Presentation is loading. Please wait.

Presentation is loading. Please wait.

Sightings and Observations

Published byOddvar Noah Berntsen Modified over 5 years ago

Similar presentations

Presentation on theme: "Sightings and Observations"— Presentation transcript:

1 Sightings and Observations

2 Use Cases UC1: Basic Sighting, +1: no count, times, CybOX
I’ve seen this indicator UC2: Sighting w/ count I saw this indicator 154 times UC3: Sighting w/ what was seen I saw this indicator [154 times], and here’s the network capture from it UC4: Observation for some other use case (e.g. artifacts captured during IR, logs triggered by analytics or heuristics) I saw this network capture

3 Definitions Observation: The fact that something in cyber was seen
Network traffic, File, etc. was observed Sighting: A cyber threat object was sighted Indicator, Malware, Tool, etc. was sighted, potentially X number of times Observation + Sighting: Indicator, Malware, Tool, etc. was sighted in the given cyber observations

4 Option 1: Current Approach
UC1: +1 UC2: Sighting Counts UC3: Sighting Counts+CybOX UC4: Observation Indicator Indicator Indicator Observation Count = 154 Start = … End = … CybOX = {} sighting_of_ref sighting_of_ref sighting_of_ref Sighting Sighting Sighting observation_ref observation_ref Observation Count = 154 Start = … End = … Observation Count = 154 Start = … End = … CybOX = {}

5 Opt 2: Count on Sightings (required fields)
UC1: +1 UC2: Sighting Counts UC3: Sighting Counts+CybOX UC4: Observation Indicator Indicator Indicator Observation Count = 154 Start = … End = … CybOX = {} sighting_of_ref sighting_of_ref sighting_of_ref Sighting Count = 154 Start = … End = … Sighting Sighting Count = 154 Start = … End = … observation_ref Observation Count = 154 Start = … End = … CybOX = {}

6 Opt 2: Count on Sightings (optional fields)
UC1: +1 UC2: Sighting Counts UC3: Sighting Counts+CybOX UC4: Observation Indicator Indicator Indicator Observation Count = 154 Start = … End = … CybOX = {} sighting_of_ref sighting_of_ref sighting_of_ref Sighting Sighting Sighting Count = 154 Start = … End = … observation_ref Observation Count = 154 Start = … End = … CybOX = {}

7 Opt 2: Count on Sightings (optional fields)
UC1: +1 UC2: Sighting Counts UC3: Sighting Counts+CybOX UC4: Observation Indicator Indicator Indicator Observation Count = 154 Start = … End = … CybOX = {} sighting_of_ref sighting_of_ref sighting_of_ref Sighting Count = 154 Start = … End = … Sighting Sighting Count = 154 Start = … End = … observation_ref Observation CybOX = {}

8 Option 3: Merge Sighting and Observation
UC1: +1 UC2: Sighting Counts UC3: Sighting Counts+CybOX UC4: Observation Indicator Indicator Indicator Sighting Count = 154 Start = … End = … CybOX = {} sighting_of_ref sighting_of_ref sighting_of_ref Sighting Count = 154 Start = … End = … CybOX = {} Sighting Sighting Count = 154 Start = … End = …

9 Opt 4: Count on Sighting, not Observation
UC1: +1 UC2: Sighting Counts UC3: Sighting Counts+CybOX UC4: Observation Not possible, requires multiple observations Indicator Indicator Indicator sighting_of_ref sighting_of_ref sighting_of_ref Sighting Count = 154 Start = … End = … Sighting Sighting Count = 154 Start = … End = … observation_ref Observation Start = … End = … CybOX = {}

10 Decisions Is it important that CybOX be required on an Observation?
Are there any use cases other than sightings where you need to report an observation without a count? Is it important to be able to have a count on Observation? Are there use cases other than sightings where you need a count on Observations? Can we come up with coherent semantics if count is on both Sighting and Observation?

Download ppt "Sightings and Observations"

Similar presentations

EFI Analytics - TunerStudio MegaMeet 2009 Phil Tobin April 20, 2008.

