Presentation is loading. Please wait.

Presentation is loading. Please wait.

Briefing on STIX | TAXII

Published bySucianty Sumadi Modified over 6 years ago

Similar presentations

Presentation on theme: "Briefing on STIX | TAXII"— Presentation transcript:

1 Briefing on STIX | TAXII
Presented by: Jane Ginn, MSIA, MRP Co-Founder, Cyber Threat Intelligence Network, Inc. Secretary, Cyber Threat Intelligence Technical OASIS Briefing on STIX | TAXII Release Candidate 4 – January, 2017 A standard of the Organization for Advanced Structured Information Systems (OASIS)

2 Structured threat information exchange

3 Source: Struse, R. (2016). SANS Cyber Threat Intelligence Summit

4 Structured threat information exchange: STIX Ver 2.0
STIX Version 2.0 Part 1: STIX Core Concepts STIX Version 2.0 Part 2: STIX Objects STIX Version 2.0 Part 3: Cyber Observable Core Concepts STIX Version 2.0 Part 4: Cyber Observable Objects STIX Version 2.0 Part 5: STIX Patterning

5 Design Goals (SLIDE 1 of 2) Clarity Modularity
Easy to implement and understand One way to perform a use case where possible Simple things should be simple, simple is better than complex Avoid excessive nesting Well understood definitions Consistent structures and names Explicit is better than implicit Modularity Provide building blocks that can be reused elsewhere Ensure tight cohesion, and low coupling of those building blocks Support customization in a consistent way Use semantic versioning Design Goals (SLIDE 1 of 2)

6 Design Goals (SLIDE 2 of 2) Pragmatism Analysis
Concentrate on current problems not theoretical ones Focus on the common problems not the edge cases (the 80/20 rule) Work on improving the edge cases in subsequent releases Analysis Enable sharing of higher order analysis Make it easy to graph relationships Make it easy to track changes over time Design Goals (SLIDE 2 of 2)

7 STIX 2.0 Core concepts (slide 1 of 2)
Graph-based Data Model Contains Cyber Observables Includes STIX Patterning MTI JSON Data Markings (Object & Granular) Uses Open Vocabularies Nodes (SDOs) & Edges (SROs) Was CybOX New in Ver. 2.0 Not backward compatible Governs sharing restrictions Eleven defined (-ov)

8 STIX 2.0 Core concepts (Slide 2 of 2)
Defines Producers & Consumers Timestamps Defined Kill Chain Phase Designations Reserved Property Names Defines Versioning & Object Revocation Defines Common Relationships MRTI & Human Consumers Zulu & Millisecond Precision Can be Producer Defined Future Versions Creator of Object Only Extensible

9 Stix 2.0 architecture

10 STIX 2.0 data objects (SDO)
Attack Pattern Campaign Course of Action (Stub) Identity Indicator Intrusion Set Malware (Stub) Observed Data Report Threat Actor Tool Vulnerability

11 Example diagrams: Indicator SDO

12 Example Spec Language: Indicator SDO

13 Example diagrams: Threat Actor SDO

14 Example Spec Language: threat actor SDO

15 Threat actor labels

16 STIX 2.0 RELATIONSHIP OBJECTS (sro)
Embedded Relationships created_by_ref object_markings_refs Common Relationship Types: derived-from duplicate-of related-to Sightings: Object Type & ID Count

17 Specific RELATIONSHIP OBJECTS (sro)
Source: STIX™ 2.0 Specification – rc4 Part 2

18 Cyber observables (slide 1 of 2)
Artifact AS Directory Domain Name Address Message File Archive File Extension NTFS File Extension PDF File Extension Raster Image File Extension Windows ™ File Extension IPV4 Address IPV6 Address MAC Address MUTEX Network Traffic HTTP ICMP Network Socket TCP Process

19 Cyber observables (slide 2 of 2)
Software URL User Account Windows Registry Key X509 Certificate

20 STIX PATTERNING Supports STIX patterns for Indicator sharing
Expressed using Cyber Observables Enhances detection of malicious activity on endpoints & networks Abstraction layer capable of serializing proprietary correlation rules Expressed as Unicode – Using ANTLR Grammar Based on key building blocks Pattern Expression + Observation Expression + Comparison Expression With Observation Operators + Qualifiers

21 STIX PATTERNING Source: STIX™ 2.0 Specification – rc4 Part 5

22 STIX ONLINE RESOURCES OASIS CTI TC Public Website GITHUB SITE
open.org/committees/tc_home.php?wg_abbrev=cti GITHUB SITE Cosive STIX Data Generator Open Source TAXII Server

23 TAXII Ver 2.0 Source: Jordan, B. & Davidson, M. (2016). STIX, TAXII, CISA: The impact of the US Cybersecurity Information Sharing Act of RSA Presentation.

24 TAXII Ver. 2.0 Roadmap Source:
Jordan, B. & Davidson, M. (2016). STIX, TAXII, CISA: The impact of the US Cybersecurity Information Sharing Act of RSA Presentation.

