CTI CybOX SC Meeting, September 24, 2015


CTI CybOX SC Meeting
September 24, 2015

Agenda
- CybOX use case discussion
- CybOX 3.0 object discussion
- OASIS work product status & discussion

CybOX Use Cases I
- Support capture of atomic observable data
- Support malicious activity detection
- Support event data correlation and analysis from diverse sensors:
  - network-based
  - endpoint-based

CybOX Use Cases II
- Support capture of endpoint system state data
  - PC-based
    - BIOS state
    - OS state, including artifacts such as:
      - executable binary formats
      - kernel artifacts
      - general endpoint metadata
  - Mobile-based
    - Enable characterization of mobile device state
- Support malicious activity detection based on the above

CybOX Use Cases III
- Support capture of cyber analysis data from:
  - malware analysis
    - filesystem-based artifacts
    - memory-based artifacts
    - network-based artifacts
  - digital forensics analysis
    - network metadata
    - filesystem analysis
      - format-specific metadata (i.e., .png, .pdf, etc.)
      - general filesystem metadata
    - memory forensics metadata
  - characterization of analysis tool-specific metadata

CybOX 3.0 Objects
- Refactoring and resolving existing issues with all objects is a significant undertaking
- Idea: focus on the core set of CybOX objects for the 3.0 release
  - Top 20 objects from the survey
  - Take an 80/20 approach to immediately improve things for most people's use cases
- Focus on refactoring additional subsets in future releases, e.g.:
  - 3.1: endpoint-specific artifacts
  - 3.2: network-specific artifacts
- Users dependent on objects pending refactoring can continue to use the 2.1.x data models

Points for consideration...
- Notion of CybOX as the Dewey Decimal System of pwnage
- If CybOX can characterize bad state, it can also be used to represent healthy baseline state!
- Rome wasn't built in a day. Hubris doesn't lead to success.
- Does it really make sense to create XML-based representations of:
  - pcap
  - NetFlow
  - protocol analyzer data
  - YARA
  - etc.?
- Maybe it makes more sense to encode higher-level metadata in CybOX and embed the rest base64-encoded in a field?
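The "higher-level metadata in CybOX, raw artifact base64-encoded in a field" idea from the slide above, as an added example that is not from the meeting, the slides, or the CybOX project, and is not CybOX 3.0 syntax: the metadata a consumer can search or correlate on (link type, packet count, time span) is pulled out by parsing only the pcap file and record headers, while the full capture travels opaquely alongside its size and SHA-256 so the receiver can verify the blob before handing it to a real tool. The envelope field names, the two-frame capture, and the parser's restriction to little-endian, microsecond-resolution pcap are assumptions of this example.

```python
import base64
import hashlib
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
# libpcap global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
GLOBAL_HDR = struct.Struct("<IHHiIII")
# per-record header: ts_sec, ts_usec, incl_len, orig_len
PKT_HDR = struct.Struct("<IIII")


def build_sample_pcap():
    """Constructed sample input: a minimal little-endian pcap with two Ethernet frames.
    Frame bodies are zero-filled; only dst/src MAC and EtherType are set."""
    frame1 = bytes.fromhex("ffffffffffff") + bytes(6) + b"\x08\x06" + b"\x00" * 28   # 42 bytes
    frame2 = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00" + b"\x00" * 46  # 60 bytes
    out = GLOBAL_HDR.pack(PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # version 2.4, LINKTYPE_ETHERNET
    for ts_sec, frame in ((1443052800, frame1), (1443052801, frame2)):
        out += PKT_HDR.pack(ts_sec, 0, len(frame), len(frame)) + frame
    return out


def summarize_pcap(data):
    """Walk only the headers and return the higher-level metadata worth modeling as fields.
    Every length is bounds-checked so a truncated or malformed blob raises instead of
    being summarized as if it were well-formed."""
    if len(data) < GLOBAL_HDR.size:
        raise ValueError("truncated global header")
    magic, major, minor, _tz, _sig, snaplen, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("unsupported magic 0x%08x (only little-endian microsecond pcap handled)" % magic)
    off = GLOBAL_HDR.size
    count, first_ts, last_ts = 0, None, None
    while off < len(data):
        if len(data) - off < PKT_HDR.size:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, _orig_len = PKT_HDR.unpack_from(data, off)
        off += PKT_HDR.size
        if incl_len > snaplen or len(data) - off < incl_len:
            raise ValueError("bad incl_len %d at offset %d" % (incl_len, off))
        off += incl_len  # skip the packet bytes; the summary never interprets them
        ts = ts_sec + ts_usec / 1e6
        first_ts = ts if first_ts is None else first_ts
        last_ts = ts
        count += 1
    return {"version": "%d.%d" % (major, minor), "linktype": linktype, "snaplen": snaplen,
            "packet_count": count, "first_ts": first_ts, "last_ts": last_ts}


def wrap_artifact(data, artifact_type="pcap"):
    """Hypothetical envelope (not a CybOX schema): searchable metadata as first-class
    fields, the raw capture carried opaquely as base64 with an integrity hash."""
    return {
        "type": artifact_type,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "summary": summarize_pcap(data),
        "raw_base64": base64.b64encode(data).decode("ascii"),
    }


def unwrap_artifact(obj):
    """Consumer side: decode the blob and verify it against the declared size and hash
    before it is passed to any downstream parser."""
    data = base64.b64decode(obj["raw_base64"], validate=True)
    if len(data) != obj["size"] or hashlib.sha256(data).hexdigest() != obj["sha256"]:
        raise ValueError("embedded artifact does not match its declared size/hash")
    return data


if __name__ == "__main__":
    envelope = wrap_artifact(build_sample_pcap())
    print({k: v for k, v in envelope.items() if k != "raw_base64"})
    assert unwrap_artifact(envelope) == build_sample_pcap()
```

The security-relevant step is the consumer's size/hash check in unwrap_artifact together with the bounds checks in summarize_pcap: an opaque blob inside an exchange document is exactly what gets fed to a third-party parser downstream, so the receiver should confirm the bytes are what the producer described before trusting the summary or forwarding the blob.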
Points for consideration...
- Constrain our focus for success!
- Forest first, then the trees!

So we've been playing with Graphviz...
(graph slides: CybOX 2.1 Objects; CybOX 3.0 Core Objects I (notional); CybOX 3.0 Core Objects II (notional))

Graphviz analysis, next steps
- We're finalizing the 2.1 and proposed 3.0 analysis.
- Once the initial analysis is completed, both the source and rendered graphs will be posted to http://cyboxproject.github.io/cybox3.0/ for comments and collaboration.

OASIS Work Product Discussion
- CybOX multi-part specification
  - Part 1: Overview
  - Part 2: Common
  - Part 3: Core
  - Part 4: Default Extensions
  - Part 5: Default Vocabularies
  - Part 6: UML Model
  - Parts 7-94: Objects
- XML Binding Specification

Next meeting
- Thursday, October 1:00pm EDT