sri monthly presentation 2015

STIX CYBOX CREATOR

Dr. Brian LeeAkash Rajguru

SRI Monthly Presentation2015 | Dr. Brian Lee, Akash Rajguru

Advanced Persistent Threat

Cyber Threat Intelligence

Analysis driven understanding of:

•What activity are we seeing?

•What threat I should look for in my network and systems and why?

•Where has this threat been seen?

•What does it do?

•What weaknesses does this threat exploit?

•Who is responsible for this threat?

•What can I do about it?



Taxonomy of Threat Intelligence

Threat Intelligence Sharing

•Cyber threat information sharing is not new

•But it is atomic and very limited in sophistication

Atomic because the information about threat is relatively very less .

Limited in sophistication because it is unstructured and less expressive.


Problem faced by Cyber Security Experts

• Most sharing is unstructured and human-to-human

does not cover broad dimension of cyber threat

information sharing



Threat Intelligence Sharing Mechanisms

STIX as a Solution Structured Threat Information eXpression

STIX aims to enable sharing of more expressive cyber

threat information as well as other full-spectrum of cyber

threat information.

SITX is a language developed for:

Specify, Capture, Characterize, Communicate

Cyber Threat Information



STIX as a Solution

Implementations

Initial implementation has been done in XMl Schema

•Ubiquitous, portable and structured

STIX can also be implemented using JSON


Enabling Utilities

Utilities provided enable’s easier prototyping and use of

the language.

Utilities consist of:

•Programmatic Language (python) bindings for STIX,

cyBox, etc.

•High-level API’s for common needs/activities.


Product build on STIX Specification

Product name: STIX CYBOX CREATOROVERVIEW

The STIX CybOX creator is a python based GUI application which generates CybOX xml output from rfc822 email. the email is read from gmail IMAP server and the CybOX output file is created. file is created in xml format.


What is CybOX

Cyber Observable eXpression

It is a base construct within the STIX.

Language for communicating standardized information about Cyber observable (basically it a Schema for representing cyber

observables).Examples: Information about file (name, size, hash, etc.), a registry key value,

a service being stared.


Dependencies

• Python-cybox - A python library for cybox

• Http://cybox.Readthedocs.Org/en/latest/installation.Ht

ml

• Python IMAP client library

• Pip install imapclient


https://pypi.python.org/pypi/cybox

Architecture


LIVE DEMO


Where to Learn More

STIX Website ( Whitepapers, documentation, schemas, etc.)

http://stix.mitre.org

STIX GitHub site (bindings, APIs, utilities)https://github.com/STIXProject


http://stix.mitre.org/

https://github.com/STIXProject

Thank YouQUESTIONS?


References

• HTTPS://WWW.RSACONFERENCE.COM/WRITABLE/PRESENTATIONS/FILE_UPLOAD/DSP-R31.PDF

• HTTPS://WWW.YOUTUBE.COM/WATCH?V=XM3QHSZHUAA

• HTTP://STIXPROJECT.GITHUB.IO/SUPPORTERS/

• HTTP://STIXPROJECT.GITHUB.IO/DOCUMENTATION/

• HTTP://STIXPROJECT.GITHUB.IO/ABOUT/

• HTTPS://CYBOX.MITRE.ORG/DOCUMENTS/CYBER%20OBSERVABLE%20EXPRESSION%20%28CYBOX%29%20USE%20CASES%20-%20%28ITSAC%202011%29%20-%20SEAN%20BARNUM.PDF


https://www.rsaconference.com/writable/presentations/file_upload/dsp-r31.pdf

https://www.rsaconference.com/writable/presentations/file_upload/dsp-r31.pdf

https://www.youtube.com/watch?v=XM3QhszHUAA

https://www.youtube.com/watch?v=XM3QhszHUAA

http://stixproject.github.io/supporters/

sri monthly presentation 2015

Technology