SlideShare a Scribd company logo

STIX Patterning: Viva la revolución!

Download as PPTX, PDF
T
treyka

FIRST Technical Symposium and OASIS Borderless Cyber Conference, 08 December 2017, Prague, Czech Republic

Technology
1 of 27
STIX Patterning: Viva la revolución! Cyber Threat Intelligence Matters FIRST Technical Symposium and OASIS Borderless Cyber Conference Jason Keirstead - STSM, IBM Security Trey Darley - Director of Standards Development, New Context
History vs. mystery "What the hell were you guys smoking?!"
What was wrong in STIX 1.x ● Too many ways to define matches (multiple meanings of "Equals") ● Too many ways to define expressions (ANDs and ORs in both Indicators and Observables) ○ One analysis found twelve different ways to compare two IP addresses ● Lists are just plain "weird" ( ##comma## - need I say more?) ● Despite all this complexity, lacked fundamental capabilities such as temporal matching (A followed by B)
But (Snort|YARA|OpenIOC|Sigma) already exist?! ● Snort only makes sense on the network ● YARA library only works on a file-like blob ○ Neither allows encoding of malware behaviour information ● OpenIOC limited in expressivity; also limited in network coverage ● Basic use case: malware matching signature X will beacon with traffic that looks like Y before dropping Z ○ Combination of file attributes, network attributes, sequential / temporal matching ○ This extremely simple use case is impossible to model using any of these standards ● Sigma: https://github.com/Neo23x0/sigma ○ Their effort started after we'd already achieved our Committee Specification Draft. We reached out to collaborate but got zero acknowledgement. :-(
Questions we asked ● Should we think beyond simple CTI use cases of "find this IOC" ? ● What if our cybersecurity tools could share rules and searches for analytics and correlations? ● What factors have been preventing this from emerging in the industry? Could we have an opportunity to finally move the needle? ● What if SIEM vendor lock-in were to just die in a fire? "We're here to put a dent in the universe." — Steve Jobs
Basic design principles ● One way to do things (not 12)! ● Base things on a grammar, not nested XML or JSON ○ Makes things easier for humans to understand, and for machines to parse! ● Base that grammar on something that as many folks are familiar with as possible ○ Candidates: SQL, Lucene, YARA, Snort/OpenSig… ○ We ended with SQL-like after some debate ● Define a grammar that allows sharing descriptions of advanced threats, not just simple atomic IOCs (ip = 1.2.3.4) ● Define it in a way that was expandable in the future without "breaking changes"
Overview of STIX Patterning "What's the frequency, Kenneth?"
Basic structure of a STIX Pattern
How this ties to STIX Cyber Observables ● Cyber Observables provide a data model for describing things you've actually seen. ● STIX Patterning is a language for describing chaotic maliciousness one might see. ● SCO (STIX Cyber Observables) : nouns :: STIX Patterning : language ● SCO : DB Tables :: STIX Patterning : SQL
THIS SOUNDS INCREDIBLY COMPLICATED, I JUST WANTED TO FIND AN IP ADDRESS
It's not that bad, see! Finding an IP Finding a URL Finding one of two registry keys [ip-addr.value = '8.8.8.8'] [url:value MATCHES '^(?:https?://)?(?:www.)?example.com/.*'] [windows-registry-key:key = 'HKEY_CURRENT_USERSoftwareCryptoLockerFiles ' OR windows-registry-key:key = 'HKEY_CURRENT_USERSoftwareMicrosoftCurrentV ersionRunCryptoLocker_0388']
Currently-defined Cyber Observables ● Artifact ● AS ● Directory ● Email Address ● Email Message ● File ○ Archive Extension ○ NTFS File Extension ○ PDF File Extension ○ Raster Image File Extension ○ Windows PE Binary File Extension ● IPv4 Address ● IPv6 Address ● MAC Address ● Mutex ● Network Traffic ○ HTTP Request Extension ○ ICMP Extension ○ Network Socket Extension ○ TCP Extension ● Process ○ Windows Process Extension ○ Windows Service Extension ● Software ● User Account ○ UNIX Account Extension ● Windows Registry Key ● X.509 Certificate
Use cases and examples
File-based Pattern (vs. YARA) ​​Basic File with Hexadecimal Payload STIX Indicator Pattern [file:contents_ref.payload_bin MATCHES 'x65x78x61x6dx70x6cx65' AND file:size > '31284'] Corresponding YARA Rule rule Example { strings: $hex_string = { 65 78 61 6d 70 6c 65 } condition: $hex_string and filesize > 31284 } Basic File with Textual Payload STIX Indicator Pattern [file:contents_ref.payload_bin MATCHES 'this is an example'] Corresponding YARA Rule rule Example { strings: $text_string = “this is an example” condition: $text_string }
Network-based Pattern (vs. Snort) ​Basic TCP Network Traffic STIX Indicator Pattern [network-traffic:src_ref.type = 'ipv4-addr' AND network-traffic:src_ref.value = '192.0.2.1' AND network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.0.113.10' AND network-traffic:dst_port = '21' AND network-traffic:protocols[*] = 'tcp'] Corresponding Snort Rule alert tcp 192.0.2.1 any -> 203.0.113.10 21 ​​HTTP Network Traffic with User Agent STIX Indicator Pattern [network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.0.113.11' AND network-traffic:dst_port = '80' AND network-traffic:protocols[*] = 'tcp' AND network-traffic:extended_properties.http-ext.request_header.User-Agent = 'Mazilla/5.0'] Corresponding Snort Rule alert tcp any any -> 203.0.113.11 80 (content:"User-Agent|3a| Mazilla/5.0"; http_header;)
Watching for "Fileless" UAC Bypass [ ( windows-registry-key:key = 'HKEY_CURRENT_USERSoftwareClassesexefileshellrunascommand' AND windows-registry- key:values[*].name = 'isolatedCommand' ) ] OR [ ( windows-registry-key:key = 'HKEY_CURRENT_USERMicrosoftWindowsCurrentVersionApp Pathscontrol.exe' AND windows-registry-key:values[*].data != "C:WindowsSystem32cmd.exe" ) ]
Bad Powershell! Suspicious Powershell has been used [ process:command_line MATCHES '((.*NewObject(System)?NetWebClient.*DownloadFile.*((StartProcess)|(shellexecute)|(win32_proc ess)|(start)|(saps)).*)|(.*((iex)|(InvokeExpression)).*NewObject(System)?NetWebClient.*Downlo adString.*)|(.*NewObject(System)?NetWebClient.*DownloadString.*((iex)|(InvokeExpression)).*)| (.*IEX.*[SystemDiagnosticsProcess]::Start.*)|(.*StartBitsTransfer.*InvokeItem.*))' ]
Necurs Botnet Looks for a particular malware payload followed by HTTP beaconing traffic generated by the payload: [file:name = 'rekakva32.exe' AND file:parent_directory_ref.path MATCHES 'C:Users[ws]+AppDataLocalTemp'] FOLLOWEDBY [network- traffic:protocols[*] = 'http' AND network-traffic:extensions.'http-request- ext'.request_method = 'post' AND network-traffic:extensions.'http-request- ext'.request_header.'User-Agent' = 'Windows-Update-Agent'] Source: https://isc.sans.edu/forums/diary/Necurs+Botnet+malspam+pushes+Locky+using+DDE+attack/22946/
OSS tools and libs
Github all the things! OASIS Open Repository: TAXII 2 Server Library Written in Python cti-taxii-server: https://github.com/oasis-open/cti-taxii-server OASIS Open Repository: TAXII 2 Client Library Written in Python cti-taxii-client: https://github.com/oasis-open/cti-taxii-client OASIS Open Repository: Python APIs for STIX 2 cti-python-stix2: https://github.com/oasis-open/cti-python-stix2 OASIS Open Repository: Match STIX content against STIX patterns cti-pattern-matcher: https://github.com/oasis-open/cti-pattern-matcher OASIS Open Repository: Convert STIX 1.2 XML to STIX 2.0 JSON cti-stix-elevator: https://github.com/oasis-open/cti-stix-elevator
Github all the things (2)! Translate STIX 2 Patterning Queries Into Splunk and ElasticSearch stix2patterns_translator: https://github.com/mitre/stix2patterns_translator Downgrade STIX2 content to STIX1 cti-stix-slider: https://github.com/oasis-open/cti-stix-slider Malware Information Sharing Platform & Threat Sharing MISP: https://github.com/MISP/MISP A cyber threat intelligence server based on TAXII 2 and written in Golang freetaxii-server: https://github.com/freetaxii/freetaxii-server APIs for generating STIX 2.x messages with Go (Golang) libstix2: https://github.com/freetaxii/libstix2 The CaRT file format is used to store/transfer malware and its associated metadata cse cart: https://bitbucket.org/cse-assemblyline/cart
Github all the things (3)! Convert STIX2 to GraphML or GEXF (Gephi format) StixConvert: https://github.com/workingDog/StixConvert Convert STIX2 and load into Neo4j graph database StixToNeoDB: https://github.com/workingDog/StixToNeoDB Browser-based STIX2 editor, with ability to publish to a TAXII2 server cyberstation: https://github.com/workingDog/cyberstation STIX2 Scala library scalastix: https://github.com/workingDog/scalastix TAXII2 Scala library Taxii2LibScala: https://github.com/workingDog/Taxii2LibScala TAXII2 JS library taxii2lib: https://github.com/workingDog/taxii2lib
We're Not Done!
Beyond indicators - analytics use cases ● Threat Intelligence sharing has received a lot of focus; however the analytics to actually find things, not so much ● People re-build the same analytics over and over because they either don't know of, or have access to, what has been done many times before ● In order to share analytics in a scalable fashion, a vendor-neutral language for said analytics has to be developed ● We believe SCO Pattern could be the basis for this ● CAR - The MITRE Cyber Analytics Repository ○ PRE-ATT&CK and ATT&CK based analytics ○ Long-term goal: ability to define the analytics in STIX Patterning ○ Collaborative ecosystem for analytics development
Correlation rules ● SIEM correlation rules share a lot of the same challenges as analytics ○ In fact, they are analytics! Imagine! ● Future vision / desire is for SIEM vendors to support SCO Pattern as a method to define rules ○ Reduce / eliminate vendor lock-in ○ Enable broader ecosystem of cross-vendor solutions sharing tools ○ Seamless integration of STIX 2.0 compatible threat intelligence with SIEM correlation engines ● Again, speak to your vendor! ○ Nothing moves ahead without customers demanding it
It's not perfect...yet. ● Known gaps in SCO object model itself ● Known gaps in language ● We need your help! ● While we believe that STIX Patterning is amongst the most long-term significant innovations in STIX 2.x, it is nevertheless a work product coming out of a very small team of people. If we have succeeded in convincing you that we are not in fact smoking crazy goat-weed, please come join the party!
tl;dr ● Make sure to grab a quick reference card. ● We're having a ½ day STIX/TAXII 2.0 training followed by a ½ day hackathon Friday where you can learn more and try out the tools we discussed. ● Kudos to our colleagues from CIRCL for being so supportive and for early adoption in MISP. ● Thanks to FIRST and OASIS for making this event happen and to you for giving us your attention today! Thank you!

