SRI Monthly Presentation 2015
STIX CYBOX CREATOR
Dr. Brian Lee, Akash Rajguru
SRI Monthly Presentation2015 | Dr. Brian Lee, Akash Rajguru
Advanced Persistent Threat
Cyber Threat Intelligence
Analysis-driven understanding of:
•What activity are we seeing?
•What threats should I look for in my network and systems, and why?
•Where has this threat been seen?
•What does it do?
•What weaknesses does this threat exploit?
•Who is responsible for this threat?
•What can I do about it?
Taxonomy of Threat Intelligence
Threat Intelligence Sharing
•Cyber threat information sharing is not new
•But it is atomic and very limited in sophistication
Atomic because each item shared carries very little information about the threat.
Limited in sophistication because the information is unstructured and not very expressive.
Problems faced by Cyber Security Experts
• Most sharing is unstructured and human-to-human
• It does not cover the broad dimensions of cyber threat information sharing
Threat Intelligence Sharing Mechanisms
STIX as a Solution
Structured Threat Information eXpression
STIX aims to enable sharing of more expressive cyber threat information, covering the full spectrum of cyber threat information (observables, indicators, incidents, adversary TTPs, exploit targets, courses of action, campaigns and threat actors).
STIX is a language developed to:
Specify, Capture, Characterize, Communicate
Cyber Threat Information
STIX as a Solution
Implementations
The initial implementation has been done in XML Schema
•Ubiquitous, portable and structured
STIX can also be implemented using JSON
Enabling Utilities
The utilities provided enable easier prototyping and use of the language.
Utilities consist of:
•Programmatic language (Python) bindings for STIX, CybOX, etc.
•High-level APIs for common needs/activities.
Product built on the STIX Specification
Product name: STIX CybOX Creator
Overview
The STIX CybOX Creator is a Python-based GUI application that generates CybOX XML output from RFC 822 email messages. The messages are read from the Gmail IMAP server and the CybOX output file is written in XML format.
What is CybOX
Cyber Observable eXpression
It is a base construct within STIX.
A language for communicating standardized information about cyber observables (essentially a schema for representing cyber observables). Examples: information about a file (name, size, hash, etc.), a registry key value, a service being started.
Dependencies
• python-cybox - a Python library for CybOX
  http://cybox.readthedocs.org/en/latest/installation.html
• Python IMAP client library (imapclient)
  pip install imapclient
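Added worked example (not the presenters' STIX CybOX Creator code): the same conversion the tool performs, RFC 822 email in and a CybOX 2.1 EmailMessage observable out, written against the Python standard library only so it runs without python-cybox or imapclient installed. The element and namespace names follow the CybOX 2.1 EmailMessageObject, AddressObject and FileObject schemas (the shape python-cybox produces), the "example:" ID namespace is the usual placeholder, and the phishing-style message with its 60-byte "invoice.exe" stand-in is constructed here as sample input, not a real capture. Reading from the Gmail IMAP server is left out so the block runs offline.

```python
import email
import hashlib
import uuid
import xml.etree.ElementTree as ET
from email import policy
from email.message import EmailMessage

# CybOX 2.1 namespace URIs (the same ones python-cybox emits).
NS = {
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "cyboxVocabs": "http://cybox.mitre.org/default_vocabularies-2",
    "EmailMessageObj": "http://cybox.mitre.org/objects#EmailMessageObject-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items(): ET.register_namespace(_prefix, _uri)

def q(prefix, tag):
    """Clark-notation tag name for ElementTree."""
    return "{%s}%s" % (NS[prefix], tag)

def new_id(kind):
    """'example' is the placeholder ID namespace used in STIX/CybOX samples."""
    return "example:%s-%s" % (kind, uuid.uuid4())

def add_address(parent, tag, addr_spec):
    el = ET.SubElement(parent, q("EmailMessageObj", tag), category="e-mail")
    ET.SubElement(el, q("AddressObj", "Address_Value")).text = addr_spec

def rfc822_to_cybox(raw):
    """Describe untrusted RFC 822 bytes as a CybOX Observable. Only header fields and
    attachment metadata/hashes are read; no body is rendered and nothing is executed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    root = ET.Element(q("cybox", "Observables"), cybox_major_version="2", cybox_minor_version="1")
    # cyboxVocabs only appears inside xsi:type values, so ET would not declare it by itself.
    root.set("xmlns:cyboxVocabs", NS["cyboxVocabs"])
    obs = ET.SubElement(root, q("cybox", "Observable"), id=new_id("Observable"))
    obj = ET.SubElement(obs, q("cybox", "Object"), id=new_id("EmailMessage"))
    props = ET.SubElement(obj, q("cybox", "Properties"),
                          {q("xsi", "type"): "EmailMessageObj:EmailMessageObjectType"})
    header = ET.SubElement(props, q("EmailMessageObj", "Header"))
    # Child order follows the EmailHeaderType schema sequence: To, From, Subject, Date, Message_ID.
    if msg["To"]:
        to = ET.SubElement(header, q("EmailMessageObj", "To"))
        for a in msg["To"].addresses:
            add_address(to, "Recipient", a.addr_spec)
    if msg["From"] and msg["From"].addresses:
        add_address(header, "From", msg["From"].addresses[0].addr_spec)
    if msg["Subject"]:
        ET.SubElement(header, q("EmailMessageObj", "Subject")).text = str(msg["Subject"])
    if msg["Date"] and msg["Date"].datetime:
        ET.SubElement(header, q("EmailMessageObj", "Date")).text = msg["Date"].datetime.isoformat()
    if msg["Message-ID"]:
        ET.SubElement(header, q("EmailMessageObj", "Message_ID")).text = str(msg["Message-ID"])
    attachments = list(msg.iter_attachments())
    if attachments:
        att_list = ET.SubElement(props, q("EmailMessageObj", "Attachments"))
        related = ET.SubElement(obj, q("cybox", "Related_Objects"))
        for part in attachments:
            data = part.get_payload(decode=True) or b""
            fid = new_id("File")
            # Attachments holds only a reference; the File object itself is a Related_Object.
            ET.SubElement(att_list, q("EmailMessageObj", "File"), object_reference=fid)
            rel = ET.SubElement(related, q("cybox", "Related_Object"), id=fid)
            fprops = ET.SubElement(rel, q("cybox", "Properties"), {q("xsi", "type"): "FileObj:FileObjectType"})
            ET.SubElement(fprops, q("FileObj", "File_Name")).text = part.get_filename() or "(unnamed)"
            ET.SubElement(fprops, q("FileObj", "Size_In_Bytes")).text = str(len(data))
            hashes = ET.SubElement(fprops, q("FileObj", "Hashes"))
            for name, fn in (("MD5", hashlib.md5), ("SHA256", hashlib.sha256)):
                h = ET.SubElement(hashes, q("cyboxCommon", "Hash"))
                ET.SubElement(h, q("cyboxCommon", "Type"),
                              {q("xsi", "type"): "cyboxVocabs:HashNameVocab-1.0"}).text = name
                ET.SubElement(h, q("cyboxCommon", "Simple_Hash_Value")).text = fn(data).hexdigest()
            ET.SubElement(rel, q("cybox", "Relationship")).text = "Contains"
    return root

def to_xml(root):
    return ET.tostring(root, encoding="unicode")

FAKE_ATTACHMENT = b"MZ" + b"\x00" * 58  # constructed 60-byte stand-in for a dropper, not real malware

def build_sample_email():
    """Constructed phishing-style sample input (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "Invoice Dept <billing@example.net>"
    msg["To"] = "victim@example.org, soc@example.org"
    msg["Subject"] = "Overdue invoice 4471"
    msg["Date"] = "Tue, 10 Mar 2015 09:14:02 +0000"
    msg["Message-ID"] = "<4471.invoice@example.net>"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(FAKE_ATTACHMENT, maintype="application", subtype="octet-stream", filename="invoice.exe")
    return msg.as_bytes()

if __name__ == "__main__":
    print(to_xml(rfc822_to_cybox(build_sample_email())))
```

To feed it real mail, the raw bytes can come from imapclient as the tool does, or from stdlib imaplib: IMAP4_SSL("imap.gmail.com"), login(), select("INBOX", readonly=True) so nothing in the mailbox is flagged or moved while collecting evidence, then fetch(num, "(RFC822)") and pass the returned message bytes to rfc822_to_cybox(). Two choices are deliberate: the parser never renders the body or executes an attachment, only reading headers and hashing attachment bytes, and every header is optional so a malformed phish does not crash the converter.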
Architecture
LIVE DEMO
Where to Learn More
STIX Website (whitepapers, documentation, schemas, etc.)
http://stix.mitre.org
STIX GitHub site (bindings, APIs, utilities)
https://github.com/STIXProject
Thank You
Questions?