Thursday, April 13, 2017, 1:45pm

Patterning in STIX 2.0
John-Mark Gurney, Principal Security Architect for New Context will be speaking at Industrial Control Systems Joint Working Group (ICSJWG) Spring Meeting

Cyber Threat Intelligence (CTI) is only useful if it provides actionable intelligence which improves an organization’s security. Structured Threat Information Expression (STIX) Patterning provides one part of that actionable intelligence. Patterning enables interchange between both organizations and vendor products to automate detection of threats, malware, and vulnerabilities, among other things. The patterning languages goes far beyond simple IP/URL blacklists, and allows correlation between different data sources such as host based agents and firewalls/IPS/IDS.

Indicator patterning existed in STIX 1, but it was difficult to create and use indicators. The STIX Patterning language in STIX 2 is a significant improvement. It includes the ability to specify temporal restrictions, such as ordering, a happens before b, and limits, a and b happens within 60 seconds of each other. Overall, it is significantly easier to create and deploy than the previous STIX standard.

As part of the California Energy Systems for the 21st Century (CES-21) project, a more expressive indicator language was desired to allow for the description of complex and involved indicators, such as those required by industrial control systems (ICS), using STIX to help protect California’s electrical grid. This helped drive some of the features that are included in the new standard.

The talk will give an overview of the STIX Patterning Language in STIX 2.0. It will give real world examples of observables using the patterning language along with brief discussion and sample of existing libraries for validating patterns and matching patterns against STIX Observed Data SDOs.

I will end with a brief summary of the potential features to be included in the future STIX 2.1 Patterning standard.

About John-Mark

John-Mark Gurney is Principal Security Architect at New Context.  He is a contributor to the OASIS Cyber Threat Intelligence (CTI) committee and primary author of STIX 2.0 Part 5: STIX Patterning standard. Before New Context, he worked at Cryptography Research Inc. (CRI), and nCircle (now TripWire).  He is a FreeBSD committer and has been for the past 20 years.

Follow John-Mark on Twitter