Recommended

Mining Your Logs - Gaining Insight Through Visualization
Mining Your Logs - Gaining Insight Through VisualizationMining Your Logs - Gaining Insight Through Visualization
Mining Your Logs - Gaining Insight Through Visualization
Raffael Marty
 
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering TracksTry {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Yossi Sassi
 
THOR Apt Scanner
THOR Apt ScannerTHOR Apt Scanner
THOR Apt Scanner
Florian Roth
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
amiable_indian
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
Christopher Gerritz
 
Data Encryption at Rest
Data Encryption at RestData Encryption at Rest
Data Encryption at Rest
All Things Open
 
Incident Response for the Work-from-home Workforce
Incident Response for the Work-from-home WorkforceIncident Response for the Work-from-home Workforce
Incident Response for the Work-from-home Workforce
Christopher Gerritz
 
RSA APJ Velociraptor Lab
RSA APJ Velociraptor LabRSA APJ Velociraptor Lab
RSA APJ Velociraptor Lab
Velocidex Enterprises
 

Recommended

Mining Your Logs - Gaining Insight Through Visualization
Mining Your Logs - Gaining Insight Through VisualizationMining Your Logs - Gaining Insight Through Visualization
Mining Your Logs - Gaining Insight Through Visualization
Raffael Marty
 
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering TracksTry {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Try {stuff} Catch {hopefully not} - Evading Detection & Covering Tracks
Yossi Sassi
 
THOR Apt Scanner
THOR Apt ScannerTHOR Apt Scanner
THOR Apt Scanner
Florian Roth
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
amiable_indian
 
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - GerritzBSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
BSidesLV 2016 - Powershell - Hunting on the Endpoint - Gerritz
Christopher Gerritz
 
Data Encryption at Rest
Data Encryption at RestData Encryption at Rest
Data Encryption at Rest
All Things Open
 
Incident Response for the Work-from-home Workforce
Incident Response for the Work-from-home WorkforceIncident Response for the Work-from-home Workforce
Incident Response for the Work-from-home Workforce
Christopher Gerritz
 
RSA APJ Velociraptor Lab
RSA APJ Velociraptor LabRSA APJ Velociraptor Lab
RSA APJ Velociraptor Lab
Velocidex Enterprises
 
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentBlackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Christopher Gerritz
 
PKI token as a secure mechanism of Keystone authentication system for OpenStack
PKI token as a secure mechanism of Keystone authentication system for OpenStackPKI token as a secure mechanism of Keystone authentication system for OpenStack
PKI token as a secure mechanism of Keystone authentication system for OpenStack
shaerraezzaty
 
Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017
Mohamad Hassan
 
Managing Your Security Logs with Elasticsearch
Managing Your Security Logs with ElasticsearchManaging Your Security Logs with Elasticsearch
Managing Your Security Logs with Elasticsearch
Vic Hargrave
 
First Responders Course - Session 7 - Incident Scope Assessment [2004]
First Responders Course - Session 7 - Incident Scope Assessment [2004]First Responders Course - Session 7 - Incident Scope Assessment [2004]
First Responders Course - Session 7 - Incident Scope Assessment [2004]
Phil Huggins FBCS CITP
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
NotSoSecure Global Services
 
Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014
Michael Gough
 
AISA 2018 Perth Conference: State Of Web Wecurity In 2018
AISA 2018 Perth Conference: State Of Web Wecurity In 2018AISA 2018 Perth Conference: State Of Web Wecurity In 2018
AISA 2018 Perth Conference: State Of Web Wecurity In 2018
James Bromberger
 
Как разработать DBFW с нуля
Как разработать DBFW с нуляКак разработать DBFW с нуля
Как разработать DBFW с нуля
Positive Hack Days
 
Please, Please, PLEASE Defend Your Mobile Apps!
Please, Please, PLEASE Defend Your Mobile Apps!Please, Please, PLEASE Defend Your Mobile Apps!
Please, Please, PLEASE Defend Your Mobile Apps!
Jerod Brennen
 
International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...
CODE BLUE
 
Injection flaw teaser
Injection flaw teaserInjection flaw teaser
Injection flaw teaserNotSoSecure Global Services
 
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)
Jared Atkinson
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
Michael Gough
 
