3.2 Common CTI Standards Part 1

00:00

Hello and welcome to the second module data processing. This is the second video about common standards used in cyber threat intelligence.

00:10

Let me start. It's introducing data standard. So basically a data standards defines how practical or information elements are represented and fines or in communications.

00:23

The EU's off common standards is important for exchange off any information

00:28

and cyber threat Intelligence, particularly standards, were created to represent actionable information, including their contacts to facilitate their storage. And Scherick,

00:40

using a standard format, has mainly three advantages over using at hawk representations.

00:48

First, the use off existent processing tools, both to support the standard.

00:53

Second, the interpretation off the description should be less subject to misinterpretation because the standard defines of the semantics for information elements

01:06

and, third, the ease off sharing and integration.

01:10

And this lesson we will discover together

01:12

different standards. Use it for cyber threat intelligence. We will start with scoring standards. Then we'll see thread description or taxonomy standards and finally will close with transport senders or particles. One off the most known scoring systems is CVS s

01:32

CVS says distance for common vulnerability scoring system and is currently maintained by the form off incident response and security teams first. The current version off, CVS says, is version 3.1

01:47

and was released in June 2090.

01:49

CVS s measures three areas off concerts, bays, metrics, temporal metrics and environmental metrics. The base core has the most significant influence all the final score. The based group represents the intrinsic qualities off of vulnerability.

02:07

The temporal group reflects the characteristics off of vulnerability that change over the time,

02:15

and the environmental group represents the correct the characteristics off vulnerability that are unique to users. Environment scores range from 0 to 10 where tanker response to the most critical vulnerability.

02:30

A CVS test score is also represented as a vector string. A compressive textile representation. Off values use it to the arrives. The score.

02:40

The numerical score can also be translated into a qualitative representation in such low, medium high and critical. As an example, I took the recently discovered vulnerability called Blue Keep or CV 2019 0708

03:00

This is a remote code, execution or air see vulnerability in remote desktop protocol Rdp, where an unauthenticated removed attacker can exploit the flow via Siri's off, especially crafted requests to execute arbitrary coat

03:19

I hear the vector string

03:21

off CBSS 3.1 is attack Vector is network at that. Complexity is low privileges record non user interactions, non scope and changed confidentiality, high integrity, high and availability. Hi!

03:40

And the score here is 9.8, which is critical. If we choose to add a temporal or in very mental metric, the score will change.

03:53

The second type off standards is thread description or taxonomy. Standers. The motivations for developing taxonomy standards. Waas to find a common language to describe malware infections and all their cyber events

04:10

here. We're going to start with the first standards, which is open IOC so open. IOC stands for open indicators off compromise and was introduced by Manion into 2000 and 11. It is used in many in products but has also Bean released as an open standard.

04:29

Open, you see

04:30

provides a standard format and terms for describing the artifacts encountered during course. Often investigation open IOC is focused on describe and technical characteristics off threat. Through an Extensible XML schema. You can produce or edit

04:49

open fire, see files

04:53

using the tools provided by fire. These tools can be used for free

04:58

hair is an example off threat representation Using open IOC standard.

05:03

This example can be found on Forget her purpose it Terry mentioned on the slide and viewed using the tool I see editor mentioned other previous slide or through with all line website are you see back a dot com.

05:18

The next thundered from the same category is Sai box

05:23

Cyber observable expression or side box is standardized language for representing observable ZX. It was introduced by miter on 2000 and 12 and now maintained by always is now Cy Box has been integrated into sticks to standard side box is used for the finding details

05:43

regard unmeasurable events and state ful properties.

05:46

The object that can be defined in Sai box can be used in higher level schema like sticks.

05:54

Harry's a basic example of side box representation off i p address object. The second standard from the same category is sticks,

06:05

sticks, tents for stretcher threat information expression and it is stretchered language for describing cyber threat information so it can be shared, stored and analyzed in a consistent manner. Sticks

06:20

is also introduced by miter and now maintained by Oasis. The current version off sticks is 2.0. It uses Jeez on schema for the second version.

06:33

The structure of nature off sticks architecture allows it to define relationship between constructs. For example, a campaign can be attributed to a threat. Actor

06:46

As I tried several tools dedicated to threat intelligence and some solutions. Sticks is being widely accepted by industry leaders. Sticks to defines 12 sticks domain objects,

06:59

sticks objects, categorize each piece of information with specific attributes to be populated,

07:05

training multiple objects together through relationships, although for easy or complex representations. Off threat intelligence sticks to domain objects include campaign course of action, identity, Muller, Threat, actor, tool, vulnerability and others.

07:25

Sticks to also defines

07:27

two sticks relationship or rejects.

07:30

The first is a relationship on the Second is citing. Here is a basic example off sticks representation where the first sticks domain object is threat. Actor on the second sticks domain object is identity and varies

07:46

sticks relationship object. Linking the first