Observed Data THE SAGA CONTINUES…
Overview

Observed Data was initially designed to hold cyber observables, either as a stand-alone object or as referenced by a Sighting. The Observed Data object holds a list of cyber observables that can locally reference each other and must form one local graph.

As Malware, Infrastructure and other objects are created, we are looking at how Observed Data can be updated to support these objects as well. Some properties within Observed Data cease to be meaningful in the new contexts, and new use cases may require adding properties to Observed Data.
The Observed Data Object

type (required), string: The value of this property MUST be observed-data.

first_seen (optional), timestamp: The beginning of the time window during which the data was seen.

last_seen (optional), timestamp: The end of the time window during which the data was seen. This MUST be greater than or equal to the timestamp in the first_seen property.

number_observed (required), integer: The number of times the data represented in the objects property was seen. This MUST be an integer between 1 and 999,999 inclusive. If the number_observed property is greater than 1, the data contained in the objects property was seen multiple times. In these cases, object creators MAY omit properties of the Cyber Observable object (such as timestamps) that are specific to a single instance of that observed data.

objects (required), observable-objects: A dictionary of Cyber Observable Objects representing the observation. The dictionary MUST contain at least one object. The observable-objects type is defined in STIX™ Version 2.1, Part 3: Cyber Observable Core Concepts. The Cyber Observable content MAY include multiple objects if those objects are related as part of a single observation. Multiple objects not related to each other via Cyber Observable Relationships MUST NOT be contained within the same Observed Data instance.
Questions with Observed Data

When a STIX object has a relationship to an Observed Data object, what is the relationship from that STIX object to all the cyber observables within the Observed Data object?

Diagram: Intrusion Set "Krypto-Katz" --owns--> Observed Data (Infrastructure) --contains--> IP Address 1.1 --contains--> Apache web server version 1.2.3.4

What does this mean?

A. The cyber observables within Observed Data are all equally connected to the STIX object, i.e. IPv4 address 1.1 is owned by Krypto-Katz AND all Apache web servers of version 1.2.3.4 are owned by Krypto-Katz.
(Diagram: Krypto-Katz --owns--> 1.1; Krypto-Katz --owns--> Apache v1.2.3.4; 1.1 --contains--> Apache v1.2.3.4)

B. Only one cyber observable within Observed Data is connected to the STIX object, i.e. IPv4 address 1.1 is owned by Krypto-Katz, and 1.1 contains an Apache web server v1.2.3.4.
(Diagram: Krypto-Katz --owns--> 1.1 --contains--> Apache v1.2.3.4)
This gets more complicated

Currently, each Observed Data MUST contain only one graph.

Diagram: Sighting (of Intrusion Set "Krypto-Katz") --sighting of--> Observed Data [Email --contains--> File]

If Observed Data is adopted for Malware and Infrastructure, the one-graph constraint needs to be relaxed.

Note: Separating each IP address into its own Observed Data would make the data very bloated to send.

Diagram: Intrusion Set "Krypto-Katz" --owns--> Observed Data (Infrastructure) --contains--> IP Address, IP Address, IP Address, IP Address (four IP addresses with no relationship between them, i.e. four separate graphs)
A Potential Solution

The Observed Data parent_nodes property would identify the ids of the locally defined cyber observables that are parents, and therefore the nodes that are connected to the related STIX object.

Rules:
1. If parent_nodes is included in an Observed Data, the selected nodes in the graph, listed by id, are the parents. There can be no orphan nodes in the cyber observables list, i.e. every node must be connected to a parent.
2. If no parent_nodes are defined, every node in the graph is a parent.
Example 1: Intrusion Set "Krypto-Katz" --owns--> Observed Data (Infrastructure) --contains--> IP Address 1.1.1.2; IP Address 1.1.1.2 --contains--> Apache web server version 1.2.3.4; IP Address 1.1.1.2 --contains--> Apache web server version 1.2.2.1
Example 2: Intrusion Set "Krypto-Katz" --owns--> Observed Data (Infrastructure) --contains--> IP Address 1.1.1.3, IP Address 1.1.1.2, IP Address 1.1.1.4 (three IP addresses with no relationship between them)
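The two rules and the two examples, worked as an added example (this is not code from the slides or from the STIX specification). It assumes the STIX 2.1 Observed Data objects dictionary from the table above and the STIX 2.1 convention that properties ending in _ref or _refs link one cyber observable to another. parent_nodes is the property proposed in this deck, not a STIX 2.1 property, and x_hosts_refs is an assumed custom property standing in for the diagrams' "contains" edge; the sample objects are constructed here after the diagrams.

```python
# Added example, not from the slides or the STIX spec: check the "one graph"
# rule and the proposed parent_nodes rules over an Observed Data `objects` dict.
# Links follow the STIX 2.1 `_ref`/`_refs` convention. `parent_nodes` is the
# proposal from this deck and `x_hosts_refs` an assumed custom property that
# stands in for the diagrams' "contains" edge; neither exists in STIX 2.1.

def _collect_refs(value, out):
    """Recursively gather every *_ref / *_refs target inside a nested object."""
    if isinstance(value, dict):
        for key, sub in value.items():
            if key.endswith("_ref") and isinstance(sub, str):
                out.append(sub)
            elif key.endswith("_refs") and isinstance(sub, list):
                out.extend(s for s in sub if isinstance(s, str))
            else:
                _collect_refs(sub, out)
    elif isinstance(value, list):
        for item in value:
            _collect_refs(item, out)

def build_graph(observed_data):
    """Undirected adjacency map over the local keys of `objects`."""
    objects = observed_data["objects"]
    adj = {key: set() for key in objects}
    for key, obj in objects.items():
        refs = []
        _collect_refs(obj, refs)
        for target in refs:
            if target not in objects:  # references must resolve locally
                raise ValueError(f"{key} references unknown local object {target}")
            adj[key].add(target)
            adj[target].add(key)
    return adj

def connected_components(adj):
    """Split the objects into connected components; each is one local graph."""
    seen, components = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        stack, component = [start], set()
        while stack:
            node = stack.pop()
            if node not in component:
                component.add(node)
                stack.extend(adj[node] - component)
        seen |= component
        components.append(sorted(component))
    return components

def parents(observed_data):
    """Rule 1: the listed ids are the parents. Rule 2: no list, every node is."""
    objects = observed_data["objects"]
    listed = observed_data.get("parent_nodes")
    if listed is None:
        return sorted(objects)
    unknown = set(listed) - set(objects)
    if unknown:
        raise ValueError(f"parent_nodes names unknown objects: {sorted(unknown)}")
    return sorted(listed)

def orphans(observed_data):
    """Nodes connected to no parent, which rule 1 forbids."""
    adj = build_graph(observed_data)
    parent_set, reachable = set(parents(observed_data)), set()
    for component in connected_components(adj):
        if parent_set & set(component):
            reachable |= set(component)
    return sorted(set(adj) - reachable)

def check(observed_data):
    """What the current one-graph rule and the proposal each say about the object."""
    graphs = len(connected_components(build_graph(observed_data)))
    return {"graphs": graphs, "one_graph_ok": graphs == 1,
            "parents": parents(observed_data), "orphans": orphans(observed_data)}

# Constructed after Example 1: IP 1.1.1.2 hosts two Apache versions and is the
# only node the intrusion set "owns", so it is the sole parent.
EXAMPLE_1 = {"type": "observed-data", "number_observed": 1, "parent_nodes": ["0"],
             "objects": {
                 "0": {"type": "ipv4-addr", "value": "1.1.1.2", "x_hosts_refs": ["1", "2"]},
                 "1": {"type": "software", "name": "Apache", "version": "1.2.3.4"},
                 "2": {"type": "software", "name": "Apache", "version": "1.2.2.1"}}}
# Constructed after Example 2: three unrelated IPs and no parent_nodes (rule 2).
EXAMPLE_2 = {"type": "observed-data", "number_observed": 1,
             "objects": {str(i): {"type": "ipv4-addr", "value": f"1.1.1.{i}"}
                         for i in (2, 3, 4)}}
# Constructed after the Sighting slide: an email whose MIME part carries a file
# (body_raw_ref is a real STIX 2.1 property, nested one level down).
SIGHTING_CASE = {"type": "observed-data", "number_observed": 1,
                 "objects": {
                     "0": {"type": "email-message", "is_multipart": True,
                           "body_multipart": [{"body_raw_ref": "1"}]},
                     "1": {"type": "file", "name": "invoice.exe"}}}
# Constructed violation of rule 1: an unreferenced MAC address while parent_nodes
# names only the IP leaves object "3" orphaned.
ORPHAN_CASE = {"type": "observed-data", "number_observed": 1, "parent_nodes": ["0"],
               "objects": {**EXAMPLE_1["objects"],
                           "3": {"type": "mac-addr", "value": "d2:fb:49:24:37:18"}}}
```

check(EXAMPLE_2) reports three graphs, so the object is invalid under the current one-graph rule, while under the proposal it is accepted with all three IP addresses as parents. ORPHAN_CASE fails rule 1 because object "3" is connected to no parent, and a reference to a key that is not in the objects dictionary raises rather than being silently dropped.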