CybOX provides a common foundation for all cyber security use cases that require the ability to deal with cyber observables. CybOX is flexible and directly supports use case domain-specific standards and solutions by giving them a unified, consistent foundational definition of cyber observables. For most use cases, CybOX should be used indirectly, with the primary focus on the use case domain-specific standard or solution that leverages CybOX as an enabler.
CybOX incorporates flexible extension mechanisms to support this kind of use by use case domain-specific standards and solutions.
The following table lists a sampling of the current use cases targeted by CybOX and, for each use case, some of the primary CybOX-leveraging use case domain-specific standards and solutions available.
| Supported Use Case | Relevant Process | Domain Specific Standard |
|---|---|---|
| Analyze event data from a diverse set of sensors of different types and different vendors | Event Management | CybOX |
| Detect malicious activity utilizing attack patterns | Attack Detection | Common Attack Pattern Enumeration and Classification (CAPEC™) |
| Detect malicious activity utilizing malware behavior characterizations | Attack Detection | Malware Attribute Enumeration and Characterization (MAEC™) |
| Enable automated attack detection signature rule generation | Attack Detection | CybOX, MAEC, CAPEC, Structured Threat Information eXpression (STIX™) |
| Characterize malicious activity utilizing attack patterns | Incident Response/Management | CAPEC, STIX |
| Identify new attack patterns | Threat Characterization | CAPEC |
| Prioritize existing attack patterns based on tactical reality | Security Testing and Secure Development | CAPEC, STIX |
| Characterize malware behavior | Malware Analysis | MAEC |
| Guide malware analysis utilizing attack patterns | Malware Analysis | MAEC, CAPEC |
| Detect malware effects | Attack Detection and Incident Response/Management | Open Vulnerability and Assessment Language (OVAL®), MAEC, STIX |
| Enable collaborative attack indicator sharing | Information Sharing | |
| Empower and guide incident management utilizing attack patterns and malware characterizations | Incident Response/Management | STIX, CAPEC, MAEC, CybOX |
| Enable consistent, useful and automation-capable incident alerts | Incident Response/Management | STIX, MAEC, CAPEC |
| Enable automatic application of mitigations specified in attack patterns | Incident Response/Management | STIX |
| Enable incident information sharing | Incident Response/Management | STIX |
| Support correlation between observed properties and malicious indicators as part of digital forensics | Digital Forensics | Digital Forensics XML (DFXML), STIX, MAEC, CAPEC |
| Capture digital forensics analysis results | Digital Forensics | DFXML |
| Capture digital forensics provenance information | Digital Forensics | DFXML |
| Enable collaborative sharing of digital forensics information | Digital Forensics | DFXML |
| Enable explicit and implicit sharing controls for cyber observable information | Information Sharing | STIX, CybOX, Trusted Automated eXchange of Indicator Information (TAXII™) |
| Enable new levels of meta-analysis on operational cyber observables | Cyber Situational Awareness | CybOX, STIX |