Subject: Re: [cti-users] How does CybOX data is generated?


Alexander,

Prior to the late 1990s the analysis of cyber threats was mainly performed by analyzing internal security logs and sensor output. As Terry notes, this is more commonly associated with incident response today. After the discovery of advanced threat campaigns such as TITAN RAIN in the late 1990s things changed, and you had teams that started focusing more on malware analysis and analysis of the infrastructure that supported the malware. Many of these teams didn't even look at internal logs or sensors but focused exclusively on the data sets attributed to the threat actors to produce analytic insights and intelligence. It really depends on the industry you are in as to what level of maturity the organization is in understanding the need to look at different types of data for full spectrum threat analysis. CYBOX and STIX were designed to support organizations at all levels of maturity, from those still doing things like it was the early 1990s as well as those who are using more advanced tradecraft and science.

Best, 
Shawn

On Sun, Mar 6, 2016 at 4:43 PM, Terry MacDonald <terry@soltra.com> wrote:

Hi Alexander,

There are many different types of analysts :). What you are describing I would classify as more of an incident response role – specifically performing ‘hunting’ where they inspect logs looking for anomalies, and monitoring tools that are performing a ‘detection’ role (with the rules that you have been describing).

There are also nowadays threat analyst roles, which are designed to understand the threats that an organisation faces, and try to understand and research which threat actors are most likely trying to target the organisation, and to track them. Their purpose is to eliminate most of the unnecessary threat intelligence and distil it down to the small amount of threat intelligence that is most likely to affect the organisation. The incident response role then takes that reduced set of data and tries to find it within the org.

It’s a combination of the two functions that makes the overall process stronger. The Threat Analyst works out who we should be looking for, and the Incident Responder tries to find them.

Cheers

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA | An FS-ISAC and DTCC Company
+61 (407) 203 206 | terry@soltra.com


From: alexander kipnis [mailto:alexander.kipnis85@gmail.com]
Sent: Monday, 7 March 2016 8:20 AM
To: Terry MacDonald <terry@soltra.com>
Cc: cti-users@lists.oasis-open.org
Subject: Re: [cti-users] How does CybOX data is generated?

Hi,

Thanks for the detailed answer.

Correct me if I am wrong, but as far as I understand, the cyber analyst's work is going through logs of some detection systems and identifying abnormal behavior, then creating CybOX observables and generalizing them to STIX Indicators and so on?

Furthermore, does it mean that a cyber analyst crafts these observables by hand (or with some algorithms)?

I thought there are some rules like YARA that generate the observables, and the analysts try to identify patterns or generalize them to bigger threats.

Cheers,
Alexander


On Mon, Feb 29, 2016 at 12:14 AM, Terry MacDonald <terry@soltra.com> wrote:

Hi Alexander,

CybOX Objects are used within STIX and within another protocol called MAEC. STIX is all about sharing threat intel, so it uses CybOX objects to both describe what has happened as well as what you should be looking for. MAEC is more about describing what malware is doing, and uses CybOX objects to describe that.

CybOX objects are used in two different ways within STIX. As Observable Instances they record what happened in the past. As Observable Patterns they inform the recipient on what to look for in the future.

STIX Indicators use CybOX Observable Instance objects (and Observable Compositions) to describe the logic for things you should be looking for. At present a lot of this pattern development is done manually, and I expect that to happen for some time to come, at least until analysis systems become so smart that they can automatically cluster malicious traffic and software definitively into accurate groupings. Currently you really need an analyst in the loop to understand the malicious behaviour, then craft a pattern that describes it accurately.

Detection systems such as IDS will then use those patterns developed to detect and identify situations that require further investigation by incident response staff.

Development of new patterns by threat intelligence analysts, in my opinion, requires a hunting capability within your organization: http://detect-respond.blogspot.com.au/2015/10/a-simple-hunting-maturity-model.html. By looking at your logs and looking for anomalies one is able to identify badness, and after establishing the uniqueness that would allow detection of it, one can create a pattern to do exactly that.

Cheers

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA | An FS-ISAC and DTCC Company
+61 (407) 203 206 | terry@soltra.com


From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of alexander kipnis
Sent: Monday, 29 February 2016 8:55 AM
To: cti-users@lists.oasis-open.org
Subject: [cti-users] How does CybOX data is generated?

Hi,

I am new to the field.

I have read the whitepapers of STIX and CybOX, and I am currently trying to understand from what data cyber analysts craft the CybOX observables.

For example, do they have an IDS system or a phishing detection system from which they extract the observables and then create patterns?

It seems like a chicken-and-egg problem, when one of the main use cases of STIX and CybOX is to create patterns for observables.

Thanks,
Alexander Kipnis
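
An added example, not from this thread or from the CybOX/STIX projects, of the distinction Terry draws above between Observable Instances (what was seen) and Observable Patterns combined by an Observable Composition (what to look for): a small Python evaluator that checks whether a sighting satisfies an indicator. The object type names and property paths mirror CybOX naming, but the classes, the condition set and every sample value are constructed here.

```python
from dataclasses import dataclass
@dataclass
class Instance:            # Observable Instance: one thing that was actually seen
    object_type: str       # CybOX object type, e.g. "FileObjectType"
    properties: dict       # property path -> observed value
@dataclass
class Pattern:             # Observable Pattern leaf: what to look for
    object_type: str
    prop: str
    condition: str         # Equals, Contains, StartsWith or EndsWith
    value: str
@dataclass
class Composition:         # Observable Composition: AND/OR over patterns
    operator: str
    children: list

CONDITIONS = {
    "Equals": lambda seen, want: seen == want,
    "Contains": lambda seen, want: want in seen,
    "StartsWith": lambda seen, want: seen.startswith(want),
    "EndsWith": lambda seen, want: seen.endswith(want),
}

def leaf_matches(pattern, instance):
    """One instance matches a leaf if its type agrees and the property satisfies the condition."""
    if pattern.object_type != instance.object_type:
        return False
    seen = instance.properties.get(pattern.prop)
    return seen is not None and CONDITIONS[pattern.condition](seen, pattern.value)
def evaluate(node, instances):
    """True when a sighting (a set of instances) satisfies the pattern tree."""
    if isinstance(node, Composition):
        results = [evaluate(child, instances) for child in node.children]
        return all(results) if node.operator == "AND" else any(results)
    return any(leaf_matches(node, inst) for inst in instances)

# Constructed indicator: a file with a placeholder hash AND a .scr name, OR any
# domain in the reserved .invalid zone (placeholder values, not real indicators).
SAMPLE_INDICATOR = Composition("OR", [
    Composition("AND", [
        Pattern("FileObjectType", "Hashes/Hash/Simple_Hash_Value", "Equals", "0" * 32),
        Pattern("FileObjectType", "File_Name", "EndsWith", ".scr"),
    ]),
    Pattern("DomainNameObjectType", "Value", "EndsWith", ".invalid"),
])
# Two constructed sightings: the first satisfies the AND branch, the second neither.
SIGHTING_HIT = [Instance("FileObjectType", {"File_Name": "invoice.scr",
                         "Hashes/Hash/Simple_Hash_Value": "0" * 32})]
SIGHTING_MISS = [Instance("FileObjectType", {"File_Name": "invoice.pdf",
                          "Hashes/Hash/Simple_Hash_Value": "0" * 32}),
                 Instance("DomainNameObjectType", {"Value": "updates.example.com"})]
```

`evaluate(SAMPLE_INDICATOR, SIGHTING_HIT)` is True and `evaluate(SAMPLE_INDICATOR, SIGHTING_MISS)` is False; the second sighting shares the hash but fails the AND because no instance carries a .scr name.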
