Cyber Observable eXpression (CybOX)
is a standardized language that enables the systematic exchange and sharing of any observable or notable event or property in the cyber realm. It can be understood as a (more sophisticated) equivalent of having Structured Query Language (SQL) to handle all relational database transactions: every product built on a relational database can follow the common SQL format, which makes it possible to exchange information across different intel platforms or products. Similarly, CybOX helps exchange high-fidelity information about cyber observables (including stateful measures, dynamic events, etc.) across different cybersecurity systems. CybOX has been developed to support a wide range of cybersecurity activities, including threat assessment, malware characterization, operational event management, event logging, incident response, cyber forensics, and situational awareness.
What is a Cyber Observable?
A cyber observable is any event or measurable property of a cyber entity or incident that can occur in the cyber domain, such as access to a website, the creation or deletion of a file, or a change to a registry value.
What are CybOX Objects? How do you use a CybOX object?
CybOX objects are sets of schema-defined properties that characterize a given object in the cybersecurity domain, such as a Windows registry key, an HTTP session or a DNS query. CybOX objects are built from the CybOX schemas. Two core schemas, CybOX_Core and CybOX_Common, provide the required structure and functionality. The CybOX_Core schema is essential for defining an object, while CybOX_Common is used as and when needed. Because the CybOX architecture is modular, the whole suite of schemas need not be imported; only the elements that are actually needed can be picked up.
What are some common examples of CybOX Objects?
A CybOX object can be as simple as an email message with sender and receiver addresses, a network connection, the SHA1 hash value of a file, a URL, the modification of a registry key or an Indicator of Compromise. Objects can be used for threat assessment, malware characterization, log management, indicator or intel sharing, and incident response. Several CybOX samples are available online.
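As an added example (not from the article or the CybOX project), the block below ties together the schema description above and the SHA1-hash example: a constructed CybOX 2.1 XML observable for a File object, written with the element and namespace conventions of the CybOX_Core, CybOX_Common and File object schemas as I recall them (verify exact names against the published schemas), and a small Python consumer that pulls the hashes out and matches locally observed file hashes against them. The ids, file name, hash value and observed paths are all made-up sample values.

```python
import xml.etree.ElementTree as ET

# Namespaces of the CybOX 2.1 core, common and File object schemas.
NS = {"cybox": "http://cybox.mitre.org/cybox-2",
      "cyboxCommon": "http://cybox.mitre.org/common-2",
      "FileObj": "http://cybox.mitre.org/objects#FileObject-2"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample (not from the article): one Observable whose Object is a File
# carrying a SHA1 hash. The ids, file name and hash value are made up.
CYBOX_SAMPLE = """<cybox:Observables xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2" xmlns:example="http://example.com/"
    cybox_major_version="2" cybox_minor_version="1">
  <cybox:Observable id="example:Observable-1">
    <cybox:Object id="example:Object-1">
      <cybox:Properties xsi:type="FileObj:FileObjectType">
        <FileObj:File_Name>update_helper.dll</FileObj:File_Name>
        <FileObj:Hashes>
          <cyboxCommon:Hash>
            <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA1</cyboxCommon:Type>
            <cyboxCommon:Simple_Hash_Value>0123456789abcdef0123456789abcdef01234567</cyboxCommon:Simple_Hash_Value>
          </cyboxCommon:Hash>
        </FileObj:Hashes>
      </cybox:Properties>
    </cybox:Object>
  </cybox:Observable>
</cybox:Observables>"""

def file_hashes(xml_text):
    """Map each Observable id to {HASH_TYPE: value} for File objects only.
    Observables of other object types are skipped: a consumer only needs the
    schemas for the object types it handles (CybOX's modular design)."""
    result = {}
    for obs in ET.fromstring(xml_text).findall("cybox:Observable", NS):
        props = obs.find("cybox:Object/cybox:Properties", NS)
        if props is None or props.get(XSI_TYPE) != "FileObj:FileObjectType":
            continue
        result[obs.get("id")] = {
            h.findtext("cyboxCommon:Type", "", NS).strip().upper():
            h.findtext("cyboxCommon:Simple_Hash_Value", "", NS).strip().lower()
            for h in props.findall("FileObj:Hashes/cyboxCommon:Hash", NS)}
    return result

def sha1_matches(xml_text, observed):
    """observed: {path: sha1_hex} from a local file scan; returns [(path, observable_id)]."""
    wanted = {h["SHA1"]: oid for oid, h in file_hashes(xml_text).items() if "SHA1" in h}
    return [(p, wanted[d.lower()]) for p, d in observed.items() if d.lower() in wanted]
```

Hash comparison is case-insensitive because different tools emit hex digests in different cases; the observable id is returned with each hit so the match can be traced back to the shared object.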
Does CybOX support structured sharing of observables?
CybOX provides a platform for the structured capture and sharing of cyber observables across the entire spectrum of security activities, tools and services. This international community effort for the cybersecurity domain has been developed by a broad range of industry, academic and government organizations around the world. It can be used as a foundational language to describe many base-level system and network elements, which in turn supports the development of higher-level schemas, languages and conventions such as Structured Threat Information eXpression (STIX), Common Attack Pattern Enumeration and Classification (CAPEC), and Malware Attribute Enumeration and Characterization (MAEC). The CybOX language has now been integrated into Structured Threat Information eXpression version 2.0 (STIX 2.0).