[cti-users] A request for assistance from the OASIS STIX/CybOX SC co-chairs

Trey Darley-3
Hi, everybody -

As I'm sure you're aware, the OASIS STIX and CybOX TCs are hard at
work on major revisions of these standards. We'd like to make
evidence-based refactoring decisions. Towards that end, we're reaching
out to the ISACs, ISAOs, and other miscellaneous information-sharing
communities with a request for help.

We're also reaching out to *you*, hence this mail.

We've created a utility [0] which can be run against a threat-intel
repository to output anonymized statistics about STIX/CybOX object
usage. This output will be extremely helpful in informing our
decision-making as we progress towards CybOX 3.0 and STIX 2.0.

Please, if you belong to (or know of) an information-sharing community
using STIX/CybOX, forward this request for assistance to them. Or if
you administer such an organization yourself, please consider running
the tool against your repository and sharing the results back with us.

In any case, reporting output should be emailed to me or my CybOX SC
co-chair Ivan Kirillov (in carbon-copy).

Thanks a million, y'all!

[0]: https://github.com/soltra/cti-stats/

--
Cheers,
Trey
--
Trey Darley
Senior Security Engineer
4DAA 0A88 34BC 27C9 FD2B  A97E D3C6 5C74 0FB7 E430
Soltra | An FS-ISAC & DTCC Company
www.soltra.com
--
"Every networking problem always takes longer to solve than it seems
like it should." --RFC 1925

Re: [cti-users] A request for assistance from the OASIS STIX/CybOX SC co-chairs

Trey Darley-3
Hi, everybody -

Just a reminder, please help us out by running the cti-stats utility
against your CTI repository and submitting the statistics back to Ivan
Kirillov (in cc) or me.

Ivan and I plan to share these anonymized statistics with the
STIX/CybOX standards committees but we will use an anonymous
identifier for the information source.

Here's what cti-stats output looks like run against HailATAXII:

<snip>
+-------STIX stats------------------------------------------------------+
+-------STIX percentages------------------------------------------------+
ttps: 0.91%
indicators: 99.09%
+-------STIX counts-----------------------------------------------------+
ttps: 3442
indicators: 374645
Total STIX objects: 378087

+-------CybOX stats-----------------------------------------------------+
+-------CybOX percentages-----------------------------------------------+
URI: 38.81%
Address: 28.85%
Port: 0.62%
File: 0.30%
DomainName: 31.41%
+-------CybOX counts----------------------------------------------------+
URI: 192292
Address: 142963
Port: 3089
File: 1488
DomainName: 155623
Total CybOX objects: 495455
</snip>

If you don't feel comfortable sharing the object counts, you can just
send us the percentages. Even that we can use.

Thanks in advance!

--
Cheers,
Trey
--
Trey Darley
Senior Security Engineer
4DAA 0A88 34BC 27C9 FD2B  A97E D3C6 5C74 0FB7 E430
Soltra | An FS-ISAC & DTCC Company
www.soltra.com
--
"There are only two hard things in Computer Science: cache
invalidation and naming things." --Phil Karlton
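
Added example, not part of the original message and not code from cti-stats: one way to prepare the percentages-only submission mentioned above, and to check that the stated percentages agree with the counts before the counts are dropped. The section layout is assumed from the sample output quoted in the message; the function names are hypothetical.

```python
import re

# Constructed sample: the STIX half of the output quoted in the message above.
SAMPLE = """\
+-------STIX stats------------------------------------------------------+
+-------STIX percentages------------------------------------------------+
ttps: 0.91%
indicators: 99.09%
+-------STIX counts-----------------------------------------------------+
ttps: 3442
indicators: 374645
Total STIX objects: 378087
"""

# Layout assumed from that sample only, not from the cti-stats source.
HEADER = re.compile(r"^\+-+(STIX|CybOX) (stats|percentages|counts)-+\+$")
ENTRY = re.compile(r"^([^:]+):\s*(\d+(?:\.\d+)?)%?$")

def parse(text):
    """Return {(family, section): {name: number}} for each section seen."""
    report, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if (h := HEADER.match(line)):
            current = h.groups()
        elif current and (e := ENTRY.match(line)):
            report.setdefault(current, {})[e.group(1)] = float(e.group(2))
    return report

def percentages_only(text):
    """Re-emit the report with every count and total left out."""
    out = []
    for (family, section), rows in parse(text).items():
        if section == "percentages":
            out.append(f"{family} percentages")
            out += [f"{name}: {value:.2f}%" for name, value in rows.items()]
    return "\n".join(out)

def mismatches(text, tolerance=0.01):
    """Names whose stated percentage disagrees with the share its count implies."""
    report, bad = parse(text), []
    for (family, section), counts in report.items():
        if section != "counts":
            continue
        rows = {n: c for n, c in counts.items() if not n.startswith("Total ")}
        total = sum(rows.values()) or 1  # avoid dividing by zero on an empty repository
        stated = report.get((family, "percentages"), {})
        bad += [n for n, c in rows.items()
                if abs(stated.get(n, -1) - 100 * c / total) > tolerance]
    return bad
```

Run `mismatches()` on the full output first, then send only what `percentages_only()` returns; the result reveals the object mix but not the size of the repository.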

Re: [cti-users] A request for assistance from the OASIS STIX/CybOX SC co-chairs

JA
Would be interesting if we get similar results to that: http://www.net-security.org/secworld.php?id=19068

On Tuesday, 27 October 2015, Trey Darley <[hidden email]> wrote:
Hi, everybody -

Just a reminder, please help us out by running the cti-stats utility
against your CTI repository and submitting the statistics back to Ivan
Kirillov (in cc) or me.

Ivan and I plan to share these anonymized statistics with the
STIX/CybOX standards committees but we will use an anonymous
identifier for the information source.

Here's what cti-stats output looks like run against HailATAXII:

<snip>
+-------STIX stats------------------------------------------------------+
+-------STIX percentages------------------------------------------------+
ttps: 0.91%
indicators: 99.09%
+-------STIX counts-----------------------------------------------------+
ttps: 3442
indicators: 374645
Total STIX objects: 378087

+-------CybOX stats-----------------------------------------------------+
+-------CybOX percentages-----------------------------------------------+
URI: 38.81%
Address: 28.85%
Port: 0.62%
File: 0.30%
DomainName: 31.41%
+-------CybOX counts----------------------------------------------------+
URI: 192292
Address: 142963
Port: 3089
File: 1488
DomainName: 155623
Total CybOX objects: 495455
</snip>

If you don't feel comfortable sharing the object counts, you can just
send us the percentages. Even that we can use.

Thanks in advance!

--
Cheers,
Trey
--
Trey Darley
Senior Security Engineer
4DAA 0A88 34BC 27C9 FD2B  A97E D3C6 5C74 0FB7 E430
Soltra | An FS-ISAC & DTCC Company
www.soltra.com
--
"There are only two hard things in Computer Science: cache
invalidation and naming things." --Phil Karlton