

Subject: Re: [cti-stix] Observed Data


For the capture of cyber observable properties, why not just embed an Observable Objects dictionary in each SDO as needed? That way you can capture whatever Cyber Observable Objects are pertinent to the SDO (e.g., IPv4 addresses) without having to redefine their properties in multiple places, which is essentially what this approach is advocating.

 

Regards,

Ivan

 

From: <cti-stix@lists.oasis-open.org> on behalf of "Bret Jordan (CS)" <Bret_Jordan@symantec.com>
Date: Tuesday, October 25, 2016 at 1:14 PM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: [cti-stix] Observed Data

 

All,

 

I spoke with John Wunder about how and when to embed Cyber Observable (formerly CybOX) properties directly on an SDO and when you would use Observed Data via a relationship.  We were talking about this in context with the upcoming Infrastructure SDO.  The rules we came up with, that we would like your feedback on, are listed below.  It is important that we understand these rules now, so as to not cause a breaking change with Observed Data later on.  So yes, we are talking about an SDO that will not be in the next CSD release, but it is important to understand how it will work and this is the best way to illustrate the usages.

 

Notes about using Observed Data with things like Infrastructure or Malware.  

1.    The Infrastructure or Malware object will have Cyber Observable properties directly on them. These fields will allow you to capture the data that characterises these objects.    

2.    So say that an Infrastructure is known to exist in S. Korea and it is using Linux based Web Cameras as a delivery point for C-n-C.  These IP addresses and the Make/Model of the Web Cams would all be on the Infrastructure Object itself.

3.    You may need to revision the Infrastructure object multiple times as you find or discover more things.  In this case, some fields on the Infrastructure object may need to be an array to allow for, say, thousands of IP addresses.

4.    The way Observed Data fits in is when you do a Sighting, when you want to say you saw an instance of these things.

  1. You may not want to capture all of the technical details on the object if you feel they’re too transitory, i.e. if a C2 network has a dynamic domain generation algorithm, capturing all of the actual domains it uses is probably not useful.  You would instead (probably in text for now) just capture the algorithm itself.

 

An open question would be how to track things used as part of an infrastructure over time.  Meaning, if a threat actor moved from IoT Camera X to IoT DoorBell Y 3 weeks later, how would you record this?

 

Bret
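The two modelling options in this thread (an Observable Objects dictionary embedded on the SDO itself, as Ivan suggests, versus Observed Data linked through a Sighting, as in Bret's rules 1-4), as an added Python example that is not part of the thread, the STIX specification or any STIX library. It uses STIX 2.0-style property names for Observed Data and Sighting; the Infrastructure SDO did not exist in the CSD being discussed, so its shape, together with every ID, address, hostname and timestamp below, is a constructed assumption. The `check_objects` function is the check a consumer would want on either option: that every `_ref`/`_refs` inside an objects dictionary resolves to a key of that same dictionary. The `timeline` function shows one way to handle Bret's open question without revising the Infrastructure object: the move from Camera X to DoorBell Y falls out of the Sightings' `first_seen`/`last_seen`.

```python
# Added example (not code from the thread, the STIX spec, or any STIX library):
# the two modelling options under discussion, built as STIX 2.0-style JSON dicts.
# The Infrastructure SDO did not exist in the CSD being discussed, so its shape,
# plus every ID, address and timestamp below, is a constructed assumption.
import json
from datetime import datetime, timezone


def ts(year, month, day, hour=0, minute=0):
    """STIX-style UTC timestamp with millisecond precision."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc).strftime(
        "%Y-%m-%dT%H:%M:%S.000Z")


def check_objects(objects):
    """Integrity checks for an Observable Objects dictionary. Returns a list of
    problems (empty when consistent): keys are strings, each object has a 'type',
    and every *_ref / *_refs property points at a key of the same dictionary."""
    problems = []
    for key, obj in objects.items():
        if not isinstance(key, str):
            problems.append(f"key {key!r} is not a string")
        if "type" not in obj:
            problems.append(f"object {key!r} has no type")
        for prop, val in obj.items():
            if prop.endswith("_refs"):
                targets = val
            elif prop.endswith("_ref"):
                targets = [val]
            else:
                continue
            for target in targets:
                if target not in objects:
                    problems.append(f"{key}.{prop} -> {target!r} is not in the dictionary")
    return problems


def observed_data(obj_id, objects, first, last, number_observed=1):
    """Observed Data SDO: a transient observation with observables in 'objects'."""
    problems = check_objects(objects)
    if problems:
        raise ValueError("; ".join(problems))
    return {"type": "observed-data", "id": obj_id, "created": first, "modified": first,
            "first_observed": first, "last_observed": last,
            "number_observed": number_observed, "objects": objects}


def sighting(obj_id, sighting_of_ref, observed_data_refs, first_seen, last_seen, count):
    """Sighting SRO linking an SDO to the Observed Data that evidences it."""
    return {"type": "sighting", "id": obj_id, "created": first_seen, "modified": first_seen,
            "sighting_of_ref": sighting_of_ref, "observed_data_refs": observed_data_refs,
            "first_seen": first_seen, "last_seen": last_seen, "count": count}


def infrastructure(obj_id, name, objects):
    """Hypothetical Infrastructure SDO carrying an embedded Observable Objects
    dictionary, i.e. the 'observables directly on the SDO' option."""
    problems = check_objects(objects)
    if problems:
        raise ValueError("; ".join(problems))
    return {"type": "infrastructure", "id": obj_id, "name": name, "objects": objects}


def timeline(infra_id, sightings, observed):
    """Everything seen for one infrastructure, in time order. Each row is
    (first_seen, last_seen, observable type, value-or-name), derived purely from
    Sightings, so the Infrastructure object itself never needs a new revision."""
    by_id = {od["id"]: od for od in observed}
    rows = []
    for s in sightings:
        if s["sighting_of_ref"] != infra_id:
            continue
        for ref in s["observed_data_refs"]:
            for obj in by_id[ref]["objects"].values():
                rows.append((s["first_seen"], s["last_seen"], obj["type"],
                             obj.get("value", obj.get("name"))))
    return sorted(rows)


# Constructed sample data: made-up UUIDs, documentation-range addresses.
INFRA_ID = "infrastructure--1c2f6c56-2c4f-4d0d-9d0a-6a3c2e4b8f01"
CAMERA = {"0": {"type": "ipv4-addr", "value": "203.0.113.10"},
          "1": {"type": "domain-name", "value": "cam-x.example", "resolves_to_refs": ["0"]},
          "2": {"type": "software", "name": "Camera X firmware"}}
DOORBELL = {"0": {"type": "ipv4-addr", "value": "203.0.113.77"},
            "1": {"type": "software", "name": "DoorBell Y firmware"}}

OBSERVED = [
    observed_data("observed-data--a9c0e4a1-3f0b-4c62-8fd2-d9a6a2b1e001", CAMERA,
                  ts(2016, 10, 1), ts(2016, 10, 7), number_observed=12),
    observed_data("observed-data--a9c0e4a1-3f0b-4c62-8fd2-d9a6a2b1e002", DOORBELL,
                  ts(2016, 10, 22), ts(2016, 10, 25), number_observed=3),
]
SIGHTINGS = [
    sighting("sighting--b4d1f2e3-1111-4e2a-9c3d-0f1e2d3c4b01", INFRA_ID, [OBSERVED[0]["id"]],
             ts(2016, 10, 1), ts(2016, 10, 7), 12),
    sighting("sighting--b4d1f2e3-1111-4e2a-9c3d-0f1e2d3c4b02", INFRA_ID, [OBSERVED[1]["id"]],
             ts(2016, 10, 22), ts(2016, 10, 25), 3),
]

if __name__ == "__main__":
    print(json.dumps(infrastructure(INFRA_ID, "S. Korea web-camera C2", CAMERA), indent=2))
    for row in timeline(INFRA_ID, SIGHTINGS, OBSERVED):
        print(*row)
```

Running it prints the embedded-dictionary form of the Infrastructure object, then five timeline rows: the camera's address, hostname and firmware for the first week of October, followed by the doorbell's address and firmware three weeks later. Both constructors reject a dictionary whose `resolves_to_refs` points at a key that is not present, which is the failure mode that multiplies when the same observable properties are redefined in several places.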

 

 