ION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSECION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSEC
Deploy360 Programme (Internet Society)
 
Automated Discovery of Deserialization Gadget Chains
Automated Discovery of Deserialization Gadget ChainsAutomated Discovery of Deserialization Gadget Chains
Automated Discovery of Deserialization Gadget Chains
Priyanka Aash
 
LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation
Damir Delija
 
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicJaime Blasco
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for Security
Raffael Marty
 
Syrian Malware
Syrian MalwareSyrian Malware
Syrian Malware
Kaspersky
 
OSSEC Holidaycon 2020.pdf
OSSEC Holidaycon 2020.pdfOSSEC Holidaycon 2020.pdf
OSSEC Holidaycon 2020.pdf
Mohamed Taoufik TEKAYA
 
sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector
Rishi Bhargava
 

More Related Content

What's hot

Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentBlackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Christopher Gerritz
 
PKI token as a secure mechanism of Keystone authentication system for OpenStack
PKI token as a secure mechanism of Keystone authentication system for OpenStackPKI token as a secure mechanism of Keystone authentication system for OpenStack
PKI token as a secure mechanism of Keystone authentication system for OpenStack
shaerraezzaty
 
Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017
Mohamad Hassan
 
Managing Your Security Logs with Elasticsearch
Managing Your Security Logs with ElasticsearchManaging Your Security Logs with Elasticsearch
Managing Your Security Logs with Elasticsearch
Vic Hargrave
 
First Responders Course - Session 7 - Incident Scope Assessment [2004]
First Responders Course - Session 7 - Incident Scope Assessment [2004]First Responders Course - Session 7 - Incident Scope Assessment [2004]
First Responders Course - Session 7 - Incident Scope Assessment [2004]
Phil Huggins FBCS CITP
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
NotSoSecure Global Services
 
Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014
Michael Gough
 
AISA 2018 Perth Conference: State Of Web Wecurity In 2018
AISA 2018 Perth Conference: State Of Web Wecurity In 2018AISA 2018 Perth Conference: State Of Web Wecurity In 2018
AISA 2018 Perth Conference: State Of Web Wecurity In 2018
James Bromberger
 
Как разработать DBFW с нуля
Как разработать DBFW с нуляКак разработать DBFW с нуля
Как разработать DBFW с нуля
Positive Hack Days
 
Please, Please, PLEASE Defend Your Mobile Apps!
Please, Please, PLEASE Defend Your Mobile Apps!Please, Please, PLEASE Defend Your Mobile Apps!
Please, Please, PLEASE Defend Your Mobile Apps!
Jerod Brennen
 
International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...
CODE BLUE
 
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)
Jared Atkinson
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
Michael Gough
 
ION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSECION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSEC
Deploy360 Programme (Internet Society)
 
Automated Discovery of Deserialization Gadget Chains
Automated Discovery of Deserialization Gadget ChainsAutomated Discovery of Deserialization Gadget Chains
Automated Discovery of Deserialization Gadget Chains
Priyanka Aash
 
LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation
Damir Delija
 
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicJaime Blasco
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for Security
Raffael Marty
 
Syrian Malware
Syrian MalwareSyrian Malware
Syrian Malware
Kaspersky
 

What's hot (20)

Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise AssessmentBlackhat 2018 - The New Pentest? Rise of the Compromise Assessment
Blackhat 2018 - The New Pentest? Rise of the Compromise Assessment
 
PKI token as a secure mechanism of Keystone authentication system for OpenStack
PKI token as a secure mechanism of Keystone authentication system for OpenStackPKI token as a secure mechanism of Keystone authentication system for OpenStack
PKI token as a secure mechanism of Keystone authentication system for OpenStack
 
Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017Splunk n-box-splunk conf-2017
Splunk n-box-splunk conf-2017
 
Managing Your Security Logs with Elasticsearch
Managing Your Security Logs with ElasticsearchManaging Your Security Logs with Elasticsearch
Managing Your Security Logs with Elasticsearch
 
First Responders Course - Session 7 - Incident Scope Assessment [2004]
First Responders Course - Session 7 - Incident Scope Assessment [2004]First Responders Course - Session 7 - Incident Scope Assessment [2004]
First Responders Course - Session 7 - Incident Scope Assessment [2004]
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
 
Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014Windows logging workshop - BSides Austin 2014
Windows logging workshop - BSides Austin 2014
 
AISA 2018 Perth Conference: State Of Web Wecurity In 2018
AISA 2018 Perth Conference: State Of Web Wecurity In 2018AISA 2018 Perth Conference: State Of Web Wecurity In 2018
AISA 2018 Perth Conference: State Of Web Wecurity In 2018
 
Как разработать DBFW с нуля
Как разработать DBFW с нуляКак разработать DBFW с нуля
Как разработать DBFW с нуля
 
Please, Please, PLEASE Defend Your Mobile Apps!
Please, Please, PLEASE Defend Your Mobile Apps!Please, Please, PLEASE Defend Your Mobile Apps!
Please, Please, PLEASE Defend Your Mobile Apps!
 
International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...International collaborative efforts to share threat data in a vetted member c...
International collaborative efforts to share threat data in a vetted member c...
 
