Introduction to STIX 101

HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
STIX Introduction
What is STIX and why is it relevant?

Balance of Inward & Outward Focus
 Traditional approach to security has been inward focused
– Understand ourselves: find all vulnerabilities, fix all vulnerabilities, et
voila we are magically “secure”
– This is based on a fallacy that we can know and/or fix all vulnerabilities
– Inward focus (hygiene) is necessary but inadequate.
 Need for a balancing outward focus on understanding the
adversary, their motivation, tactics, activity to make intelligent and
realistic defense decisions.
| 1 |

Proactive & Reactive Actions Needed
 Many attacks today are increasingly complex and multistage.
 Current visibility and ability to act is typically after exploit has
occurred
– Response is important but inadequate alone
 Need to balance response with proactive detection and
prevention of pre-exploit activity
| 2 |
Recon
Weaponize
Deliver
Exploit
Control
Execute
Maintain
Kill Chain or Cyber Attack Lifecycle

Need for Holistic Threat Intelligence
 Effective understanding, decision-making and action require a
holistic picture of both ourselves and the adversary.
– What are our assets? What are our missions and activities? What is our
attack surface? Where are we vulnerable?
– Who is the adversary? Where are they acting? How are they acting? What
does it look like when they act? What are they targeting? What actions
should we take to mitigate their actions?
 This is holistic threat intelligence
| 3 |

Need for Information Sharing
 Holistic threat intelligence is not a single player sport
 It depends on access to a wide range of information and no single
entity, no matter how large, has the full picture to be consistently
predictive or effective in prevention.
 It requires sharing of information between interested parties.
– Sharing applies both internally and externally
– Sharing is not completely new but is typically focused on very atomic, limited-
sophistication indicators (IP lists, file hashes, URLS, email addresses, etc.)
– Most sharing is unstructured and human-to-human
– There is a need to share more sophisticated behavioral and contextual information
 How can my detection today aid your prevention tomorrow?
| 4 |

Cost to Adversary
Trivial/cheap
to hop between
IP addresses
Slightly more
expensive to hop
between
domains
Difficult &
expensive:
Changing tactics and
procedures to evade
behavioral detection
| 5 |

Need for Automation
 Massive amounts of information, diverse sharing partners, rapid
tempo of attack and need to respond at machine speed require
automation
 Human interpretation and decision will always be involved but
we need to assist them in this by letting machines do what
machines do well.
| 6 |

Pulling it All Together
 Pursuing holistic threat intelligence
 Sharing of information among a diverse set of players
 Leveraging automation throughout
Standardized Representation of
Cyber Threat Information
STIX is intended to address this issue
| 7 |

What is STIX?
 A language for the characterization and communication of
cyber threat information
– NOT a sharing program, database, or tool
 …but supports all of those uses and more
 Developed with open community feedback
 Supports
– Clear understandings of cyber threat information
– Consistent expression of threat information
– Automated processing based on collected intelligence
– Advance the state of practice in threat analytics
| 8 |

 Analyzing Cyber Threats
 Specifying Indicator Patterns for Cyber Threats
 Managing Cyber Threat Operations/Response Activities
– Cyber Threat Prevention
– Cyber Threat Detection
– Incident Response (investigation, digital forensics, malware analysis,
etc.)
 Sharing Cyber Threat Information (internally and externally)
| 9 |
Use Cases

STIX provides a common mechanism for addressing structured cyber threat
information across and among this full range of use cases improving consistency,
efficiency, interoperability, and overall situational awareness.
STIX Use Cases Cover a Broad Spectrum
| 10 |

What is “Cyber (Threat) Intelligence?”
Consider these questions:
 What activity are we seeing?
 What threats should I look for on my
networks and systems and why?
 Where has this threat been seen?
 What does it do?
 What weaknesses does this threat exploit?
 Why does it do this?
 Who is responsible for this threat?
 What can I do about it?
| 11 |

STIX Architecture
| 12 |

| 13 |
Observable
 Primary intent:
 Primary content:
– Title/Description
– Information source
 Who, when, where, how (tools), etc.
– Object, Event or Composition
 Object
– Description
– Properties (extensible with
different object types)
» Each property can
express observed
value or rich
patterning for potential
observations
– Location
– Related Objects
 Event
– Type
– Description
– Actions
» Type
» Name
» Arguments
» Location
» Associated objects
» Related actions
– Location
 Composition
– Observables combined
using logical operators
(And/Or)
– Convey specific instances of cyber observation (either static or dynamic) or
patterns of what could potentially be observed.

