Briefing on STIX | TAXII
Presented by: Jane Ginn, MSIA, MRP, Co-Founder, Cyber Threat Intelligence Network, Inc.; Secretary, Cyber Threat Intelligence Technical Committee (TC), OASIS
Briefing on STIX | TAXII Release Candidate 4, January 2017
A standard of the Organization for Advanced Structured Information Systems (OASIS)
Structured threat information exchange
Source: Struse, R. (2016). SANS Cyber Threat Intelligence Summit
Structured threat information exchange: STIX Ver 2.0
- STIX Version 2.0 Part 1: STIX Core Concepts
- STIX Version 2.0 Part 2: STIX Objects
- STIX Version 2.0 Part 3: Cyber Observable Core Concepts
- STIX Version 2.0 Part 4: Cyber Observable Objects
- STIX Version 2.0 Part 5: STIX Patterning
Design Goals (slide 1 of 2)
Clarity
- Easy to implement and understand
- One way to perform a use case where possible
- Simple things should be simple; simple is better than complex
- Avoid excessive nesting
- Well-understood definitions
- Consistent structures and names
- Explicit is better than implicit
Modularity
- Provide building blocks that can be reused elsewhere
- Ensure tight cohesion and low coupling of those building blocks
- Support customization in a consistent way
- Use semantic versioning
Design Goals (slide 2 of 2)
Pragmatism
- Concentrate on current problems, not theoretical ones
- Focus on the common problems, not the edge cases (the 80/20 rule)
- Work on improving the edge cases in subsequent releases
Analysis
- Enable sharing of higher-order analysis
- Make it easy to graph relationships
- Make it easy to track changes over time
STIX 2.0 Core concepts (slide 1 of 2)
- Graph-based Data Model: Nodes (SDOs) & Edges (SROs)
- Contains Cyber Observables: was CybOX
- Includes STIX Patterning: new in Ver. 2.0
- MTI JSON: not backward compatible
- Data Markings (Object & Granular): governs sharing restrictions
- Uses Open Vocabularies: eleven defined (-ov)
STIX 2.0 Core concepts (slide 2 of 2)
- Defines Producers & Consumers: MRTI & human consumers
- Timestamps: Zulu & millisecond precision
- Defined Kill Chain Phase Designations: can be producer defined
- Reserved Property Names: future versions
- Defines Versioning & Object Revocation: creator of object only
- Defines Common Relationships: extensible
STIX 2.0 architecture
STIX 2.0 Domain Objects (SDO)
- Attack Pattern
- Campaign
- Course of Action (stub)
- Identity
- Indicator
- Intrusion Set
- Malware (stub)
- Observed Data
- Report
- Threat Actor
- Tool
- Vulnerability
Example diagrams: Indicator SDO
Example spec language: Indicator SDO
Example diagrams: Threat Actor SDO
Example spec language: Threat Actor SDO
Threat Actor labels
STIX 2.0 Relationship Objects (SRO)
- Embedded relationships: created_by_ref, object_marking_refs
- Common relationship types: derived-from, duplicate-of, related-to
- Sightings: object type & ID, count
Specific Relationship Objects (SRO)
Source: STIX™ 2.0 Specification – rc4 Part 2
Cyber observables (slide 1 of 2)
- Artifact
- AS
- Directory
- Domain Name
- Email Address
- Email Message
- File: Archive File Extension, NTFS File Extension, PDF File Extension, Raster Image File Extension, Windows™ File Extension
- IPv4 Address
- IPv6 Address
- MAC Address
- Mutex
- Network Traffic: HTTP, ICMP, Network Socket, TCP
- Process
Cyber observables (slide 2 of 2)
- Software
- URL
- User Account
- Windows Registry Key
- X.509 Certificate
STIX Patterning: supports STIX patterns for Indicator sharing
- Expressed using Cyber Observables
- Enhances detection of malicious activity on endpoints & networks
- Abstraction layer capable of serializing proprietary correlation rules
- Expressed as Unicode, using an ANTLR grammar
- Based on key building blocks: Pattern Expression + Observation Expression + Comparison Expression, with Observation Operators + Qualifiers
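The following Python is an added example, not code from the briefing or from OASIS, and ties together the core-concept, SDO/SRO and patterning slides above: it builds a STIX 2.0 bundle by hand (an Identity producer, an Indicator whose pattern is a single comparison expression over a File observable, a Malware stub, and an SRO edge of type indicates) and then runs the consumer-side checks a TIP would want, namely id format, Zulu/millisecond timestamps, and that every embedded or SRO reference resolves inside the bundle. It uses only the Python 3 standard library; all object names, hashes and timestamps are constructed.

```python
import re
import uuid
from datetime import datetime, timezone

# STIX 2.0 ids are "<type>--<UUIDv4>"; timestamps are UTC ("Z") with millisecond precision.
ID_RE = re.compile(r"^[a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$")
SAMPLE_TIME = datetime(2017, 1, 15, 12, 30, 45, 123456, tzinfo=timezone.utc)  # constructed

def stix_timestamp(dt):
    """Serialize a datetime as STIX 2.0 requires: UTC, 'Z' suffix, exactly three fractional digits."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"

def stix_object(obj_type, created_by, ts, **props):
    """Common properties shared by every SDO and SRO, plus the type-specific ones passed in."""
    return {"type": obj_type, "id": f"{obj_type}--{uuid.uuid4()}", "created_by_ref": created_by,
            "created": ts, "modified": ts, **props}

def build_bundle(now=None):
    """Producer side: one Identity, an Indicator node, a Malware node and the SRO edge between them."""
    ts = stix_timestamp(now or datetime.now(timezone.utc))
    producer = {"type": "identity", "id": f"identity--{uuid.uuid4()}", "created": ts, "modified": ts,
                "name": "Example CTI producer (constructed)", "identity_class": "organization"}
    # The pattern is one observation expression holding one comparison over a File observable.
    indicator = stix_object("indicator", producer["id"], ts, labels=["malicious-activity"],
                            pattern="[file:hashes.'SHA-256' = '" + "ab" * 32 + "']", valid_from=ts)
    malware = stix_object("malware", producer["id"], ts, labels=["trojan"], name="Constructed sample")
    rel = stix_object("relationship", producer["id"], ts, relationship_type="indicates",
                      source_ref=indicator["id"], target_ref=malware["id"])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "spec_version": "2.0",
            "objects": [producer, indicator, malware, rel]}

def check_bundle(bundle):
    """Consumer side: flag malformed ids/timestamps and edges (embedded or SRO) that leave the bundle."""
    ids = {o["id"] for o in bundle["objects"]}
    errors = []
    for o in bundle["objects"]:
        if not ID_RE.match(o["id"]) or not o["id"].startswith(o["type"] + "--"):
            errors.append(f"bad id {o['id']}")
        for k in ("created", "modified"):
            if not TS_RE.match(o.get(k, "")):
                errors.append(f"{o['id']}: {k} is not Zulu/millisecond")
        for k, v in o.items():
            refs = v if k.endswith("_refs") else [v] if k.endswith("_ref") else []
            errors += [f"{o['id']}: dangling {k} -> {r}" for r in refs if r not in ids]
    return errors
```

Call build_bundle(SAMPLE_TIME) and pass the result to check_bundle to see an empty error list; corrupt a target_ref or drop the milliseconds from a timestamp to see the checks fire.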
STIX Patterning
Source: STIX™ 2.0 Specification – rc4 Part 5
STIX online resources
- OASIS CTI TC public website: open.org/committees/tc_home.php?wg_abbrev=cti
- GitHub site
- Cosive STIX Data Generator
- Open source TAXII server
TAXII Ver 2.0
Source: Jordan, B. & Davidson, M. (2016). STIX, TAXII, CISA: The impact of the US Cybersecurity Information Sharing Act of RSA Presentation.
TAXII Ver. 2.0 Roadmap
Source: Jordan, B. & Davidson, M. (2016). STIX, TAXII, CISA: The impact of the US Cybersecurity Information Sharing Act of RSA Presentation.
Candidate objects for STIX Ver 2.1
- Incident & Event
- Confidence
- Opinion
- Location
- Malware (flesh out)
- Course of Action (OpenC2)
- Infrastructure
- Internationalization
Science of security
Source: Riley, S. Science of Security: Developing Scientific Foundations for the Operational Cybersecurity Ecosystem. The Center for Strategic Cyberspace + Security Science
TIP design dictated by needs of end users
Source: Chismon, D. & Ruks, M. (2015). Threat Intelligence: Collecting, Analyzing, Evaluating
Threat intel platform (TIP) design
- Ease of process for on-boarding new users: threat analysts, fraud analysts, malware analysts, network analysts, data scientists
- Automated & manual ingestion; automated & manual exporting
- APIs for SIEMs & other 3rd-party tools (IDS/IPS, network devices)
- Redaction capability
- Crowd-sourcing
- Visual analysis
- Integration with incident response tools
Join OASIS to participate in the CTI TC
- 260+ members & observers
- 78 companies & organizations
- Borderless Cyber in New York