Injection flaw teaser
Injection flaw teaserInjection flaw teaser
Injection flaw teaser
 
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)
BSidesDC - **** it, Do It Live (PowerShell Digital Forensics)
 
Finding attacks with these 6 events
Finding attacks with these 6 eventsFinding attacks with these 6 events
Finding attacks with these 6 events
 
ION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSECION Bucharest - Deploying DNSSEC
ION Bucharest - Deploying DNSSEC
 
Automated Discovery of Deserialization Gadget Chains
Automated Discovery of Deserialization Gadget ChainsAutomated Discovery of Deserialization Gadget Chains
Automated Discovery of Deserialization Gadget Chains
 
LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation LTEC 2013 - EnCase v7.08.01 presentation
LTEC 2013 - EnCase v7.08.01 presentation
 
Wtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_publicWtf is happening_inside_my_android_phone_public
Wtf is happening_inside_my_android_phone_public
 
Workshop: Big Data Visualization for Security
Workshop: Big Data Visualization for SecurityWorkshop: Big Data Visualization for Security
Workshop: Big Data Visualization for Security
 
Syrian Malware
Syrian MalwareSyrian Malware
Syrian Malware
 

Similar to STIX Patterning: Viva la revolución!

OSSEC Holidaycon 2020.pdf
OSSEC Holidaycon 2020.pdfOSSEC Holidaycon 2020.pdf
OSSEC Holidaycon 2020.pdf
Mohamed Taoufik TEKAYA
 
sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector
Rishi Bhargava
 
Total E(A)gression defcon
Total E(A)gression defconTotal E(A)gression defcon
Total E(A)gression defcon
Alvaro Folgado Rueda
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsRod Soto
 
Automated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposAutomated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gpos
Priyanka Aash
 
Toorcon - Purple Haze: The Spear Phishing Experience
Toorcon - Purple Haze: The Spear Phishing ExperienceToorcon - Purple Haze: The Spear Phishing Experience
Toorcon - Purple Haze: The Spear Phishing Experience
Jesse Nebling
 
stackconf 2021 | Why you should take care of infrastructure drift
stackconf 2021 | Why you should take care of infrastructure driftstackconf 2021 | Why you should take care of infrastructure drift
stackconf 2021 | Why you should take care of infrastructure drift
NETWAYS
 
Thug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientThug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclient
Angelo Dell'Aera
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 
2012-03-15 What's New at Red Hat
2012-03-15 What's New at Red Hat2012-03-15 What's New at Red Hat
2012-03-15 What's New at Red Hat
Shawn Wells
 
Python And The MySQL X DevAPI - PyCaribbean 2019
Python And The MySQL X DevAPI - PyCaribbean 2019Python And The MySQL X DevAPI - PyCaribbean 2019
Python And The MySQL X DevAPI - PyCaribbean 2019
Dave Stokes
 
aleph - Malware analysis pipelining for the masses
aleph - Malware analysis pipelining for the massesaleph - Malware analysis pipelining for the masses
aleph - Malware analysis pipelining for the masses
Jan Seidl
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with Snort
Narudom Roongsiriwong, CISSP
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)
Apostolos Giannakidis
 
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...
Demi Ben-Ari
 
Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...
Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...
Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...
Codemotion
 
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017
Demi Ben-Ari
 
Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture
Using Splunk or ELK for Auditing AWS/GCP/Azure Security postureUsing Splunk or ELK for Auditing AWS/GCP/Azure Security posture
Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture
CloudVillage
 
Using Splunk/ELK for auditing AWS/GCP/Azure security posture
Using Splunk/ELK for auditing AWS/GCP/Azure security postureUsing Splunk/ELK for auditing AWS/GCP/Azure security posture
Using Splunk/ELK for auditing AWS/GCP/Azure security posture
Jose Hernandez
 
2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security Guide
2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security Guide2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security Guide
2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security Guide
Shawn Wells
 

Similar to STIX Patterning: Viva la revolución! (20)

OSSEC Holidaycon 2020.pdf
OSSEC Holidaycon 2020.pdfOSSEC Holidaycon 2020.pdf
OSSEC Holidaycon 2020.pdf
 
sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector sf bay area dfir meetup (2016-04-30) - OsxCollector
sf bay area dfir meetup (2016-04-30) - OsxCollector
 
Total E(A)gression defcon
Total E(A)gression defconTotal E(A)gression defcon
Total E(A)gression defcon
 
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOsSPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
SPO2-T11_Automated-Prevention-of-Ransomware-with-Machine-Learning-and-GPOs
 
Automated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gposAutomated prevention of ransomware with machine learning and gpos
Automated prevention of ransomware with machine learning and gpos
 
Toorcon - Purple Haze: The Spear Phishing Experience
Toorcon - Purple Haze: The Spear Phishing ExperienceToorcon - Purple Haze: The Spear Phishing Experience
Toorcon - Purple Haze: The Spear Phishing Experience
 
stackconf 2021 | Why you should take care of infrastructure drift
stackconf 2021 | Why you should take care of infrastructure driftstackconf 2021 | Why you should take care of infrastructure drift
stackconf 2021 | Why you should take care of infrastructure drift
 
