Time
3 hours 1 minute
Difficulty
Advanced
CEU/CPE
3

Video Transcription

00:04
continuing our conversation about operational sharing. I'd like to talk a little bit now about CybOX, the Cyber Observable eXpression,
00:14
and this is a language created in order to address
00:18
some of the compatibility problems between different vendors' products and be able to share information back and forth.
00:26
We can see that CybOX supports things like threat assessment and characterization, malware characterization, logging, operational event management, cyber situational awareness, forensics and even incident response.
00:41
We could have a look at the website
00:44
on mitre.org
00:46
and CybOX. As it says, it's a standardized language for encoding and communicating high-fidelity information about cyber observables,
00:55
whether they are dynamic or stateful measures in the observable domain.
01:00
It's a pretty laudable goal, in my opinion,
01:03
and because I was just mentioning these different areas where it's effective,
01:10
we could also take a quick look at the repositories on GitHub. We saw GitHub earlier for
01:15
the, uh,
01:19
YARA rules,
01:21
and so there are several different CybOX-related development projects. As I was mentioning about GitHub before, this is a great platform to explore
01:30
because you might be using a tool
01:33
that can utilize CybOX.
01:34
And there might be other people who have created
01:38
plug-ins or other pieces to add to this community,
01:42
CybOX HTML and so on.
01:45
So there's a bunch of things out here to look at
01:48
that's well worth doing.
01:51
In addition to the GitHub resources, you might also consider these related efforts that are trying to do something similar,
01:57
like the Common Attack Pattern Enumeration and Classification,
02:01
Event Management Automation Protocol, OVAL, the Open Vulnerability Assessment Language. Some of you have probably heard of all of these or most of these,
02:12
the, um, Malware Attribute Enumeration and Characterization standard. There's lots of other efforts to do something similar, trying to find a way to, uh,
02:21
make the sharing of information between vendors, between vendor products, much more efficient
02:25
and therefore more productive for the practitioner.
02:30
Next, we'll have a look
02:31
at STIX.
02:35
Now STIX is called the Structured Threat Information eXpression.
02:39
You know, the language
02:42
CybOX, because it was so useful, was actually incorporated into the latest version of STIX.
02:50
This way, the STIX platform maybe was a little bit larger, maybe had more adherents, so
02:57
integrating CybOX into it must have made sense for all the developers in order to do this.
03:02
One advantage of STIX is that it can produce a machine-readable format for
03:07
the information that's utilized by the different vendor tools
03:12
and even ways to serialize each
03:15
item that's being investigated, each item that has a signature,
03:21
so we can go ahead and have a look at the specifications for STIX.
03:24
It's up here on Google Docs.
03:30
We see that TAXII is also mentioned. We'll look at that shortly.
03:35
But it goes into a nice bit of detail, showing you the core concepts,
03:39
how the patterns work,
03:43
a little bit more about the specification itself.
03:49
So let's see what it says about cyber observable objects.
03:55
It's fairly, uh, fairly new
04:01
and gives some good information about,
04:04
oh,
04:06
what the terminology is, how it's actually used,
04:12
like an artifact object.
04:15
So depending on your level of expertise, you can dig down into
04:18
quite a few areas to find all these different things: what an email address object looks like,
04:26
what kind of syntax is used for that,
04:28
and so on. So there's good information to
04:30
dig into.
04:34
We'll also have a look at
04:36
these other areas shortly.
04:43
So one of the characteristics of STIX is that it allows these diagrams, the relationship diagrams, to be created.
04:49
If you recall, we talked about the diamond model
04:53
in another section
04:55
and how you could trace the activity of a threat or vulnerability through its various paths on its way to either causing some kind of problem or compromising a system and so on.
05:11
And so these relationship diagrams can help
05:15
showing, okay, there's been a sighting of a CryptoLocker hash, which
05:18
may be an indicator that the CryptoLocker malware is present.
05:24
This could be obviously a lot more useful for things like WannaCry that we took a brief look at earlier.
05:31
The syntax is also very simple when compared to things like YARA rules and so on;
05:39
anyone who's done some basic scripting should be very comfortable with this kind of syntax. We simply have some labels and some information
05:47
showing a little bit of the unique serialization that was mentioned earlier
05:54
to make sure that this particular
05:56
entry is clearly unique against any other entries that are seen.
06:02
So STIX is something worth looking into,
06:05
and now that you've seen the website, you can go and have a look at the documentation to get a bit more knowledge. It could be something
06:13
very valuable to bring into your bag of tools.
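The lecture describes two things STIX gives you: a relationship graph (a sighting of a CryptoLocker hash, an indicator that "indicates" the malware) and a unique serialization of every entry so it cannot collide with anyone else's. The following is an added example, not code from the course, the instructor, or the STIX project. It assumes the STIX 2.1 JSON layout (object ids of the form `type--UUID`, `relationship` and `sighting` objects that point at other objects by id) and uses only the Python standard library rather than the `stix2` package; the SHA-256 value and object names are constructed sample data, not real indicators. It builds the CryptoLocker sighting graph from the lecture, serializes it, and then checks the two properties the lecture cares about: ids are well-formed and unique, and every reference resolves inside the bundle.

```python
"""Build and sanity-check a small STIX 2.1 bundle with the standard library only.
Added example: not the course's or the STIX project's own code. Assumes the
STIX 2.1 JSON object layout; names and the hash below are constructed samples."""
import json
import re
import uuid
from datetime import datetime, timezone

# STIX ids are "<type>--<UUID>"; uuid4 makes them globally unique without a registry.
ID_RE = re.compile(
    r"^[a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)

# Constructed placeholder, NOT a real CryptoLocker hash.
SAMPLE_SHA256 = "a" * 64


def stix_id(obj_type):
    return f"{obj_type}--{uuid.uuid4()}"


def now():
    # STIX timestamps are UTC, millisecond precision, "Z" suffix.
    return datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")


def sdo(obj_type, **props):
    """Common header every STIX object carries, plus the type-specific properties."""
    ts = now()
    obj = {"type": obj_type, "spec_version": "2.1", "id": stix_id(obj_type),
           "created": ts, "modified": ts}
    obj.update(props)
    return obj


def build_bundle(sha256):
    """The lecture's graph: indicator (file hash) --indicates--> malware, plus a sighting."""
    malware = sdo("malware", name="CryptoLocker", is_family=True,
                  malware_types=["ransomware"])
    indicator = sdo("indicator", name="CryptoLocker sample hash",
                    indicator_types=["malicious-activity"],
                    pattern=f"[file:hashes.'SHA-256' = '{sha256}']",
                    pattern_type="stix", valid_from=now())
    rel = sdo("relationship", relationship_type="indicates",
              source_ref=indicator["id"], target_ref=malware["id"])
    sighting = sdo("sighting", sighting_of_ref=indicator["id"], count=1,
                   first_seen=now(), last_seen=now())
    return {"type": "bundle", "id": stix_id("bundle"),
            "objects": [malware, indicator, rel, sighting]}


def check_bundle(bundle):
    """Return a list of problems; empty means ids are unique/well-formed and refs resolve."""
    problems = []
    ids = [o["id"] for o in bundle["objects"]]
    if len(ids) != len(set(ids)):
        problems.append("duplicate ids in bundle")
    known = set(ids)
    for o in bundle["objects"]:
        if not ID_RE.match(o["id"]) or not o["id"].startswith(o["type"] + "--"):
            problems.append(f"malformed id {o['id']}")
        for key in ("source_ref", "target_ref", "sighting_of_ref"):
            ref = o.get(key)
            if ref is not None and ref not in known:
                problems.append(f"{o['id']}.{key} -> dangling reference {ref}")
    return problems


def relationship_edges(bundle):
    """Edges of the relationship diagram as (source, relationship, target) by name."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    edges = []
    for o in bundle["objects"]:
        if o["type"] == "relationship":
            edges.append((by_id[o["source_ref"]]["name"], o["relationship_type"],
                          by_id[o["target_ref"]]["name"]))
        elif o["type"] == "sighting":
            edges.append(("sighting", "sighting-of", by_id[o["sighting_of_ref"]]["name"]))
    return edges


if __name__ == "__main__":
    bundle = build_bundle(SAMPLE_SHA256)
    print(json.dumps(bundle, indent=2))       # the machine-readable form vendors exchange
    print("problems:", check_bundle(bundle))  # expected: []
    for src, rel, dst in relationship_edges(bundle):
        print(f"{src} --{rel}--> {dst}")
```

`check_bundle` is the part worth keeping when you ingest someone else's bundle: a feed that reuses ids or ships relationships pointing at objects it never included will silently produce broken graphs in whatever tool renders them, so reject those before they reach your TIP or SIEM.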

Up Next

Advanced Cyber Threat Intelligence

The Cyber Threat Intelligence (CTI) course is taught by Cybrary SME, Dean Pompilio. It consists of 12 modules and provides a comprehensive introduction to CTI. The subject is an important one, and in addition to discussing tactics and methods, quite a bit of focus is placed on operational matters including the various CTI analyst roles.

Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor