Cyber Standards User Council CTI-TC STIX Subcommittee Update

1 Cyber Standards User Council CTI-TC STIX Subcommittee Update
Co-Chairs: John Wunder and Sarah Kelley
4 December 2017

2 Agenda
- STIX 2.0 - Lessons Learned
- STIX 2.0 - Objects
- STIX 2.1 - New Objects and Features
- STIX 2.1 - What's in progress
- STIX 2 modeling example

3 Lessons Learned from STIX 1.x
- JSON, not XML: preferred by developers, easier to understand
- Simplicity and clarity: less flexibility, more standardization
- Pragmatism: fewer, but better-understood objects and properties
- One standard: merge CybOX into STIX
- Relationships as first-class objects: easier for the community to contribute

4 STIX 2.0 Domain Objects I

5 STIX 2.0 Domain Objects II

6

7 STIX 2.0 Status
As of Oct 2017, STIX 2.0 has been published as an OASIS Committee Specification!

8 STIX 2.1 - New Objects
- Location: lat/long and address information
- Malware (expanded): much more full-featured, can capture sandbox output, etc.
- Note: for add-on intelligence related to an object
- Opinion: third-party opinion, allows for feedback from others
- Grouping: for sets of related information

9 STIX 2.1 - New Features
- Confidence: contains a number scale and a mapping to other scales
- Internationalization: allows for multi-language content
- Time-bound relationships: specify when a relationship is/was considered valid

10 STIX 2.1 - In Progress
- Infrastructure: focus on malicious/adversary infrastructure
- Categorizations: risk scoring, etc.
- Course of Action
- Patterning changes

11 When will STIX 2.1 be done? We’re estimating spring 2018 for STIX 2.1.

12 Modeling a Cyber Threat Intelligence Report in STIX 2
The IMDDOS Report:

13 IMDDOS: The Big Picture*
* Created directly from the JSON via the STIX Viewer:

14 Bundle & Marking Definition
{
  "type": "bundle",
  "id": "bundle--9f0725cb-4bc3-47c3-aba6-99cb97ba4f52",
  "spec_version": "2.0",
  "objects": [
    {
      "type": "marking-definition",
      "id": "marking-definition--dc1b e57-93f2-25d1d78d983f",
      "created": " T22:00:30.404Z",
      "definition_type": "statement",
      "definition": {
        "statement": "Copyright 2010, Damballa, Inc All Rights Reserved"
      }
    },
    ...

15 Report
{
  "type": "report",
  ...
  "name": "IMDDOS Botnet",
  "labels": [ "threat-report" ],
  "description": "The newly-uncovered IMDDOS Botnet is a commercial DDOS service hosted in China.",
  "published": " T00:00:00.000Z",
  "object_refs": [
    "malware--efd5ac80-79ba-45cc ad85303",
    "threat-actor--e234c aa4-ae03-f4037e6be83f",
    "indicator--691d06b5-aa1d-46ec-97d6-e59ef9411b8a",
    ...
  ],
  "object_marking_refs": [ "marking-definition--dc1b e57-93f2-25d1d78d983f" ],
  "external_references": [
    {
      "source_name": "Damballa, Inc.",
      "url": "...",
      "hashes": { "SHA-1": "4e0f4197d6d61f52f80a5560d78af599a37277c0" }
    }
  ]
}

16 Threat Actor & Location
{
  "type": "threat-actor",
  "id": "threat-actor--e234c aa4-ae03-f4037e6be83f",
  "created": " T22:00:30.405Z",
  "modified": " T22:00:30.405Z",
  "name": "(Unnamed) IMDDOS Threat Actor",
  "labels": [ "criminal" ]
},
{
  "type": "location",
  "id": "location e-434c-9cbd-bf a0",
  "country": "China"
}

17 Indicator: TLHD
{
  "type": "indicator",
  "id": "indicator--691d06b5-aa1d-46ec-97d6-e59ef9411b8a",
  "created": " T22:00:30.406Z",
  "modified": " T22:00:30.406Z",
  "name": "IMDDOS THLD",
  "labels": [ "malicious-activity" ],
  "description": "References to this domain are indicative of the presence of the IMDDOS malware in the environment",
  "valid_from": " T00:00:00.000Z",
  "kill_chain_phases": [
    {
      "kill_chain_name": "lockheed-martin-cyber-kill-chain",
      "phase_name": "exploit"
    }
  ],
  "pattern": "[ domain-name:value = 'imddos.my03.com' ]"
},

18 Indicator: TLHD Traffic
{
  "type": "indicator",
  "id": "indicator--b2ab314f-3a97-44d4-bfca-6a9857a6fe17",
  "created": " T22:00:30.406Z",
  "modified": " T22:00:30.406Z",
  "name": "IMDDOS THLD Traffic",
  "labels": [ "malicious-activity" ],
  "description": "Traffic to this domain indicates the source host is infected with IMDDOS malware",
  "valid_from": " T00:00:00.000Z",
  "kill_chain_phases": [
    {
      "kill_chain_name": "lockheed-martin-cyber-kill-chain",
      "phase_name": "exploit"
    }
  ],
  "pattern": "[ network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value = 'imddos.my03.com' AND network-traffic:dst_port = 9090 ]"
},

19 Indicator: IMDDOS Infected Host
{
  "type": "indicator",
  "id": "indicator--ca26195e-e3c e21-0af90c89bd27",
  "created": " T22:00:30.407Z",
  "modified": " T22:00:30.407Z",
  "name": "IMDDOS Infected Host",
  "labels": [ "malicious-activity" ],
  "description": "Presence of this registry key on a host indicates it is infected with the IMDDOS malware",
  "valid_from": " T00:00:00.000Z",
  "kill_chain_phases": [
    {
      "kill_chain_name": "lockheed-martin-cyber-kill-chain",
      "phase_name": "exploit"
    }
  ],
  "pattern": "[ windows-registry-key:key LIKE 'HKEY_LOCAL_MACHINE\\\\System\\\\CurrentControlSet\\\\Services\\\\SafePrec%' ]"
},

20 Indicator: IMDDOS C2 Traffic
{
  "type": "indicator",
  "id": "indicator--644bc5dc c3a-b9d8-bb2a9fa30567",
  "created": " T22:00:30.407Z",
  "modified": " T22:00:30.407Z",
  "name": "IMDDOS C2 Traffic",
  "labels": [ "malicious-activity" ],
  "description": "Traffic to these domains indicates that the source host is under the control of the IMDDOS malware",
  "valid_from": " T00:00:00.000Z",
  "kill_chain_phases": [
    {
      "kill_chain_name": "lockheed-martin-cyber-kill-chain",
      "phase_name": "control"
    }
  ],
  "pattern": "[ network-traffic:dst_ref.type = 'domain-name' AND network-traffic:dst_ref.value IN ('dns.ddos.im', 'win2003ddos.3322.org', 'woshindi.3322.org', 'pk org', 'huanjue org', 'qq org', 'qq org', 'hjff.3322.org', ' org', 'ankankan.3322.org', 'yinn.3322.org') ]"
},

21 External Relationships
{
  "type": "relationship",
  ...
  "relationship_type": "indicates",
  "source_ref": "indicator--691d06b5-aa1d-46ec-97d6-e59ef9411b8a",
  "target_ref": "malware--efd5ac80-79ba-45cc ad85303"
},
<other indicates Relationships omitted for clarity>
{
  "type": "relationship",
  ...
  "relationship_type": "located-at",
  "source_ref": "threat-actor--e234c aa4-ae03-f4037e6be83f",
  "target_ref": "location e-434c-9cbd-bf a0"
},
{
  "type": "relationship",
  ...
  "relationship_type": "uses",
  ...
}
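The modeling example above ties the Report to its Indicators, Malware and Threat Actor purely through identifiers (object_refs, object_marking_refs, source_ref/target_ref), so a consumer has to check that every reference resolves before the bundle is usable. As an added example that is not part of the presentation or of any STIX library, the Python below runs that referential-integrity check over a constructed bundle shaped after the IMDDOS slides; the UUIDs, timestamps and the malware labels are made-up placeholders, and the sample deliberately contains one dangling reference and one marking ref that points at the wrong object type.

```python
import re

# STIX 2.0 identifier: <object-type>--<RFC 4122 version-4 UUID>
STIX_ID = re.compile(r"^[a-z0-9][a-z0-9-]*[a-z0-9]--[0-9a-f]{8}-[0-9a-f]{4}"
                     r"-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")
REF_LISTS = ("object_refs", "object_marking_refs")           # list-valued references
REF_SINGLE = ("source_ref", "target_ref", "created_by_ref")  # single-valued references

def check_bundle(bundle):
    """Return human-readable problems; an empty list means the bundle is consistent."""
    problems, by_id = [], {}
    for obj in bundle.get("objects", []):          # pass 1: index ids, validate their form
        oid = obj.get("id", "")
        if not STIX_ID.match(oid):
            problems.append(f"malformed id: {oid!r}")
        elif oid.split("--")[0] != obj.get("type"):
            problems.append(f"id prefix does not match type: {oid}")
        if oid in by_id:
            problems.append(f"duplicate id: {oid}")
        by_id[oid] = obj
    for obj in bundle.get("objects", []):          # pass 2: resolve every reference
        oid = obj.get("id", "?")
        refs = [r for p in REF_LISTS for r in obj.get(p, [])]
        refs += [obj[p] for p in REF_SINGLE if p in obj]
        problems += [f"{oid}: dangling reference {r}" for r in refs if r not in by_id]
        for ref in obj.get("object_marking_refs", []):
            if ref in by_id and by_id[ref].get("type") != "marking-definition":
                problems.append(f"{oid}: {ref} is not a marking-definition")
    return problems

# Constructed sample shaped after the IMDDOS slides; the UUIDs are made-up
# placeholders, not the report's real identifiers.
MARK = "marking-definition--11111111-1111-4111-8111-111111111111"
MAL = "malware--22222222-2222-4222-8222-222222222222"
IND = "indicator--33333333-3333-4333-8333-333333333333"
REL = "relationship--44444444-4444-4444-8444-444444444444"
ACTOR = "threat-actor--55555555-5555-4555-8555-555555555555"  # referenced, never defined
T = "2017-12-04T22:00:30.404Z"
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--66666666-6666-4666-8666-666666666666",
    "spec_version": "2.0", "objects": [
    {"type": "marking-definition", "id": MARK, "created": T, "definition_type": "statement",
     "definition": {"statement": "Copyright 2010, Damballa, Inc All Rights Reserved"}},
    {"type": "malware", "id": MAL, "created": T, "modified": T, "name": "IMDDOS", "labels": ["ddos"]},
    {"type": "indicator", "id": IND, "created": T, "modified": T, "name": "IMDDOS THLD",
     "labels": ["malicious-activity"], "valid_from": T, "pattern": "[ domain-name:value = 'imddos.my03.com' ]"},
    {"type": "relationship", "id": REL, "created": T, "modified": T, "relationship_type": "indicates",
     "source_ref": IND, "target_ref": MAL},
    {"type": "report", "id": "report--77777777-7777-4777-8777-777777777777", "created": T, "modified": T,
     "name": "IMDDOS Botnet", "labels": ["threat-report"], "published": T,
     "object_refs": [MAL, IND, REL, ACTOR], "object_marking_refs": [MARK, MAL]}]}
```

Calling check_bundle(SAMPLE_BUNDLE) reports the Report's reference to the undefined threat-actor and its malware id listed under object_marking_refs; a clean bundle returns an empty list.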

22 Q & A
Cyber Threat Intelligence Technical Committee