Thug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientThug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclient
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
2012-03-15 What's New at Red Hat
2012-03-15 What's New at Red Hat2012-03-15 What's New at Red Hat
2012-03-15 What's New at Red Hat
 
Python And The MySQL X DevAPI - PyCaribbean 2019
Python And The MySQL X DevAPI - PyCaribbean 2019Python And The MySQL X DevAPI - PyCaribbean 2019
Python And The MySQL X DevAPI - PyCaribbean 2019
 
aleph - Malware analysis pipelining for the masses
aleph - Malware analysis pipelining for the massesaleph - Malware analysis pipelining for the masses
aleph - Malware analysis pipelining for the masses
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with Snort
 
Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)Mitigating Java Deserialization attacks from within the JVM (improved version)
Mitigating Java Deserialization attacks from within the JVM (improved version)
 
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Milan 2017 - D...
 
Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...
Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...
Demi Ben-Ari - Monitoring Big Data Systems Done "The Simple Way" - Codemotion...
 
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017
Monitoring Big Data Systems Done "The Simple Way" - Codemotion Berlin 2017
 
Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture
Using Splunk or ELK for Auditing AWS/GCP/Azure Security postureUsing Splunk or ELK for Auditing AWS/GCP/Azure Security posture
Using Splunk or ELK for Auditing AWS/GCP/Azure Security posture
 
Using Splunk/ELK for auditing AWS/GCP/Azure security posture
Using Splunk/ELK for auditing AWS/GCP/Azure security postureUsing Splunk/ELK for auditing AWS/GCP/Azure security posture
Using Splunk/ELK for auditing AWS/GCP/Azure security posture
 
2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security Guide
2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security Guide2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security Guide
2012-10-16 Mil-OSS Working Group: Introduction to SCAP Security Guide
 

Recently uploaded

GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
Ana-Maria Mihalceanu
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
Rohit Gautam
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 

Recently uploaded (20)

GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Large Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial ApplicationsLarge Language Model (LLM) and it’s Geospatial Applications
Large Language Model (LLM) and it’s Geospatial Applications
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 

STIX Patterning: Viva la revolución!

