Cyber Observable eXpression — CybOX™

A Structured Language for Cyber Observables

CybOX provides a common structure for representing cyber observables across and among the operational areas
of enterprise cyber security that improves the consistency, efficiency, and interoperability of deployed tools and
processes, as well as increases overall situational awareness by enabling the potential for detailed automatable
sharing, mapping, detection, and analysis heuristics.

Examples of cyber observables include:
■ A Registry Key is created
■ A File is deleted
■ A Mutex exists
■ A specific HTTP GET request is received
■ A file has a specific MD5 hash
■ Data is sent to an address on a socket
■ Network traffic occurs to specific IP addresses
■ Email from a specific address is observed
■ Application logs show communication on certain ports
■ A service's configuration is changed
■ A remote thread is created

International in scope and free for public use, CybOX is a structured language for the specification, capture, characterization, and communication of events or stateful properties that are observable in the operational domain. A wide variety of high-level cyber security use cases rely on such information, including event management/logging, malware characterization, intrusion detection, incident response/management, attack pattern characterization, indicator sharing, etc. CybOX provides a common structure for representing cyber observables across and among these use cases, thereby improving consistency, efficiency, interoperability, and overall situational awareness for the enterprise.

Challenge

The concept of observable events or properties in the operational cyber realm is a central underlying element of many of the different activities involved in cyber security. Until recently, no uniform structured mechanism existed for specifying, capturing, characterizing, or communicating these cyber observables. Each activity area, each use case, and often each supporting tool vendor uses its own unique approach, which inhibits consistency, efficiency, interoperability, and overall situational awareness.

Solution

CybOX is a standardized language for representing cyber observables, whether dynamic events or stateful properties that are observable in the operational cyber domain. CybOX is not targeted at a single cyber security use case but rather is intended to be flexible enough to offer a common solution for all cyber security use cases requiring the ability to deal with cyber observables. It is also intended to be flexible enough to allow both the high-fidelity description of instances of cyber observables that have been measured in an operational context and more abstract patterns for potential observables that may be targets for observation and analysis a priori. By specifying a common structured schematic mechanism for these cyber observables, CybOX enables detailed automatable sharing, mapping, detection, and analysis heuristics.

CybOX is targeted to support a wide range of relevant cyber security domains, including:
■ Threat assessment and characterization (detailed attack patterns)
■ Malware characterization
■ Operational event management
■ Logging
■ Cyber situational awareness
■ Incident response
■ Indicator sharing
■ Digital forensics
■ Etc.

CybOX is a U.S. Department of Homeland Security–led effort of the Office of Cybersecurity and Communications. MITRE, operating as DHS's FFRDC, manages the CybOX website (cybox.mitre.org), community engagement, and discussion lists to enable open and public collaboration with all stakeholders.

Through utilization of the standardized CybOX Language, relevant observable events or properties can be captured and shared, defined in indicators and rules, or used to adorn the appropriate portions of attack patterns and malware profiles in order to tie the logical pattern constructs to real-world evidence of their occurrence or presence for attack detection and characterization. Incident response and management can then take advantage of all of these capabilities to investigate occurring incidents, improve overall situational awareness, and improve future attack detection, prevention, and response.

Supported Use Cases

CybOX is intended to be flexible enough to provide a common foundation for a wide diversity of cyber security use cases requiring the ability to deal with cyber observables. For most use cases, the utilization of CybOX should be indirect, with the primary focus on the use case domain-specific standard or solution which leverages CybOX as an enabler. See the table below for examples of current use cases.

Supported Use Case | Relevant Process | Domain Specific Standard
Analyze event data from a diverse set of sensors of different types and different vendors | Event Management | CybOX
Detect malicious activity utilizing attack patterns | Attack Detection | Common Attack Pattern Enumeration and Classification (CAPEC™)
Detect malicious activity utilizing malware behavior characterizations | Attack Detection | Malware Attribute Enumeration and Characterization (MAEC™)
Enable automated attack detection signature rule generation | Attack Detection | CybOX, MAEC, CAPEC, STIX
Characterize malicious activity utilizing attack patterns | Incident Response/Management | CAPEC, STIX
Identify new attack patterns | Threat Characterization | CAPEC
Prioritize existing attack patterns based on tactical reality | Security Testing and Secure Development | CAPEC, STIX
Characterize malware behavior | Malware Analysis | MAEC
Guide malware analysis utilizing attack patterns | Malware Analysis | MAEC, CAPEC
Detect malware effects | Attack Detection and Incident Response/Management | STIX, MAEC, Open Vulnerability and Assessment Language (OVAL®)
Enable collaborative attack indicator sharing | Information Sharing | STIX, TAXII
Empower and guide incident management utilizing attack patterns and malware characterizations | Incident Response/Management | STIX, CAPEC, MAEC, CybOX
Enable consistent, useful, and automation-capable incident alerts | Incident Response/Management | STIX, MAEC, CAPEC, CEE
Enable automatic application of mitigations specified in attack patterns | Incident Response/Management | STIX
Enable incident information sharing | Incident Response/Management | STIX, Trusted Automated eXchange of Indicator Information (TAXII™)
Support correlation between observed properties and malicious indicators as part of digital forensics | Digital Forensics | STIX, MAEC, CAPEC, ongoing work to refine Digital Forensics XML (DFXML) based on CybOX
Capture digital forensics analysis results | Digital Forensics | Ongoing work to refine DFXML based on CybOX
Capture digital forensics provenance information | Digital Forensics | Ongoing work to refine DFXML based on CybOX
Enable collaborative sharing of digital forensics information | Digital Forensics | Ongoing work to refine DFXML based on CybOX, STIX, TAXII
Enable explicit and implicit sharing controls for cyber observable information | Information Sharing | STIX, CybOX, TAXII
Enable new levels of meta-analysis on operational cyber observables | Cyber Situational Awareness | CybOX, STIX

Feedback Requested

CybOX Community members can make contributions to CybOX development and manage issue tracking for the CybOX schemas, utilities, specifications, and supporting information by joining the CybOX Community at https://cybox.mitre.org/community/. Members of the cyber security community are invited to participate in this growing community effort.
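The Solution section above draws a distinction that the use-case table relies on: a measured observable instance (this file, with this MD5, as reported by this sensor) versus an abstract observable pattern (any file whose MD5 equals a given value, any connection to a given address on a port in a given range). The following is an added example, not CybOX's schema or any MITRE tooling, that models that distinction in plain Python and correlates instances from several constructed sensors against shared patterns, the first two rows of the table. The condition names (Equals, Contains, StartsWith, InclusiveBetween) mirror the condition vocabulary CybOX 2.x puts on property values; the class names, field names, sample observations, and sample patterns are assumptions made for this illustration.

```python
"""Added illustration of observable instances vs. observable patterns.

Not CybOX's own schema or code: class names, field names, and the sample data
below are invented for this example. Condition names follow the CybOX 2.x
condition vocabulary (Equals, Contains, StartsWith, InclusiveBetween).
"""
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Observation:
    """One measured observable, e.g. a file as reported by an endpoint sensor."""
    object_type: str            # "File", "NetworkConnection", "Mutex", ...
    properties: dict            # property name -> measured value
    source: str = "unknown"     # which sensor or vendor reported it


@dataclass(frozen=True)
class PropertyPattern:
    """A constraint on a single property of an observable."""
    name: str
    condition: str              # Equals | Contains | StartsWith | InclusiveBetween
    value: Any                  # expected value, or (low, high) for InclusiveBetween


@dataclass(frozen=True)
class ObservablePattern:
    """Abstract pattern: an object type plus constraints that must all hold."""
    pattern_id: str
    object_type: str
    constraints: tuple          # tuple of PropertyPattern


def _normalise(name: str, value: Any) -> Any:
    # Hash digests are hex and case-insensitive; fold them so "D41D8CD9..." from
    # one vendor matches "d41d8cd9..." from another. Other values are untouched.
    if name.endswith("_hash") and isinstance(value, str):
        return value.lower()
    return value


def _holds(constraint: PropertyPattern, observed: Any) -> bool:
    want = _normalise(constraint.name, constraint.value)
    got = _normalise(constraint.name, observed)
    if constraint.condition == "Equals":
        return got == want
    if constraint.condition == "Contains":
        return isinstance(got, str) and want in got
    if constraint.condition == "StartsWith":
        return isinstance(got, str) and got.startswith(want)
    if constraint.condition == "InclusiveBetween":
        low, high = want
        return low <= got <= high
    raise ValueError(f"unsupported condition {constraint.condition!r}")


def matches(pattern: ObservablePattern, observation: Observation) -> bool:
    """True if the observation has the pattern's type and satisfies every constraint.

    A property the sensor did not report never matches: absence of a value is
    not evidence that the constraint holds.
    """
    if observation.object_type != pattern.object_type:
        return False
    for c in pattern.constraints:
        if c.name not in observation.properties:
            return False
        if not _holds(c, observation.properties[c.name]):
            return False
    return True


def find_matches(patterns, observations):
    """Correlate observations from many sensors against shared patterns.

    Returns (pattern_id, observation source) pairs in observation order.
    """
    return [(p.pattern_id, o.source)
            for o in observations for p in patterns if matches(p, o)]


# Constructed sample data for the example; these are not real indicators.
SAMPLE_OBSERVATIONS = [
    Observation("File", {"file_name": "svchost.exe",
                         "md5_hash": "D41D8CD98F00B204E9800998ECF8427E"},
                source="edr-vendor-a"),
    Observation("File", {"file_name": "notes.txt",
                         "md5_hash": "0cc175b9c0f1b6a831c399e269772661"},
                source="edr-vendor-b"),
    Observation("NetworkConnection", {"dst_ip": "198.51.100.23", "dst_port": 4444},
                source="netflow"),
    Observation("NetworkConnection", {"dst_ip": "198.51.100.23", "dst_port": 443},
                source="proxy"),
    Observation("Mutex", {"name": "Global\\evil-mutex-01"}, source="edr-vendor-a"),
]

SAMPLE_PATTERNS = [
    ObservablePattern("pat-md5", "File",
                      (PropertyPattern("md5_hash", "Equals",
                                       "d41d8cd98f00b204e9800998ecf8427e"),)),
    ObservablePattern("pat-c2", "NetworkConnection",
                      (PropertyPattern("dst_ip", "Equals", "198.51.100.23"),
                       PropertyPattern("dst_port", "InclusiveBetween", (4000, 5000)))),
    ObservablePattern("pat-mutex", "Mutex",
                      (PropertyPattern("name", "StartsWith", "Global\\evil-"),)),
]

if __name__ == "__main__":
    for hit in find_matches(SAMPLE_PATTERNS, SAMPLE_OBSERVATIONS):
        print(hit)
```

Two details matter in practice. Hash digests are compared case-folded because vendors disagree on hex case, and an exact string comparison would silently miss a shared indicator. A pattern constraint on a property the sensor did not report fails rather than passes, so a pattern with a port-range constraint cannot match a proxy log that omits the port.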

MITRE    Learn More – https://cybox.mitre.org
