STIX 2.1 is a specification that defines a taxonomy of cyber threat intelligence, represented by a set of different Object types.

STIX Object Types

The specification groups STIX Objects into three core Object types (it also defines meta objects such as Marking Definition and Language Content, and the Bundle wrapper used to ship objects, but those are not the focus here):

  • STIX Domain Objects (SDOs)
  • STIX Cyber-observable Objects (SCOs)
  • STIX Relationship Objects (SROs)

Most widely known are the 18 STIX Domain Objects (SDOs), each representing a concept commonly used in CTI: Attack Pattern, Campaign, Course of Action, Grouping, Identity, Indicator, Infrastructure, Intrusion Set, Location, Malware, Malware Analysis, Note, Observed Data, Opinion, Report, Threat Actor, Tool, and Vulnerability.

STIX Cyber-observable Objects (SCOs) are used for characterising host-based and network-based information. SCOs are referenced by various STIX Domain Objects (SDOs) to provide supporting context: for example, an Observed Data SDO lists the SCOs it saw in its object_refs property, and the STIX Pattern inside an Indicator SDO is written in terms of SCO types and their properties.

For example, a Malware SDO might have relationships to Windows Registry Key SCOs.

STIX 2.1 SDO vs SCO

STIX SCOs document the facts concerning what happened on a network or host, and do not capture the who, when, or why. By associating SCOs with SDOs it is possible to convey a higher-level understanding of the threat landscape, and to potentially provide insight as to the who and the why.

STIX SCOs

Here is a list of the 18 STIX 2.1 SCOs available for use:

  • Artifact Object (artifact)
    • The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload.
    • View STIX 2.1 specification.
  • AS Object (autonomous-system)
  • Directory Object (directory)
  • Domain Name Object (domain-name)
  • Email Address Object (email-addr)
  • Email Message Object (email-message)
    • The Email Message object represents an instance of an email message, corresponding to the internet message format described in RFC5322 and related RFCs.
    • View STIX 2.1 specification.
  • File Object (file)
  • IPv4 Address Object (ipv4-addr)
  • IPv6 Address Object (ipv6-addr)
  • MAC Address Object (mac-addr)
  • Mutex Object (mutex)
  • Network Traffic Object (network-traffic)
    • The Network Traffic object represents arbitrary network traffic that originates from a source and is addressed to a destination.
    • View STIX 2.1 specification.
  • Process Object (process)
    • The Process object represents common properties of an instance of a computer program as executed on an operating system.
    • View STIX 2.1 specification.
  • Software Object (software)
    • The Software object represents high-level properties associated with software, including software products.
    • View STIX 2.1 specification.
  • URL Object (url)
  • User Account Object (user-account)
    • The User Account object represents an instance of any type of user account, including but not limited to operating system, device, messaging service, and social media platform accounts.
    • View STIX 2.1 specification.
  • Windows Registry Key Object (windows-registry-key)
  • X.509 Certificate Object (x509-certificate)
    • The X.509 Certificate object represents the properties of an X.509 certificate, as defined by ITU recommendation X.509.
    • View STIX 2.1 specification.

STIX SCO Properties

As the specification shows, each SCO carries a fair amount of additional metadata beyond its type and id.

The Network Traffic Object offers a nice example:

{
  "type": "network-traffic",
  "spec_version": "2.1",
  "id": "network-traffic--630d7bb1-0bbc-53a6-a6d4-f3c2d35c2734",
  "src_ref": "ipv4-addr--e42c19c8-f9fe-5ae9-9fc8-22c398f78fb7",
  "dst_ref": "ipv4-addr--03b708d9-7761-5523-ab75-5ea096294a68",
  "protocols": [
    "ipv4",
    "tcp"
  ],
  "src_byte_count": 147600,
  "src_packets": 100,
  "ipfix": {
    "minimumIpTotalLength": 32,
    "maximumIpTotalLength": 2556
  }
}

You can see the SCO type declared in the type property: "type": "network-traffic".

The SCO also contains protocols, src_byte_count, src_packets and ipfix properties, providing more information about the traffic observed. The Network Traffic SCO has other properties available too (src_port, dst_port, start, end and so on), and each SCO type defines its own set of properties.

SCOs can also reference one another through their *_ref and *_refs properties (the specification calls these embedded relationships, as opposed to the standalone Relationship SRO).

{
  "type": "ipv4-addr",
  "spec_version": "2.1",
  "id": "ipv4-addr--e42c19c8-f9fe-5ae9-9fc8-22c398f78fb7",
  "value": "203.0.113.1"
},
{
  "type": "ipv4-addr",
  "spec_version": "2.1",
  "id": "ipv4-addr--03b708d9-7761-5523-ab75-5ea096294a68",
  "value": "203.0.113.5"
},
{
  "type": "network-traffic",
  "spec_version": "2.1",
  "id": "network-traffic--630d7bb1-0bbc-53a6-a6d4-f3c2d35c2734",
  "src_ref": "ipv4-addr--e42c19c8-f9fe-5ae9-9fc8-22c398f78fb7",
  "dst_ref": "ipv4-addr--03b708d9-7761-5523-ab75-5ea096294a68",
  "protocols": [
    "ipv4",
    "tcp"
  ],
  "src_byte_count": 147600,
  "src_packets": 100,
  "ipfix": {
    "minimumIpTotalLength": 32,
    "maximumIpTotalLength": 2556
  }
}

In this example the src_ref and dst_ref properties of the network-traffic SCO each point to an ipv4-addr SCO by its id. The referenced ipv4-addr objects have to travel with the network-traffic object (typically in the same bundle); a consumer that receives the flow on its own has no way to resolve the references.
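As an added example (not code from the original post or from the STIX specification), the following Python builds the ipv4-addr and network-traffic SCOs above with identifiers derived the way STIX 2.1 recommends for SCOs: a UUIDv5 over the canonical JSON of the object's ID contributing properties, under the namespace 00abedb4-aa42-466c-9c01-fed23315a9b7. It then validates the embedded references the way a consumer should before trusting a bundle. The ID_CONTRIBUTING table and the build_flow, validate_refs and dangling_example helpers are this example's own assumptions; the ids it produces may not match the ones quoted above byte for byte, since they depend on the exact canonical serialisation the producer used.

```python
import json
import uuid

# Namespace the STIX 2.1 spec reserves for deterministic (UUIDv5) SCO identifiers.
STIX_SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")

# "ID contributing properties" from the spec for the two SCO types used here.
# Assumption: only these two types are handled; extend the table for others.
ID_CONTRIBUTING = {
    "ipv4-addr": ["value"],
    "network-traffic": ["start", "end", "src_ref", "dst_ref",
                        "src_port", "dst_port", "protocols", "extensions"],
}


def sco_id(sco_type, props):
    """Derive a deterministic id from the ID contributing properties present.

    The spec asks for RFC 8785 (JCS) serialisation; for the flat strings, ints
    and lists used here, compact JSON with sorted keys is equivalent.
    """
    contributing = {k: props[k] for k in ID_CONTRIBUTING[sco_type] if k in props}
    if not contributing:
        # No contributing properties present: the spec falls back to a random UUIDv4.
        return f"{sco_type}--{uuid.uuid4()}"
    canonical = json.dumps(contributing, sort_keys=True,
                           separators=(",", ":"), ensure_ascii=False)
    return f"{sco_type}--{uuid.uuid5(STIX_SCO_NAMESPACE, canonical)}"


def make_sco(sco_type, **props):
    """Build an SCO dict with type, spec_version and a derived id."""
    obj = {"type": sco_type, "spec_version": "2.1", "id": sco_id(sco_type, props)}
    obj.update(props)
    return obj


def build_flow():
    """Constructed sample: the two ipv4-addr SCOs and the flow that links them."""
    src = make_sco("ipv4-addr", value="203.0.113.1")
    dst = make_sco("ipv4-addr", value="203.0.113.5")
    flow = make_sco(
        "network-traffic",
        src_ref=src["id"],
        dst_ref=dst["id"],
        protocols=["ipv4", "tcp"],
        src_byte_count=147600,
        src_packets=100,
        ipfix={"minimumIpTotalLength": 32, "maximumIpTotalLength": 2556},
    )
    return [src, dst, flow]


def validate_refs(objects):
    """Return a list of problems with embedded (_ref / _refs) relationships.

    Two checks worth running on any received bundle: every reference resolves
    to an object that was actually shipped, and the referenced object's type
    matches the type prefix baked into the identifier.
    """
    by_id = {o["id"]: o for o in objects}
    problems = []
    for obj in objects:
        for prop, value in obj.items():
            if prop.endswith("_refs"):
                refs = value
            elif prop.endswith("_ref"):
                refs = [value]
            else:
                continue
            for ref in refs:
                target = by_id.get(ref)
                if target is None:
                    problems.append(f"{obj['id']}.{prop}: dangling reference {ref}")
                elif target["type"] != ref.split("--")[0]:
                    problems.append(f"{obj['id']}.{prop}: {ref} resolves to a {target['type']}")
    return problems


def dangling_example():
    """Constructed failure case: the flow shipped without the addresses it references."""
    flow = build_flow()[2]
    return validate_refs([flow])


if __name__ == "__main__":
    objects = build_flow()
    print(json.dumps(objects, indent=2))
    print("problems in full set:", validate_refs(objects))
    print("problems when flow ships alone:", dangling_example())
```

Because the id is a function of the contributing properties, two producers that observe the same address will emit the same ipv4-addr id, which is what lets a consumer deduplicate SCOs across feeds; the flip side is that changing a contributing property (say src_port on a flow) yields a different object, not an update to the old one.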

STIX SCO

STIX Patterning (used inside Indicator SDOs) builds its Object Paths from an SCO type and a property name, so the SCO types and properties listed above double as the vocabulary for detection patterns.

For example, to detect an IPv4 address I would compare against the value property of the ipv4-addr SCO: [ipv4-addr:value = '198.51.100.1'].
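As an added example (not from the original post and not the stix2 library's pattern engine), here is a minimal matcher for the simplest form of STIX pattern, one observation expression holding one comparison, evaluated against the SCOs from the example above. SAMPLE_SCOS, COMPARISON_RE, lookup and match_pattern are this example's own names. Real STIX patterning also has AND/OR/FOLLOWEDBY, qualifiers such as WITHIN and REPEATS, and operators like LIKE, MATCHES and ISSUBSET, none of which this handles.

```python
import re

# Constructed sample SCOs (ids copied from the example above).
SAMPLE_SCOS = [
    {"type": "ipv4-addr", "spec_version": "2.1",
     "id": "ipv4-addr--e42c19c8-f9fe-5ae9-9fc8-22c398f78fb7", "value": "203.0.113.1"},
    {"type": "ipv4-addr", "spec_version": "2.1",
     "id": "ipv4-addr--03b708d9-7761-5523-ab75-5ea096294a68", "value": "203.0.113.5"},
    {"type": "network-traffic", "spec_version": "2.1",
     "id": "network-traffic--630d7bb1-0bbc-53a6-a6d4-f3c2d35c2734",
     "src_ref": "ipv4-addr--e42c19c8-f9fe-5ae9-9fc8-22c398f78fb7",
     "dst_ref": "ipv4-addr--03b708d9-7761-5523-ab75-5ea096294a68",
     "protocols": ["ipv4", "tcp"], "src_byte_count": 147600, "src_packets": 100,
     "ipfix": {"minimumIpTotalLength": 32, "maximumIpTotalLength": 2556}},
]

# One observation expression with one comparison: [<type>:<path> <op> <literal>]
# Literals are single-quoted strings (backslash escapes) or integers.
COMPARISON_RE = re.compile(
    r"^\[\s*(?P<type>[a-z0-9-]+):(?P<path>[A-Za-z0-9_.]+)\s*"
    r"(?P<op>!=|>=|<=|=|>|<)\s*(?P<lit>'(?:[^'\\]|\\.)*'|-?\d+)\s*\]$"
)

OPERATORS = {
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
}


def parse_literal(text):
    """Single-quoted string with \\' and \\\\ escapes, otherwise an integer."""
    if text.startswith("'"):
        return text[1:-1].replace("\\'", "'").replace("\\\\", "\\")
    return int(text)


def lookup(obj, path):
    """Walk a dotted object path such as ipfix.minimumIpTotalLength."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def match_pattern(pattern, scos):
    """Return the ids of the SCOs matched by a single-comparison STIX pattern."""
    m = COMPARISON_RE.match(pattern.strip())
    if not m:
        raise ValueError(f"unsupported pattern: {pattern}")
    sco_type, path, op, lit = m.group("type", "path", "op", "lit")
    wanted = parse_literal(lit)
    compare = OPERATORS[op]
    hits = []
    for sco in scos:
        if sco.get("type") != sco_type:
            continue  # the object path's type must equal the SCO's type property
        actual = lookup(sco, path)
        if actual is None or type(actual) is not type(wanted):
            continue  # property absent, or comparing unlike types (no coercion)
        if compare(actual, wanted):
            hits.append(sco["id"])
    return hits


if __name__ == "__main__":
    for p in ("[ipv4-addr:value = '203.0.113.1']",
              "[network-traffic:src_packets > 50]",
              "[network-traffic:ipfix.maximumIpTotalLength = 2556]"):
        print(p, "->", match_pattern(p, SAMPLE_SCOS))
```

The type check on the object path is the point worth noticing: a pattern written against ipv4-addr:value never matches a network-traffic object even if that object happened to carry a value property, which is why Indicator patterns and Observed Data line up so cleanly when both use the SCO vocabulary.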

More on STIX Patterning next week.
