The document discusses STIX (Structured Threat Information eXpression), a language for specifying and sharing cyber threat information. It describes a STIX CybOX Creator tool that generates CybOX XML files from email to express cyber observables. The tool uses Python libraries to read email from Gmail and produce XML output using the STIX and CybOX specifications to structure threat intelligence in a standard, machine-readable format.
3. Cyber Threat Intelligence
Analysis driven understanding of:
•What activity are we seeing?
•What threats should I look for in my network and systems, and why?
•Where has this threat been seen?
•What does it do?
•What weaknesses does this threat exploit?
•Who is responsible for this threat?
•What can I do about it?
SRI Monthly Presentation 2015 | Dr. Brian Lee, Akash Rajguru
5. Threat Intelligence Sharing
•Cyber threat information sharing is not new
•But it is atomic and very limited in sophistication
Atomic because relatively little information about each threat is shared.
Limited in sophistication because the information is unstructured and not very expressive.
6. Problem faced by Cyber Security Experts
• Most sharing is unstructured and human-to-human, and does not cover the broad dimensions of cyber threat information sharing
8. STIX as a Solution
Structured Threat Information eXpression
STIX aims to enable sharing of more expressive cyber threat information, as well as the full spectrum of other cyber threat information.
STIX is a language developed to:
Specify, Capture, Characterize, Communicate
Cyber Threat Information
10. Implementations
The initial implementation has been done in XML Schema
•Ubiquitous, portable and structured
STIX can also be implemented using JSON
11. Enabling Utilities
The utilities provided enable easier prototyping and use of the language.
Utilities consist of:
•Programmatic language (Python) bindings for STIX, CybOX, etc.
•High-level APIs for common needs/activities.
12. Product built on the STIX Specification
Product name: STIX CYBOX CREATOR
OVERVIEW
The STIX CybOX Creator is a Python-based GUI application which generates CybOX XML output from RFC 822 email. The email is read from the Gmail IMAP server and the CybOX output file is created in XML format.
13. What is CybOX
Cyber Observable eXpression
It is a base construct within STIX.
A language for communicating standardized information about cyber observables (essentially a schema for representing cyber observables).
Examples: information about a file (name, size, hash, etc.), a registry key value, a service being started.
14. Dependencies
• python-cybox - a Python library for CybOX
• http://cybox.readthedocs.org/en/latest/installation.html
• Python IMAP client library
• pip install imapclient
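The pipeline that slides 12 to 14 describe (read an RFC 822 message, express its headers and attachments as CybOX observables, write XML), as an added example by the editor rather than the STIX CybOX Creator's own code. It uses only the standard library so the header-to-object mapping is visible and it runs offline; the real tool uses python-cybox for this. The element and namespace names are the CybOX 2.1 EmailMessage, Address and File object schemas as the editor recalls them (an assumption; python-cybox is the supported way to emit them), the "example:" id prefix is assumed, and the sample message and its three-byte "attachment" are constructed so the digests match the well-known MD5/SHA-256 of "abc". The fetch_unseen_rfc822 helper shows the imapclient calls for the Gmail step and is not exercised here.

```python
# Added example (editor's, not the STIX CybOX Creator's code). Element and namespace
# names follow the CybOX 2.1 EmailMessage, Address and File object schemas as the
# editor recalls them (assumption); python-cybox is the supported way to emit them.
import hashlib
import uuid
import xml.etree.ElementTree as ET
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

NS = {"cybox": "http://cybox.mitre.org/cybox-2",
      "cyboxCommon": "http://cybox.mitre.org/common-2",
      "EmailMessageObj": "http://cybox.mitre.org/objects#EmailMessageObject-2",
      "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
      "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
      "xsi": "http://www.w3.org/2001/XMLSchema-instance"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

def q(prefix, tag):  # Clark-notation tag name for ElementTree
    return "{%s}%s" % (NS[prefix], tag)

def new_id(kind):  # python-cybox style "example:Type-uuid" ids; the prefix is assumed
    return "example:%s-%s" % (kind, uuid.uuid4())

def _address(parent, tag, address):
    el = ET.SubElement(parent, q("EmailMessageObj", tag),
                       {q("xsi", "type"): "AddressObj:AddressObjectType", "category": "e-mail"})
    ET.SubElement(el, q("AddressObj", "Address_Value")).text = address

def _file_observable(root, part):
    """Emit a FileObj observable (name, size, MD5/SHA256) for one MIME attachment."""
    data = part.get_payload(decode=True) or b""
    obs = ET.SubElement(root, q("cybox", "Observable"), {"id": new_id("Observable")})
    obj_id = new_id("File")
    obj = ET.SubElement(obs, q("cybox", "Object"), {"id": obj_id})
    props = ET.SubElement(obj, q("cybox", "Properties"), {q("xsi", "type"): "FileObj:FileObjectType"})
    ET.SubElement(props, q("FileObj", "File_Name")).text = part.get_filename() or "unnamed"
    ET.SubElement(props, q("FileObj", "Size_In_Bytes")).text = str(len(data))
    hashes = ET.SubElement(props, q("FileObj", "Hashes"))
    for name, digest in (("MD5", hashlib.md5(data)), ("SHA256", hashlib.sha256(data))):
        h = ET.SubElement(hashes, q("cyboxCommon", "Hash"))
        ET.SubElement(h, q("cyboxCommon", "Type")).text = name
        ET.SubElement(h, q("cyboxCommon", "Simple_Hash_Value")).text = digest.hexdigest()
    return obj_id  # referenced from the email object's Attachments list

def email_to_cybox(raw):
    """raw: RFC 822 bytes as returned by an IMAP RFC822 fetch. Returns the root Element."""
    msg = message_from_bytes(raw, policy=policy.default)
    root = ET.Element(q("cybox", "Observables"), {"cybox_major_version": "2", "cybox_minor_version": "1"})
    root.set("xmlns:example", "http://example.com/")  # declares the prefix used in the ids
    obs = ET.SubElement(root, q("cybox", "Observable"), {"id": new_id("Observable")})
    obj = ET.SubElement(obs, q("cybox", "Object"), {"id": new_id("EmailMessage")})
    props = ET.SubElement(obj, q("cybox", "Properties"),
                          {q("xsi", "type"): "EmailMessageObj:EmailMessageObjectType"})
    header = ET.SubElement(props, q("EmailMessageObj", "Header"))  # order: To, From, Subject, Date, Message_ID
    to = ET.SubElement(header, q("EmailMessageObj", "To"))
    for _name, addr in getaddresses(msg.get_all("To", [])):
        _address(to, "Recipient", addr)
    for _name, addr in getaddresses(msg.get_all("From", []))[:1]:
        _address(header, "From", addr)
    for tag, hdr in (("Subject", "Subject"), ("Date", "Date"), ("Message_ID", "Message-ID")):
        if msg[hdr]:
            ET.SubElement(header, q("EmailMessageObj", tag)).text = str(msg[hdr])
    att = None  # Attachments precede Raw_Body in EmailMessageObjectType
    for part in msg.iter_attachments():
        if att is None:
            att = ET.SubElement(props, q("EmailMessageObj", "Attachments"))
        ET.SubElement(att, q("EmailMessageObj", "File"), {"object_reference": _file_observable(root, part)})
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        ET.SubElement(props, q("EmailMessageObj", "Raw_Body")).text = body.get_content()
    return root

def email_to_cybox_xml(raw):
    return ET.tostring(email_to_cybox(raw), encoding="unicode")

def fetch_unseen_rfc822(host, username, password, folder="INBOX"):
    """Raw RFC 822 bytes of unseen messages over IMAPS with imapclient (needs network, not run here)."""
    from imapclient import IMAPClient  # prefer an app password or IMAPClient.oauth2_login()
    with IMAPClient(host, ssl=True) as client:  # e.g. host="imap.gmail.com"
        client.login(username, password)
        client.select_folder(folder, readonly=True)  # do not flag messages \Seen while collecting
        uids = client.search(["UNSEEN"])
        return [d[b"RFC822"] for d in client.fetch(uids, ["RFC822"]).values()]

ATTACHMENT_BYTES = b"abc"  # constructed; tiny so the digests are the well-known hashes of "abc"

def sample_rfc822():
    """Constructed RFC 822 message standing in for an IMAP fetch result."""
    m = EmailMessage()
    m["From"] = "Billing <billing@example.net>"
    m["To"] = "alice@example.com, Bob <bob@example.com>"
    m["Subject"] = "Invoice attached"
    m["Message-ID"] = "<20150302101500.1234@example.net>"
    m.set_content("Please see the attached invoice.\n")
    m.add_attachment(ATTACHMENT_BYTES, maintype="application", subtype="pdf", filename="invoice.pdf")
    return m.as_bytes()
```

Each attachment becomes its own File object with name, size and hashes (the slide 13 examples), referenced from the email object by id, so a consumer can pivot from the message to the file indicator without re-parsing the MIME. The IMAP helper selects the folder read-only so collection does not mark messages as seen, and should run with an app-specific password or OAuth token rather than the mailbox owner's credentials.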
17. Where to Learn More
STIX Website (whitepapers, documentation, schemas, etc.)
http://stix.mitre.org
STIX GitHub site (bindings, APIs, utilities)
https://github.com/STIXProject