cti-users message



Subject: RE: [cti-users] How does CybOX data is generated?


Hi Alexander,

 

There are many different types of analysts :). What you are describing I would classify as more of an incident response role – specifically performing ‘hunting’ where they inspect logs looking for anomalies, and monitoring tools that are performing a ‘detection’ role (with the rules that you have been describing).

 

There are also nowadays threat analyst roles, which are designed to understand the threats that an organisation faces, and try to understand and research which threat actors are most likely trying to target the organisation, and to track them. Their purpose is to eliminate most of the unnecessary threat intelligence and distil it down to the small amount of threat intelligence that is most likely to affect the organisation. The incident response role then takes that reduced set of data and tries to find it within the org.

 

It’s a combination of the two functions that makes the overall process stronger. The Threat Analyst works out who we should be looking for, and the Incident Responder tries to find them.

 

Cheers

 

Terry MacDonald

Senior STIX Subject Matter Expert

SOLTRA | An FS-ISAC and DTCC Company

+61 (407) 203 206 | terry@soltra.com

 

 

From: alexander kipnis [mailto:alexander.kipnis85@gmail.com]
Sent: Monday, 7 March 2016 8:20 AM
To: Terry MacDonald <terry@soltra.com>
Cc: cti-users@lists.oasis-open.org
Subject: Re: [cti-users] How does CybOX data is generated?

 

Hi,

 

Thanks for the detailed answer.

 

Correct me if I am wrong, but as far as I understand the cyber analyst's work is going through logs of some detection systems and identifying abnormal behavior, then creating CybOX observables and generalizing them to a STIX Indicator and so on?

 

Furthermore, does it mean that the cyber analyst crafts these observables by hand (or with some algorithms)?

 

I thought there were some rules like YARA that generate the observables, and the analysts try to identify patterns or generalize them to bigger threats.

 

Cheers, 

Alexander

 

 

 

On Mon, Feb 29, 2016 at 12:14 AM, Terry MacDonald <terry@soltra.com> wrote:

Hi Alexander,

 

CybOX Objects are used within STIX and within another protocol called MAEC. STIX is all about sharing threat intel, so it uses CybOX objects to both describe what has happened as well as what you should be looking for. MAEC is more about describing what malware is doing, and uses CybOX objects to describe that.

 

CybOX objects are used in two different ways within STIX. As Observable Instances they record what happened in the past. As Observable Patterns they inform the recipient on what to look for in the future.

 

STIX Indicators use CybOX Observable Instance objects (and Observable Compositions) to describe the logic for things you should be looking for. At present a lot of this pattern development is done manually, and I expect that to happen for some time to come, at least until analysis systems become so smart that they can automatically cluster malicious traffic and software definitively into accurate groupings. Currently you really need an analyst in the loop to understand the malicious behaviour, then craft a pattern that describes it accurately.

 

Detection systems such as IDS will then use those patterns developed to detect and identify situations that require further investigation by incident response staff.

 

Development of new patterns by threat intelligence analysts, in my opinion, requires a hunting capability within your organization: http://detect-respond.blogspot.com.au/2015/10/a-simple-hunting-maturity-model.html. By looking at your logs and looking for anomalies one is able to identify badness, and after establishing the uniqueness that would allow detection of it, one can create a pattern to do exactly that.

 

Cheers

 

Terry MacDonald

Senior STIX Subject Matter Expert

SOLTRA | An FS-ISAC and DTCC Company

+61 (407) 203 206 | terry@soltra.com
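The instance-versus-pattern distinction and the log-hunting workflow described in the message above, as an added example that is not part of the thread: Observable Instances are built from constructed proxy log lines, an analyst generalizes one of them into a pattern, and a detection step evaluates that pattern over the rest. The property conditions are a hand-rolled subset of the CybOX 2.x `@condition` values; no STIX or CybOX library is used, and the domains and addresses are made up.

```python
import re

# Subset of the CybOX 2.x property @condition values a pattern may carry.
CONDITIONS = {
    "Equals": lambda seen, want: seen == want,
    "Contains": lambda seen, want: want in seen,
    "StartsWith": lambda seen, want: seen.startswith(want),
    "EndsWith": lambda seen, want: seen.endswith(want),
}

def pattern_matches(pattern, instance):
    """Evaluate an Observable Pattern (object type + conditioned properties)
    against an Observable Instance (object type + observed properties)."""
    if pattern["type"] != instance["type"]:
        return False
    for name, (cond, want) in pattern["properties"].items():
        seen = instance["properties"].get(name)
        if seen is None or not CONDITIONS[cond](seen, want):
            return False
    return True

# Constructed proxy log lines: the raw material the analyst hunts through.
PROXY_LOG = """\
2016-02-28T10:01:02Z 10.0.0.5 GET http://cdn.example.org/jquery.js 200
2016-02-28T10:01:09Z 10.0.0.5 GET http://c2-update.evil-example.net/gate.php 200
2016-02-28T10:02:41Z 10.0.0.7 GET http://mail.example.org/inbox 200
2016-02-28T10:03:15Z 10.0.0.9 GET http://c2-update.evil-example.net/gate.php 200
2016-02-28T10:04:00Z 10.0.0.11 GET http://update2.evil-example.net/gate.php 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) GET https?://([^/\s]+)")

def instances_from_log(log):
    """Observable Instances: one DomainName object per request, as observed."""
    out = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append({"type": "DomainName", "src": m.group(2),
                        "properties": {"Value": m.group(3)}})
    return out

def generalize(instance, condition, value):
    """Analyst step: turn one observed instance into a pattern with a condition."""
    props = {name: (condition, value) for name in instance["properties"]}
    return {"type": instance["type"], "properties": props}

def detect(pattern, instances):
    """Detection-system step: return the sources whose observations match."""
    return sorted({i["src"] for i in instances if pattern_matches(pattern, i)})
```

An `Equals` pattern only catches the exact value that was seen, while an `EndsWith` pattern on the domain suffix also catches the sibling host, which is the generalization step the analyst has to judge.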

 

 

From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of alexander kipnis
Sent: Monday, 29 February 2016 8:55 AM
To: cti-users@lists.oasis-open.org
Subject: [cti-users] How does CybOX data is generated?

 

Hi,

 

I am new to the field.

 

I have read the whitepapers of STIX and CybOX, and I am currently trying to understand from what data cyber analysts craft the CybOX observables.

 

For example, do they have an IDS system or a phishing detection system from which they extract the observables and then create patterns?

 

It seems like a chicken and egg problem, when one of the main use cases of STIX and CybOX is to create patterns for observables.

 

Thanks,

Alexander Kipnis

 