■ Account
■ Address
■ API
■ Archive File
■ ARP Cache Entry
■ Artifact
■ Autonomous System
■ Code
■ Custom
■ Device
■ Disk
■ Disk Partition
■ DNS Query
■ DNS Record
■ DNS Cache
■ Domain Name
■ Email Message
■ File
■ GUI
■ GUI Dialog Box
■ GUI Window
■ Hostname
■ HTTP Session
■ Image
■ Library
■ Link
■ Linux Package
■ Memory
■ Mutex
■ Network Connection
■ Network Flow
■ Network Packet
■ Network Route Entry
■ Network Route
■ Network Subnet
■ PDF File
■ Pipe
■ Port
■ Process
■ Product
■ Semaphore
■ SMS
■ Socket
■ Socket Address
■ System
■ Unix File
■ Unix Network Route Entry
■ Unix Pipe
■ Unix Process
■ Unix User Account
■ Unix Volume
■ URI
■ URL History
■ User Account
■ User Session
■ Volume
■ Whois
■ Win Computer Account
■ Win Critical Section
■ Win Driver
CybOX v2.1 Objects
■ Win Event
■ Win Event Log
■ Win Executable File
■ Win File
■ Win Filemapping
■ Win Handle
■ Win Hook
■ Win Kernel
■ Win Kernel Hook
■ Win Mailslot
■ Win Memory Page Region
■ Win Mutex
■ Win Network Route Entry
■ Win Pipe
■ Win Network Share
■ Win Prefetch
■ Win Process
■ Win Registry Key
■ Win Semaphore
■ Win Service
■ Win System
■ Win System Restore
■ Win Task
■ Win Thread
■ Win User Account
■ Win Volume
■ Win Waitable Timer
■ X509 Certificate
(more on the way)
| 14 |

| 15 |
Observable
 Simple examples
– A file with particular MD5 hash is seen
– An incoming network connection is seen from a particular IP address
– A particular registry key is modified
– A particular process is killed
– A pattern that might be seen for an email with a particular subject line and with a
.PDF file attached
– A pattern for an HTTP Get with a particular user agent

| 16 |
Indicator
 Primary intent:
– Title/Description/ShortDescription
– Type of Indicator
– Valid time range
– Observable pattern
– Indicated TTP
– Test mechanisms
 Non-CybOX pattern representation
(e.g. Snort, Yara, OpenIOC)
– Suggested course of action
– Confidence
– Sightings
– Kill chain phases
– Handling
– Convey specific Observable patterns with contextual information intended to
represent artifacts and/or behaviors of interest (“indicated” TTPs) within a cyber
security context

| 17 |
Indicator
 Simple examples
– If network traffic is seen from a particular range of IP addresses it indicates a
DDoS attack
– If a file is seen with a particular SHA256 hash it indicates the presence of Poison
Ivy
– If an email is seen with an attached file that has a particular string in the filename
and has a particular MD5 hash it indicates a phishing attack associated with a
particular campaign
– If an outgoing network connection to 218.077.079.034 is seen within the next week
there is a medium confidence that it indicates exfiltration from a Zeus infection
– If HTTP traffic is seen with particular characteristics including a particular user
agent it indicates a particular form of data exfiltration is occuring.

 Primary intent:
– Title/Description/ShortDescriptio
n
– Granular milestone timestamps
– Categories
– Role identities (CIQ extensible)
 Reporter/Responder/Coordinator
– Victim identity (CIQ extensible)
– Affected assets
– Impact assessment
– Status
– Related Indicators
– Related Observables
– Leveraged TTPs
| 18 |
Incident
– Attributed Threat Actor
– Intended effect
– Security compromise
– Course of Action requested/taken
– Confidence
– Contact information
– History
 Action entries
 Journal entries
– Handling
– Convey details of specific security events affecting an organization(s) along with
information discovered or decided during an incident response investigation

 Simple example
– A laptop assigned to Joe Smith was found on 4/30/14 to be
infected with a specific variant of Zeus using a specific range of
IPs for C2.
– The investigation coordinated by Jane Jones found that the initial
infection came from a phishing attack with malicious attachment
on 4/28/14.
– Authentication credentials to the FooBar system were found to
be compromised and exfiltrated to 123.54.33.234 on 4/29/14.
| 19 |
Incident

 Primary intent:
– Intended effect
– Behavior
 Attack patterns (CAPEC
extensible)
 Malware (MAEC extensible)
 Exploits
– Resources
 Tools
 Infrastructure
 Personas (CIQ extensible)
| 20 |
Tactics, Techniques & Procedures (TTP)
– Victim targeting
 Identity (CIQ extensible)
 Targeted systems
 Targeted information
 Technical targeting
– Exploit targets
– Related TTP
– Kill chains
– Handling
– Convey details of the behavior or modus operandi of cyber adversaries (e.g. what do
they do, what do they use to do it, who do they target, what do they target)

 Simple examples
– Characterization of a particular variant of Zeus
– Characterization of a particular attack pattern leveraging a
particular form of system misconfiguration for post-exploit lateral
movement and privilege escalation
– Characterization of particular range of IP address used for C2
infrastructure
– Characterization of LOIC as a tool used for DoS attacks
– Characterization of project managers on a particular defense
program being targeted
– Characterization of HR information on Oracle 10i systems being
targeted
| 21 |
Tactics, Techniques & Procedures (TTP)

