Endpoint Threat Detection Standards

28 May 2014

The most vocal player in the endpoint threat detection standards game is Mitre. Unfortunately, they are also the least useful as they don't provide any tools that use the formats they create. For a long time this meant no one used their formats, but it seems recently the US government (who paid Mitre to make these formats) has started forcing companies to supply data in these formats. The docs on these formats are lengthy and never give a simple explanation, so this is my simplification.

Terms

  • Stateful properties: These are the currently running processes, files that exist, registry keys that exist, etc. These can be acquired by running periodic scans on a system, or running one scan after an incident. Think of this as data you obtain from a memory image or hard-drive image.
  • Events: These are acquired by monitoring a system. These are generated as processes are created or terminated, files are created, written to, read from, or deleted, etc. Think of this as procmon data from the Sysinternals tools.

Formats

OpenIOC

OpenIOC = stateful properties + a threat name. It is a Mandiant format that is useful for incident response.
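To make the "stateful properties + a threat name" point concrete, here is an added example (not code from the original post, and not Mandiant's tooling) that parses a small, constructed OpenIOC 1.0 document and evaluates its AND/OR indicator tree against a constructed host snapshot of the kind the Terms section describes: process names, file names and registry keys gathered by a scan. The threat name, indicator terms and snapshot values are all made up for illustration; case-insensitive string comparison is this example's choice, not something the format requires.

```python
"""Evaluate a minimal OpenIOC 1.0 indicator against a host snapshot.

Added example for illustration. The IOC, the threat name and the host
snapshot are constructed; nothing here is taken from a real indicator.
"""
import xml.etree.ElementTree as ET

# OpenIOC 1.0 namespace (the real schema namespace used by the format).
NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed OpenIOC document: one threat name plus a boolean tree of
# stateful-property tests. Note there is no event data anywhere in it.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc"
     id="example-0001" last-modified="2014-05-28T00:00:00">
  <short_description>Example.Dropper (constructed sample)</short_description>
  <definition>
    <Indicator operator="OR" id="ind-root">
      <IndicatorItem id="ii-1" condition="is">
        <Context document="FileItem" search="FileItem/FileName" type="mir"/>
        <Content type="string">dropper_sample.exe</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="ind-2">
        <IndicatorItem id="ii-2" condition="contains">
          <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
          <Content type="string">svch0st</Content>
        </IndicatorItem>
        <IndicatorItem id="ii-3" condition="is">
          <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/>
          <Content type="string">HKLM\\SOFTWARE\\Example\\Run\\Updater</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed host snapshot: the stateful data a periodic scan or a
# disk/memory image yields. Keys are OpenIOC "search" terms, values are
# the observed items of that kind on the host.
HOST_SNAPSHOT = {
    "FileItem/FileName": ["explorer.exe", "notepad.exe"],
    "ProcessItem/name": ["svch0st.exe", "lsass.exe"],
    "RegistryItem/Path": ["HKLM\\SOFTWARE\\Example\\Run\\Updater"],
}


def _match(condition, observed, content):
    """Apply one OpenIOC condition to a single observed value.

    'is' and 'contains' are the OpenIOC 1.0 conditions; the comparison is
    made case-insensitive here as a design choice of this example.
    """
    o, c = observed.lower(), content.lower()
    if condition == "is":
        return o == c
    if condition == "contains":
        return c in o
    raise ValueError("unsupported condition %r" % condition)


def _eval_item(item, snapshot):
    """An IndicatorItem matches if any observed value of its kind matches."""
    search = item.find("ioc:Context", NS).get("search")
    content = item.find("ioc:Content", NS).text or ""
    condition = item.get("condition")
    return any(_match(condition, v, content) for v in snapshot.get(search, []))


def _eval_indicator(ind, snapshot):
    """Recursively combine child Indicators/IndicatorItems with AND or OR."""
    op = ind.get("operator", "OR").upper()
    results = []
    for child in ind:
        tag = child.tag.split("}")[-1]  # strip the namespace prefix
        if tag == "Indicator":
            results.append(_eval_indicator(child, snapshot))
        elif tag == "IndicatorItem":
            results.append(_eval_item(child, snapshot))
    if not results:  # an empty indicator can never match
        return False
    return all(results) if op == "AND" else any(results)


def evaluate_ioc(ioc_xml, snapshot):
    """Return (threat_name, matched) for an OpenIOC document and a snapshot."""
    root = ET.fromstring(ioc_xml)
    name = root.findtext("ioc:short_description", default="", namespaces=NS)
    definition = root.find("ioc:definition", NS)
    matched = any(_eval_indicator(ind, snapshot)
                  for ind in definition.findall("ioc:Indicator", NS))
    return name, matched


if __name__ == "__main__":
    print(evaluate_ioc(SAMPLE_IOC, HOST_SNAPSHOT))
```

Running it reports a hit on the constructed snapshot because the AND branch (misspelled process name plus the Run key) is fully satisfied even though the file-name test fails; remove either of those two observations and the document no longer matches. Because the format only carries stateful tests, this is exactly the kind of check you would run over a scan result or an image, not over a live event stream.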

CybOX

CybOX = stateful properties + event data. It's not really meant to be used by itself, but rather should be used as part of one of Mitre's other formats. There are 88 object types possible that range from common things like files and processes, down to oddly specific things like "PDF File" and "Windows hook". Although mostly focused on Windows, some objects are Unix specific.

MAEC

MAEC = CybOX + a threat name. It is used with some Advanced Threat Protection products, such as Cuckoo Sandbox.

STIX

STIX = MAEC + whatever you want. The STIX samples on Mitre's site look like MAEC data plus lots of metadata, including long HTML descriptions of pieces of the content.

TAXII

This is just how you should send STIX data. It is a publish/subscribe model built on HTTP/S. Luckily, Mitre actually made an example implementation of this.

Summary

Format           Stateful properties   Event data   Malware/threat description   Kitchen sink
Procmon output   No                    Yes          No                           No
tasklist output  Yes                   No           No                           No
CybOX            Yes                   Yes          No                           No
OpenIOC          Yes                   No           Yes                          No
MAEC             Yes                   Yes          Yes                          No
STIX             Yes                   Yes          Yes                          Yes