Session Abstract: APL, in partnership with CISA and the OCA, developed a reference implementation of shareable objects to represent the sequence of adversary behaviors along with detections, analytics, and correlation workflows to help defenders identify and respond to these behaviors. This talk will provide an overview of the concept, access to reference implementations, and opportunities for open collaboration.

Summary: Johns Hopkins APL, CISA, and the Open Cybersecurity Alliance have developed a method for representing cyber adversary behaviors, detections, and correlation workflows, enabling network defenders to create detections of cyber threats based on adversary behavior that repeats across multiple campaigns.

Additional Information: There is a significant gap in Cyber Threat Intelligence sharing when that sharing is solely focused on Indicators of Compromise (IOCs). IOCs by their very nature have a limited time window of being actionable for network defense. While significant progress with Security Orchestration, Automation and Response (SOAR) has been achieved in taking action on IOCs while they are still viable for network defenders, there remains a clear need for sharing data that can help a community of network defenders proactively defend against advanced attacks. In this talk, I will provide an overview and reference implementation for a new application of the Structured Threat Information eXchange (STIX) standard to represent, share, and utilize detections for observed cyber adversary behavior sequences that can persist across multiple Advanced Persistent Threat campaigns. This effort has been developed in support of the Cyber Threat Information Sharing (CTIS) team within the Cybersecurity Division of the US Cybersecurity and Infrastructure Security Agency (CISA).
This work provides new insights into ways that actionable cyber threat intelligence can be shared across multiple communities at machine speed and how that intelligence can translate directly into detections and correlations that are both repeatable and have lower false positive rates than individual analytics. It also expands upon the ATT&CK framework to aid in detection engineering and threat hunting activities. The talk will provide detailed examples from a use case based on APT 37 / Reaper to showcase how the insights from that case are translated into behaviors, detections, and detection correlations within a STIX 2.1 compliant bundle that can be consumed across a cyber defense community and translated into multiple SIEM formats to be processed by SOC teams and SOC automation. Attendees will be able to take away new insights on the concept and will be provided access to several reference implementations and analysis capabilities shared through the Open Cybersecurity Alliance Indicator of Behavior Working Group. They will also be invited to participate with government, academia and industry on future development of the concept and prototypes through open forums.
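As an added illustration of the concept (constructed for this page, not the APL/OCA reference implementation), the block below builds a STIX 2.1 bundle that chains two behaviours, each tied to a detection indicator, then shows the consumer side: recovering the ordered sequence from the bundle and correlating detector output so that an alert fires only when the whole sequence appears on one host within a time window, which is why the correlation has a lower false positive rate than either analytic alone. The behaviour names, STIX patterns, sample events and the `followed-by` relationship type are assumptions made here; `indicates` is a standard STIX 2.1 relationship type.

```python
import uuid
TS = "2024-01-01T00:00:00.000Z"  # constructed timestamp reused for every object

def sdo(obj_type, **props):
    """Build a STIX 2.1 object carrying the common properties the spec requires."""
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": TS, "modified": TS, **props}

def build_bundle():
    """Two constructed behaviours, each with a detection indicator, chained in order."""
    b1 = sdo("attack-pattern", name="Office document spawns a script host")
    b2 = sdo("attack-pattern", name="Script host writes a Run-key persistence value")
    d1 = sdo("indicator", name="detect-office-spawns-script", pattern_type="stix", valid_from=TS,
             pattern="[process:name = 'wscript.exe' AND process:parent_ref.name = 'winword.exe']")
    d2 = sdo("indicator", name="detect-script-writes-run-key", pattern_type="stix", valid_from=TS,
             pattern="[windows-registry-key:key LIKE '%CurrentVersion\\\\Run%']")
    # 'indicates' is standard STIX 2.1; 'followed-by' is a custom type chosen here to express order.
    rels = [sdo("relationship", relationship_type="indicates", source_ref=d1["id"], target_ref=b1["id"]),
            sdo("relationship", relationship_type="indicates", source_ref=d2["id"], target_ref=b2["id"]),
            sdo("relationship", relationship_type="followed-by", source_ref=b1["id"], target_ref=b2["id"])]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [b1, b2, d1, d2, *rels]}

def behavior_order(bundle):
    """Consumer side: walk the 'followed-by' edges to recover the ordered detection names."""
    objs = {o["id"]: o for o in bundle["objects"]}
    rels = [o for o in bundle["objects"] if o["type"] == "relationship"]
    nxt = {r["source_ref"]: r["target_ref"] for r in rels if r["relationship_type"] == "followed-by"}
    det = {r["target_ref"]: objs[r["source_ref"]]["name"] for r in rels if r["relationship_type"] == "indicates"}
    chain = [next(b for b in nxt if b not in nxt.values())]  # the behaviour nothing precedes
    while chain[-1] in nxt:
        chain.append(nxt[chain[-1]])
    return [det[b] for b in chain]

def sequence_fires(events, order, window):
    """True only when every step in `order` fires on one host, in order, within `window` seconds."""
    state = {}  # host -> (index of the next expected step, timestamp of the first step)
    for ev in sorted(events, key=lambda e: e["ts"]):
        idx, start = state.get(ev["host"], (0, ev["ts"]))
        if ev["ts"] - start > window:  # window expired: the partial sequence is discarded
            idx, start = 0, ev["ts"]
        if ev["detection"] == order[idx]:
            if idx + 1 == len(order):
                return True
            state[ev["host"]] = (idx + 1, ev["ts"] if idx == 0 else start)
    return False

EVENTS = [  # constructed detector output: host A shows the whole chain, host B only step one
    {"host": "A", "ts": 10, "detection": "detect-office-spawns-script"},
    {"host": "B", "ts": 12, "detection": "detect-office-spawns-script"},
    {"host": "A", "ts": 40, "detection": "detect-script-writes-run-key"}]
```

Serialising the bundle with `json.dumps` gives the shareable artifact; a consumer only needs `behavior_order` and its own detector feed to run the correlation.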