cti-users message



Subject: Re: [cti-users] Help me


Sotiris:

Do you have access to the most current STIX 2.0 Specification? There is some good normative text in that 5-part Spec that explains how top level objects (TLOs) are handled.  In the 2.0 Spec we are calling them STIX Data Objects (SDOs). Examples of SDOs are Indicator, Threat Actor, Course of Action and others. 

The data objects formerly known as CybOX are now being called cyber_observables and they are included as Parts 3 & 4 in the STIX 2.0 Spec. This answers the question of "WHAT" is being seen on the network and endpoints of victim infrastructure.  Also, we have a new Patterning language that is detailed in Part 5.    

If you do not have that link, let me know and I'll send it.

Also, in response to your final question, the ability to aggregate darknet artifacts would be very useful to this Community. Think of it in terms of how it could be used as a feed ingested into a Threat Intelligence Platform and correlated with other data from victim infrastructure for comparison; so look at the properties of the SDOs and the cyber_observables and build your data model from there.

Good luck!


Jane Ginn, MSIA, MRP
Cyber Threat Intelligence Network (CTIN)





On Thu, Jun 22, 2017 at 6:39 AM, Sotirios Raptis <sraptis@uom.edu.gr> wrote:

Hi, 


I am currently investigating (PhD student) using STIX and TAXII to facilitate sharing data from a wide range of Darknet (as honeypot).

One fact I find confusing is how one is expected to nest the different types of observables, indicators, incidents, etc.

I would like to create a “use case” or some desired action. Is it a big issue? Is the CTI community hoping for an analysis like this?


Any hints or guidance would be highly appreciated. 


regards, 

Sotiris

-- 

Σωτήριος Μ. Ράπτης
--
Sotirios M. Raptis
ICT Security Researcher
Member of Information Security Research Group (InfoSec) (http://infosec.uom.gr)
University of Macedonia (UOM), 156 Egnatia str, 54006 Thessaloniki, Greece
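As an added illustration of the reply above (example code, not from the thread or from the STIX project): the constructed honeypot lines below become a STIX 2.0 bundle in which an Observed Data object holds the cyber observables (Parts 3 and 4), an Indicator holds a Part 5 pattern, and a Sighting links the two, which is how the objects reference each other rather than nest. The log line format and the object names are assumptions.

```python
import uuid
from collections import defaultdict

# Constructed honeypot hits (not real data): timestamp, source IP, destination port, protocol.
HONEYPOT_LOG = """\
2017-06-20T10:15:32Z 203.0.113.5 22 ssh
2017-06-20T10:15:40Z 203.0.113.5 22 ssh
2017-06-20T11:02:07Z 198.51.100.77 23 telnet
"""

def parse_log(text):
    # Group hits by source address -> list of (timestamp, dst_port, protocol).
    hits = defaultdict(list)
    for line in text.splitlines():
        ts, src, port, proto = line.split()
        hits[src].append((ts, int(port), proto))
    return hits

def new_id(stix_type):
    return f"{stix_type}--{uuid.uuid4()}"

def build_bundle(log_text, created="2017-06-22T00:00:00.000Z"):
    objects = []
    for src, events in parse_log(log_text).items():
        first, last = events[0][0], events[-1][0]
        port, proto = events[0][1], events[0][2]
        # Observed Data answers "WHAT was seen": observables keyed by index, cross-linked by *_ref.
        observed = {"type": "observed-data", "id": new_id("observed-data"),
                    "created": created, "modified": created,
                    "first_observed": first, "last_observed": last,
                    "number_observed": len(events),
                    "objects": {"0": {"type": "ipv4-addr", "value": src},
                                "1": {"type": "network-traffic", "src_ref": "0",
                                      "dst_port": port, "protocols": ["tcp", proto]}}}
        # Indicator carries a Part 5 pattern that a TIP can match against its own traffic.
        indicator = {"type": "indicator", "id": new_id("indicator"),
                     "created": created, "modified": created,
                     "labels": ["malicious-activity"], "name": f"Darknet scanner {src}",
                     "pattern": f"[network-traffic:src_ref.value = '{src}' "
                                f"AND network-traffic:dst_port = {port}]",
                     "valid_from": first}
        # Sighting (an SRO) records that the indicator was seen, with the evidence attached.
        sighting = {"type": "sighting", "id": new_id("sighting"),
                    "created": created, "modified": created, "count": len(events),
                    "first_seen": first, "last_seen": last,
                    "sighting_of_ref": indicator["id"], "observed_data_refs": [observed["id"]]}
        objects += [observed, indicator, sighting]
    return {"type": "bundle", "id": new_id("bundle"), "spec_version": "2.0", "objects": objects}
```

`json.dumps(build_bundle(HONEYPOT_LOG), indent=2)` renders the bundle as it would be pushed to a TAXII collection.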


