Subject: Re: [cti-cybox] A new Forum Object
My point is, none of these are arguments for or against a dedicated forum object. All of these things can be applied to email, SMS, and any other message type. I can craft a highly targeted SMS campaign just as easily as a highly targeted email campaign.

Re: “- There have been a heck of a lot of drive-by downloads distributed via forum posts. Forum posts distribute malware just as much as email.”

Agreed, malicious content is delivered by numerous channels/methods including forums. Watering-hole and drive-by attacks can be ***very*** targeted. Not sure what your point is?

Re: “- The incredible majority of malware delivered via email is not specifically targeted.”

Again not sure of your point. While some nuisance-ware & run-of-the-mill-malware is not specifically targeted, what does that have to do with VERY specifically targeted attacks against organizations and entire sectors?

Patrick Maroney
Office: (856)983-0001
Cell: (609)841-5104
President
Integrated Networking Technologies, Inc.
PO Box 569
Marlton, NJ 08053

From: Jason Keirstead <jason.keirstead@ca.ibm.com>
Date: Friday, June 17, 2016 at 2:48 PM
To: Patrick Maroney <Pmaroney@Specere.org>
Cc: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>, Jason Keirstead <jason.keirstead@ca.ibm.com>, Richard Piazza <rpiazza@mitre.org>, Terry MacDonald <terry.macdonald@cosive.com>
Subject: RE: [cti-cybox] A new Forum Object

I dunno about that...

My .02: There are very distinct differences between an email message and a forum post. Starting with the header meta-data and intent. For example, as an attacker I send a malicious weaponized email to 1200 very specific targets. These individual emails, targets, along with all of the other email meta-data are completely different from a forum post. Of course a forum post may be created and/or further disseminated by an email message, but these all represent distinct objects, acts, and points in time.

Patrick Maroney
President
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org

On Fri, Jun 17, 2016 at 9:57 AM -0400, "Jason Keirstead" <Jason.Keirstead@ca.ibm.com> wrote:

Maybe I am "old school" from the days of NNTP boards and what-not - but the difference between an email message and a newsgroup AKA Forum post is actually very small to me.

My problem with putting this under message is that a forum post doesn't go anywhere. It's a post on a forum. It is accessed at a certain time, and at that point it's a message, but that should be captured in a network connection object somehow.

Cheers

On 17/06/2016 5:03 AM, "Jason Keirstead" <Jason.Keirstead@ca.ibm.com> wrote:
But I will say, if people think at any time in the future we will want all these types of messages (like forum post), it doesn't make sense to make an EmailMessage object... once you make an object it is going to be really hard to get rid of.

- Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown

"Piazza, Rich" ---06/16/2016 03:40:05 PM---That's described in the "playground" - I was under the impression that we weren't going with the Mes

From: "Piazza, Rich" <rpiazza@mitre.org>
To: Jason Keirstead/CanEast/IBM@IBMCA
Cc: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>, "Terry MacDonald" <terry.macdonald@cosive.com>
Date: 06/16/2016 03:40 PM
Subject: RE: [cti-cybox] A new Forum Object

That’s described in the “playground” – I was under the impression that we weren’t going with the Message abstraction object (see Ivan’s comment), but maybe I’m not up to date with the current thinking…
Sent: Thursday, June 16, 2016 2:34 PM
To: Piazza, Rich <rpiazza@mitre.org>
Cc: cti-cybox@lists.oasis-open.org; Terry MacDonald <terry.macdonald@cosive.com>
Subject: RE: [cti-cybox] A new Forum Object

Email is also an extension to the Message object though. Did you mean the Email Message object?
Sent: Thursday, June 16, 2016 9:36 AM
To: Terry MacDonald <terry.macdonald@cosive.com>
Cc: cti-cybox@lists.oasis-open.org
Subject: Re: [cti-cybox] A new Forum Object

This seems to me like it should be an extension to the Message object, not its own object.

Hi All,

For the 3rd time someone recently asked me if there was a way of encoding web forum posts within CybOX. My reply...well not really. That answer bothered me greatly, so with the help of AJ from EclecticIQ I put together a Forum Object.

The Forum Object is designed to record web forum and newsgroup posts, and is aimed primarily at helping people record what is being discussed on underground forums. I really think it is needed for CybOX 3.0 MVP personally, and a couple of friends at very large organizations have also confirmed they would find this very useful. In fact one was surprised that it wasn't there already.

1.1 Forum Object
The Forum Object represents a single Forum post. It is used to capture posts on newsgroups and web forums, primarily to enable the sharing of conversations held between threat actors on underground forums.

Properties
Underground forum post