
STIX 2.0 model and patterns
Applying API economy to cybersecurity

Facundo Maldonado (Facundo_Maldonado@mcafee.com)


Leonardo Frittelli (Leonardo_Frittelli@mcafee.com)
Abstract
Effectively exchanging and acting upon threat intelligence in a landscape as diverse and heterogeneous as cyber security has proven an elusive goal.
With the continuous evolution of both security tools and attack techniques, combined with a market where new cloud-based players surface rapidly, having a common language to both define and apply the knowledge obtained from actual attacks is key to the success of the whole industry.

In this bootcamp we will explore STIX 2.0 as an effort to provide that standard, both for modelling the data and (through a pattern consumer implementing the grammar) for applying it generically in security products. We will provide an overview of the history and genesis of this standard, its applications in the industry, and the challenges it faces.
We will also review the details of the STIX model and its implementing libraries, and focus on patterning.

Students will use real-world examples of threat intelligence reports to practice first hand both the model and the patterning API with bespoke exercises.
References:
https://oasis-open.github.io/cti-documentation/stix/intro.html
http://docs.oasis-open.org/cti/stix/v2.0/stix-v2.0-part5-stix-patterning.html
2
Flight plan

• Introduction to Cybersecurity
• First generation TI services
• Tooling and limitations
• The TI model
• Contexts of application of TI
• Several attempts to standardize: CybOX, Yara, Snort, MISP
• STIX 1.x
• STIX 2.0 (aka let’s try again) and patterning
• Practical exercises
• TAXII, STIX/TAXII preferred program

3
Bio

Facundo Maldonado
BS in Software Engineering
Software Architect for Enterprise products (MVISION EDR)
11 years @Intel/McAfee
Industry experience: eCommerce, business services, IaaS, software services.

Leonardo Frittelli
M.Eng. in Software Engineering
Software Architect for Enterprise products (MVISION EDR)
4 years @McAfee
20 years industry experience in software development (Telco, Travel, Banking, Cyber Sec)

4
Campfire rules

• Let this be the campfire section of the bootcamp.
• Please do ask any questions about the topic or cyber security in general. There are no embarrassing questions here.
• (I give no such guarantee on answers)
• Singalongs sound much nicer if we all sing.
• No marshmallows provided. Get your own from downstairs.

5
Yes, we have mentimeter too ☺

Go to www.menti.com and use code


94 92 81

6
Cybersecurity in one slide
Defense of digital resources against compromise by an unauthorized entity.

May be viewed in the context of an individual person or in relation to the security of organizations.

Can encompass the security posture (passive defense) or the use of specialized tooling/techniques to defend against compromise (active defense).

7
Parallel to a pre-digital world: Sophia’s secret diary
An almost digital resource

Defense against compromise of digital resources against an unauthorized entity
  Unauthorized entities?

May be viewed in context of an individual person or related to security of organizations.
  Individual vs group security?

Can encompass the security posture (passive defense) or the use of specialized tooling/techniques to defend against compromise (active defense)
  Passive vs active defense?

8
Compromise defined
Some examples of “compromise” include:

Data Exfiltration: Unapproved access to enterprise data.
Data Loss: Unapproved removal of enterprise data.
Infiltration: Usage of the device to access enterprise assets.
Unavailability: Impairment of the device’s ability to fulfill its approved use.
Improper use: Usage of the device to perform tasks contrary to its approved use.

9
Let’s take it to Sophia’s world…

Data Exfiltration: Unapproved access to enterprise data. (Exfiltration)
Data Loss: Unapproved removal of enterprise data. (Data loss)
Infiltration: Usage of the device to access enterprise assets. (Infiltration)
Unavailability: Impairment of the device’s ability to fulfill its approved use. (Unavailability)
Improper use: Usage of the device to perform tasks contrary to its approved use. (Improper use)

10
Protect, Detect, Correct – Adaptive Security Model

Protect - Comprehensive prevention stops the most pervasive attack vectors while also disrupting never-before-seen techniques and payloads

Detect - Advanced monitoring identifies anomalous, outlier behavior to perceive low-threshold attacks that would otherwise go unnoticed

Correct - Facilitated triage and response provides prioritization and fluid investigation

Adapt - Apply insights immediately throughout a collaborative infrastructure

What does this mean to Sophia?

11
Some basic types of attacks

Opportunistic attacks: drive-by, click-bait compromises, commonly automated. Ransomware and credit card theft are good current examples.

Targeted attacks: The actor has a specific individual or organization in mind.

Advanced Persistent Threats: Typically involve actors backed by large organizations or even Nation States.

12
Threat Intelligence
Information collected from known/previous attacks.
May refer to any material information that can assist the defense.

▪ Binary samples
▪ Description of behavior seen
▪ Analysis of potential behavior of samples
▪ Information that may help identify the actor or their intentions (language/locale, email addresses, remote server details)
▪ Claims made by the attackers or any other information about the attackers themselves, their motivations and sponsors.
▪ …

13
Uses of Threat Intelligence
• To prevent an attack: by manually or automatically adjusting the defense posture to the information received.
• To detect if an attack has happened: by performing forensic analysis of the logs and environments.
• To correct/limit the effect of an attack: by following in others’ steps to revert or limit the damage caused.

14
How is TI used in the industry?
• Producers of threat intelligence
  • Manually (researchers)
  • Automatically (sandboxing, malware/threat scanning and other related techs)
• Consumers of threat intelligence
  • IOC sweeping
  • Vulnerability scanning
  • TI assisted protection

15
Conveying Threat Intelligence

• Different entities need to be able to efficiently communicate what they have found.
• It should be possible to automate the generation, publication and consumption of information.
• It should be possible to correlate, validate and prioritize different sources.
• Competing interests: Security researchers, software providers, compromised entities, the media, attackers.
16
Some examples of discrete TI
• Malware analysis tools:
  • VirusTotal: https://www.virustotal.com/gui/file/d8af45210bf931bc5b03215ed30fb731e067e91f25eda02a404bd55169e3e3c3/detection (destover)
  • Joe Sandbox: https://www.joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html (wannacry)
• Reports by security researchers:
  • https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html
  • http://blog.morphisec.com/cve-2018-4878-an-analysis-of-the-flash-player-hack
• Vulnerability reports:
  • https://nvd.nist.gov/vuln/detail/CVE-2018-4878

17
TI Feeds
• Feeds are compilations of threat intelligence.
• Intended to represent synthesized, actionable items.
• Generally include one specific type of intelligence (e.g. URLs)
• Are produced/updated very regularly (daily)
• Are (hopefully) produced by a reputable organization
• And of course, are available to both defenders and

18
TI Feed providers
• Feeding TI is a business: http://thecyberthreat.com/cyber-threat-intelligence-feeds/
• Some companies and researchers make a living by compiling and curating threat intelligence.
• Some companies even offer threat intelligence tailored to individual customers.
• Governments back threat intelligence producing groups:
  • https://www.nationalisacs.org/
  • https://www.fsisac.com/
  • https://www.ncsc.gov.uk/section/keep-up-to-date/cisp
• There are, however, NGO and open source feeds too: https://www.misp-project.org/feeds/

19
Regulatory requirements

• Some institutions must report and share information on incidents as part of rules from regulatory authorities. Most notably Financial Services.
• https://www.fca.org.uk/about/principles-good-regulation

“We also expect you to report material breaches to us, under Principle 11 – and to share information with others, on the Cyber Information Sharing Partnership (otherwise known as the CISP platform).”
https://www.fca.org.uk/news/speeches/our-approach-cyber-security-financial-services-firms

20
TI Feed formats

• Most feeds are specific to one type of intelligence and have custom schemas
Example: http://data.phishtank.com/data/online-valid.csv
Link removed on purpose. Do not download.
Be careful if you have downloaded the feed. Values in the “URL” column are actual, current phishing sites.
The feed adds contextual information on the entries:

phish_id | url | phish_detail_url | submission_time | verified | verification_time | online | target
6112859 | <hidden> | http://www.phishtank.com/phish_detail.php?phish_id=6112859 | 2019-07-09T06:19:52+00:00 | yes | 2019-07-09T06:20:52+00:00 | yes | Other
6112854 | <hidden> | http://www.phishtank.com/phish_detail.php?phish_id=6112854 | 2019-07-09T06:15:59+00:00 | yes | 2019-07-09T06:18:54+00:00 | yes | Other
6112851 | <hidden> | http://www.phishtank.com/phish_detail.php?phish_id=6112851 | 2019-07-09T06:15:47+00:00 | yes | 2019-07-09T06:18:15+00:00 | yes | Other

One more time: these are actual and currently available phish sites. Do not download.
21
Exercise introduction
TI Feed formats

• Interpretation of the information conveyed by the feed content is not always obvious
https://www.dan.me.uk/torlist/?exit : List of TOR exit nodes.

1.161.127.207
103.208.220.122
103.208.220.226
103.234.220.195
103.234.220.197
103.236.201.110
103.236.201.88
103.28.52.93

These could be seen as compromised or not depending on the defender’s context.
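To make the point about custom schemas concrete, here is an added example (not code from the original slides) that normalizes the two feed shapes shown on these slides, a PhishTank-style CSV and a bare IP list, into one common record. The sample rows are constructed: the URLs are placeholders under the reserved example.invalid domain and the addresses come from the 198.51.100.0/24 documentation range. The `verdict` field and the `context-dependent` tag are this example's own convention, not something either feed provides; they exist so that a consumer can treat a TOR exit list differently from a verified phishing list.

```python
import csv
import io
import ipaddress
from datetime import datetime

# Constructed sample of a PhishTank-style CSV feed. The column layout follows the
# slide (phish_id, url, phish_detail_url, submission_time, verified,
# verification_time, online, target); the URL values are placeholders under the
# reserved example.invalid domain, not real phishing sites.
PHISHTANK_CSV = """phish_id,url,phish_detail_url,submission_time,verified,verification_time,online,target
6112859,http://login.example.invalid/,http://www.phishtank.com/phish_detail.php?phish_id=6112859,2019-07-09T06:19:52+00:00,yes,2019-07-09T06:20:52+00:00,yes,Other
6112854,http://secure-update.example.invalid/a,http://www.phishtank.com/phish_detail.php?phish_id=6112854,2019-07-09T06:15:59+00:00,yes,2019-07-09T06:18:54+00:00,no,Other
6112851,http://example.invalid/verify,http://www.phishtank.com/phish_detail.php?phish_id=6112851,2019-07-09T06:15:47+00:00,no,,yes,Other
"""

# Constructed sample of a bare IP list, one address per line, like the TOR exit
# node list on the slide (documentation range 198.51.100.0/24, plus one bad line).
TOR_EXIT_LIST = """198.51.100.7
198.51.100.23
not-an-ip
198.51.100.200
"""

def parse_phishtank(text):
    """Keep only verified, currently online entries; the feed's own flags decide."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["verified"] != "yes" or row["online"] != "yes":
            continue
        out.append({
            "type": "url",
            "value": row["url"],
            "source": "phishtank",
            "seen": datetime.fromisoformat(row["verification_time"]),
            "verdict": "malicious",
            "reference": row["phish_detail_url"],
        })
    return out

def parse_ip_list(text, source, verdict):
    """A flat IP list carries no context of its own: the caller supplies the verdict."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            addr = ipaddress.ip_address(line)
        except ValueError:
            continue  # skip malformed lines rather than poison the feed
        out.append({"type": "ipv4-addr" if addr.version == 4 else "ipv6-addr",
                    "value": str(addr), "source": source, "seen": None,
                    "verdict": verdict, "reference": None})
    return out

def load_feeds():
    records = parse_phishtank(PHISHTANK_CSV)
    # A TOR exit node is not compromised per se; tag it as context-dependent so a
    # consumer can decide per policy instead of blocking outright.
    records += parse_ip_list(TOR_EXIT_LIST, "tor-exit", "context-dependent")
    return records

if __name__ == "__main__":
    for rec in load_feeds():
        print(rec["source"], rec["type"], rec["value"], rec["verdict"])
```

Note that the two parsers have nothing in common beyond the output record: every new feed format needs its own reader, which is the cost a shared model such as STIX is meant to remove.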

23
Elaborate TI formats - Yara

Used to describe malware signatures

https://github.com/Yara-Rules/rules

24
Elaborate TI formats - Snort

Aimed at IPS/IDS systems
Logs/Alerts on suspicious network traffic
Format is structured text

https://www.snort.org/

25
Elaborate TI formats - Sigma

https://github.com/Neo23x0/sigma

Aimed at SIEM systems

“Sigma is for log files what Snort is for network traffic and YARA is for files.”

Format is YAML

26
Overview of MITRE ATT&CK
MITRE is a US based not-for-profit corporation generally recognized as an independent authority in the cyber security space.

The ATT&CK matrix is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.

This catalog of techniques is referred to in TI reports and feeds.

https://attack.mitre.org/

27
Overview of MITRE ATT&CK
Tactics
High level types of activities that an attack can be classified into.
Examples

ID | Name | Description
TA0001 | Initial Access | The initial access tactic represents the vectors adversaries use to gain an initial foothold within a network.
TA0002 | Execution | The execution tactic represents techniques that result in execution of adversary-controlled code on a local or remote system. This tactic is often used in conjunction with initial access as the means of executing code once access is obtained, and lateral movement to expand access to remote systems on a network.
TA0003 | Persistence | Persistence is any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or alternate backdoor for them to regain access.
TA0004 | Privilege Escalation | Privilege escalation is the result of actions that allows an adversary to obtain a higher level of permissions on a system or network.

28
Overview of MITRE ATT&CK
Techniques
Specific ways in which a tactic has been observed to be achieved.
A technique may be associated with one or more tactics.
Examples

ID | Name | Description
T1156 | .bash_profile and .bashrc | ~/.bash_profile and ~/.bashrc are executed in a user's context when a new shell opens or when a user logs in so that their environment is set correctly. ~/.bash_profile is executed for login shells and ~/.bashrc is executed for interactive non-login shells. This means that when a user logs in (via username and password) to the console (either locally or remotely via something like SSH), ~/.bash_profile is executed before the initial command prompt is returned to the user. After that, every time a new shell is opened, ~/.bashrc is executed. This allows users more fine grained control over when they want certain commands executed.
T1134 | Access Token Manipulation | Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token. For example, Microsoft promotes the use of access tokens as a security best practice. Administrators should log in as a standard user but run their tools with administrator privileges using the built-in access token manipulation command runas.
T1015 | Accessibility Features | Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.

29
Dealing with all of this - TIPs
Threat Intelligence Platforms
• Consume feeds automatically
(commercial and/or opensource)
• Allow input of TI manually or by
parsing natural language (ish)
• De-duplication, curation
• Exporting
• Nirvana: automatically integrate with
an orchestration platform

30
Elaborate TI formats - MISP

MISP format
Used by the MISP Threat Intelligence Platform
https://www.misp-project.org/

Examples:
https://www.circl.lu/doc/misp/feed-osint/

More informative, but more difficult to interpret
Created for the needs of this platform

31
STIX
An attempt to standardize the data model and format
Created and maintained by the OASIS Cyber Threat Intelligence Technical Committee

▪ STIX: Structured Threat Information Expression
  Initial version 1.0 based on XML
▪ TAXII: Trusted Automated Exchange of Intelligence Information
  Application layer transport protocol for STIX documents
  Version 1.0 was a custom protocol for client/server communication.

32
Basics of the data model

Actor
Individuals, groups, or organizations believed to be
operating with malicious intent.

Campaign
A grouping of adversarial behaviors that describes a set
of malicious activities or attacks that occur over a period
of time against a specific set of targets.

Indicator (or Indicator of Compromise – IOC)
Contains a pattern that can be used to detect suspicious or malicious cyber activity.

33
Basics of the data model

Malware
A type of TTP, also known as malicious code and malicious software,
used to compromise the confidentiality, integrity, or availability of a
victim’s data or system.

Tool
Legitimate software that can be used by
threat actors to perform attacks.

Vulnerability
A mistake in software that can be directly used by a
hacker to gain access to a system or network.

34
Basics of the data model

Identity
Individuals, organizations, or groups, as well as classes of
individuals, organizations, or groups.

Observed data
Conveys information observed on a system
or network (e.g., an IP address).

Intrusion set
A grouped set of adversarial behaviors and resources
with common properties believed to be orchestrated by a
single threat actor.

35
Relationships in the model

https://oasis-open.github.io/cti-documentation/examples/visualized-sdo-relationships
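The objects described on the previous slides only become useful once they are linked. The following added example (not code from the slides or from the OASIS project, and written without the stix2 library so it runs with the standard library alone) builds a small STIX 2.0 bundle by hand: a malware object, an indicator whose pattern detects it, a threat actor, and the `indicates` and `uses` relationships that tie them together. It then checks what a consumer would check on receipt: that each object carries the properties STIX 2.0 requires for its type and that every relationship reference resolves inside the bundle. All names are constructed and the SHA-256 value in the pattern is a placeholder.

```python
import json
import uuid
from datetime import datetime, timezone

def now():
    # STIX 2.0 timestamps are RFC 3339 in UTC; millisecond precision is enough here
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")

def sdo(obj_type, **props):
    """Build a STIX 2.0 object with the common required properties filled in."""
    ts = now()
    return {"type": obj_type, "id": f"{obj_type}--{uuid.uuid4()}",
            "created": ts, "modified": ts, **props}

def build_bundle():
    # Hypothetical report: a malware family, an indicator whose pattern detects it,
    # and the actor believed to be behind it. Names are constructed for this example.
    malware = sdo("malware", name="ExampleDropper", labels=["dropper"])
    indicator = sdo("indicator",
                    name="ExampleDropper file hash",
                    labels=["malicious-activity"],
                    # placeholder hash, not a real sample
                    pattern="[file:hashes.'SHA-256' = '" + "aa" * 32 + "']",
                    valid_from=now())
    actor = sdo("threat-actor", name="Example Actor", labels=["crime-syndicate"])
    rels = [
        sdo("relationship", relationship_type="indicates",
            source_ref=indicator["id"], target_ref=malware["id"]),
        sdo("relationship", relationship_type="uses",
            source_ref=actor["id"], target_ref=malware["id"]),
    ]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "spec_version": "2.0", "objects": [malware, indicator, actor, *rels]}

# Type-specific required properties per STIX 2.0 (common ones are checked separately)
REQUIRED = {
    "indicator": {"labels", "pattern", "valid_from"},
    "malware": {"name", "labels"},
    "threat-actor": {"name", "labels"},
    "relationship": {"relationship_type", "source_ref", "target_ref"},
}

def validate_bundle(bundle):
    """Return a list of problems: missing required properties or dangling refs."""
    problems = []
    ids = {o["id"] for o in bundle["objects"]}
    for o in bundle["objects"]:
        for key in ("type", "id", "created", "modified"):
            if key not in o:
                problems.append(f"{o.get('id', '?')}: missing {key}")
        for key in REQUIRED.get(o["type"], set()):
            if key not in o:
                problems.append(f"{o['id']}: missing {key}")
        for key in ("source_ref", "target_ref"):
            if key in o and o[key] not in ids:
                problems.append(f"{o['id']}: {key} {o[key]} not in bundle")
    return problems

if __name__ == "__main__":
    b = build_bundle()
    print(json.dumps(b, indent=2))
    print("problems:", validate_bundle(b))
```

The referential check matters in practice: a relationship whose target is missing from the bundle is exactly the kind of ambiguity that made STIX 1.x consumers disagree, and a 2.0 consumer should reject or quarantine such input rather than guess.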

36
TI report example using the model

37
STIX 1.x or how good intentions can go very wrong
• V1.x was never truly adopted by the market
• Complexity in the format made implementations too expensive
• Ambiguity caused different tools to not understand each other even though both ends supported STIX.
• Lacked temporal matching (first X then Y)
• TAXII required a dedicated platform that was not appealing to ramp up on.

38
STIX 1.x or how good intentions can go very wrong

https://www.first.org/resources/papers/conf2018/Thomson-Allan_FIRST_20180602.pdf

39
STIX/TAXII 2

▪ Base document format changed from XML to JSON
▪ TAXII added support for standard REST
▪ Only one way to define indicators
▪ IOC matching expressed using a “patterning” language with a grammar, instead of being spread across the document format.
▪ Added support for temporal relationships

40
STIX patterning language

http://docs.oasis-open.org/cti/stix/v2.0/stix-v2.0-part5-stix-patterning.html

41
STIX patterning language - qualifiers

Qualifier | Description
a REPEATS x TIMES | a MUST be an Observation Expression or a preceding Qualifier. a MUST match exactly x times, where each match is a different Observation. x MUST be a positive integer.
a WITHIN x SECONDS | a MUST be an Observation Expression or a preceding Qualifier. All Observations matched by a MUST occur, or have been observed, within the specified time window. x MUST be a positive floating point value.
a START x STOP y | a MUST be an Observation Expression or a preceding Qualifier. All Observations that match a MUST have an observation time >= x and < y.

42
STIX patterning language – observation operators

Observation Operator | Description | Associativity
[ a ] AND [ b ] | a and b MUST both be Observation Expressions and MUST both evaluate to true on different Observations. | Left to right
[ a ] OR [ b ] | a and b MUST both be Observation Expressions and one of a or b MUST evaluate to true on different Observations. | Left to right
[ a ] FOLLOWEDBY [ b ] | a and b MUST both be Observation Expressions. Both a and b MUST evaluate to true, where the observation timestamp associated with b is greater than or equal to the observation timestamp associated with a, and MUST evaluate to true on different Observations. | Left to right

43
STIX patterning language – comparison operators

Comparison Operator | Description | Example
a = b | a and b MUST be equal (transitive), where a MUST be an Object Path and b MUST be a constant of the same data type as the Object property specified by a. | file:name = 'foo.dll'
a != b | a and b MUST NOT be equal (transitive), where a MUST be an Object Path and b MUST be a constant of the same data type as the Object property specified by a. | file:size != 4112
a > b | a is numerically or lexically greater than b, where a MUST be an Object Path and b MUST be a constant of the same data type as the Object property specified by a. | file:size > 256
a < b | a is numerically or lexically less than b, where a MUST be an Object Path and b MUST be a constant of the same data type as the Object property specified by a. | file:size < 1024
a <= b | a is numerically or lexically less than or equal to b, where a MUST be an Object Path and b MUST be a constant of the same data type as the Object property specified by a. | file:size <= 25145
a >= b | a is numerically or lexically greater than or equal to b, where a MUST be an Object Path and b MUST be a constant of the same data type as the Object property specified by a. | file:size >= 33312
a IN (x,y,...) | a MUST be an Object Path and MUST evaluate to one of the values enumerated in the set of x,y,... (transitive). The set values in b MUST be constants of homogenous data type and MUST be valid data types for the Object Property specified by a. The return value is true if a is equal to one of the values in the list. If a is not equal to any of the items in the list, then the Comparison Expression evaluates to false. | process:name IN ('proccy', 'proximus', 'badproc')
a LIKE b | a MUST be an Object Path and MUST match the pattern specified in b where any '%' is 0 or more characters and '_' is any one character. | directory:path LIKE 'C:\\Windows\\%\\foo'
a MATCHES b | a MUST be an Object Path and MUST be matched by the pattern specified in b, where b is a string constant containing a PCRE compliant regular expression. a MUST be NFC normalized before comparison if the property is of string type. | directory:path MATCHES '^C:\\Windows\\w+$'

44
STIX patterning language – set operators

Set Operator | Description | Example
a ISSUBSET b | When a is a set that is wholly contained by the set b, the Comparison Expression evaluates to true. a MUST be an Object Path referring to the value property of an Object of type ipv4-addr or ipv6-addr. b MUST be a valid string representation of the corresponding Object type. In the case that both a and b evaluate to an identical single IP address or an identical IP subnet, the Comparison Expression evaluates to true. | ipv4-addr:value ISSUBSET '198.51.100.0/24'
a ISSUPERSET b | When a is a set that wholly contains the set specified by b, the Comparison Expression evaluates to true. a MUST be an Object Path referring to either an ipv4-addr or ipv6-addr. In the case that both a and b evaluate to an identical single IP address or an identical IP subnet, the Comparison Expression evaluates to true. | ipv4-addr:value ISSUPERSET '198.51.100.0/24'
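The four tables above define the semantics a pattern consumer has to implement. The added example below (not code from the slides, nor the OASIS cti-pattern-matcher) is a minimal evaluator for those semantics, and doubles as the kind of IOC sweep the exercise later on asks for: it applies a feed of patterns to a list of observations. To stay short it assumes the patterns have already been parsed into nested tuples (`("obs", [comparisons])`, `("and"|"or"|"followedby", a, b)`, `("within", a, seconds)`, `("repeats", a, n)`, `("startstop", a, start, stop)`) rather than parsing the text grammar, and string constants hold their unescaped value. Observations, property names and pattern names are constructed; the IP address comes from the 198.51.100.0/24 documentation range.

```python
import re
import ipaddress
from datetime import datetime, timedelta, timezone
from itertools import combinations, product

def ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed observations: a timestamp plus the observed objects, keyed the way
# STIX observed-data "objects" are, using STIX cyber observable property names.
OBSERVATIONS = [
    {"t": ts("2019-07-09T06:00:00"), "objects": {"0": {"type": "file", "name": "foo.dll", "size": 300}}},
    {"t": ts("2019-07-09T06:00:20"), "objects": {"0": {"type": "process", "name": "proccy"}}},
    {"t": ts("2019-07-09T06:05:00"), "objects": {"0": {"type": "ipv4-addr", "value": "198.51.100.9"}}},
    {"t": ts("2019-07-09T06:10:00"), "objects": {"0": {"type": "file", "name": "bar.dll", "size": 100}}},
    {"t": ts("2019-07-09T07:00:00"), "objects": {"0": {"type": "directory", "path": "C:\\Windows\\temp\\foo"}}},
]

def like_to_regex(pat):
    # STIX LIKE: '%' is zero or more characters, '_' is exactly one character
    return "^" + "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pat) + "$"

def net(v):
    # a single address becomes a /32 (or /128) network so set operators work uniformly
    return ipaddress.ip_network(v, strict=False)

def compare(op, a, b):
    """Comparison and set operators from the tables; b is an already-parsed constant."""
    if op == "=": return a == b
    if op == "!=": return a != b
    if op == ">": return a > b
    if op == "<": return a < b
    if op == ">=": return a >= b
    if op == "<=": return a <= b
    if op == "IN": return a in b
    if op == "LIKE": return re.match(like_to_regex(b), a) is not None
    if op == "MATCHES": return re.search(b, a) is not None
    if op == "ISSUBSET": return net(a).subnet_of(net(b))
    if op == "ISSUPERSET": return net(a).supernet_of(net(b))
    raise ValueError(f"unknown operator {op}")

def lookup(obj, path):
    """Resolve an Object Path such as file:name against one observed object."""
    otype, prop = path.split(":", 1)
    return obj.get(prop) if obj.get("type") == otype else None

def obs_matches(comparisons, obs):
    """An Observation Expression holds when one object satisfies every comparison."""
    return any(all(lookup(obj, path) is not None and compare(op, lookup(obj, path), const)
                   for _, path, op, const in comparisons)
               for obj in obs["objects"].values())

def evaluate(expr, observations=OBSERVATIONS):
    """Return every match of expr as a frozenset of observation indices."""
    kind = expr[0]
    times = lambda m: [observations[i]["t"] for i in m]
    if kind == "obs":
        return [frozenset([i]) for i, o in enumerate(observations) if obs_matches(expr[1], o)]
    if kind == "or":  # either side matching is enough
        return evaluate(expr[1], observations) + evaluate(expr[2], observations)
    if kind in ("and", "followedby"):
        out = []
        for l, r in product(evaluate(expr[1], observations), evaluate(expr[2], observations)):
            if l & r:
                continue  # both sides must hold on different observations
            if kind == "followedby" and max(times(l)) > min(times(r)):
                continue  # b's timestamp must be >= a's
            out.append(l | r)
        return out
    inner = evaluate(expr[1], observations)
    if kind == "within":
        return [m for m in inner if max(times(m)) - min(times(m)) <= timedelta(seconds=expr[2])]
    if kind == "startstop":  # observation time >= start and < stop
        return [m for m in inner if all(expr[2] <= t < expr[3] for t in times(m))]
    if kind == "repeats":  # x matches on pairwise different observations
        return [frozenset().union(*c) for c in combinations(inner, expr[2])
                if all(a.isdisjoint(b) for a, b in combinations(c, 2))]
    raise ValueError(f"unknown expression {kind}")

def matches(expr, observations=OBSERVATIONS):
    return bool(evaluate(expr, observations))

def sweep(feed, observations=OBSERVATIONS):
    """Sweep a feed of (indicator name, pattern) pairs; return the names that hit."""
    return [name for name, pattern in feed if matches(pattern, observations)]

# Constructed feed of pre-parsed patterns, mirroring the examples in the tables
FILE_DROP = ("obs", [("cmp", "file:name", "=", "foo.dll"), ("cmp", "file:size", ">", 256)])
SUSPICIOUS_PROC = ("obs", [("cmp", "process:name", "IN", ("proccy", "proximus", "badproc"))])
FEED = [
    ("drop then exec within 30s", ("within", ("followedby", FILE_DROP, SUSPICIOUS_PROC), 30)),
    ("two small files", ("repeats", ("obs", [("cmp", "file:size", "<", 1024)]), 2)),
    ("contact documentation net", ("obs", [("cmp", "ipv4-addr:value", "ISSUBSET", "198.51.100.0/24")])),
    ("foo under windows", ("obs", [("cmp", "directory:path", "LIKE", "C:\\Windows\\%\\foo")])),
    ("early only", ("startstop", FILE_DROP, ts("2019-07-09T05:00:00"), ts("2019-07-09T06:00:00"))),
]

if __name__ == "__main__":
    print(sweep(FEED))
```

Two details are easy to get wrong in a real consumer and are visible here: `AND` and `FOLLOWEDBY` require the two sides to match on different observations (hence the disjointness check), and `START x STOP y` is half-open, so an observation exactly at the stop time does not match, which is why the last pattern in the feed does not fire.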

45
STIX observable types

http://docs.oasis-open.org/cti/stix/v2.0/stix-v2.0-part4-cyber-observable-objects.html
46
(Very brief) TAXII overview

47
TAXII example server
• https://test.freetaxii.com:8000/taxii/

48
MITRE ATT&CK in STIX/TAXII format
• Data in the MITRE ATT&CK matrix is available in a TAXII server and STIX format

• https://github.com/mitre/cti/tree/master/enterprise-attack (STIX)
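As an added example (not MITRE's or the slides' code), the block below walks a constructed bundle laid out the way the mitre/cti repository publishes ATT&CK: `attack-pattern` objects carry the technique ID in `external_references` and their tactics in `kill_chain_phases`, and `x-mitre-tactic` objects carry the tactic ID and the short name those phases refer to. The technique and tactic IDs and names are the ones from the tables earlier in the deck; the tactic assignments for T1134 and all object IDs are assumptions made for the example.

```python
from collections import defaultdict

# Constructed bundle in the shape MITRE publishes ATT&CK in (github.com/mitre/cti).
# Object IDs are placeholders; the kill-chain phases are assumed for the example.
ATTACK_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "spec_version": "2.0",
    "objects": [
        {"type": "attack-pattern",
         "id": "attack-pattern--00000000-0000-4000-8000-000000000002",
         "name": ".bash_profile and .bashrc",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1156"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "persistence"}]},
        {"type": "attack-pattern",
         "id": "attack-pattern--00000000-0000-4000-8000-000000000003",
         "name": "Access Token Manipulation",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1134"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"},
                               {"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"}]},
        {"type": "x-mitre-tactic",
         "id": "x-mitre-tactic--00000000-0000-4000-8000-000000000004",
         "name": "Persistence",
         "x_mitre_shortname": "persistence",
         "external_references": [{"source_name": "mitre-attack", "external_id": "TA0003"}]},
    ],
}

def attack_id(obj):
    """The ATT&CK ID (T1156, TA0003, ...) lives in the mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None

def techniques_by_tactic(bundle):
    """Map tactic shortname -> technique IDs; a technique may appear under several tactics."""
    index = defaultdict(list)
    for obj in bundle["objects"]:
        if obj["type"] != "attack-pattern":
            continue
        for phase in obj.get("kill_chain_phases", []):
            if phase.get("kill_chain_name") == "mitre-attack":
                index[phase["phase_name"]].append(attack_id(obj))
    return dict(index)

def tactics_of(bundle, technique_id):
    """Sorted tactic shortnames a given technique is associated with."""
    return sorted(t for t, ids in techniques_by_tactic(bundle).items() if technique_id in ids)

def tactic_names(bundle):
    """Map tactic ID (TA00xx) -> the shortname used in kill_chain_phases."""
    return {attack_id(o): o["x_mitre_shortname"]
            for o in bundle["objects"] if o["type"] == "x-mitre-tactic"}

if __name__ == "__main__":
    print(techniques_by_tactic(ATTACK_BUNDLE))
    print(tactic_names(ATTACK_BUNDLE))
```

Because the technique ID is only an external reference, a consumer that joins ATT&CK data with TI reports should key on that ID rather than on the STIX object `id`, which is specific to the bundle it was published in.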

49
Exercise
Exercise parameters
Given
- Observations (converted to STIX)
- STIX TI feed with IOCs (Patterns)
Achieve
- Basic:
- Consume the feed
- Sweep the IOCs against the observations
- Consume the feed from TAXII
- Advanced:
- Create elaborate patterns
- Publish findings over DXL (leveraging the prior bootcamp)

51
STIX tools
▪ Format converters
▪ https://github.com/m0jtaba/sigma-to-stix
▪ https://github.com/MISP/MISP-STIX-Converter
▪ https://github.com/oasis-open/cti-stix-elevator (1.x to 2.0)
▪ Pattern/syntax validation
▪ https://github.com/oasis-open/cti-pattern-validator
▪ Graphical visualization
▪ https://oasis-open.github.io/cti-stix-visualization/
▪ Pattern matching against observed data
▪ https://github.com/oasis-open/cti-pattern-matcher

52
STIX/TAXII preferred program

https://oasis-stixpreferred.org/

An effort to provide assurance on effective integration across products.

Allows self certification of STIX (Part 1) and TAXII (Part 2)

Includes a set of defined test cases for mandatory supported elements of the standards.

53
But wait. There are more “standard” formats!

http://www.threat-intelligence.eu/standards/

54
STIX/TAXII preferred program

Interactions are classified in Personas

55
STIX/TAXII preferred program

Essential test case

http://docs.oasis-open.org/cti/stix-taxii-2-interop-p1/v1.1/stix-taxii-2-interop-p1-v1.1.html
56
STIX and behAPI

▪ STIX is a common language, rather than an API.
▪ STIX attempts to express what was or should be seen, rather than how the information should be used.
▪ Each cybersecurity tool can produce or leverage TI as they best see fit and this is how heterogeneity is addressed.

57
STIX and behAPI

▪ STIX shares challenges similar to many behavioral APIs:
  ▪ Adoption difficulties
  ▪ Poor specification/documentation
  ▪ Ambiguity
  ▪ Political motivations

58
Further reading
https://github.com/deralexxx/security-apis
https://github.com/hslatman/awesome-threat-intelligence

https://attack.mitre.org/
https://www.first.org/

Threat intelligence on APTs:
https://www.fireeye.com/current-threats/apt-groups.html
https://operationblockbuster.com/

CERT orgs:
http://www.ukcert.org.uk/
https://cert.europa.eu/
https://www.us-cert.gov/
59
McAfee, the McAfee logo and [insert <other relevant McAfee Names>] are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the U.S. and/or other countries.
Other names and brands may be claimed as the property of others.
Copyright © 2017 McAfee, LLC.
