Subject: Re: [cti-users] How does CybOX data is generated?
Great answers from Terry and Shawn so far.
Let me take a stab at answering your original question. Some of this will repeat what has been said already but hopefully add a little bit as well.
As Terry pointed out there are two sorts of observables in CybOX: observations (observable instances of things that were observed) and observable patterns (patterns of things that could be seen).
As a general rule, observable patterns are identified and abstracted from bodies of observations and can then be used for specifying Indicators to look for or as abstract characterization of things like attacker infrastructure, technologies targeted by attackers, etc. As Terry and Shawn point out this abstraction is often performed by humans but can be augmented by various technologies like anomaly detection, machine learning, etc.
I think the root of your question was more aligned to where do the actual observations come from. As the guys have said there are different sorts of observations that come from different places and are leveraged by different functions and people.
The first main division would be observations that come from incident response triggered by some event and observations that come from proactive “hunting” without any specific trigger required.
Within incident response most observations are going to come from a combination of historical logs, security tool alerts, digital forensic analysis (host, network, memory, etc.), malware analysis, and proactive querying and searching in response to other observations and interpretations discovered during the incident investigation. As you can imagine much of this could be machine generated with some human augmentation. The reality so far is that there are still few tools that output logs or alerts natively in CybOX. The digital forensic analysis space is being targeted by a related effort called the Digital Forensics Analysis eXpression (DFAX) which leverages CybOX for observations. The malware analysis space is being targeted by a related effort called the Malware Attribute Enumeration and Characterization (MAEC) which also leverages CybOX for observations. CybOX is still a young representation but is making progress across this space. Much of incident response is about collecting and looking at relevant evidence (observations) and interpreting what they mean in order to know where to look further and in order to determine what actually occurred. This interpretation and assertion of context for the observations is applied through various parts of STIX including the incident itself, TTPs, threat actors, campaigns, indicators, etc. The really relevant bits and pieces out of all these observations can then be abstracted and captured as patterns to be applied within STIX to capture various forms of context.
Within hunting most observations are going to come from proactive querying and searching of various observation sources in response to higher-level threat intelligence context (the sort of thing Shawn describes). Observations from hunting may come from different initiating events but are really mostly from the same sources and of the same forms as those collected as part of incident response.
I will try to avoid going too far down the rabbit hole and stop there.
Is that useful in helping to answer your question?
sean
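An added illustration (not code from the thread or from the CybOX/STIX projects) of the distinction Sean draws between observations (observable instances) and observable patterns abstracted from a body of them. The observations are constructed sample data, the pattern syntax is a simplified STIX 2 style string, and the "seen in at least N sources" rule is an assumed abstraction heuristic.

```python
import re
from collections import defaultdict

# Constructed sample observations (observable instances), each tagged with the
# incident or hunt in which it was seen. In practice these would come from logs,
# tool alerts, forensic or malware analysis, as described in the thread.
OBSERVATIONS = [
    {"source": "IR-2016-01", "type": "domain-name", "value": "update-check.example"},
    {"source": "IR-2016-01", "type": "ipv4-addr", "value": "198.51.100.7"},
    {"source": "IR-2016-01", "type": "ipv4-addr", "value": "10.0.0.5"},  # victim host, incident-specific
    {"source": "IR-2016-02", "type": "domain-name", "value": "update-check.example"},
    {"source": "IR-2016-02", "type": "ipv4-addr", "value": "198.51.100.7"},
    {"source": "IR-2016-02", "type": "ipv4-addr", "value": "10.0.0.9"},  # victim host, incident-specific
    {"source": "HUNT-07", "type": "domain-name", "value": "update-check.example"},
]


def abstract_pattern(observations, min_sources=2):
    """Abstract an observable pattern from observations: keep only the
    (type, value) pairs seen in at least `min_sources` distinct sources,
    which drops incident-specific noise such as internal victim addresses.
    Returns a STIX 2-style pattern string with terms joined by OR, or None."""
    seen_in = defaultdict(set)
    for ob in observations:
        seen_in[(ob["type"], ob["value"])].add(ob["source"])
    terms = [f"{t}:value = '{v}'" for (t, v), srcs in seen_in.items()
             if len(srcs) >= min_sources]
    return "[" + " OR ".join(terms) + "]" if terms else None


_TERM = re.compile(r"([\w-]+):value = '([^']*)'")


def matches(pattern, observation):
    """Evaluate an OR-joined pattern against one new observation instance."""
    return any(observation["type"] == t and observation["value"] == v
               for t, v in _TERM.findall(pattern))


if __name__ == "__main__":
    pattern = abstract_pattern(OBSERVATIONS)
    print(pattern)
    print(matches(pattern, {"source": "new", "type": "ipv4-addr", "value": "198.51.100.7"}))
```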
From: <cti-users@lists.oasis-open.org> on behalf of Shawn Riley <shawn.p.riley@gmail.com>
Date: Sunday, March 6, 2016 at 6:48 PM
To: alexander kipnis <alexander.kipnis85@gmail.com>
Cc: "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: Re: [cti-users] How does CybOX data is generated?
Alexander,
Prior to the late 1990s the analysis of cyber threats was mainly performed by analyzing internal security logs and sensor output. As Terry notes, this is more commonly associated with incident response today. After the discovery of advanced threat campaigns such as TITAN RAIN in the late 1990s things changed and you had teams that started focusing more on malware analysis and analysis of the infrastructure that supported the malware. Many of these teams didn't even look at internal logs or sensors but focused exclusively on the data sets attributed to the threat actors to produce analytic insights and intelligence. It really depends on the industry you are in as to what level of maturity the organization is in understanding the need to look at different types of data for full spectrum threat analysis. CYBOX and STIX were designed to support organizations at all levels of maturity, from those still doing things like it was the early 1990s as well as those using more advanced tradecraft and science.
Best,
Shawn
On Sun, Mar 6, 2016 at 4:43 PM, Terry MacDonald <terry@soltra.com> wrote: