Added STIX-D intro

ciioprof0 · Aug 18, 2024 · e9a787c · e9a787c
1 parent 9b8d573
commit e9a787c
Show file tree

Hide file tree

Showing 5 changed files with 187 additions and 21 deletions.
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -51,6 +51,7 @@
         "browed",
         "Clex",
         "colour",
+        "cryptolocker",
         "csvfile",
         "falutin",
         "fetchone",

diff --git a/ling508/demos/demo_clex_importer.ipynb b/ling508/demos/demo_clex_importer.ipynb
@@ -39,17 +39,12 @@
    "source": [
     "## Agenda\n",
     "\n",
+    "1. Intro to STIX-D Project\n",
     "1. Use Case\n",
     "1. Project Design\n",
     "1. Code Interaction with Database\n",
     "1. Test Cases\n",
-    "    - All Tests\n",
-    "    - Unit Tests\n",
-    "    - Integration Tests\n",
-    "    - End-to-End Tests\n",
-    "1. Code Execution\n",
-    "    - Command Line Interface (in notebook)\n",
-    "    - Web Interface (not in notebook)"
+    "1. Code Execution\n"
    ]
   },
   {
@@ -63,6 +58,8 @@
     "**Speaker Notes for the Agenda Slide:**\n",
     "\n",
     "- **Introduction**: This slide outlines the key points we'll cover in today's demonstration.\n",
+    "\n",
+    "- **Background**: We'll provide an overview of the parent STIX-D project.\n",
     "  \n",
     "- **Use Case**: We'll start by discussing the specific problem this tool addresses and the context in which it operates.\n",
     "\n",
@@ -83,7 +80,94 @@
     }
    },
    "source": [
-    "## Use Case\n",
+    "## What is the STIX-D Project?\n",
+    "\n",
+    "To develop a Controlled Natural Language ([CNL](https://en.wikipedia.org/wiki/Controlled_natural_language)) and necessary tools for Structured Threat Information eXpression ([STIX](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html)) descriptions within the Cyber Threat Intelligence ([CTI](https://www.crowdstrike.com/cybersecurity-101/threat-intelligence/)) domain. The CNL will be a custom subset of Attempto Controlled English ([ACE](https://www.crowdstrike.com/cybersecurity-101/threat-intelligence/)). \n",
+    "\n",
+    "The goal of the project is to improve the efficiency and efficacy of automated CTI systems in processing natural language texts.\n",
+    "\n",
+    "*Click the down arrow to explore the STIX-D project in more detail.*\n"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {
+    "slideshow": {
+     "slide_type": "notes"
+    }
+   },
+   "source": [
+    "**Speaker Notes for the STIX-D Project Slide:**\n",
+    "\n",
+    "As outlined on this slide, the purpose of the STIX-D Project is to develop a Controlled Natural Language (CNL) and the necessary tools for STIX descriptions. \n",
+    "This CNL will be a custom subset of Attempto Controlled English (ACE). \n",
+    "The project's aim is to improve the efficiency and efficacy of automated CTI systems in processing natural language texts, making threat intelligence more precise and actionable."
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {
+    "slideshow": {
+     "slide_type": "subslide"
+    }
+   },
+   "source": [
+    "## What is STIX?\n",
+    "\n",
+    "- A language and serialization format for sharing cyber threat intelligence\n",
+    "- STIX objects categorize each datum with specific attributes\n",
+    "- `description` field (optional)\n",
+    "    - Natural language ‘free’ text\n",
+    "    - Provides more details & context\n",
+    "        - Purpose & key characteristics\n",
+    "        - How used; relation to other objects\n"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {
+    "slideshow": {
+     "slide_type": "notes"
+    }
+   },
+   "source": [
+    "**Speaker Notes for the \"What is STIX?\" Slide:**\n",
+    "\n",
+    "STIX is a standardized language and format used for sharing cyber threat intelligence. \n",
+    "It categorizes each piece of data with specific attributes, allowing for a structured approach to analyzing threats. \n",
+    "The 'description' field, highlighted here, is optional but highly valuable. \n",
+    "It provides natural language text that offers more details, context, and insights into the nature and purpose of the threat. \n",
+    "While this flexibility in the description field is beneficial, it also introduces challenges, especially when complex language is involved, which can be difficult for automated systems to process effectively.\n"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {
+    "slideshow": {
+     "slide_type": "subslide"
+    }
+   },
+   "source": [
+    "### STIX Description (STIX-D) Examples\n",
+    "\n",
+    "1. \"description\": \"A variant of the cryptolocker family\"\n",
+    "2. \"description\": \"The Evil Org threat actor group\"\n",
+    "3. \"description\": \"This file is part of Poison Ivy“\n",
+    "\n",
+    "4. \"description\": \"A particular form of spear phishing where the attacker claims that the target had won a contest, including personal details, to get them to click on a link.\"\n",
+    "\n",
+    "5. \"description\": \"Incidents usually feature a shared TTP of a wildcat being released within the building containing network access, scaring users to leave their computers without locking them first. Still determining where the threat actors are getting the wildcats.\"\n"
+   ]
+  },
+  {
+   "cell_type": "markdown",
+   "metadata": {
+    "slideshow": {
+     "slide_type": "slide"
+    }
+   },
+   "source": [
+    "## Use Case L1: Import ACE Common Lexicon\n",
     "\n",
     "- **Objective**: Seed lexicon table with ACE common lexicon entries\n",
     "- **Actors**: Database Administrator\n",

