available. A specific indicator can be seen in Figure 10. Apparently, this site is being used as a command and control site for Athena malware.17
The observable catalog, which is simply a list of observables from the configured feeds, can be seen in Figure 11. The reader will note that there are three types of observables listed in Figure 11; DomainNameObjectType, URIObjectType and AddressObjectType. Most observables are used to denote observed events in the operational cyber domain. A specific observable can be seen in Figure 12. Unfortunately, aside from a domain name for a botnet site there is no additional information available. This lack of additional information was standard across the observables listed in the catalog from the Hail a TAXII.com feed.
17 A description of the Athena malware is available at
http://www.arbornetworks.com/asert/2013/11/athena‐a‐ddos‐malware‐odyssey
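To make the catalog and sharing behaviour described above concrete, the following added example (not Soltra Edge code and not part of the report) parses a constructed STIX 1.1.1 package into a catalog keyed by observable type (DomainNameObjectType, URIObjectType, AddressObjectType) and then applies the TLP rules from Section 2.2.3 to decide which values could be released to a firewall or proxy. The namespace URIs follow the STIX 1.1.1 and CybOX 2.1 schemas; carrying the TLP colour in a per‐indicator Handling element and all sample values are assumptions made for this example.

```python
"""Catalog a STIX 1.1.1 package and apply TLP sharing rules to it.
Added example, not Soltra Edge code: the package is constructed here, namespace
URIs follow the STIX 1.1.1 / CybOX 2.1 schemas, and carrying the TLP colour in a
per-indicator Handling element is an assumption about how a feed marks data."""
import xml.etree.ElementTree as ET

NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "marking": "http://data-marking.mitre.org/Marking-1",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
XSI_TYPE = "{%s}type" % NS["xsi"]

# TLP as the report describes it: white may go anywhere, green stays within the
# sharing community, amber within the organization, red is not shared at all.
TLP_AUDIENCES = {
    "WHITE": {"public", "community", "organization"},
    "GREEN": {"community", "organization"},
    "AMBER": {"organization"},
    "RED": set(),
}


def _indicator(iid, title, prefix, obj_type, value_tag, value, color):
    """Render one Indicator holding a single CybOX observable and a TLP marking."""
    return f"""
    <stix:Indicator xsi:type="indicator:IndicatorType" id="example:indicator-{iid}">
      <indicator:Title>{title}</indicator:Title>
      <indicator:Observable id="example:observable-{iid}">
        <cybox:Object><cybox:Properties xsi:type="{prefix}:{obj_type}">
          <{prefix}:{value_tag}>{value}</{prefix}:{value_tag}>
        </cybox:Properties></cybox:Object>
      </indicator:Observable>
      <indicator:Handling><marking:Marking>
        <marking:Marking_Structure xsi:type="tlpMarking:TLPMarkingStructureType" color="{color}"/>
      </marking:Marking></indicator:Handling>
    </stix:Indicator>"""


# Constructed sample: the three observable types the report saw in the Hail a
# TAXII feed, each under a different TLP colour.  Values are documentation-only.
_SAMPLE_INDICATORS = (
    _indicator(1, "Domain watchlist", "DomainNameObj", "DomainNameObjectType",
               "Value", "c2.example.invalid", "GREEN")
    + _indicator(2, "IP watchlist", "AddressObj", "AddressObjectType",
                 "Address_Value", "203.0.113.7", "AMBER")
    + _indicator(3, "URL watchlist", "URIObj", "URIObjectType",
                 "Value", "http://dl.example.invalid/x", "RED")
)
SAMPLE_PACKAGE = f"""<stix:STIX_Package
    xmlns:stix="{NS['stix']}" xmlns:indicator="{NS['indicator']}"
    xmlns:cybox="{NS['cybox']}" xmlns:marking="{NS['marking']}" xmlns:xsi="{NS['xsi']}"
    xmlns:tlpMarking="http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
    id="example:Package-1" version="1.1.1">
  <stix:Indicators>{_SAMPLE_INDICATORS}
  </stix:Indicators>
</stix:STIX_Package>"""


def catalog(stix_xml):
    """One record per Indicator: title, observable xsi:type with its prefix
    stripped (DomainNameObjectType etc., as the Soltra Edge catalog lists it),
    observable value, and TLP colour (None when the indicator is unmarked)."""
    records = []
    for ind in ET.fromstring(stix_xml).iterfind("stix:Indicators/stix:Indicator", NS):
        props = ind.find("indicator:Observable/cybox:Object/cybox:Properties", NS)
        obj_type = props.get(XSI_TYPE, "").split(":")[-1] if props is not None else ""
        # For all three object types the first child of Properties holds the value.
        value = next((c.text for c in props), None) if props is not None else None
        ms = ind.find("indicator:Handling/marking:Marking/marking:Marking_Structure", NS)
        color = None
        if ms is not None and ms.get(XSI_TYPE, "").endswith("TLPMarkingStructureType"):
            color = (ms.get("color") or "").upper() or None
        records.append({"title": ind.findtext("indicator:Title", "", NS),
                        "type": obj_type, "value": value, "tlp": color})
    return records


def shareable(records, audience):
    """Records whose TLP colour permits release to `audience` ('public',
    'community' or 'organization').  Unmarked or unknown colours are treated as
    RED, so a missing marking can never widen distribution."""
    if audience not in TLP_AUDIENCES["WHITE"]:
        raise ValueError(f"unknown audience: {audience}")
    return [r for r in records if audience in TLP_AUDIENCES.get(r["tlp"] or "RED", set())]


def blocklist(records, audience):
    """Domain and IP values releasable to `audience`: the part of the catalog
    that could be pushed to a proxy or firewall, as the report suggests."""
    return sorted(r["value"] for r in shareable(records, audience)
                  if r["type"] in ("DomainNameObjectType", "AddressObjectType"))


if __name__ == "__main__":
    recs = catalog(SAMPLE_PACKAGE)
    print(recs)
    print("community blocklist:", blocklist(recs, "community"))
```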
Figure 9 – Indicator Catalog
Figure 10 – Specific Indicator
Figure 11 – Observable Catalog
Figure 12 – Specific Observable
3.3 Adapters
Soltra has made available two adapters for download on their site. One adapter supports the conversion of CISCP indicators to a STIX list, while the other allows for the import of CSV‐based threat information. The two adapters were both installed successfully (see Figure 13). However, we were unable to test the CISCP adapter as no CISCP indicator file has been made available for testing. Apparently, US‐CERT files are classified TLP Amber meaning that they cannot be shared publicly. In addition, the CSV adapter failed to import the CSV test file provided. It resulted in an adapter error. Although this problem has been reported to Soltra (by three other members of the forum under two separate forums), at the time of writing this problem had yet to be resolved by Soltra staff. The lack of resolution for this issue is somewhat surprising given that Soltra staff are usually extremely responsive in resolving outstanding issues. The import and preview of the CSV indicators test file can be seen in Figure 14 and Figure 15 respectively.
Figure 13 – Adapters Installed
Figure 14 – CSV Indicators Import
Figure 15 – CSV Indicators Preview
3.4 Assessment
This section of the report will assess Soltra Edge in terms of the following:
Release Cycle;
User Community;
Functionality; and
Alternatives.
3.4.1 Release Cycle
Soltra Edge will eventually be released in two versions; a free community version and a paid version. The free community version, which is the version that is currently available for download, will contain “the features most needed by many organizations”. This version of Soltra Edge has undergone a number of release cycles in a relatively short period of time, demonstrating Soltra’s commitment to the product. Version 2.0 was released on 4 December 2014, version 2.1 on 6 February 2015 and version 2.1.1 on 24 February 2015. The paid version, which will presumably be released once the product has matured, will “support the requirements of larger entities”. In all
likelihood this will create a two‐tiered solution in which users of the community version are forced
to upgrade to the paid version to take advantage of additional functionality.
3.4.2 User Community
The Soltra Edge user community currently has 1720 members who have made in excess of eight hundred posts on the Soltra forum.18 Given the relative infancy of the product these numbers are quite impressive. Furthermore, the Soltra staff (technical and business) are quite responsive in addressing both technical problems and business‐related issues.
3.4.3 Functionality
In terms of functionality, Soltra Edge is currently somewhat hindered by its close integration with STIX/TAXII, owing to the lack of available threat intelligence feeds in this format and the relative scarcity of security tools/appliances supporting these standards. A list of intelligence providers and security tool vendors that have validated STIX/TAXII implementations and integration with Soltra Edge is available on the Soltra site.19 Unfortunately, the list, which was last updated on 18 December 2014, is not extensive. The list has also been included as Figure 16. However, it is worth mentioning that the functionality Soltra Edge currently provides for supporting/configuring STIX/TAXII feeds and aggregating/storing threat intelligence information seems to work quite well. Furthermore, the product is quite stable and quite easy to use.
18 The Soltra Edge forum is available at https://forums.soltra.com
19 The Soltra Edge STIX/TAXII integrations list is available at
https://forums.soltra.com/index.php?/topic/196‐vendor‐stix‐taxii‐integrations/
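As an added example (not Soltra Edge code, and not from this report's authors) covering the CSV indicator import discussed on page 19 and the STIX/TAXII feed handling assessed in 3.4.3: a small Python converter that validates a CSV indicator file row by row, rejecting bad rows with their line number instead of failing the whole import with a single adapter error, and wraps the accepted rows in a STIX 1.1 package of the form a TAXII Inbox service accepts. The column layout (type,value,title,tlp), the sample rows and the `example` ID namespace are assumptions; the namespace URIs are the published STIX 1.1 / CybOX 2.1 ones.

```python
"""Validate a CSV indicator file and wrap the good rows in a STIX 1.1 package.

Added example, not Soltra Edge code. The column layout (type,value,title,tlp)
and the "example" ID namespace are assumptions; the XML namespace URIs are
the published STIX 1.1 / CybOX 2.1 ones.
"""
import csv
import io
import ipaddress
import re
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Constructed sample file: two good rows, one malformed address, one unsupported type.
SAMPLE_CSV = """type,value,title,tlp
ipv4,203.0.113.45,Example C2 beacon,AMBER
domain,malware.example.net,Example dropper host,GREEN
ipv4,999.1.1.1,Malformed address,AMBER
url,http://example.org/x,Type this adapter does not handle,GREEN
"""

_DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)
_TLP = {"WHITE", "GREEN", "AMBER", "RED"}


def normalize_row(row):
    """Return a cleaned row dict, or raise ValueError describing the defect."""
    kind = (row.get("type") or "").strip().lower()
    value = (row.get("value") or "").strip()
    tlp = (row.get("tlp") or "").strip().upper()
    if kind == "ipv4":
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            raise ValueError(f"invalid IPv4 address {value!r}") from None
    elif kind == "domain":
        if not _DOMAIN_RE.match(value):
            raise ValueError(f"invalid domain name {value!r}")
    else:
        raise ValueError(f"unsupported indicator type {kind!r}")
    if tlp not in _TLP:
        raise ValueError(f"invalid TLP marking {tlp!r}")
    return {"type": kind, "value": value, "title": (row.get("title") or value).strip(), "tlp": tlp}


def parse_csv(text):
    """Split CSV text into (accepted_rows, rejected) where rejected is [(line_no, error)].

    Rejecting row by row, with a line number, is what an import adapter should do
    instead of aborting the whole file with one opaque error."""
    accepted, rejected = [], []
    for line_no, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):  # line 1 is the header
        try:
            accepted.append(normalize_row(row))
        except ValueError as exc:
            rejected.append((line_no, str(exc)))
    return accepted, rejected


def _q(prefix, tag):
    """Clark-notation tag name for ElementTree."""
    return f"{{{NS[prefix]}}}{tag}"


def build_stix_package(rows, producer="example"):
    """Serialize rows as a STIX 1.1.1 package with one Indicator per row."""
    pkg = ET.Element(_q("stix", "STIX_Package"),
                     {"id": f"{producer}:Package-{uuid.uuid4()}", "version": "1.1.1"})
    inds = ET.SubElement(pkg, _q("stix", "Indicators"))
    stamp = datetime.now(timezone.utc).isoformat()
    for row in rows:
        ind = ET.SubElement(inds, _q("stix", "Indicator"),
                            {"id": f"{producer}:indicator-{uuid.uuid4()}", "timestamp": stamp,
                             _q("xsi", "type"): "indicator:IndicatorType"})
        ET.SubElement(ind, _q("indicator", "Title")).text = row["title"]
        obs = ET.SubElement(ind, _q("indicator", "Observable"),
                            {"id": f"{producer}:Observable-{uuid.uuid4()}"})
        obj = ET.SubElement(obs, _q("cybox", "Object"), {"id": f"{producer}:Object-{uuid.uuid4()}"})
        if row["type"] == "ipv4":
            props = ET.SubElement(obj, _q("cybox", "Properties"),
                                  {_q("xsi", "type"): "AddressObj:AddressObjectType", "category": "ipv4-addr"})
            ET.SubElement(props, _q("AddressObj", "Address_Value")).text = row["value"]
        else:
            props = ET.SubElement(obj, _q("cybox", "Properties"),
                                  {_q("xsi", "type"): "DomainNameObj:DomainNameObjectType", "type": "FQDN"})
            ET.SubElement(props, _q("DomainNameObj", "Value")).text = row["value"]
    return ET.tostring(pkg, encoding="unicode")


def indicator_values(xml_text):
    """Read the observable values back out of a package, as a consumer would."""
    root = ET.fromstring(xml_text)
    wanted = (_q("AddressObj", "Address_Value"), _q("DomainNameObj", "Value"))
    return [el.text for el in root.iter() if el.tag in wanted]


if __name__ == "__main__":
    good, bad = parse_csv(SAMPLE_CSV)
    for line_no, err in bad:
        print(f"line {line_no}: rejected ({err})")
    print(build_stix_package(good))
```

Run stand-alone, the script reports lines 4 and 5 of the sample file as rejected and prints a package holding the two remaining indicators; the rejected-row list is what should surface to the operator instead of the bare "adapter error" the report encountered.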
Figure 16 – Soltra Edge STIX/TAXII Integrations
3.4.4 Alternatives
This report would be remiss if it did not mention cyber threat intelligence platform alternatives. Specifically, this section of the report will provide a brief overview of the following alternatives to Soltra Edge:
Microsoft Interflow;
ThreatConnect; and
Vorstack Automation and Collaboration Platform (ACP).
3.4.4.1 Microsoft Interflow
Microsoft announced 20 their security and threat information exchange platform for professionals working in cybersecurity, called Microsoft Interflow 21, in June 2014. Unfortunately, since that date there has been very little additional information provided except that the platform is currently
20 This announcement can be found in many places including http://www.darkreading.com/analytics/threat‐intelligence/microsoft‐unveils‐new‐intelligence‐sharing‐platform/d/d‐id/1278781 and http://blogs.technet.com/b/msrc/archive/2014/06/23/announcing‐microsoft‐interflow.aspx
21 Additional information on the Microsoft Interflow Platform can be found at https://technet.microsoft.com/en‐us/library/dn750892.aspx
available for private preview. Interflow uses industry specifications to create an automated,
machine‐readable feed of threat and security information that can be shared across industries and
groups in near real‐time. The goal of the platform is to help security professionals respond more
quickly to threats. It will also help reduce the cost of defense by automating processes that are currently
performed manually.22 In terms of industry specifications, Interflow will support STIX, TAXII and
CybOX. It will also provide a means to feed threat and security information into firewalls, Intrusion
Detection Systems (IDS), Intrusion Prevention Systems (IPS), and SIEMs. Interflow will run on the
Microsoft Azure public cloud. While the data feeds will be free, organizations will require an Azure
subscription to receive them.
3.4.4.2 ThreatConnect
ThreatConnect 23 is a threat intelligence platform that allows an organization to aggregate, analyze,
and act on all of the threat intelligence data it receives. While ThreatConnect supports the ingest of
multiple data formats, including emerging standards such as STIX, the focus seems to be on
integration with commercial threat intelligence feeds (e.g., CrowdStrike’s Falcon Intelligence,
iSIGHT’s ThreatScape, Wapack Labs ThreatRecon) and products. There is a free community version,
along with three paid versions (basic, team and enterprise) of the product. ThreatConnect also
supports a variety of deployment models, including on‐premises, private cloud and public cloud.
3.4.4.3 Vorstack ACP
Vorstack ACP 24 connects to third‐party (e.g., HP ArcSight, IBM QRadar, RSA Security Analytics,
Splunk) SIEM and security log management tools to automate the ingestion, querying and reporting
of threat intelligence data. Specifically, Vorstack ACP can automate the queries against these log
management and analytics tools and then correlate the responses against other data points. The
product supports STIX/TAXII, even providing a bridge to other software (e.g., Hadoop) so that the
software doesn’t have to support the standards directly.
22 http://blogs.technet.com/b/msrc/archive/2014/06/23/announcing‐microsoft‐interflow.aspx
23 Additional information on ThreatConnect can be found at http://www.threatconnect.com
24 Additional information on Vorstack ACP can be found at https://vorstack.com
4.0 Conclusion & Recommendations
The Centre for Operational Research and Analysis (CORA), which is a Defence Research &
Development Canada (DRDC) research centre for systems analysis and operational research, is in the
process of characterizing threat and building a Department of National Defence (DND)‐specific cyber
threat model. The aggregation of cyber threat intelligence information from a variety of reputable
sources and the ability to act on this information are likely to be important aspects of the overall
cyber threat model being developed.
Soltra Edge is intended to serve as the intelligence hub for an organization, connecting to all threat
intelligence communities and providing actionable data back to the organization’s environment for
integration with internal security tools/appliances. The intent is that Soltra Edge will allow
organizations to receive, store and send cyber security threat intelligence automatically, allowing
these organizations to better deploy safeguards against a potential cyber attack.
To realize these goals, Soltra Edge has been designed to support the STIX/TAXII standards almost
exclusively. While this may prove to be the prudent long‐term approach, as these standards seem
to be getting a considerable amount of traction, it does limit what can be accomplished in the short‐
term due to the lack of STIX/TAXII threat intelligence feeds and STIX/TAXII‐compliant security
tools/appliances. It is anticipated that as Soltra Edge matures it will increase its support for
commercial feeds and security tools/appliances, thus improving its overall utility as the central
threat intelligence hub for an organization.
This report makes the following recommendations:
DRDC should continue to actively monitor Soltra Edge and STIX/TAXII development;
DRDC should review and analyze the community version of ThreatConnect to ascertain how
it compares to Soltra Edge; and
DRDC should implement a virtualized, cyber threat intelligence proof‐of‐concept to
demonstrate cyber threat intelligence capabilities and how they can be used to
automatically configure an organization’s security tools/appliances to thwart a cyber attack.
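An added example (not Soltra Edge code or any vendor's) of the last step the conclusion describes, turning indicators received by the hub into something an organization's security tools can act on: indicator records are vetted before anything is pushed to a sensor (duplicates across feeds, internal or non-routable addresses that a feed error could contain, an organizational allow-list, values that would break rule syntax) and then rendered as Suricata rules and an IP deny-list. The record layout, the local SID range and the ALLOW_LIST contents are assumptions; the `dns.query`, `startswith` and `endswith` keywords require Suricata 5 or later.

```python
"""Turn threat-intelligence indicator records into Suricata rules and an IP
deny-list, applying the safety checks a hub should run before pushing to a sensor.

Added example, not code from Soltra Edge or any vendor. The record layout,
the local SID range and ALLOW_LIST are assumptions.
"""
import ipaddress
import re

SID_BASE = 9000000             # assumed start of a locally administered SID range
ALLOW_LIST = {"198.51.100.7"}  # assumed: hosts the organization must never block
# Address ranges that must never reach a blocking rule, whatever a feed says.
_NEVER_BLOCK = [ipaddress.IPv4Network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]
_DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)

# Constructed sample records; addresses are from the documentation ranges.
SAMPLE_INDICATORS = [
    {"type": "ipv4", "value": "203.0.113.45", "title": "Example C2 beacon", "tlp": "AMBER"},
    {"type": "ipv4", "value": "203.0.113.45", "title": "Same address from a second feed", "tlp": "GREEN"},
    {"type": "ipv4", "value": "10.0.0.5", "title": "Internal address (feed error)", "tlp": "AMBER"},
    {"type": "ipv4", "value": "198.51.100.7", "title": "Allow-listed partner host", "tlp": "AMBER"},
    {"type": "domain", "value": "malware.example.net", "title": "Example dropper host", "tlp": "GREEN"},
    {"type": "domain", "value": 'bad";alert', "title": "Would break rule syntax", "tlp": "GREEN"},
]


def _blockable(addr):
    """False for loopback, link-local, multicast, reserved and internal ranges."""
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified or addr.is_reserved:
        return False
    return not any(addr in net for net in _NEVER_BLOCK)


def _clean_msg(text):
    """Strip characters that would terminate or escape a Suricata msg string."""
    return re.sub(r'[";\\]', "", text)[:80]


def vet(record, seen):
    """Return (record, None) when it is safe to act on, else (None, reason)."""
    kind, value = record["type"], record["value"].strip()
    key = (kind, value.lower())
    if key in seen:
        return None, "duplicate"
    if kind == "ipv4":
        try:
            addr = ipaddress.IPv4Address(value)
        except ValueError:
            return None, "not an IPv4 address"
        if not _blockable(addr):
            return None, "internal or non-routable address"
        if value in ALLOW_LIST:
            return None, "allow-listed"
    elif kind == "domain":
        if not _DOMAIN_RE.match(value):
            return None, "not a valid domain name"
    else:
        return None, f"unsupported type {kind!r}"
    seen.add(key)
    return dict(record, value=value), None


def build_rules(records, sid_base=SID_BASE):
    """Return (rules, skipped): Suricata rules and [(value, reason)] for records not emitted."""
    rules, skipped, seen = [], [], set()
    sid = sid_base
    for rec in records:
        ok, reason = vet(rec, seen)
        if ok is None:
            skipped.append((rec["value"], reason))
            continue
        sid += 1
        msg = _clean_msg(f"CTI: {ok['title']}")
        meta = f"metadata:tlp {ok['tlp']}; sid:{sid}; rev:1;"
        if ok["type"] == "ipv4":
            # Alert on any outbound traffic from the monitored network to the address.
            rules.append(f'alert ip $HOME_NET any -> {ok["value"]} any (msg:"{msg}"; {meta})')
        else:
            # Exact match on the DNS query name (startswith/endswith anchor the content).
            rules.append(
                f'alert dns $HOME_NET any -> any any (msg:"{msg}"; dns.query; '
                f'content:"{ok["value"]}"; nocase; startswith; endswith; {meta})')
    return rules, skipped


def build_deny_list(records):
    """Return the unique, routable, non-allow-listed IPv4 indicators, sorted."""
    seen, out = set(), []
    for rec in records:
        ok, _ = vet(rec, seen)
        if ok and ok["type"] == "ipv4":
            out.append(ok["value"])
    return sorted(out)


if __name__ == "__main__":
    rules, skipped = build_rules(SAMPLE_INDICATORS)
    print("\n".join(rules))
    for value, reason in skipped:
        print(f"# skipped {value!r}: {reason}")
    print("deny-list:", build_deny_list(SAMPLE_INDICATORS))
```

Of the six sample records only two become rules; the duplicate, the internal address, the allow-listed host and the malformed domain are reported with a reason rather than silently dropped, which is the audit trail an operator needs when a rule set is regenerated automatically from feeds.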
5.0 Acronyms & Abbreviations
ACP Automation and Collaboration Platform
CAPEC Common Attack Pattern Enumeration and Classification
CERT Computer Emergency Readiness Team
CIKR Critical Infrastructure and Key Response
CISCP Cyber Information Sharing and Collaboration Program
COA Courses of Action
CORA Centre for Operational Research and Analysis
CSV Comma Separated Values
CyBOX Cyber Observable eXpression
DHS Department of Homeland Security
DRDC Defence Research & Development Canada
DTCC Depository Trust & Clearing Corporation
FS‐ISAC Financial Services Information Sharing and Analysis Center
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
IDS Intrusion Detection System
IOC Indicators of Compromise
IPS Intrusion Prevention System
ISAC Information Sharing and Analytics Center
MAEC Malware Attribute Enumeration and Characterization
MTA Mail Transfer Agent
OSINT Open Source Intelligence
OTX Open Threat eXchange
RHEL Red Hat Enterprise Linux
SAWG Security Automation Working Group
SIEM Security Incident and Event Management
STIX Structured Threat Information eXpression
TAXII Trusted Automated eXchange of Indicator Information
TLP Traffic Lightweight Protocol
TTPs Tactics, Techniques and Procedures
VM Virtual Machine