Continuing our conversation about operational sharing, I'd like to talk a little bit now about CybOX, the Cyber Observable eXpression. This is a language created in order to address some of the compatibility problems between different vendors' products and to be able to share information back and forth.

We can see that CybOX supports things like threat assessment and characterization, malware characterization, logging, operational event management, cyber situational awareness, forensics and even incident response.

We can have a look at the CybOX website. As it says, it's a standardized language for encoding and communicating high-fidelity information about cyber observables, whether they are dynamic or stateful measures in the observable domain. It's a pretty laudable goal, in my opinion, and that's because of these different areas I was just mentioning where it's effective.
We could also take a quick look at the repositories on GitHub; we saw GitHub earlier. There are several different CybOX-related development projects, and as I was mentioning about GitHub before, this is a great platform to explore, because you might be using a tool that can utilize CybOX, and there might be other people who have created plug-ins or other pieces to add to this community: CybOX, HTML and so on. So there's a bunch of things out here to look at, and that's well worth doing.
In addition to the GitHub resources, you might also consider these related efforts that are trying to do something similar, like CAPEC, the Common Attack Pattern Enumeration and Classification; the Event Management Automation Protocol; OVAL, the Open Vulnerability Assessment Language; and MAEC, the Malware Attribute Enumeration and Characterization standard. Some of you have probably heard of all or most of these. There are lots of other efforts to do something similar, trying to find a way to make the sharing of information between vendor products much more efficient, and therefore more productive for the practitioner.
Next, we'll have a look at STIX, which is the Structured Threat Information eXpression. It's another language, and CybOX, because it was so useful, was actually incorporated into the latest version of STIX. The STIX platform was maybe a little bit larger, maybe had more adherents, so integrating CybOX into it must have made sense for all the developers.

One advantage of STIX is that it can produce a machine-readable format for the information that's utilized by the different vendor tools, and even ways to serialize each item that's being investigated, each item that has a signature.

So we can go ahead and have a look at the specifications for STIX. It's up here on Google Docs. We see that TAXII is also mentioned; we'll look at that shortly. But it goes into a nice bit of detail, showing you the core concepts, how the patterns work, and a little bit more about the specification itself.
So let's see what it says about Cyber Observable Objects. It's fairly new, and it gives some good information about what a cyber observable object is and how it's actually used, like an artifact object. So depending on your level of expertise, you can dig down into quite a few areas to find all these different things: what an email address object looks like, what kind of syntax is used for that, and so on. So there's good information there. We'll also have a look at these other areas shortly.
So one of the characteristics of STIX is that it allows these relationship diagrams to be created. If you recall, we talked about the diamond model and how you could trace the activity of a threat or vulnerability through its various paths on its way to either causing some kind of problem or compromising a system, and so on. And so these relationship diagrams can help, showing, okay, there's been a sighting of a CryptoLocker hash, which may be an indicator that the CryptoLocker malware is present. This could obviously be a lot more useful for things like WannaCry, which we took a brief look at earlier.

The syntax is also very simple when compared to things like YARA rules and so on; anyone who's done some basic scripting should be very comfortable with this kind of syntax. We simply have some labels and some information, showing a little bit of the unique serialization that was mentioned earlier, to make sure that this particular entry is clearly unique against any other entries that are seen.
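The sighting-of-a-hash relationship and the label-plus-unique-ID serialization just described, as an added example that is not from the lecture and not the STIX project's own code: a small Python script using only the standard library that builds a STIX 2.1 bundle (a malware object, an indicator carrying a hash pattern, an "indicates" relationship and a sighting), checks that every object's type-prefixed UUID is unique, and then matches a constructed list of observed file hashes against the indicator's pattern. The SHA-256 value, the file names and the `match_indicator` helper are constructed for illustration; the matcher handles only the single equality-comparison pattern form used here and is not a full STIX patterning engine.

```python
import json
import re
import uuid
from datetime import datetime, timezone


def now_ts():
    # STIX timestamps are RFC 3339 UTC with millisecond precision and a 'Z' suffix
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def stix_id(obj_type):
    # Every STIX object carries a type-prefixed UUID; this is the unique
    # serialization that keeps each entry distinct from every other entry
    return f"{obj_type}--{uuid.uuid4()}"


def new_object(obj_type, **props):
    # Common properties every STIX 2.1 domain/relationship object must have
    ts = now_ts()
    obj = {"type": obj_type, "spec_version": "2.1", "id": stix_id(obj_type),
           "created": ts, "modified": ts}
    obj.update(props)
    return obj


# Constructed placeholder hash; NOT a real CryptoLocker sample hash
SAMPLE_SHA256 = "0123456789abcdef" * 4


def build_bundle(sha256=SAMPLE_SHA256):
    malware = new_object("malware", name="CryptoLocker", is_family=True,
                         malware_types=["ransomware"])
    indicator = new_object("indicator", name="CryptoLocker payload hash",
                           pattern_type="stix",
                           pattern=f"[file:hashes.'SHA-256' = '{sha256}']",
                           valid_from=now_ts())
    # Relationship edge of the diagram: indicator --indicates--> malware
    rel = new_object("relationship", relationship_type="indicates",
                     source_ref=indicator["id"], target_ref=malware["id"])
    # Sighting: the indicator was observed once
    sighting = new_object("sighting", sighting_of_ref=indicator["id"], count=1)
    return {"type": "bundle", "id": stix_id("bundle"),
            "objects": [malware, indicator, rel, sighting]}


def all_ids_unique(bundle):
    ids = [o["id"] for o in bundle["objects"]] + [bundle["id"]]
    return len(ids) == len(set(ids))


# Hypothetical minimal matcher: only the [path = 'value'] form, no boolean
# operators, no observation expressions, no qualifiers.
PATTERN_RE = re.compile(r"^\[(?P<path>[\w:.'-]+)\s*=\s*'(?P<value>[^']*)'\]$")


def match_indicator(indicator, observed):
    m = PATTERN_RE.match(indicator["pattern"])
    if not m:
        raise ValueError("unsupported pattern form")
    # Observed data is a flat dict keyed by the same object path used in patterns
    return observed.get(m.group("path")) == m.group("value")


def scan(bundle, observed_files):
    """Return ids of indicators whose pattern matches any observed file."""
    hits = []
    for ind in (o for o in bundle["objects"] if o["type"] == "indicator"):
        if any(match_indicator(ind, obs) for obs in observed_files):
            hits.append(ind["id"])
    return hits


# Constructed observations standing in for the output of a file-hashing tool
OBSERVED = [
    {"file:hashes.'SHA-256'": "ff" * 32, "file:name": "notes.txt"},
    {"file:hashes.'SHA-256'": SAMPLE_SHA256, "file:name": "invoice.exe"},
]

if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    print("unique ids:", all_ids_unique(bundle))
    print("matched indicators:", scan(bundle, OBSERVED))
```

Running the script prints the bundle as JSON, which is the wire form a TAXII server or another vendor's tool would consume; the `id` values are what make the same indicator recognizable across tools, and the `relationship` object is exactly one arrow of the relationship diagram the lecture describes.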
So STIX is something worth looking into, and now that you've seen the website, you can go and have a look at the documentation to get a bit more knowledge. It could be something very valuable to bring into your bag of tools.