CTI STIX Subcommittee

  • 1.  Deconstruction of Cybox observables from STIX reports

    Posted 10-29-2015 19:53
    Hi,

    I brought this up during the Cybox call today and taking it offline for further discussion. To recap, we are looking into deconstructing Cybox observables from STIX IOCs for distribution to disparate systems that can deal with them and then at a later point in time, re-construct them back thereby enriching the original IOC. Instead of re-inventing the wheel on this, I was wondering if there is a tool out there that can handle comprehensive use cases. Would love to hear the approach and challenges faced in this process by folks who do this currently.

    Thanks,
    Jyoti


  • 2.  RE: Deconstruction of Cybox observables from STIX reports

    Posted 10-29-2015 20:58
    Hi Jyoti,

    If I am reading you correctly you are wanting to take a STIX feed and pull out the CybOX objects, then send those to the security tools you have in order to monitor for those Observables? And then when you get a Sighting, send the updated information back into STIX?

    Is that right?

    Are you feeding this into a ‘STIX database’ at any stage for long term storage?

    Cheers

    Terry MacDonald
    Senior STIX Subject Matter Expert
    SOLTRA | An FS-ISAC and DTCC Company
    +61 (407) 203 206
    terry@soltra.com


  • 3.  Re: Deconstruction of Cybox observables from STIX reports

    Posted 10-29-2015 21:03
    Hi Terry,

    That’s right. And yes there will be a database to store the STIX indicators.

    Thanks,
    Jyoti


  • 4.  RE: Deconstruction of Cybox observables from STIX reports

    Posted 10-29-2015 21:25
    Can you wait until STIX v2.0 ? :D

    At present you would import the data into a STIX compatible data system, would create a feed for each of your tools you need, and would then connect them to your tools. This part is available in a few different tools, Soltra and EclecticIQ come to mind.

    If the integration/adapter supports it, you could have alerting from your security tool pulled into the STIX compatible data system, which hopefully will recognize the IP address and will create a Sighting under the Indicator object ( http://stixproject.github.io/data-model/1.2/indicator/SightingType/ ). TBH I’m not actually sure which adapters in which products support ingesting Sightings at present. I believe most are one way – outbound – although very happy to be told otherwise!

    In STIX v2.0 as you’ve seen we are discussing making the Sightings object a top-level object, and as such I expect there will be a lot more use of that ‘feedback loop’. I know I really want to see it as it’s a key part of automating our security tools and getting to that cherished HMM Level 4 ( http://detect-respond.blogspot.com.au/2015/10/a-simple-hunting-maturity-model.html ).

    Cheers

    Terry MacDonald
    Senior STIX Subject Matter Expert
    SOLTRA | An FS-ISAC and DTCC Company
    +61 (407) 203 206
    terry@soltra.com
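    The round trip Terry sketches above (pull the CybOX objects out of a STIX feed, hand them to the tools that can act on them, then fold a tool's alert back in as a Sighting under the originating Indicator), as an added example that is not part of this thread and is not code from Soltra, EclecticIQ or any other product mentioned in it. It works directly on STIX 1.2 XML with the Python standard library, using the Indicator/Sightings/Sighting structure from the SightingType page linked above. The sample package, the tool events and the kind-to-tool routing table are constructed for the example (addresses come from the TEST-NET-3 range), and it handles only Address and Domain Name objects; indicators built from Observable_Composition are deliberately skipped.

```python
"""Deconstruct CybOX observables from a STIX 1.2 package, fan them out as
per-tool feeds, and fold tool hits back in as Indicator Sightings."""
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"stix": "http://stix.mitre.org/stix-1",
      "stixCommon": "http://stix.mitre.org/common-1",
      "indicator": "http://stix.mitre.org/Indicator-2",
      "cybox": "http://cybox.mitre.org/cybox-2",
      "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
      "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
for _prefix, _uri in NS.items():       # keep the conventional prefixes on output
    ET.register_namespace(_prefix, _uri)

# Constructed sample package: ids and values are made up, 203.0.113.0/24 is TEST-NET-3.
SAMPLE_STIX = """<stix:STIX_Package id="example:package-1" version="1.2"
  xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2"
  xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <stix:Indicators>
  <stix:Indicator id="example:indicator-0001" xsi:type="indicator:IndicatorType">
   <indicator:Title>C2 beacon destination</indicator:Title>
   <indicator:Observable id="example:observable-0001"><cybox:Object id="example:object-0001">
    <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
     <AddressObj:Address_Value condition="Equals">203.0.113.10</AddressObj:Address_Value>
    </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
  <stix:Indicator id="example:indicator-0002" xsi:type="indicator:IndicatorType">
   <indicator:Title>C2 domain</indicator:Title>
   <indicator:Observable id="example:observable-0002"><cybox:Object id="example:object-0002">
    <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType" type="FQDN">
     <DomainNameObj:Value condition="Equals">c2.example.test</DomainNameObj:Value>
    </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
 </stix:Indicators>
</stix:STIX_Package>"""

# Constructed tool events (a firewall log and a DNS RPZ log); the second matches nothing.
SAMPLE_EVENTS = [
    {"tool": "firewall", "kind": "ipv4-addr", "value": "203.0.113.10", "timestamp": "2015-10-30T06:12:00Z"},
    {"tool": "dns-rpz", "kind": "domain-name", "value": "benign.example", "timestamp": "2015-10-30T06:13:00Z"},
    {"tool": "dns-rpz", "kind": "domain-name", "value": "c2.example.test", "timestamp": "2015-10-30T06:14:00Z"},
    {"tool": "firewall", "kind": "ipv4-addr", "value": "203.0.113.10", "timestamp": "2015-10-30T07:01:00Z"},
]
TOOL_FOR_KIND = {"ipv4-addr": "firewall", "domain-name": "dns-rpz"}  # assumed routing table


def extract_observables(stix_xml):
    """Deconstruct: flatten each Indicator into (kind, value) atoms that remember
    their owning indicator id, so a hit can be routed back later."""
    root = ET.fromstring(stix_xml)
    atoms = []
    for ind in root.findall("stix:Indicators/stix:Indicator", NS):
        for obs in ind.findall("indicator:Observable", NS):
            props = obs.find("cybox:Object/cybox:Properties", NS)
            if props is None:            # e.g. Observable_Composition: not handled here
                continue
            xsi_type = props.get(XSI_TYPE, "")
            if xsi_type.endswith("AddressObjectType"):
                kind = props.get("category", "ipv4-addr")
                value = props.findtext("AddressObj:Address_Value", namespaces=NS)
            elif xsi_type.endswith("DomainNameObjectType"):
                kind = "domain-name"
                value = props.findtext("DomainNameObj:Value", namespaces=NS)
            else:
                continue                 # object types this example does not understand
            atoms.append({"indicator_id": ind.get("id"), "observable_id": obs.get("id"),
                          "kind": kind, "value": value.strip()})
    return atoms


def build_feeds(atoms):
    """Distribute: one sorted, de-duplicated value list per consuming tool."""
    feeds = defaultdict(set)
    for a in atoms:
        tool = TOOL_FOR_KIND.get(a["kind"])
        if tool:
            feeds[tool].add(a["value"])
    return {tool: sorted(values) for tool, values in feeds.items()}


def match_events(atoms, events):
    """Correlate tool events against the atoms; each hit carries the indicator id."""
    index = {(a["kind"], a["value"]): a for a in atoms}
    hits = []
    for ev in events:
        atom = index.get((ev["kind"], ev["value"]))
        if atom:
            hits.append({"indicator_id": atom["indicator_id"], "tool": ev["tool"],
                         "value": ev["value"], "timestamp": ev["timestamp"]})
    return hits


def add_sightings(stix_xml, hits):
    """Reconstruct: append one indicator:Sighting per hit under the owning Indicator,
    naming the reporting tool as the Sighting Source, and keep sightings_count current."""
    root = ET.fromstring(stix_xml)
    by_id = {ind.get("id"): ind for ind in root.findall("stix:Indicators/stix:Indicator", NS)}
    ind_ns, common_ns = NS["indicator"], NS["stixCommon"]
    for h in hits:
        ind = by_id.get(h["indicator_id"])
        if ind is None:
            continue
        sightings = ind.find("indicator:Sightings", NS)
        if sightings is None:            # appended last: valid only because nothing follows Observable here
            sightings = ET.SubElement(ind, f"{{{ind_ns}}}Sightings")
        s = ET.SubElement(sightings, f"{{{ind_ns}}}Sighting",
                          timestamp=h["timestamp"], timestamp_precision="second")
        identity = ET.SubElement(ET.SubElement(s, f"{{{ind_ns}}}Source"), f"{{{common_ns}}}Identity")
        ET.SubElement(identity, f"{{{common_ns}}}Name").text = h["tool"]
        ET.SubElement(s, f"{{{ind_ns}}}Description").text = f"{h['tool']} observed {h['value']}"
        sightings.set("sightings_count", str(len(sightings)))
    return ET.tostring(root, encoding="unicode")


def count_sightings(stix_xml, indicator_id):
    root = ET.fromstring(stix_xml)
    for ind in root.findall("stix:Indicators/stix:Indicator", NS):
        if ind.get("id") == indicator_id:
            return len(ind.findall("indicator:Sightings/indicator:Sighting", NS))
    return 0


if __name__ == "__main__":
    atoms = extract_observables(SAMPLE_STIX)
    print(build_feeds(atoms))
    enriched = add_sightings(SAMPLE_STIX, match_events(atoms, SAMPLE_EVENTS))
    print(count_sightings(enriched, "example:indicator-0001"), "sightings on indicator-0001")
```

    Two things worth keeping in mind if you grow this past the sample: the STIX 1.2 IndicatorType is a sequence, so on a real indicator that already carries Related_Indicators or Producer the Sightings element has to be inserted before them rather than appended, or the result will not validate; and a firewall block on a feed-supplied IP is itself weak evidence, so the Sighting's Description (or Confidence) should say which tool saw what, as the example does, rather than silently inflating sightings_count.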


  • 5.  Re: [cti-stix] Deconstruction of Cybox observables from STIX reports

    Posted 10-30-2015 06:12
    For reference, attached is the representation of one use case over the XORCISM architecture. (The XORCISM API contains a representation of the STIX objects and acts as a 'translator', with the use of Plugins, to do the translation job like STIX2ToolA, STIX2ToolB, or XORCISM2STIX.)

    Attachment: XORCISM_Technical_Architecture_CTI.jpg (JPEG image)


  • 6.  Re: [cti-stix] Deconstruction of Cybox observables from STIX reports

    Posted 10-30-2015 06:19
    In case it could be somehow useful (maybe for the Interoperability TC), attached is an ongoing effort (aka DRAFT/incomplete documentation, meaning mappings are already there in XORCISM but not reflected in the doc) of mappings in order to demonstrate the level of compatibility/interoperability of XORCISM with CTI.

    Attachment: XORCISM_CTI_STIX_CybOX_MAEC_Mapping.xlsx (Excel spreadsheet)



  • 7.  Re: [cti-stix] Deconstruction of Cybox observables from STIX reports

    Posted 10-30-2015 20:06
    Hi Jerome,

    Thanks for passing along information on XORCISM. I didn't hear about it till now. Will do some reading to see if it can help.

    Thanks,
    Jyoti