25 Candidate objects for STIX Ver 2.1
Incident & Event Confidence Opinion Location Malware (Flush Out) Course of Action (OpenC2) Infrastructure Internationalization

26 Science of security Source:
Science of Security: Developing Scientific Foundations for the Operational Cybersecurity Ecosystem by Shawn Riley The Center for Strategic Cyberspace + Security Science

27 Tip Design dictated by needs of end users
Source: Chismon, D. & Ruks, M. (2015). Threat Intelligence: Collecting, Analyzing, Evaluating

28 Threat intel platform (TIP) design
Ease of Process for On-Boarding New Users Threat Analysts, Fraud Analysts, Malware Analysts, Network Analysts, Data Scientists Automated & Manual Ingestion – Automated & Manual Exporting APIs for SIEMs & Other 3rd-Party Tools (IDS/IPS Network Devices) Redaction Capability Crowd-Sourcing Visual Analysis Integration with Incident Response Tools

29 Join oasis to participate in cti tc
260+ Members & Observers 78 Companies & Organizations Borderless Cyber in New York

Download ppt "Briefing on STIX | TAXII"

Similar presentations

1© Copyright 2011 EMC Corporation. All rights reserved. The Future of the Advance Soc 3rd Annual Privacy, Access and Security Congress, Ottawa, 2012 Mike.

1© Copyright 2011 EMC Corporation. All rights reserved. The Future of the Advance Soc 3rd Annual Privacy, Access and Security Congress, Ottawa, 2012 Mike.
Identity & Security. Today's IT Security challenges Rising Internal Attacks 75% of companies report insiders responsible for breaches Growing headcount.

Identity & Security. Today's IT Security challenges Rising Internal Attacks 75% of companies report insiders responsible for breaches Growing headcount.
Report on Intrusion Detection and Data Fusion By Ganesh Godavari.

Report on Intrusion Detection and Data Fusion By Ganesh Godavari.
FI-WARE – Future Internet Core Platform FI-WARE Security July 2011 High-level Description.

FI-WARE – Future Internet Core Platform FI-WARE Security July 2011 High-level Description.
Threat Intelligence with Open Source tools Cornerstones of

Threat Intelligence with Open Source tools Cornerstones of
* The Role of Threat Intelligence and Layered Security for Intrusion Prevention in the Post-Target Breach Era Ted Gruenloh Director of Operations Sentinel.

* The Role of Threat Intelligence and Layered Security for Intrusion Prevention in the Post-Target Breach Era Ted Gruenloh Director of Operations Sentinel.
Incident Object Description and Exchange Format TF-CSIRT at TERENA IODEF Editorial Group Jimmy Arvidsson Andrew Cormack Yuri Demchenko Jan Meijer.

Incident Object Description and Exchange Format TF-CSIRT at TERENA IODEF Editorial Group Jimmy Arvidsson Andrew Cormack Yuri Demchenko Jan Meijer.
DEV 303 Visual Studio Whidbey Enterprise Tools: Source Control and Work Item Tracking Brian Harry Product Unit Manager Microsoft Visual Studio.

DEV 303 Visual Studio "Whidbey" Enterprise Tools: Source Control and Work Item Tracking Brian Harry Product Unit Manager Microsoft Visual Studio.
Report on Intrusion Detection and Data Fusion By Ganesh Godavari.

Report on Intrusion Detection and Data Fusion By Ganesh Godavari.
CTI STIX SC Monthly Meeting www.oasis-open.org August 19, 2015.

CTI STIX SC Monthly Meeting August 19, 2015.
Security Innovation & Startup. OPEN THREAT EXCHANGE (OTX): THE HISTORY AND FUTURE OF OPEN THREAT INTELLIGENCE COMMUNITY ALIENVAULT OTX.

Security Innovation & Startup. OPEN THREAT EXCHANGE (OTX): THE HISTORY AND FUTURE OF OPEN THREAT INTELLIGENCE COMMUNITY ALIENVAULT OTX.
1 / Name / Date IDA Interface for Distributed Automation The journey toward Distributed Intelligence.

1 / Name / Date IDA Interface for Distributed Automation The journey toward Distributed Intelligence.
User Profiling using Semantic Web Group members: Ashwin Somaiah Asha Stephen Charlie Sudharshan Reddy.

User Profiling using Semantic Web Group members: Ashwin Somaiah Asha Stephen Charlie Sudharshan Reddy.
TAXII SC Call 2015-10-13. Agenda Administrivia Month Behind Discussion Month Ahead.

TAXII SC Call Agenda Administrivia Month Behind Discussion Month Ahead.
CTI STIX SC Monthly Meeting www.oasis-open.org October 21, 2015.

CTI STIX SC Monthly Meeting October 21, 2015.
CTI CybOX SC Meeting www.oasis-open.org November 19, 2015.

CTI CybOX SC Meeting November 19, 2015.
CTI CybOX SC Meeting www.oasis-open.org August 27, 2015.

CTI CybOX SC Meeting August 27, 2015.
CTI STIX SC Status Report www.oasis-open.org October 22, 2015.

CTI STIX SC Status Report October 22, 2015.
© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited: 12-4167 The MITRE Corporation TAXII: An Overview.

© 2013 The MITRE Corporation. All rights reserved.Approved for Public Release; Distribution Unlimited: The MITRE Corporation TAXII: An Overview.
2© Copyright 2013 EMC Corporation. All rights reserved. Cyber Intelligence Fighting Cyber Crime Insert Event Date LEADERS EDGE.

2© Copyright 2013 EMC Corporation. All rights reserved. Cyber Intelligence Fighting Cyber Crime Insert Event Date LEADERS EDGE.

Similar presentations

Ads by Google