diff --git a/ling508/demos/demo_clex_importer.pdf b/ling508/demos/demo_clex_importer.pdf
diff --git a/ling508/demos/demo_clex_importer.html → ling508/demos/demo_clex_importer_notes.html b/ling508/demos/demo_clex_importer.html → ling508/demos/demo_clex_importer_notes.html
@@ -7544,21 +7544,12 @@ <h1 id="Demonstration-of-STIX-D's-Clex-Importer-Tool">Demonstration of STIX-D's
 <div class="jp-InputArea jp-Cell-inputArea"><div class="jp-InputPrompt jp-InputArea-prompt">
 </div><div class="jp-RenderedHTMLCommon jp-RenderedMarkdown jp-MarkdownOutput" data-mime-type="text/markdown">
 <h2 id="Agenda">Agenda<a class="anchor-link" href="#Agenda">¶</a></h2><ol>
+<li>Intro to STIX-D Project</li>
 <li>Use Case</li>
 <li>Project Design</li>
 <li>Code Interaction with Database</li>
-<li>Test Cases<ul>
-<li>All Tests</li>
-<li>Unit Tests</li>
-<li>Integration Tests</li>
-<li>End-to-End Tests</li>
-</ul>
-</li>
-<li>Code Execution<ul>
-<li>Command Line Interface (in notebook)</li>
-<li>Web Interface (not in notebook)</li>
-</ul>
-</li>
+<li>Test Cases</li>
+<li>Code Execution</li>
 </ol>
 </div>
 </div>
@@ -7574,6 +7565,8 @@ <h2 id="Agenda">Agenda<a class="anchor-link" href="#Agenda">¶</a></h2><ol>
 <ul>
 <li><p><strong>Introduction</strong>: This slide outlines the key points we'll cover in today's demonstration.</p>
 </li>
+<li><p><strong>Background</strong>: We'll provide an overview of the parent STIX-D project.</p>
+</li>
 <li><p><strong>Use Case</strong>: We'll start by discussing the specific problem this tool addresses and the context in which it operates.</p>
 </li>
 <li><p><strong>Project Design</strong>: Next, we'll dive into the overall architecture and design principles that guided the development of the Clex Importer tool.</p>
@@ -7595,7 +7588,95 @@ <h2 id="Agenda">Agenda<a class="anchor-link" href="#Agenda">¶</a></h2><ol>
 </div>
 <div class="jp-InputArea jp-Cell-inputArea"><div class="jp-InputPrompt jp-InputArea-prompt">
 </div><div class="jp-RenderedHTMLCommon jp-RenderedMarkdown jp-MarkdownOutput" data-mime-type="text/markdown">
-<h2 id="Use-Case">Use Case<a class="anchor-link" href="#Use-Case">¶</a></h2><ul>
+<h2 id="What-is-the-STIX-D-Project?">What is the STIX-D Project?<a class="anchor-link" href="#What-is-the-STIX-D-Project?">¶</a></h2><p>To develop a Controlled Natural Language (<a href="https://en.wikipedia.org/wiki/Controlled_natural_language">CNL</a>) and necessary tools for Structured Threat Information eXpression (<a href="https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html">STIX</a>) descriptions within the Cyber Threat Intelligence (<a href="https://www.crowdstrike.com/cybersecurity-101/threat-intelligence/">CTI</a>) domain. The CNL will be a custom subset of Attempto Controlled English (<a href="https://www.crowdstrike.com/cybersecurity-101/threat-intelligence/">ACE</a>).</p>
+<p>The goal of the project is to improve the efficiency and efficacy of automated CTI systems in processing natural language texts.</p>
+<p><em>Click the down arrow to explore the STIX-D project in more detail.</em></p>
+</div>
+</div>
+</div>
+</div>
+<div class="jp-Cell jp-MarkdownCell jp-Notebook-cell">
+<div class="jp-Cell-inputWrapper" tabindex="0">
+<div class="jp-Collapser jp-InputCollapser jp-Cell-inputCollapser">
+</div>
+<div class="jp-InputArea jp-Cell-inputArea"><div class="jp-InputPrompt jp-InputArea-prompt">
+</div><div class="jp-RenderedHTMLCommon jp-RenderedMarkdown jp-MarkdownOutput" data-mime-type="text/markdown">
+<p><strong>Speaker Notes for the STIX-D Project Slide:</strong></p>
+<p>As outlined on this slide, the purpose of the STIX-D Project is to develop a Controlled Natural Language (CNL) and the necessary tools for STIX descriptions.
+This CNL will be a custom subset of Attempto Controlled English (ACE).
+The project's aim is to improve the efficiency and efficacy of automated CTI systems in processing natural language texts, making threat intelligence more precise and actionable.</p>
+</div>
+</div>
+</div>
+</div>
+<div class="jp-Cell jp-MarkdownCell jp-Notebook-cell">
+<div class="jp-Cell-inputWrapper" tabindex="0">