  • 1. STIX Patterning: Viva la revolución! Cyber Threat Intelligence Matters FIRST Technical Symposium and OASIS Borderless Cyber Conference Jason Keirstead - STSM, IBM Security Trey Darley - Director of Standards Development, New Context
  • 2. History vs. mystery "What the hell were you guys smoking?!"
  • 3. What was wrong in STIX 1.x ● Too many ways to define matches (multiple meanings of "Equals") ● Too many ways to define expressions (ANDs and ORs in both Indicators and Observables) ○ One analysis found twelve different ways to compare two IP addresses ● Lists are just plain "weird" ( ##comma## - need I say more?) ● Despite all this complexity, lacked fundamental capabilities such as temporal matching (A followed by B)
  • 4. But (Snort|YARA|OpenIOC|Sigma) already exist?! ● Snort only makes sense on the network ● YARA library only works on a file-like blob ○ Neither allows encoding of malware behaviour information ● OpenIOC limited in expressivity; also limited in network coverage ● Basic use case: malware matching signature X will beacon with traffic that looks like Y before dropping Z ○ Combination of file attributes, network attributes, sequential / temporal matching ○ This extremely simple use case is impossible to model using any of these standards ● Sigma: https://github.com/Neo23x0/sigma ○ Their effort started after we'd already achieved our Committee Specification Draft. We reached out to collaborate but got zero acknowledgement. :-(
  • 5. Questions we asked ● Should we think beyond simple CTI use cases of "find this IOC" ? ● What if our cybersecurity tools could share rules and searches for analytics and correlations? ● What factors have been preventing this from emerging in the industry? Could we have an opportunity to finally move the needle? ● What if SIEM vendor lock-in were to just die in a fire? "We're here to put a dent in the universe." — Steve Jobs
  • 6. Basic design principles ● One way to do things (not 12)! ● Base things on a grammar, not nested XML or JSON ○ Makes things easier for humans to understand, and for machines to parse! ● Base that grammar on something that as many folks are familiar with as possible ○ Candidates: SQL, Lucene, YARA, Snort/OpenSig… ○ We ended with SQL-like after some debate ● Define a grammar that allows sharing descriptions of advanced threats, not just simple atomic IOCs (ip = 1.2.3.4) ● Define it in a way that was expandable in the future without "breaking changes"
  • 7. Overview of STIX Patterning "What's the frequency, Kenneth?"
  • 8. Basic structure of a STIX Pattern
  • 9. How this ties to STIX Cyber Observables ● Cyber Observables provide a data model for describing things you've actually seen. ● STIX Patterning is a language for describing chaotic maliciousness one might see. ● SCO (STIX Cyber Observables) : nouns :: STIX Patterning : language ● SCO : DB Tables :: STIX Patterning : SQL
  • 10. THIS SOUNDS INCREDIBLY COMPLICATED, I JUST WANTED TO FIND AN IP ADDRESS
  • 11. It's not that bad, see! Finding an IP Finding a URL Finding one of two registry keys [ip-addr.value = '8.8.8.8'] [url:value MATCHES '^(?:https?://)?(?:www.)?example.com/.*'] [windows-registry-key:key = 'HKEY_CURRENT_USERSoftwareCryptoLockerFiles ' OR windows-registry-key:key = 'HKEY_CURRENT_USERSoftwareMicrosoftCurrentV ersionRunCryptoLocker_0388']
  • 12. Currently-defined Cyber Observables ● Artifact ● AS ● Directory ● Email Address ● Email Message ● File ○ Archive Extension ○ NTFS File Extension ○ PDF File Extension ○ Raster Image File Extension ○ Windows PE Binary File Extension ● IPv4 Address ● IPv6 Address ● MAC Address ● Mutex ● Network Traffic ○ HTTP Request Extension ○ ICMP Extension ○ Network Socket Extension ○ TCP Extension ● Process ○ Windows Process Extension ○ Windows Service Extension ● Software ● User Account ○ UNIX Account Extension ● Windows Registry Key ● X.509 Certificate
  • 13. Use cases and examples
  • 14. File-based Pattern (vs. YARA) ​​Basic File with Hexadecimal Payload STIX Indicator Pattern [file:contents_ref.payload_bin MATCHES 'x65x78x61x6dx70x6cx65' AND file:size > '31284'] Corresponding YARA Rule rule Example { strings: $hex_string = { 65 78 61 6d 70 6c 65 } condition: $hex_string and filesize > 31284 } Basic File with Textual Payload STIX Indicator Pattern [file:contents_ref.payload_bin MATCHES 'this is an example'] Corresponding YARA Rule rule Example { strings: $text_string = “this is an example” condition: $text_string }
  • 15. Network-based Pattern (vs. Snort) ​Basic TCP Network Traffic STIX Indicator Pattern [network-traffic:src_ref.type = 'ipv4-addr' AND network-traffic:src_ref.value = '192.0.2.1' AND network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.0.113.10' AND network-traffic:dst_port = '21' AND network-traffic:protocols[*] = 'tcp'] Corresponding Snort Rule alert tcp 192.0.2.1 any -> 203.0.113.10 21 ​​HTTP Network Traffic with User Agent STIX Indicator Pattern [network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '203.0.113.11' AND network-traffic:dst_port = '80' AND network-traffic:protocols[*] = 'tcp' AND network-traffic:extended_properties.http-ext.request_header.User-Agent = 'Mazilla/5.0'] Corresponding Snort Rule alert tcp any any -> 203.0.113.11 80 (content:"User-Agent|3a| Mazilla/5.0"; http_header;)
