Understanding CybOX

Going through a transition from CMS/Commerce platforms to cyber security/big data, there are many technical aspects of security I’m still trying to grasp. One of them is CybOX, or Cyber Observable eXpression. It is a “standardized language for encoding and communicating” cyber observables. An observable, by definition, is a dynamic variable that can be measured, so cyber observables are used for analysis and detection in the following domains:

  • Threat assessment & characterization (detailed attack patterns)
  • Malware characterization
  • Operational event management
  • Logging
  • Cyber situational awareness
  • Incident response
  • Indicator sharing
  • Digital forensics
  • And more…

In my work, CybOX cyber observables are used for setting conditions so that certain events will trigger “behaviors” that will alert analysts of potential threats in their network. There is, however, much more complexity and flexibility than how I’ve described it, but that is the gist of it. Reading only the CybOX about page is a bit difficult to digest on its own.

Those familiar with XML will immediately understand the schema of CybOX observables. Here is one simple example for detecting file patterns via regex:

<?xml version="1.0" encoding="UTF-8"?>
<cybox:Observables xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:cybox="http://docs.oasis-open.org/cti/ns/cybox/core-2"
    xmlns:cyboxCommon="http://docs.oasis-open.org/cti/ns/cybox/common-2"
    xmlns:FileObj="http://docs.oasis-open.org/cti/ns/cybox/objects/file-2"
    xmlns:example="http://example.com/"
    xsi:schemaLocation="
    http://docs.oasis-open.org/cti/ns/cybox/core-2 ../core.xsd
    http://docs.oasis-open.org/cti/ns/cybox/objects/file-2 ../objects/File_Object.xsd"
    cybox_major_version="2" cybox_minor_version="1" cybox_update_version="1">
    <cybox:Observable id="example:Observable-9769042a-294d-4f2c-963b-579702df0472">
        <cybox:Description>
            This observable specifies a pattern for a file with a file name that fits a certain pattern.
            The file name starts with &apos;bad_file&apos;, ends with &apos;.exe&apos;, and has
            between two and five numbers in it.
        </cybox:Description>
        <cybox:Object id="example:Object-dae8802e-b0df-4989-9ac3-d816b153842b">
            <cybox:Properties xsi:type="FileObj:FileObjectType">
                <FileObj:File_Name pattern_type="Regex">bad_file[0-9]{2,5}\.exe</FileObj:File_Name>
            </cybox:Properties>
        </cybox:Object>
    </cybox:Observable>
</cybox:Observables>

So a dev could use this schema for whatever purpose in his application, such as generating an alert if some process creates a file matching this pattern.
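
One way to act on the observable above, as an added example that is not part of the original post: the script parses the CybOX XML, compiles the Regex File_Name pattern and checks it against file-creation events. The event records, PIDs, paths and function names are constructed for illustration, and matching the whole base name rather than a substring is an assumption taken from the Description text.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

NS = {"cybox": "http://docs.oasis-open.org/cti/ns/cybox/core-2",
      "FileObj": "http://docs.oasis-open.org/cti/ns/cybox/objects/file-2"}

# Trimmed copy of the observable shown above (schemaLocation and Description omitted).
OBSERVABLES_XML = r"""<cybox:Observables
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:cybox="http://docs.oasis-open.org/cti/ns/cybox/core-2"
    xmlns:FileObj="http://docs.oasis-open.org/cti/ns/cybox/objects/file-2"
    xmlns:example="http://example.com/">
  <cybox:Observable id="example:Observable-9769042a-294d-4f2c-963b-579702df0472">
    <cybox:Object id="example:Object-dae8802e-b0df-4989-9ac3-d816b153842b">
      <cybox:Properties xsi:type="FileObj:FileObjectType">
        <FileObj:File_Name pattern_type="Regex">bad_file[0-9]{2,5}\.exe</FileObj:File_Name>
      </cybox:Properties>
    </cybox:Object>
  </cybox:Observable>
</cybox:Observables>"""

# Constructed file-creation events (hypothetical sensor output).
EVENTS = [
    {"pid": 4312, "path": r"C:\Users\alice\AppData\Local\Temp\bad_file123.exe"},
    {"pid": 4312, "path": r"C:\Temp\bad_file1.exe"},    # one digit: too few
    {"pid": 871, "path": "/tmp/bad_file99999.exe"},
    {"pid": 871, "path": "/tmp/bad_file123456.exe"},    # six digits: too many
    {"pid": 990, "path": "/tmp/notbad_file12.exe"},     # would match with search()
    {"pid": 990, "path": "/tmp/bad_file12xexe"},        # the dot is escaped
]

def load_file_name_rules(xml_text):
    """Return [(observable_id, compiled_regex)] for Regex File_Name patterns."""
    # ElementTree suits this trusted sample; for third-party feeds use a
    # hardened parser such as defusedxml.
    rules = []
    for obs in ET.fromstring(xml_text).iterfind("cybox:Observable", NS):
        for name in obs.iterfind(".//FileObj:File_Name", NS):
            if name.get("pattern_type") == "Regex" and name.text:
                rules.append((obs.get("id"), re.compile(name.text.strip())))
    return rules

def match_events(rules, events):
    """Return (observable_id, pid, file) for each event whose base name matches."""
    alerts = []
    for ev in events:
        base = ntpath.basename(ev["path"])  # splits on both \ and /
        # Assumption: the pattern must cover the whole file name (fullmatch).
        alerts += [(oid, ev["pid"], base) for oid, rx in rules if rx.fullmatch(base)]
    return alerts
```

Calling match_events(load_file_name_rules(OBSERVABLES_XML), EVENTS) returns alerts only for bad_file123.exe and bad_file99999.exe.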

I’m still trying to wrap my head around the depth and numerous use cases for cyber observables, but from my understanding this is a good place to start if you want to get a better understanding of what cyber security analysts are using and relying on, especially when security has become much more important for many large and enterprise-level companies and organizations.