+<div class="jp-Collapser jp-InputCollapser jp-Cell-inputCollapser">
+</div>
+<div class="jp-InputArea jp-Cell-inputArea"><div class="jp-InputPrompt jp-InputArea-prompt">
+</div><div class="jp-RenderedHTMLCommon jp-RenderedMarkdown jp-MarkdownOutput" data-mime-type="text/markdown">
+<h2 id="What-is-STIX?">What is STIX?<a class="anchor-link" href="#What-is-STIX?">¶</a></h2><ul>
+<li>A language and serialization format for sharing cyber threat intelligence</li>
+<li>STIX objects categorize each datum with specific attributes</li>
+<li><code>description</code> field (optional)<ul>
+<li>Natural language ‘free’ text</li>
+<li>Provides more details &amp; context<ul>
+<li>Purpose &amp; key characteristics</li>
+<li>How used; relation to other objects</li>
+</ul>
+</li>
+</ul>
+</li>
+</ul>
+</div>
+</div>
+</div>
+</div>
+<div class="jp-Cell jp-MarkdownCell jp-Notebook-cell">
+<div class="jp-Cell-inputWrapper" tabindex="0">
+<div class="jp-Collapser jp-InputCollapser jp-Cell-inputCollapser">
+</div>
+<div class="jp-InputArea jp-Cell-inputArea"><div class="jp-InputPrompt jp-InputArea-prompt">
+</div><div class="jp-RenderedHTMLCommon jp-RenderedMarkdown jp-MarkdownOutput" data-mime-type="text/markdown">
+<p><strong>Speaker Notes for the "What is STIX?" Slide:</strong></p>
+<p>STIX is a standardized language and format used for sharing cyber threat intelligence.
+It categorizes each piece of data with specific attributes, allowing for a structured approach to analyzing threats.
+The 'description' field, highlighted here, is optional but highly valuable.
+It provides natural language text that offers more details, context, and insights into the nature and purpose of the threat.
+While this flexibility in the description field is beneficial, it also introduces challenges, especially when complex language is involved, which can be difficult for automated systems to process effectively.</p>
+</div>
+</div>
+</div>
+</div>
+<div class="jp-Cell jp-MarkdownCell jp-Notebook-cell">
+<div class="jp-Cell-inputWrapper" tabindex="0">
+<div class="jp-Collapser jp-InputCollapser jp-Cell-inputCollapser">
+</div>
+<div class="jp-InputArea jp-Cell-inputArea"><div class="jp-InputPrompt jp-InputArea-prompt">
+</div><div class="jp-RenderedHTMLCommon jp-RenderedMarkdown jp-MarkdownOutput" data-mime-type="text/markdown">
+<h3 id="STIX-Description-(STIX-D)-Examples">STIX Description (STIX-D) Examples<a class="anchor-link" href="#STIX-Description-(STIX-D)-Examples">¶</a></h3><ol>
+<li><p>"description": "A variant of the cryptolocker family"</p>
+</li>
+<li><p>"description": "The Evil Org threat actor group"</p>
+</li>
+<li><p>"description": "This file is part of Poison Ivy“</p>
+</li>
+<li><p>"description": "A particular form of spear phishing where the attacker claims that the target had won a contest, including personal details, to get them to click on a link."</p>
+</li>
+<li><p>"description": "Incidents usually feature a shared TTP of a wildcat being released within the building containing network access, scaring users to leave their computers without locking them first. Still determining where the threat actors are getting the wildcats."</p>
+</li>
+</ol>
+</div>
+</div>
+</div>
+</div>
+<div class="jp-Cell jp-MarkdownCell jp-Notebook-cell">
+<div class="jp-Cell-inputWrapper" tabindex="0">
+<div class="jp-Collapser jp-InputCollapser jp-Cell-inputCollapser">
+</div>
+<div class="jp-InputArea jp-Cell-inputArea"><div class="jp-InputPrompt jp-InputArea-prompt">
+</div><div class="jp-RenderedHTMLCommon jp-RenderedMarkdown jp-MarkdownOutput" data-mime-type="text/markdown">
+<h2 id="Use-Case-L1:-Import-ACE-Common-Lexicon">Use Case L1: Import ACE Common Lexicon<a class="anchor-link" href="#Use-Case-L1:-Import-ACE-Common-Lexicon">¶</a></h2><ul>
 <li><strong>Objective</strong>: Seed lexicon table with ACE common lexicon entries</li>
 <li><strong>Actors</strong>: Database Administrator</li>
 <li><strong>Input</strong>: Clex lexicon file</li>

diff --git a/ling508/demos/demo_clex_importer_notes.pdf b/ling508/demos/demo_clex_importer_notes.pdf