Cyber Observable Patterning

1 Cyber Observable Patterning
October 20th, 2016

2 Why are we discussing patterning?

3 Patterning Background
Complete refactoring of CybOX 2.x patterning syntax
Spun up as a separate specification: vJ84jfGuxSYZjOQlw5leCswPY/edit#heading=h.t32x0azc539r
Syntax inspired by SQL-92
Integrated with Cyber Observable Object data models
Allows patterns to be written against any Object, e.g., File, IPv4 Address, Network Traffic, etc.
One string = one pattern
Primarily authored by John-Mark Gurney and Jason Keirstead. Many thanks!

4 Pattern Building Blocks

5 Comparison Expressions
The most basic components of Observation Expressions
Consist of an Object Path and a constant joined by a Comparison Operator
Comparison Expression: file:hashes.md5 = 'y' (Object Path, Comparison Operator, Constant)
A Comparison Expression states which Object property to look for and the constant that its value should be compared against

6 Observation Expressions I
One or more Comparison Expressions, joined via Boolean Operators:
[file:mime_type = 'image\bmp' AND file:magic_number = 'ffd8']
The most basic valid Cyber Observable pattern is an Observation Expression with a single Comparison Expression:
[file:size = 25536]
Observation Expressions may be Qualified in order to further constrain the matching set:
[file:file_name = 'foo.dll'] START ' T00:00:00Z' STOP ' T00:00:00Z'

7 Observation Expressions II
Multiple Observation Expressions may be joined using an Observation Operator to enable pattern-matching across multiple Observations:
[ipv4-addr:value = ' '] ALONGWITH [ipv4-addr:value = ' ']
Observation Expression Qualifiers and Operators are non-greedy, so parentheses may be used to achieve the desired logic:
([ a ] ALONGWITH [ b ] REPEAT 5 TIMES) WITHIN 5 MINUTES

8 Operators and Qualifiers
Comparison Operators: = != > < <= >= IN LIKE MATCHES CONTAINS
Observation Expression Qualifiers: REPEATED WITHIN START/STOP
Observation Expression Operators: ALONGWITH FOLLOWEDBY
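To make the building blocks of slides 5 through 8 concrete, here is a small evaluator added for this transcript; it is not code from the presentation, the STIX specification or any reference implementation. It parses a subset of the syntax shown on the slides (Comparison Expressions with =, !=, <, <=, >, >=, LIKE and MATCHES; AND/OR inside brackets; ALONGWITH and FOLLOWEDBY between brackets; a trailing WITHIN qualifier) and evaluates it against an assumed representation of observations: a list of dicts, each with an ISO timestamp and the Cyber Observable Objects seen at that time. Parentheses, REPEATED, START/STOP, IN and CONTAINS are deliberately left out; the sample observations and addresses are constructed.

```python
import re
from datetime import datetime, timedelta
from itertools import product

# One Comparison Expression: <object type>:<property path> <operator> <constant>
COMPARISON = re.compile(
    r"(?P<path>[a-z0-9-]+:[A-Za-z0-9_.-]+)\s*"
    r"(?P<op>!=|<=|>=|=|<|>|LIKE|MATCHES)\s*"
    r"(?P<const>'(?:[^'\\]|\\.)*'|-?\d+)"
)
OBS_EXPR = re.compile(r"\[([^\]]*)\]")                   # one bracketed Observation Expression
OBS_OP = re.compile(r"\]\s*(ALONGWITH|FOLLOWEDBY)\s*\[")  # Observation Operator between two of them
WITHIN = re.compile(r"WITHIN\s+(\d+)\s+(SECONDS|MINUTES)\s*$")


def _like_to_regex(glob):
    # SQL LIKE wildcards: % is any run of characters, _ is exactly one character
    return "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in glob)


OPERATORS = {
    "=": lambda a, b: a == b,   "!=": lambda a, b: a != b,
    "<": lambda a, b: a < b,    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,    ">=": lambda a, b: a >= b,
    "LIKE": lambda a, b: re.fullmatch(_like_to_regex(b), str(a)) is not None,
    "MATCHES": lambda a, b: re.search(b, str(a)) is not None,
}


def _resolve(obj, dotted):
    """Walk a dotted property path such as hashes.md5 through nested dicts."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def comparison_matches(text, observation):
    """True if any object in the observation satisfies one Comparison Expression."""
    m = COMPARISON.fullmatch(text.strip())
    if not m:
        raise ValueError("malformed comparison expression: " + text)
    obj_type, prop = m["path"].split(":", 1)
    raw = m["const"]
    # Constants are typed: a quoted string never equals an integer property value.
    const = raw[1:-1].replace("\\'", "'") if raw.startswith("'") else int(raw)
    test = OPERATORS[m["op"]]
    for obj in observation["objects"]:
        if obj.get("type") != obj_type:
            continue
        value = _resolve(obj, prop)
        try:
            if value is not None and test(value, const):
                return True
        except TypeError:  # e.g. ordering an int against a string
            pass
    return False


def observation_matches(body, observation):
    """Comparisons joined by AND/OR with AND binding tighter (constants must not contain ' AND ' or ' OR ')."""
    return any(
        all(comparison_matches(c, observation) for c in re.split(r"\s+AND\s+", clause))
        for clause in re.split(r"\s+OR\s+", body)
    )


def pattern_matches(pattern, observations):
    """Evaluate '[..] ALONGWITH|FOLLOWEDBY [..] ... [WITHIN n MINUTES]' over a list of observations."""
    pattern = pattern.strip()
    window = None
    q = WITHIN.search(pattern)
    if q:
        window = timedelta(**{q.group(2).lower(): int(q.group(1))})
        pattern = pattern[:q.start()].strip()
    bodies = OBS_EXPR.findall(pattern)
    ops = OBS_OP.findall(pattern)
    if not bodies or len(ops) != len(bodies) - 1:
        raise ValueError("unsupported pattern shape: " + pattern)
    times = [datetime.strptime(o["time"], "%Y-%m-%dT%H:%M:%SZ") for o in observations]
    # For each Observation Expression, the indices of observations that satisfy it on their own.
    candidates = [[i for i, o in enumerate(observations) if observation_matches(b, o)] for b in bodies]
    for choice in product(*candidates):
        # FOLLOWEDBY needs a distinct, not-earlier observation; ALONGWITH accepts any order.
        ordered = all(op == "ALONGWITH" or (choice[k] != choice[k + 1] and times[choice[k]] <= times[choice[k + 1]])
                      for k, op in enumerate(ops))
        chosen = [times[i] for i in choice]
        if ordered and (window is None or max(chosen) - min(chosen) <= window):
            return True
    return False


# Constructed sample observations (assumed representation, not real telemetry);
# 203.0.113.0/24 is a documentation address range.
OBSERVATIONS = [
    {"time": "2016-10-20T09:00:00Z", "objects": [
        {"type": "file", "file_name": "foo.dll", "size": 25536,
         "hashes": {"md5": "d41d8cd98f00b204e9800998ecf8427e"}}]},
    {"time": "2016-10-20T09:03:00Z", "objects": [{"type": "ipv4-addr", "value": "203.0.113.7"}]},
    {"time": "2016-10-20T09:30:00Z", "objects": [
        {"type": "network-traffic", "dst_ref": {"type": "ipv4-addr", "value": "203.0.113.7"}}]},
]

if __name__ == "__main__":
    print(pattern_matches("[file:file_name LIKE '%.dll'] FOLLOWEDBY "
                          "[ipv4-addr:value = '203.0.113.7'] WITHIN 5 MINUTES", OBSERVATIONS))
```

Two design points worth noting for implementers: the evaluator enumerates every combination of candidate observations rather than taking the first match, because a greedy choice can miss a pairing that satisfies WITHIN; and comparisons are typed, so a string constant never matches an integer property, which is the kind of detail an implementer's guide has to pin down.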

9

10 Key Questions
Specification
MVP operators
Stateful operators – REPEATED, FOLLOWEDBY, etc.
Context-specific operators such as CONTAINS
Implementation
As an implementer, must you support the full patterning spec?
Observable Object classes? E.g., as a HIDS vendor, must you support ALL of the network Objects? Obviously not – but how do we communicate that in terms of conformance?
Stateful Operators? E.g., as a firewall vendor, must you support FOLLOWEDBY?
This question is not constrained to patterning; it highlights critical, cross-cutting questions of how to handle conformance in STIX
Level of specification – are things properly specified so that they can be implemented correctly? Are they overspecified? Underspecified?
What do we need in an implementer’s guide? Do we need more examples?
ANTLR grammar – where should it be stored? STIX 2.0 Schemas GitHub repo? Elsewhere?

11 Conformance (notional)
Level 1N: Purely Network Devices/Sensors, e.g., Firewalls, IDS, etc.
Level 1H: Purely Host-based Devices/Sensors, e.g., AV, HIDS, etc.
Level 2: Host-based + Network Aggregator Devices/Sensors, e.g., SIEM, TIP, etc.
Individual patterns could be “tagged” with their level of applicability (host-based, network-based, or both):
{H}[(file:file_name = 'pdf.exe' OR file:size = '371712') AND file:created = ' T07:03:17Z']
{N}[network-traffic:dst_ref.type = 'ipv4-address' AND network-traffic:dst_ref.value = ' ']
{HN}[file:hashes.SHA-256 = 'aec070645fe53ee3b f058cc337247c978add178b6ccdfb0019f']

12 Path forward
Finish remaining work items
Conformance
Update ANTLR grammar
Specification review
We need YOUR feedback
Remember, patterning is fundamental to STIX 2.0 Indicators
