Day 1

Standardized Incident Reporting for a Stronger Community

Track: Research
Time: 12:10 - 12:35

The US Cybersecurity and Infrastructure Security Agency (CISA) has developed a comprehensive, in-depth incident reporting form (IRF), along with a Structured Threat Information Expression (STIX 2.1) data mapping to support standardized incident reporting suitable for machine-to-machine processing. IRF data capture relies on STIX extensions, which we introduce after a brief overview of STIX 2.1. An example ransomware incident, which illustrates the capture of IRF data related to monetary impact (ransom demand and payment details) and malware detection capabilities, will then be mapped into STIX 2.1 to show the new properties, vocabularies, and objects.

We will be soliciting feedback on the IRF and STIX extensions to ensure they support the needs of the international cyber community, so the presentation will include guidelines for further reviewing the material and submitting suggestions. Knowledge of STIX will not be assumed.

Approved for Public Release; Distribution Unlimited. Public Release Case Number 24-2232.

Speakers in this session

Desiree Beck