Cyber Standards User Council CTI-TC STIX Subcommittee Update

Presentation transcript:

Cyber Standards User Council CTI-TC STIX Subcommittee Update
www.oasis-open.org
Co-Chairs: John Wunder and Sarah Kelley
4 December 2017

Agenda
- STIX 2.0 - Lessons Learned
- STIX 2.0 - Objects
- STIX 2.1 - New Objects and Features
- STIX 2.1 - What's in progress
- STIX 2 modeling example

Lessons Learned from STIX 1.x
- JSON, not XML: preferred by developers, easier to understand
- Simplicity and clarity: less flexibility, more standardization
- Pragmatism: fewer, but better-understood objects and properties
- One standard: merge CybOX into STIX
- Relationships as first-class objects: easier for the community to contribute

STIX 2.0 Domain Objects I

STIX 2.0 Domain Objects II

STIX 2.0 Status
As of Oct 2017, STIX 2.0 has been published as an OASIS Committee Specification!

STIX 2.1 - New Objects
- Location: lat/long and address information
- Malware (expanded): much more full featured, can capture sandbox output, etc.
- Note: for add-on intelligence related to an object
- Opinion: third-party opinion, allows for feedback from others
- Grouping: for sets of related information

STIX 2.1 - New Features
- Confidence: contains a number scale and a mapping to other scales
- Internationalization: allows for multi-language content
- Time-bound relationships: specify when a relationship is/was considered valid

STIX 2.1 - In Progress
- Infrastructure: focus on malicious/adversary infrastructure
- Categorizations: risk scoring, etc.
- Course of Action
- Patterning changes

When will STIX 2.1 be done?
We're estimating spring 2018 for STIX 2.1.

Modeling a Cyber Threat Intelligence Report in STIX 2
The IMDDOS Report: https://www.coresecurity.com/publication/imddos-botnet-discovery-and-analysis

IMDDOS: The Big Picture*
* Created directly from the JSON via the STIX Viewer: https://oasis-open.github.io/cti-stix-visualization/

Bundle & Marking Definition
{
  "type": "bundle",
  "id": "bundle--9f0725cb-4bc3-47c3-aba6-99cb97ba4f52",
  "spec_version": "2.0",
  "objects": [
    {
      "type": "marking-definition",
      "id": "marking-definition--dc1b5371-1918-4e57-93f2-25d1d78d983f",
      "created": "2017-07-18T22:00:30.404Z",
      "definition_type": "statement",
      "definition": {
        "statement": "Copyright 2010, Damballa, Inc All Rights Reserved"
      }
    },
    ...

Report
{
  "type": "report",
  ...
  "name": "IMDDOS Botnet",
  "labels": [ "threat-report" ],
  "description": "The newly-uncovered IMDDOS Botnet is a commercial DDOS service hosted in China.",
  "published": "2010-09-13T00:00:00.000Z",
  "object_refs": [
    "malware--efd5ac80-79ba-45cc-9293-01460ad85303",
    "threat-actor--e234c322-0981-4aa4-ae03-f4037e6be83f",
    "indicator--691d06b5-aa1d-46ec-97d6-e59ef9411b8a",
    ...
  ],
  "object_marking_refs": [ "marking-definition--dc1b5371-1918-4e57-93f2-25d1d78d983f" ],
  "external_references": [
    {
      "source_name": "Damballa, Inc.",
      "url": "https://www.coresecurity.com/system/files/publications/2017/03/Damballa_Report_IMDDOS.pdf",
      "hashes": { "SHA-1": "4e0f4197d6d61f52f80a5560d78af599a37277c0" }
    }
  ]
},

Threat Actor & Location
{
  "type": "threat-actor",
  "id": "threat-actor--e234c322-0981-4aa4-ae03-f4037e6be83f",
  "created": "2017-07-18T22:00:30.405Z",
  "modified": "2017-07-18T22:00:30.405Z",
  "name": "(Unnamed) IMDDOS Threat Actor",
  "labels": [ "criminal" ]
},
{
  "type": "location",
  "id": "location--07608992-927e-434c-9cbd-bf45274290a0",
  "country": "China"
},

Indicator: TLHD
{
  "type": "indicator",
  "id": "indicator--691d06b5-aa1d-46ec-97d6-e59ef9411b8a",
  "created": "2017-07-18T22:00:30.406Z",
  "modified": "2017-07-18T22:00:30.406Z",
  "name": "IMDDOS THLD",
  "labels": [ "malicious-activity" ],
  "description": "References to this domain are indicative of the presence of the IMDDOS malware in the environment",
  "valid_from": "2010-04-01T00:00:00.000Z",
  "kill_chain_phases": [
    {
      "kill_chain_name": "lockheed-martin-cyber-kill-chain",
      "phase_name": "exploit"
    }
  ],
  "pattern": "[ domain-name:value = 'imddos.my03.com' ]"
},

Indicator: TLHD Traffic
{
  "type": "indicator",
  "id": "indicator--b2ab314f-3a97-44d4-bfca-6a9857a6fe17",
  "created": "2017-07-18T22:00:30.406Z",
  "modified": "2017-07-18T22:00:30.406Z",
  "name": "IMDDOS THLD Traffic",
  "labels": [ "malicious-activity" ],
  "description": "Traffic to this domain indicates the source host is infected with IMDDOS malware",
  "valid_from": "2010-04-01T00:00:00.000Z",
  "kill_chain_phases": [
    {
      "kill_chain_name": "lockheed-martin-cyber-kill-chain",
      "phase_name": "exploit"
    }
  ],
  "pattern": "[ network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'imddos.my03.com' AND network-traffic:dst_port = 9090 ]"
},

Indicator: IMDDOS Infected Host
{
  "type": "indicator",
  "id": "indicator--ca26195e-e3c0-4139-8e21-0af90c89bd27",
  "created": "2017-07-18T22:00:30.407Z",
  "modified": "2017-07-18T22:00:30.407Z",
  "name": "IMDDOS Infected Host",
  "labels": [ "malicious-activity" ],
  "description": "Presence of this registry key on a host indicates it is infected with the IMDDOS malware",
  "valid_from": "2010-04-01T00:00:00.000Z",
  "kill_chain_phases": [
    {
      "kill_chain_name": "lockheed-martin-cyber-kill-chain",
      "phase_name": "exploit"
    }
  ],
  "pattern": "[ windows-registry-key:key LIKE 'HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\SafePrec%' ]"
},

Indicator: IMDDOS C2 Traffic
{
  "type": "indicator",
  "id": "indicator--644bc5dc-1627-4c3a-b9d8-bb2a9fa30567",
  "created": "2017-07-18T22:00:30.407Z",
  "modified": "2017-07-18T22:00:30.407Z",
  "name": "IMDDOS C2 Traffic",
  "labels": [ "malicious-activity" ],
  "description": "Traffic to these domains indicates that the source host is under the control of the IMDDOS malware",
  "valid_from": "2010-04-01T00:00:00.000Z",
  "kill_chain_phases": [
    {
      "kill_chain_name": "lockheed-martin-cyber-kill-chain",
      "phase_name": "control"
    }
  ],
  "pattern": "[ network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value IN ('dns.ddos.im', 'win2003ddos.3322.org', 'woshindi.3322.org', 'pk518.3322.org', 'huanjue6369029.3322.org', 'qq603535.3322.org', 'qq188588.3322.org', 'hjff.3322.org', '198600.3322.org', 'ankankan.3322.org', 'yinn.3322.org') ]"
},

External Relationships
{
  "type": "relationship",
  ...
  "relationship_type": "indicates",
  "source_ref": "indicator--691d06b5-aa1d-46ec-97d6-e59ef9411b8a",
  "target_ref": "malware--efd5ac80-79ba-45cc-9293-01460ad85303"
},
<other indicates Relationships omitted for clarity>
...
{
  ...
  "relationship_type": "located-at",
  "source_ref": "threat-actor--e234c322-0981-4aa4-ae03-f4037e6be83f",
  "target_ref": "location--07608992-927e-434c-9cbd-bf45274290a0"
},
{
  ...
  "relationship_type": "uses",
  ...
}
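Because a STIX 2 bundle ties its objects together only through ids in object_refs, object_marking_refs, source_ref and target_ref, the usual defect in a hand-modeled report like this one is a reference that resolves to nothing. The following is an added example, not code from the OASIS deck or the STIX project: it checks that every id in a STIX 2.0 bundle has the <type>--<UUIDv4> shape and that every *_ref/*_refs value resolves to an object in the same bundle. The sample bundle is a constructed subset of the slides' IMDDOS objects (object ids copied from the slides); the report and relationship ids are made-up placeholders, and the malware object is deliberately left out so that a dangling reference is reported.

```python
import json
import re

# STIX 2.0 identifier shape: "<object-type>--<UUIDv4>" (lowercase hex, version nibble 4, variant 8-b).
STIX_ID = re.compile(
    r"^[a-z0-9-]{3,250}--[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")

def iter_refs(obj):
    """Yield (property, referenced id) for every *_ref / *_refs property of one STIX object."""
    for key, value in obj.items():
        if key.endswith("_ref"):
            yield key, value
        elif key.endswith("_refs"):
            for ref in value:
                yield key, ref

def check_bundle(bundle_json):
    """Return {'invalid_ids': [...], 'dangling': [(referring id, property, missing id), ...]}."""
    bundle = json.loads(bundle_json)
    objects = bundle.get("objects", [])
    known = {o["id"] for o in objects if "id" in o}
    invalid = [i for i in [bundle.get("id", "")] + sorted(known) if not STIX_ID.match(i)]
    dangling = [(o["id"], prop, ref) for o in objects for prop, ref in iter_refs(o) if ref not in known]
    return {"invalid_ids": invalid, "dangling": dangling}

# Constructed sample: subset of the deck's IMDDOS bundle (object ids copied from the slides);
# the report/relationship ids are placeholders and the malware object is left out on purpose.
MARKING = "marking-definition--dc1b5371-1918-4e57-93f2-25d1d78d983f"
MALWARE = "malware--efd5ac80-79ba-45cc-9293-01460ad85303"
ACTOR = "threat-actor--e234c322-0981-4aa4-ae03-f4037e6be83f"
INDICATOR = "indicator--691d06b5-aa1d-46ec-97d6-e59ef9411b8a"
LOCATION = "location--07608992-927e-434c-9cbd-bf45274290a0"
REPORT = "report--00000000-0000-4000-8000-000000000001"  # placeholder id, not from the deck
REL_A, REL_B = ("relationship--00000000-0000-4000-8000-00000000000%d" % n for n in (2, 3))  # placeholders
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--9f0725cb-4bc3-47c3-aba6-99cb97ba4f52", "spec_version": "2.0",
    "objects": [
        {"type": "marking-definition", "id": MARKING, "definition_type": "statement"},
        {"type": "report", "id": REPORT, "name": "IMDDOS Botnet", "labels": ["threat-report"],
         "object_refs": [MALWARE, ACTOR, INDICATOR], "object_marking_refs": [MARKING]},
        {"type": "threat-actor", "id": ACTOR, "name": "(Unnamed) IMDDOS Threat Actor"},
        {"type": "location", "id": LOCATION, "country": "China"},
        {"type": "indicator", "id": INDICATOR, "pattern": "[ domain-name:value = 'imddos.my03.com' ]"},
        {"type": "relationship", "id": REL_A, "relationship_type": "indicates",
         "source_ref": INDICATOR, "target_ref": MALWARE},
        {"type": "relationship", "id": REL_B, "relationship_type": "located-at",
         "source_ref": ACTOR, "target_ref": LOCATION},
    ],
})
```

Running check_bundle(SAMPLE_BUNDLE) reports the missing malware object twice, once from the report's object_refs and once from the indicates relationship's target_ref; fixing the bundle means adding the object or dropping both references.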

Q & A
Cyber Threat Intelligence Technical Committee