Sightings and Observations

Presentation transcript:

Sightings and Observations

Use Cases

- UC1: Basic Sighting, +1: no count, times, CybOX. "I've seen this indicator."
- UC2: Sighting w/ count. "I saw this indicator 154 times."
- UC3: Sighting w/ what was seen. "I saw this indicator [154 times], and here's the network capture from it."
- UC4: Observation for some other use case (e.g. artifacts captured during IR, logs triggered by analytics or heuristics). "I saw this network capture."

Definitions

- Observation: The fact that something in cyber was seen. Network traffic, file, etc. was observed.
- Sighting: A cyber threat object was sighted. Indicator, Malware, Tool, etc. was sighted, potentially X number of times.
- Observation + Sighting: Indicator, Malware, Tool, etc. was sighted in the given cyber observations.

Option 1: Current Approach (slide diagram; columns UC1: +1 | UC2: Sighting Counts | UC3: Sighting Counts+CybOX | UC4: Observation)

- UC1: Indicator <-sighting_of_ref- Sighting
- UC2: Indicator <-sighting_of_ref- Sighting -observation_ref-> Observation {Count = 154, Start = …, End = …}
- UC3: Indicator <-sighting_of_ref- Sighting -observation_ref-> Observation {Count = 154, Start = …, End = …, CybOX = {}}
- UC4: Observation {Count = 154, Start = …, End = …, CybOX = {}}

Opt 2: Count on Sightings (required fields) (slide diagram; columns UC1: +1 | UC2: Sighting Counts | UC3: Sighting Counts+CybOX | UC4: Observation)

- UC1: Indicator <-sighting_of_ref- Sighting
- UC2: Indicator <-sighting_of_ref- Sighting {Count = 154, Start = …, End = …}
- UC3: Indicator <-sighting_of_ref- Sighting {Count = 154, Start = …, End = …} -observation_ref-> Observation {Count = 154, Start = …, End = …, CybOX = {}}
- UC4: Observation {Count = 154, Start = …, End = …, CybOX = {}}

Opt 2: Count on Sightings (optional fields) (slide diagram; columns UC1: +1 | UC2: Sighting Counts | UC3: Sighting Counts+CybOX | UC4: Observation)

- UC1: Indicator <-sighting_of_ref- Sighting
- UC2: Indicator <-sighting_of_ref- Sighting {Count = 154, Start = …, End = …}
- UC3: Indicator <-sighting_of_ref- Sighting -observation_ref-> Observation {Count = 154, Start = …, End = …, CybOX = {}}
- UC4: Observation {Count = 154, Start = …, End = …, CybOX = {}}

Opt 2: Count on Sightings (optional fields) (slide diagram; columns UC1: +1 | UC2: Sighting Counts | UC3: Sighting Counts+CybOX | UC4: Observation)

- UC1: Indicator <-sighting_of_ref- Sighting
- UC2: Indicator <-sighting_of_ref- Sighting {Count = 154, Start = …, End = …}
- UC3: Indicator <-sighting_of_ref- Sighting {Count = 154, Start = …, End = …} -observation_ref-> Observation {CybOX = {}}
- UC4: Observation {Count = 154, Start = …, End = …, CybOX = {}}

Option 3: Merge Sighting and Observation (slide diagram; columns UC1: +1 | UC2: Sighting Counts | UC3: Sighting Counts+CybOX | UC4: Observation)

- UC1: Indicator <-sighting_of_ref- Sighting
- UC2: Indicator <-sighting_of_ref- Sighting {Count = 154, Start = …, End = …}
- UC3: Indicator <-sighting_of_ref- Sighting {Count = 154, Start = …, End = …, CybOX = {}}
- UC4: Sighting {Count = 154, Start = …, End = …, CybOX = {}}

Opt 4: Count on Sighting, not Observation (slide diagram; columns UC1: +1 | UC2: Sighting Counts | UC3: Sighting Counts+CybOX | UC4: Observation)

- UC1: Indicator <-sighting_of_ref- Sighting
- UC2: Indicator <-sighting_of_ref- Sighting {Count = 154, Start = …, End = …}
- UC3: Indicator <-sighting_of_ref- Sighting {Count = 154, Start = …, End = …} -observation_ref-> Observation {Start = …, End = …, CybOX = {}}
- UC4: Not possible, requires multiple observations

Decisions

1. Is it important that CybOX be required on an Observation?
2. Are there any use cases other than sightings where you need to report an observation without a count?
3. Is it important to be able to have a count on Observation?
4. Are there use cases other than sightings where you need a count on Observations?
5. Can we come up with coherent semantics if count is on both Sighting and Observation?
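The option slides and the last decision question can be made concrete with a small in-memory model. The following is an added example, not code from the presentation or from any STIX/CybOX library: it models the Sighting and Observation objects with the field names the slides use (sighting_of_ref, observation_ref, Count, Start, End, CybOX), builds the four use cases the way Option 1 and Option 4 draw them, resolves the effective count whichever object carries it, and flags the disagreement that becomes possible once both objects may carry a count. Object ids, timestamps and the CybOX placeholder dicts are constructed sample values; the helper functions are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample values, not data from the deck.
START, END = "2015-11-01T00:00:00Z", "2015-11-30T23:59:59Z"


@dataclass
class Observation:
    """'The fact that something in cyber was seen' (slide definition)."""
    id: str
    cybox: dict = field(default_factory=dict)  # stands in for the CybOX content
    count: Optional[int] = None
    start: Optional[str] = None
    end: Optional[str] = None


@dataclass
class Sighting:
    """'A cyber threat object was sighted'; sighting_of_ref points at that object."""
    id: str
    sighting_of_ref: str
    count: Optional[int] = None
    start: Optional[str] = None
    end: Optional[str] = None
    observation_ref: Optional[str] = None  # one Observation per Sighting, as drawn on the slides


def effective_count(s: Sighting, observations: Dict[str, Observation]) -> int:
    """Times the referenced object was seen, whichever object carries the count.
    A Sighting with no count on itself or on its Observation is UC1's '+1'."""
    if s.count is not None:
        return s.count
    if s.observation_ref is not None:
        obs = observations[s.observation_ref]
        if obs.count is not None:
            return obs.count
    return 1


def resolve(sightings: List[Sighting], observations: Dict[str, Observation]) -> Dict[str, int]:
    """Effective count per Sighting id."""
    return {s.id: effective_count(s, observations) for s in sightings}


def count_conflicts(sightings: List[Sighting], observations: Dict[str, Observation]) -> List[str]:
    """Decision question 5: when count may sit on both objects, report pairs that disagree."""
    problems = []
    for s in sightings:
        if s.count is None or s.observation_ref is None:
            continue
        obs = observations[s.observation_ref]
        if obs.count is not None and obs.count != s.count:
            problems.append(f"{s.id}: sighting count {s.count} != observation count {obs.count}")
    return problems


def option1_objects() -> Tuple[List[Sighting], Dict[str, Observation]]:
    """Option 1 (current approach): count and time range live on the Observation."""
    observations = {
        "obs-uc2": Observation("obs-uc2", count=154, start=START, end=END),
        "obs-uc3": Observation("obs-uc3", cybox={"type": "network-capture"}, count=154, start=START, end=END),
        "obs-uc4": Observation("obs-uc4", cybox={"type": "network-capture"}, count=154, start=START, end=END),
    }
    sightings = [
        Sighting("sight-uc1", "indicator--uc1"),
        Sighting("sight-uc2", "indicator--uc2", observation_ref="obs-uc2"),
        Sighting("sight-uc3", "indicator--uc3", observation_ref="obs-uc3"),
    ]
    return sightings, observations


def option4_objects() -> Tuple[List[Sighting], Dict[str, Observation]]:
    """Option 4: count lives on the Sighting; the Observation keeps only time range and CybOX.
    UC4 (a standalone Observation with a count) is not expressible here, as the slide notes."""
    observations = {
        "obs-uc3": Observation("obs-uc3", cybox={"type": "network-capture"}, start=START, end=END),
    }
    sightings = [
        Sighting("sight-uc1", "indicator--uc1"),
        Sighting("sight-uc2", "indicator--uc2", count=154, start=START, end=END),
        Sighting("sight-uc3", "indicator--uc3", count=154, start=START, end=END, observation_ref="obs-uc3"),
    ]
    return sightings, observations


def both_counts_objects() -> Tuple[List[Sighting], Dict[str, Observation]]:
    """Opt 2 with optional fields lets both objects carry a count; here they disagree."""
    observations = {"obs-uc3": Observation("obs-uc3", cybox={"type": "network-capture"}, count=154)}
    sightings = [Sighting("sight-uc3", "indicator--uc3", count=200, observation_ref="obs-uc3")]
    return sightings, observations


if __name__ == "__main__":
    for name, build in (("Option 1", option1_objects), ("Option 4", option4_objects)):
        s, o = build()
        print(name, resolve(s, o), count_conflicts(s, o))
    s, o = both_counts_objects()
    print("Opt 2, count on both", resolve(s, o), count_conflicts(s, o))
```

Under Option 1 and Option 4 every Sighting resolves to exactly one count, because only one object can carry it; the disagreement reported for the "count on both" case is the incoherence the fifth decision question asks about, and a consumer would have to pick a precedence rule (here the Sighting wins) or reject such bundles.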