RE: [cti-cybox] A new Forum Object

[Terry MacDonald <terry.macdonald@cosive.com>]

My problem with putting this under message is that a forum post doesn't go anywhere. It's a post on a forum. It is accessed at a certain time, and at that point it's a message, by that should be captured in a network connection object somehow.

Cheers
Terry MacDonald
Cosive

On 17/06/2016 5:03 AM, "Jason Keirstead" <Jason.Keirstead@ca.ibm.com> wrote:

Or maybe *I* am not up to date :)

But I will say, if people think at any time in the future we will want all these types of messages (like forum post), it doesn't make sense to make an EmailMessage object... once you make a object it is going to be really hard to get rid of.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


"Piazza, Rich" ---06/16/2016 03:40:05 PM---That's described in the "playground" - I was under the impression that we weren't going with the Mes

From: "Piazza, Rich" <rpiazza@mitre.org>
To: Jason Keirstead/CanEast/IBM@IBMCA
Cc: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>, "Terry MacDonald" <terry.macdonald@cosive.com>
Date: 06/16/2016 03:40 PM
Subject: RE: [cti-cybox] A new Forum Object

---

That’s described in the “playground” – I was under the impression that we weren’t going with the Message abstraction object (see Ivan’s comment), but maybe I’m not up to date with the current thinking…

From: Jason Keirstead [mailto:Jason.Keirstead@ca.ibm.com]
Sent: Thursday, June 16, 2016 2:34 PM
To: Piazza, Rich <rpiazza@mitre.org>
Cc: cti-cybox@lists.oasis-open.org; Terry MacDonald <terry.macdonald@cosive.com>
Subject: RE: [cti-cybox] A new Forum Object


Email is also an extension to the Message object though.

There is currently a Message object with extensions for SMS, Email, Skype, and Attachment in the Playground:

https://docs.google.com/document/d/1P6k0uqbAYDRpYG5jjgYAKBDEc_iSG0-SGFaXgaPkqyg/edit

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


"Piazza, Rich" ---06/16/2016 03:07:33 PM---Did you mean the Email Message object? From: cti-cybox@lists.oasis-open.org [mailto:cti-cybox@lists.

From: "Piazza, Rich" <rpiazza@mitre.org>
To: Jason Keirstead/CanEast/IBM@IBMCA, Terry MacDonald <terry.macdonald@cosive.com>
Cc: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Date: 06/16/2016 03:07 PM
Subject: RE: [cti-cybox] A new Forum Object


---





Did you mean the Email Message object?
From: cti-cybox@lists.oasis-open.org [mailto:cti-cybox@lists.oasis-open.org] On Behalf Of Jason Keirstead
Sent: Thursday, June 16, 2016 9:36 AM
To: Terry MacDonald <terry.macdonald@cosive.com>
Cc: cti-cybox@lists.oasis-open.org
Subject: Re: [cti-cybox] A new Forum Object

This seems to me like it should be an extension to the Message object, not its own object.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


Terry MacDonald ---06/16/2016 10:33:15 AM---Hi All, For the 3rd time someone recently asked me if there was a way of encoding

From: Terry MacDonald <terry.macdonald@cosive.com>
To: cti-cybox@lists.oasis-open.org
Date: 06/16/2016 10:33 AM
Subject: [cti-cybox] A new Forum Object
Sent by: <cti-cybox@lists.oasis-open.org>


---






Hi All,

For the 3rd time someone recently asked me if there was a way of encoding web forum posts within CybOX. My reply...well not really. That answer bothered me greatly, so with the help of AJ from EclecticIQ I put together a Forum Object.

The Forum Object is designed to record web forum and newsgroup posts, and is aimed primarily at helping people record what is being discussed on underground forums.

I really think it is needed for CybOX 3.0 MVP personally, and a couple of friends at very large organizations have also confirmed they would find this very useful. In fact one was surprised that it wasn't there already.
1.1 Forum Object

Type Name: forum-object

Status: Draft MVP: Yes


The Forum Object represents a single Forum post. It is used to capture posts on newsgroups and web forums, primarily to enable the sharing of conversations held between threat actors on underground forums.
Properties

CybOX Object Properties
id, type
Property Name	Type	Description
type (inherited from cybox-object)	string	Indicates that this object is a CybOX Forum Object. The value of this field MUST be forum-object.
url (optional)	string	Specifies the url of the forum.
forum-name(required)	string	Specifies the name of the forum.
room-name(optional)	string	Specifies the room-name within the forum.
thread-title	string	Specifies the thread-title within the forum.
post-creator	string	Specifies the identity of the forum post creator.
post-details	string	Specifies the full details of the forum post.

Examples
Underground forum post


{
"type": "forum-object",
"id": "forum-object--1",
"url": "https://www.cardz4cheap.org/cardsforsale/5332113",
"forum-name": "Cardz4cheap",
"room-name": "Cards for sale",
"thread-title": "Happy Burger Cards",
"post-creator": "DeliteD",
"post-details": "Hey Dudes, I got 1500 cards for sale real cheap."
}



Cheers

Terry MacDonald | Chief Product Officer



M: +61-407-203-026
E: terry.macdonald@cosive.com
W: www.cosive.com