CybOX

Cyber Observable eXpression

A Structured Language for Cyber Observables

CybOX Language — Version 2.1

About CybOX

Challenge

The concept of observable events or properties in the operational cyber realm is a central underlying element of many of the different activities involved in cyber security. Today, there exists no uniform standard mechanism for specifying, capturing, characterizing or communicating these cyber observables. Each activity area, each use case and often each supporting tool vendor uses its own unique approach that inhibits consistency, efficiency, interoperability and overall situational awareness.

Solution

The Cyber Observable eXpression (CybOX™) is a standardized language for encoding and communicating high-fidelity information about cyber observables, whether dynamic events or stateful measures that can be observed in the operational cyber domain. CybOX is not targeted at a single cyber security use case; rather, it is intended to be flexible enough to offer a common solution for every cyber security use case that needs to deal with cyber observables. It is likewise intended to support both the high-fidelity description of instances of cyber observables that have actually been measured in an operational context and more abstract patterns for potential observables that may be targets for observation and analysis a priori. By specifying a common structured schematic mechanism for these cyber observables, the intent is to enable detailed, automatable sharing, mapping, detection and analysis heuristics.

CybOX is targeted to support a wide range of relevant cyber security domains including:

  • Threat assessment & characterization (detailed attack patterns)
  • Malware characterization
  • Operational event management
  • Logging
  • Cyber situational awareness
  • Incident response
  • Indicator sharing
  • Digital forensics
  • Etc.

Through use of the standardized CybOX language, relevant observable events or properties can be captured and shared, defined in indicators and rules, or used to adorn the appropriate portions of attack patterns and malware profiles, tying those logical pattern constructs to real-world evidence of their occurrence or presence for attack detection and characterization. Incident response and management can then draw on all of these capabilities to investigate incidents in progress, improve overall situational awareness, and improve future attack detection, prevention and response.
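As an added illustration that is not part of this page, here is what the instance-versus-pattern distinction from the Solution section, and the "defined in indicators and rules" use just described, look like in CybOX 2.1 XML. The first Observable records a file as actually measured on a host; the second is an a priori pattern over the same File object type, where `condition` attributes turn each field into a match criterion. The `example:` id prefix and namespace, the file name, path, size and the hash value are constructed sample values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<cybox:Observables
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:example="http://example.com/cybox-sample"
    cybox_major_version="2" cybox_minor_version="1">

  <!-- Instance: a file as measured on a host (constructed sample values).
       No condition attributes: every field is a recorded fact. -->
  <cybox:Observable id="example:Observable-1">
    <cybox:Object id="example:Object-1">
      <cybox:Properties xsi:type="FileObj:FileObjectType">
        <FileObj:File_Name>update_helper.exe</FileObj:File_Name>
        <FileObj:File_Path>C:\Users\Public\update_helper.exe</FileObj:File_Path>
        <FileObj:Size_In_Bytes>73728</FileObj:Size_In_Bytes>
        <FileObj:Hashes>
          <cyboxCommon:Hash>
            <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
            <cyboxCommon:Simple_Hash_Value>d41d8cd98f00b204e9800998ecf8427e</cyboxCommon:Simple_Hash_Value>
          </cyboxCommon:Hash>
        </FileObj:Hashes>
      </cybox:Properties>
    </cybox:Object>
  </cybox:Observable>

  <!-- Pattern: what to look for a priori. The condition attribute makes each
       field a match criterion rather than a measurement; fields not listed
       (such as Size_In_Bytes) are left unconstrained. -->
  <cybox:Observable id="example:Observable-2">
    <cybox:Object id="example:Object-2">
      <cybox:Properties xsi:type="FileObj:FileObjectType">
        <FileObj:File_Name condition="Contains">update_helper</FileObj:File_Name>
        <FileObj:File_Path condition="StartsWith">C:\Users\Public\</FileObj:File_Path>
        <FileObj:Hashes>
          <cyboxCommon:Hash>
            <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
            <cyboxCommon:Simple_Hash_Value condition="Equals">d41d8cd98f00b204e9800998ecf8427e</cyboxCommon:Simple_Hash_Value>
          </cyboxCommon:Hash>
        </FileObj:Hashes>
      </cybox:Properties>
    </cybox:Object>
  </cybox:Observable>
</cybox:Observables>
```

A detection tool consuming the second Observable evaluates the conditions against the files it sees, whereas the first is evidence it could emit, in the same vocabulary, when a match occurs.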

Feedback Requested

To discuss the CybOX effort in general, the impacts and transition opportunities noted above, or any other questions or concerns, please email us at cybox@mitre.org.

Page Last Updated: March 26, 2014