Pushing the Limits of Cyber Threat Intelligence: Extending STIX to Support Complex Patterns

  • Martin Ussath
  • David Jaeger
  • Feng Cheng
  • Christoph Meinel
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 448)


Nowadays, attacks against single computer systems or whole infrastructures pose a significant risk. Although deployed security systems are often able to prevent and detect standard attacks in a reliable way, it is not uncommon for more sophisticated attackers to bypass these systems and stay undetected. To support the prevention and detection of attacks, the sharing of cyber threat intelligence information becomes increasingly important. Unfortunately, the currently available threat intelligence formats, such as YARA or STIX (Structured Threat Information eXpression), cannot be used to describe the complex patterns that are needed to share relevant details about more sophisticated attacks.

In this paper, we propose an extension for the standardized STIX format that allows the description of complex patterns. With this extension, it is possible to tag attributes of an object and use these attributes to describe precise relations between different objects. To evaluate the proposed STIX extension, we analyzed the API calls of the credential dumping tool Mimikatz and created a pattern based on these calls. This pattern precisely describes the API calls that Mimikatz performs to access the LSASS (Local Security Authority Subsystem Service) process, which is responsible for authentication procedures in Windows. Due to the specified relations, it is possible to detect the execution of Mimikatz in a reliable way.
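The following added example, which is not code from the paper, shows why tagging an attribute and relating it across objects matters for detection: the handle returned by one call is tagged and must reappear as the argument of a later call. The pattern notation, the field names, the trace and the choice of `OpenProcess` and `ReadProcessMemory` as the two related calls are assumptions made for illustration; the abstract does not list the calls in the paper's pattern, and this is not STIX or CybOX syntax.

```python
# Added illustration; pattern syntax, field names and trace are constructed
# assumptions, not STIX/CybOX syntax and not the paper's pattern.
PATTERN = [
    {"api": "OpenProcess", "where": {"target": "lsass.exe"},
     "tag": {"ret": "h_lsass"}},                      # tag the returned handle
    {"api": "ReadProcessMemory", "ref": {"handle": "h_lsass"}},  # must reuse it
]

TRACE = [  # constructed API-call events
    {"pid": 100, "api": "OpenProcess", "target": "lsass.exe", "ret": 0x1A4},
    {"pid": 200, "api": "OpenProcess", "target": "lsass.exe", "ret": 0x2B0},
    {"pid": 200, "api": "OpenProcess", "target": "notepad.exe", "ret": 0x2B4},
    {"pid": 100, "api": "ReadProcessMemory", "handle": 0x1A4},
    {"pid": 200, "api": "ReadProcessMemory", "handle": 0x2B4},
]

def step_matches(step, event, bound, use_relations):
    """Return updated tag bindings if event satisfies step, else None."""
    if event["api"] != step["api"]:
        return None
    if any(event.get(f) != v for f, v in step.get("where", {}).items()):
        return None
    if use_relations:
        for field, tag in step.get("ref", {}).items():
            if tag not in bound or event.get(field) != bound[tag]:
                return None
    new = dict(bound)
    for field, tag in step.get("tag", {}).items():
        new[tag] = event.get(field)
    return new

def match(pattern, events, use_relations=True):
    """Return the pids whose calls satisfy every pattern step in order."""
    hits, states = set(), {}          # states: pid -> [(next_step, bindings)]
    for e in events:
        partial = states.setdefault(e["pid"], [(0, {})])
        for idx, bound in list(partial):
            new = step_matches(pattern[idx], e, bound, use_relations)
            if new is None:
                continue
            if idx + 1 == len(pattern):
                hits.add(e["pid"])
            else:
                partial.append((idx + 1, new))
    return hits

if __name__ == "__main__":
    print("attribute-only:", sorted(match(PATTERN, TRACE, use_relations=False)))
    print("with relations:", sorted(match(PATTERN, TRACE)))
```

Process 200 opens LSASS but reads memory through a handle to a different process, so it matches only when the relation between the two calls is ignored.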


Keywords: Cyber threat intelligence; STIX; CybOX; Complex pattern; Attribute relation





Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Martin Ussath (1)
  • David Jaeger (1)
  • Feng Cheng (1)
  • Christoph Meinel (1)

  1. Hasso Plattner Institute (HPI), University of Potsdam, Potsdam, Germany
