The Unified Cyber Ontology is a crosscutting and unified ontology approach to capturing the foundational objects, relationships, and rules across the cybersecurity domain. UCO works in close collaboration with adopting communities with expertise in specific cyber subdomain areas, where those communities extend UCO with ontologies containing objects, relationships, and rules that are specific to that cyber subdomain area. The UCO Community and subdomain communities align ontology development priorities and adoption technology engineering efforts. From time-to-time, the UCO Community adds new subdomain communities to join the effort. Subdomain communities can save a lot of engineering time by inheriting the common cyber domain objects, relationships, and rules applicable across the cyber domain. Existing subdomains include:

• digital investigation
• cyber risk management
• cyber threat intelligence
• supply chain security

UCO’s cyber investigation use case is managed by the CASE Opensource Community

CASE Opensource Community

Cyber-investigation Analysis Standard Expression (CASE) is a community-developed evolving standard that provides a structured (ontology-based) specification for representing information commonly analyzed and exchanged by people and systems during investigations involving digital evidence. The power of CASE is that it provides a common language to support automated normalization, combination and validation of varied information sources to facilitate analysis and exploration of investigative questions (who, when, how long, where). In addition to representing tool results, CASE ensures that analysis results can be traced back to their source(s), keeping track of when, where and who used which tools to perform investigative actions on data sources. The CASE Community has eighty-five members representing fifty different organizations. Digital Investigation Tools that have adopted CASE and UCO.

• Autopsy® - the premier end-to-end opensource digital forensics platform. Built by Basis Technology with the core features you expect in commercial forensic tools, Autopsy is a fast, thorough, and efficient hard drive investigation solution that evolves with your needs.
• DC3 SQLite Dissect - DC3 SQLite Dissect is a configurable SQLite parser with data recovery abilities over SQLite databases and their accompanying journal and WAL files.
• Network Miner (free version) - NetworkMiner is an opensource Network Forensic Analysis Tool (NFAT) for Windows (but also works in Linux / Mac OS X / FreeBSD). NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files. NetworkMiner makes it easy to perform advanced Network Traffic Analysis (NTA) by providing extracted artifacts in an intuitive user interface. The way data is presented not only makes the analysis simpler, it also saves valuable time for the analyst or forensic investigator. NetworkMiner has, since the first release in 2007, become a popular tool among incident response teams as well as law enforcement. NetworkMiner is today used by companies and organizations all over the world.

Cyber Risk Management Community

The UCO Community has efforts underway to address the subdomain of cyber risk management. The UCO Community is planning to spin out cyber risk management contributors into its own subdomain community in the future.

Cyber Threat Intelligence Community

The UCO Community has efforts underway to address the subdomain of cyber threat intelligence (CTI) with formal ontological specifications to provide a solid and flexible underpinning to various existing CTI resources and serializations. The UCO Community is planning to spin out cyber threat intelligence contributors into its own subdomain community in the future.

Supply Chain Security Community

The UCO Community has efforts underway to address the subdomain of supply chain security. The UCO Community is planning to spin out cyber risk management contributors into its own subdomain community in the future.