  • 16. Watching for "Fileless" UAC Bypass [ ( windows-registry-key:key = 'HKEY_CURRENT_USERSoftwareClassesexefileshellrunascommand' AND windows-registry- key:values[*].name = 'isolatedCommand' ) ] OR [ ( windows-registry-key:key = 'HKEY_CURRENT_USERMicrosoftWindowsCurrentVersionApp Pathscontrol.exe' AND windows-registry-key:values[*].data != "C:WindowsSystem32cmd.exe" ) ]
  • 17. Bad Powershell! Suspicious Powershell has been used [ process:command_line MATCHES '((.*NewObject(System)?NetWebClient.*DownloadFile.*((StartProcess)|(shellexecute)|(win32_proc ess)|(start)|(saps)).*)|(.*((iex)|(InvokeExpression)).*NewObject(System)?NetWebClient.*Downlo adString.*)|(.*NewObject(System)?NetWebClient.*DownloadString.*((iex)|(InvokeExpression)).*)| (.*IEX.*[SystemDiagnosticsProcess]::Start.*)|(.*StartBitsTransfer.*InvokeItem.*))' ]
  • 18. Necurs Botnet Looks for a particular malware payload followed by HTTP beaconing traffic generated by the payload: [file:name = 'rekakva32.exe' AND file:parent_directory_ref.path MATCHES 'C:Users[ws]+AppDataLocalTemp'] FOLLOWEDBY [network- traffic:protocols[*] = 'http' AND network-traffic:extensions.'http-request- ext'.request_method = 'post' AND network-traffic:extensions.'http-request- ext'.request_header.'User-Agent' = 'Windows-Update-Agent'] Source: https://isc.sans.edu/forums/diary/Necurs+Botnet+malspam+pushes+Locky+using+DDE+attack/22946/
  • 20. Github all the things! OASIS Open Repository: TAXII 2 Server Library Written in Python cti-taxii-server: https://github.com/oasis-open/cti-taxii-server OASIS Open Repository: TAXII 2 Client Library Written in Python cti-taxii-client: https://github.com/oasis-open/cti-taxii-client OASIS Open Repository: Python APIs for STIX 2 cti-python-stix2: https://github.com/oasis-open/cti-python-stix2 OASIS Open Repository: Match STIX content against STIX patterns cti-pattern-matcher: https://github.com/oasis-open/cti-pattern-matcher OASIS Open Repository: Convert STIX 1.2 XML to STIX 2.0 JSON cti-stix-elevator: https://github.com/oasis-open/cti-stix-elevator
  • 21. Github all the things (2)! Translate STIX 2 Patterning Queries Into Splunk and ElasticSearch stix2patterns_translator: https://github.com/mitre/stix2patterns_translator Downgrade STIX2 content to STIX1 cti-stix-slider: https://github.com/oasis-open/cti-stix-slider Malware Information Sharing Platform & Threat Sharing MISP: https://github.com/MISP/MISP A cyber threat intelligence server based on TAXII 2 and written in Golang freetaxii-server: https://github.com/freetaxii/freetaxii-server APIs for generating STIX 2.x messages with Go (Golang) libstix2: https://github.com/freetaxii/libstix2 The CaRT file format is used to store/transfer malware and its associated metadata cse cart: https://bitbucket.org/cse-assemblyline/cart
  • 22. Github all the things (3)! Convert STIX2 to GraphML or GEXF (Gephi format) StixConvert: https://github.com/workingDog/StixConvert Convert STIX2 and load into Neo4j graph database StixToNeoDB: https://github.com/workingDog/StixToNeoDB Browser-based STIX2 editor, with ability to publish to a TAXII2 server cyberstation: https://github.com/workingDog/cyberstation STIX2 Scala library scalastix: https://github.com/workingDog/scalastix TAXII2 Scala library Taxii2LibScala: https://github.com/workingDog/Taxii2LibScala TAXII2 JS library taxii2lib: https://github.com/workingDog/taxii2lib
  • 24. Beyond indicators - analytics use cases ● Threat Intelligence sharing has received a lot of focus; however the analytics to actually find things, not so much ● People re-build the same analytics over and over because they either don't know of, or have access to, what has been done many times before ● In order to share analytics in a scalable fashion, a vendor-neutral language for said analytics has to be developed ● We believe SCO Pattern could be the basis for this ● CAR - The MITRE Cyber Analytics Repository ○ PRE-ATT&CK and ATT&CK based analytics ○ Long-term goal: ability to define the analytics in STIX Patterning ○ Collaborative ecosystem for analytics development
  • 25. Correlation rules ● SIEM correlation rules share a lot of the same challenges as analytics ○ In fact, they are analytics! Imagine! ● Future vision / desire is for SIEM vendors to support SCO Pattern as a method to define rules ○ Reduce / eliminate vendor lock-in ○ Enable broader ecosystem of cross-vendor solutions sharing tools ○ Seamless integration of STIX 2.0 compatible threat intelligence with SIEM correlation engines ● Again, speak to your vendor! ○ Nothing moves ahead without customers demanding it
  • 26. It's not perfect...yet. ● Known gaps in SCO object model itself ● Known gaps in language ● We need your help! ● While we believe that STIX Patterning is amongst the most long-term significant innovations in STIX 2.x, it is nevertheless a work product coming out of a very small team of people. If we have succeeded in convincing you that we are not in fact smoking crazy goat-weed, please come join the party!
  • 27. tl;dr ● Make sure to grab a quick reference card. ● We're having a ½ day STIX/TAXII 2.0 training followed by a ½ day hackathon Friday where you can learn more and try out the tools we discussed. ● Kudos to our colleagues from CIRCL for being so supportive and for early adoption in MISP. ● Thanks to FIRST and OASIS for making this event happen and to you for giving us your attention today! Thank you!