EFI Analytics - TunerStudio MegaMeet 2009 Phil Tobin April 20, 2008.
Being Proactive and Less Reactive in Security Operations and Cyber Attack Response Christina Raftery, MCSE, CISSP FBI Los Angeles Field Office.

Being Proactive and Less Reactive in Security Operations and Cyber Attack Response Christina Raftery, MCSE, CISSP FBI Los Angeles Field Office.
Advanced Web Metrics with Google Analytics By: Carley Brown.

Advanced Web Metrics with Google Analytics By: Carley Brown.
9 x9 81 4/12/2015 Know Your Facts!. 9 x2 18 4/12/2015 Know Your Facts!

9 x9 81 4/12/2015 Know Your Facts!. 9 x2 18 4/12/2015 Know Your Facts!
Test practice Multiplication. Multiplication 9x2.

Test practice Multiplication. Multiplication 9x2.
1 x0 0 4/15/2015 Know Your Facts!. 9 x1 9 4/15/2015 Know Your Facts!

1 x0 0 4/15/2015 Know Your Facts!. 9 x1 9 4/15/2015 Know Your Facts!
1 x0 0 4/16/2015 Know Your Facts!. 1 x8 8 4/16/2015 Know Your Facts!

1 x0 0 4/16/2015 Know Your Facts!. 1 x8 8 4/16/2015 Know Your Facts!
3 x0 0 7/18/2015 Know Your Facts!. 4 x3 12 7/18/2015 Know Your Facts!

3 x0 0 7/18/2015 Know Your Facts!. 4 x3 12 7/18/2015 Know Your Facts!
The Most Analytical and Comprehensive Defense Network in a Box.

The Most Analytical and Comprehensive Defense Network in a Box.
Web Metrics October 26, 2006 Steven Schwartz President, PowerWebResults.com Southeastern Massachusetts E-Commerce Network University of Massachusetts –

Web Metrics October 26, 2006 Steven Schwartz President, PowerWebResults.com Southeastern Massachusetts E-Commerce Network University of Massachusetts –
Correlations, Alarms and Policies

Correlations, Alarms and Policies
CENTER FOR NONPROFIT EXCELLENCE EVALUATION WORKSHOP SERIES Session IV: Analyzing and Reporting Your Data Presenters: Patty Emord.

CENTER FOR NONPROFIT EXCELLENCE EVALUATION WORKSHOP SERIES Session IV: Analyzing and Reporting Your Data Presenters: Patty Emord.
EXCEL TIPS. Moving around the spreadsheet quickly Home key: moves the active cell highlight to column A without changing rows. Ctrl + Home keys: moves.

EXCEL TIPS. Moving around the spreadsheet quickly Home key: moves the active cell highlight to column A without changing rows. Ctrl + Home keys: moves.
Multiplication Facts. 1 x3 3 Think Fast… 2 x4 8.

Multiplication Facts. 1 x3 3 Think Fast… 2 x4 8.
4 x1 4 10/18/2015 Know Your Facts!. 5 x5 25 10/18/2015 Know Your Facts!

4 x1 4 10/18/2015 Know Your Facts!. 5 x /18/2015 Know Your Facts!
3 x0 0 10/18/2015 Know Your Facts!. 11 x7 77 10/18/2015 Know Your Facts!

3 x0 0 10/18/2015 Know Your Facts!. 11 x /18/2015 Know Your Facts!
Path Analysis. Remember What Multiple Regression Tells Us How each individual IV is related to the DV The total amount of variance explained in a DV Multiple.

Path Analysis. Remember What Multiple Regression Tells Us How each individual IV is related to the DV The total amount of variance explained in a DV Multiple.
MapReduce Kristof Bamps Wouter Deroey. Outline Problem overview MapReduce o overview o implementation o refinements o conclusion.

MapReduce Kristof Bamps Wouter Deroey. Outline Problem overview MapReduce o overview o implementation o refinements o conclusion.
Selected Responses How deep does the question dig?????

Selected Responses How deep does the question dig?????
Multiplication Facts. 1. 5 X 3 = 2. 8 x 4 = 3. 7 x 2 =

Multiplication Facts X 3 = 2. 8 x 4 = 3. 7 x 2 =

Similar presentations

Ads by Google