 Primary intent:
– Vulnerability (CVRF extensible)
 Title/Description/ShortDescription
 CVE ID
 OSVDB ID
 Source
 CVSS score
 Discovered date/time
 Published date/time
 Affected software
| 22 |
Exploit Target
– Weakness
– Configuration
– Potential Courses of Action
– Handling
– Convey vulnerabilities or weaknesses in software, systems, networks or
configurations that may be targeted for exploitation by the TTP of a ThreatActor

 Simple example
– CVE-2014-0160 (Heartbleed vulnerability in OpenSSL)
– Characterization of a 0-day vulnerability in a particular Industrial
Control System valve actuator
– Characterization of a system design weakness enabling
asymmetric resource consumption (amplification) attacks (CWE-
405)
– Characterization of a particular configuration of MongoDB that
makes its management console vulnerable to particular injection
attacks
| 23 |
Exploit Target

 Primary intent:
– Names
– Intended effect
– Status
– Related TTPs
– Related Incidents
| 24 |
Campaign
– Attribution (Threat Actor(s))
– Associated Campaigns
– Confidence
– Handling
– Convey perceived instances of Threat Actors pursuing an intent, as observed through
sets of Incidents and/or TTP, potentially across targeted organizations

 Simple example
– Characterization of the Operation Aurora campaign including
 Its victim targeting of Google, Adobe, Juniper, Rackspace, etc.
 Specific Incidents in the campaign
 Particular malware and attack pattern TTPs leveraged
 Particular IP addresses and Domain Names used infrastructure (TTP)
 Asserted attribution to particular Chinese Threat Actors with ties to the
PLA
 Asserted intent/motivation to access and potentially modify source code
repositories
| 25 |
Campaign

 Primary intent:
– Identity (CIQ extensible)
– Type of actor
– Motivation
– Sophistication
– Intended effect
– Planning and operational support
| 26 |
Threat Actor
– Observed TTPs
– Associated Campaigns
– Associated Threat Actors
– Confidence
– Handling
– Convey characterizations of malicious actors (or adversaries) representing a cyber
attack threat including presumed intent and historically observed behavior

 Simple example
– Characterization of Mandiant-dubbed APT1 including
 Assertions of it identity as Unit 61398 within the Chinese PLA
 Assertions to specific locations associated (address in Shanghai)
 Assertions to region (China), languages (Chinese&English), targeted
qualifications, etc.
 Assertions that it is the same Threat Actor also known by the names
Comment Crew, Comment Group and Shady Rat
 Assertions identifying particular individual Threat Actors associated with
APT1
 Asserted characterization of the intent/motivation oriented around trade
secrets and business advantage
 Assertions of particular TTP observed leveraged by APT1
| 27 |
Threat Actor

 Primary intent:
– Stage (preventative or responsive)
– Type of action to be taken
– Parameter Observables
 Structured parameters for the action
– Objective
| 28 |
Course of Action
– Impact
– Cost
– Efficacy
– Handling
– Convey specific actions to address threat whether preventative to address Exploit
Targets, or responsive to counter or mitigate the potential impacts of Incidents

 Simple examples
– Block outgoing network traffic to 218.077.079.034
– Redirect network traffic to/from 218.077.079.034 to denial/deception network
– Quarantine system containing file with MD5 = 2d75cc1bf8e57872781f9cd04a529256
– Reimage system to baseline
| 29 |
Course of Action

Expressing Relationships
“Bad Guy”
ObservedTTP
Backdoor
Infrastructure
Badurl.com,
10.3.6.23, …
“BankJob23”
RelatedTo
Indicator-985
Observables
MD5 hash…
RelatedTo
CERT-2013-03…
Indicator-9742
Observables
Email-Subject:
“Follow-up”
| 30 |

Pamina Republic
Army
Unit 31459
l33t007@badassin.com
Associated ActorLeet
Electronic Address
Initial Compromise
Indicator Observable
Spear Phishing Email
Establish Foothold
Observed TTP
Observed TTP
WEBC2
Malware
Behavior
Escalate Privilege
Observed TTP
Uses Tool
Uses Tool
cachedump
lslsass
MD5:
d8bb32a7465f55c368230bb52d52d885
Indicator
Observed TTP
Internal
Reconnaissance
Attack Pattern
ipconfig
net view
net group “domain admins”
Observed TTP
Exfiltration
Uses Tool
GETMAIL
Targets
Khaffeine
Bronxistan
Perturbia
Blahniks
. . .
Leverages
Infrastructure
IP Range:
172.24.0.0-112.25.255.255
C2 Servers
Observable
Sender: John Smith
Subject: Press Release
Expressing Relationships in STIX
| 31 |

Introduction to STIX 101

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Introduction to STIX 101

Similar to Introduction to STIX 101 (20)

Recently uploaded

Recently uploaded (20)

Introduction to STIX 101