CybOX v0.6.2 – Cyber Observable eXpression (MITRE)

International in scope and free for public use, the Cyber Observable eXpression (CybOX) is a standardized schema for the specification, capture, characterization and communication of events or stateful properties that are observable in the operational domain.

A wide variety of high-level cyber security use cases rely on such information including: event management/logging, malware characterization, intrusion detection, incident response/management, attack pattern characterization, etc. CybOX provides a common mechanism (structure and content) for addressing cyber observables across and among this full range of use cases improving consistency, efficiency, interoperability and overall situational awareness.

Cyber Observables Overview

  • The Cyber Observable eXpression (CybOX) is a standardized language for encoding and communicating high-fidelity information about cyber observables, whether dynamic events or stateful measures that are observable in the operational cyber domain.
  • CybOX is not targeted at a single cyber security use case but rather is intended to be flexible enough to offer a common solution for all cyber security use cases requiring the ability to deal with cyber observables.
  • It is also intended to be flexible enough to allow both the high-fidelity description of instances of cyber observables that have been measured in an operational context as well as more abstract patterns for potential observables that may be targets for observation and analysis apriori.
  • By specifying a common structured schematic mechanism for these cyber observables, the intent is to enable the potential for detailed automatable sharing, mapping, detection and analysis heuristics.

Cyber Observables Apply to Numerous Domains

  • Threat assessment & characterization (detailed attack patterns)
  • Malware characterization
  • Operational event management
  • Logging
  • Cyber situational awareness
  • Incident response
  • Forensics

Recommended Documentation

  • Cyber Observable eXpression (CybOX) Use Cases (ITSAC) (Oct 2011) (Sean Barnum & Richard Struse) (PPTX) (915 KB)

MaxiSoler @maxisoler