Editor's Notes

  1. Do we need to introduce ourselves? Assuming so, try to do 20 seconds or less. TODO: add more cat memes!
  2. Trey presents
  3. Cool project but unfortunately it's typical OSS wheel reinvention.
  4. Jason presents
  5. A pattern consists of one or more observation expressions joined by observation operators. Valid observation operators are AND, OR, and FOLLOWEDBY Each one of those observation expressions may be a simple test (eg. ip-addr.value = '1.2.3.4'), or may be multiple tests that create a comparison expression. Comparisons within an expression are separated by comparison operators. There are several comparison operators, including things like =, >, <, IN, LIKE, etc. An entire observation expression MAY be followed by a qualifier, such as 'REPEATS X TIMES' or 'WITHIN Y SECONDS'.
  6. TODO: add a slide with what's currently defined in SCO <= WILL DO TODO: add a slide enumerating what we'd like help with adding to SCO TODO: define an additional example illustrating succinctly something like malware beaconing, with both host and network-based patterning TODO: consider ditching the Powershell and UAC bypass examples (per Ivan)
  7. tag-team present
  8. Point out here that we expect that many vendors will likely generate patterns automatically for you from SCO observations seen on the wire or endpoint When was the last time you wrote a YARA rule by hand, vs copy/paste it from somewhere, take it from a content package, or use a tool?
  9. Yes, Snort is more succinct. Yes, we are looking at refactoring how network traffic works in STIX Patterning. But there are still significant advantages to STIX Patterning over either Snort or Yara insofar as it provides the ability to correlate across both network and endpoint telemetry.
  10. Trey presents
  11. TODO: break this out into 3-4 pages with project descriptions TODO: review this stuff https://github.com/workingDog?tab=repositories
  12. TODO: break this out into 3-4 pages with project descriptions TODO: review this stuff https://github.com/workingDog?tab=repositories
  13. TODO: break this out into 3-4 pages with project descriptions TODO: review this stuff https://github.com/workingDog?tab=repositories
  14. Jason presents
  15. TODO: add an example!
  16. TODO: talk about integrating with osquery, Bro, and other OSS security tools