CybOX provides a common foundation for all cyber security use cases requiring the ability to deal with cyber observables. CybOX is flexible, and directly supports use case domain-specific standards and solutions by providing them with a unified and consistent foundational definition of cyber observables. For most use cases, the utilization of CybOX should be indirect with primary focus on the use case domain-specific standard or solution which leverages CybOX as an enabler.
CybOX adheres to the following principles for scoping of informational content:
Flexible extension mechanisms are incorporated into CybOX to support such use by use case domain-specific standards and solutions.
The following table lists a sampling of the current use cases targeted by CybOX, together with the primary CybOX-leveraging use case domain-specific standards and solutions available for each use case.
Supported Use Case | Relevant Process | Domain Specific Standard
---|---|---
Analyze event data from a diverse set of sensors of different types and different vendors | Event Management | CybOX
Detect malicious activity utilizing attack patterns | Attack Detection | Common Attack Pattern Enumeration and Classification (CAPEC™)
Detect malicious activity utilizing malware behavior characterizations | Attack Detection | Malware Attribute Enumeration and Characterization (MAEC™) |
Enable automated attack detection signature rule generation | Attack Detection | CybOX, MAEC, CAPEC, Structured Threat Information eXpression (STIX™) |
Characterize malicious activity utilizing attack patterns | Incident Response/Management | CAPEC, STIX |
Identify new attack patterns | Threat Characterization | CAPEC |
Prioritize existing attack patterns based on tactical reality | Security Testing and Secure Development | CAPEC, STIX |
Characterize malware behavior | Malware Analysis | MAEC |
Guide malware analysis utilizing attack patterns | Malware Analysis | MAEC, CAPEC |
Detect malware effects | Attack Detection and Incident Response/Management | Open Vulnerability and Assessment Language (OVAL®), MAEC, STIX
Enable collaborative attack indicator sharing | Information Sharing | STIX |
Empower and guide incident management utilizing attack patterns and malware characterizations | Incident Response/Management | STIX, CAPEC, MAEC, CybOX |
Enable consistent, useful and automation-capable incident alerts | Incident Response/Management | STIX, MAEC, CAPEC |
Enable automatic application of mitigations specified in attack patterns | Incident Response/Management | STIX |
Enable incident information sharing | Incident Response/Management | STIX |
Support correlation between observed properties and malicious indicators as part of digital forensics | Digital Forensics | Digital Forensics XML (DFXML), STIX, MAEC, CAPEC |
Capture digital forensics analysis results | Digital Forensics | DFXML |
Capture digital forensics provenance information | Digital Forensics | DFXML |
Enable collaborative sharing of digital forensics information | Digital Forensics | DFXML |
Enable explicit and implicit sharing controls for cyber observable information | Information Sharing | STIX, CybOX, Trusted Automated eXchange of Indicator Information (TAXII™) |
Enable new levels of meta-analysis on operational cyber observables | Cyber Situational Awareness | CybOX, STIX