
Subject: Re: [cti-cybox] A new Forum Object


Not to be dense here, but it sounds like bad things can be transported in messages. Most messages have some sort of sender ID and message ID. Most modern messaging systems have some concept of thread, in-response-to, etc.

I would offer we are all talking about the same thing: there is this message thing, and that thing can be transported as an email, SMS, forum post, MMS, instant message, etc. These message things share 85+% of the same characteristics. In fact, for many of these message things, the only difference is the transport mechanism. Besides IP vs. SS7 and message length, what is the difference between an SMS and an MMS? Besides the handshake, what is the difference between Jabber and 4G RCS?

So, rather than have a flavor-of-the-month TLO, why not have a message object TLO that has a tag that says whether it is an email, SMS, MMS, forum post (NNTP, IRC, whatever), instant message (XMPP, AIM, SIP, whatever), Facebook messenger, Slack, whatever?

On Jun 20, 2016, at 9:48 AM, Patrick Maroney <Pmaroney@Specere.org> wrote:

My point was that I agree with Terry that a Forum/Message Board Post is completely different from a directed message. The full content (or an abridged portion thereof) of a Forum/Message Board Post may be, and often is, also delivered via Email Messages (in a single message or in a periodic digest message), which can and should be represented as distinct events/objects. They do include a Subject, Email Address of the "poster", and Message Body (again full or abridged). However, key unique characteristics of a Forum/Message Board Post are a Forum User ID/Handle, URI, Thread ID, Message ID, and Category.

Other than my [+1] to Terry, we can just agree to disagree and move on.

Patrick Maroney
President
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org




On Mon, Jun 20, 2016 at 8:20 AM -0400, "Jerome Athias" <athiasjerome@gmail.com> wrote:

Yeah, I think we agreed on exploring this approach, some time ago (Ref. SMS Message Object http://making-security-measurable.1364806.n2.nabble.com/CybOX-2-1-Proposals-Round-2-td7581861.html )

2016-06-20 14:30 GMT+03:00 Jason Keirstead <Jason.Keirstead@ca.ibm.com>:

My point is, none of this is arguments for or against a dedicated forum object. All of these things can be applied to email, SMS, and any other message type. I can craft a highly targeted SMS campaign just as easily as a highly targeted email campaign.

I do not see why email or forum are unique enough to have their own objects. They should be extensions of a common "message" object which contains the 75%+ of common attributes that all messages share.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: Patrick Maroney <Pmaroney@Specere.org>
To: Jason Keirstead/CanEast/IBM@IBMCA
Cc: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>, "Rich Piazza" <rpiazza@mitre.org>, Terry MacDonald <terry.macdonald@cosive.com>
Date: 06/17/2016 04:55 PM
Subject: Re: [cti-cybox] A new Forum Object





Re: “- There have been a heck of a lot of drive-by downloads distributed via forum posts. Forum posts distribute malware just as much as email.”

Agreed, malicious content is delivered by numerous channels/methods including Forums. Watering-hole and Drive-By attacks can be ***very*** targeted. Not sure what your point is?


Re: “- The incredible majority of malware delivered via email is not specifically targeted.”

Again not sure of your point. While some nuisance-ware & run-of-the-mill-malware is not specifically targeted, what does that have to do with VERY specifically targeted attacks against organizations and entire sectors?

Patrick Maroney
Office: (856)983-0001
Cell: (609)841-5104


President
Integrated Networking Technologies, Inc.
PO Box 569
Marlton, NJ 08053

From: Jason Keirstead <jason.keirstead@ca.ibm.com>
Date: Friday, June 17, 2016 at 2:48 PM
To: Patrick Maroney <Pmaroney@Specere.org>
Cc: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>, Jason Keirstead <jason.keirstead@ca.ibm.com>, Richard Piazza <rpiazza@mitre.org>, Terry MacDonald <terry.macdonald@cosive.com>
Subject: RE: [cti-cybox] A new Forum Object

I dunno about that...

- There have been a heck of a lot of drive-by downloads distributed via forum posts. Forum posts distribute malware just as much as email.

- The incredible majority of malware delivered via email is not specifically targeted.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: Patrick Maroney <Pmaroney@Specere.org>
To: Terry MacDonald <terry.macdonald@cosive.com>, Jason Keirstead/CanEast/IBM@IBMCA
Cc: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>, "Rich Piazza" <rpiazza@mitre.org>
Date: 06/17/2016 02:59 PM
Subject: RE: [cti-cybox] A new Forum Object






My .02:


There are very distinct differences between an email message and a forum post, starting with the header meta-data and intent. For example, as an attacker I send a malicious weaponized email to 1200 very specific targets. These individual emails, targets, along with all of the other email meta-data are completely different from a forum post. Of course a forum post may be created and/or further disseminated by an email message, but these all represent distinct objects, acts, and points in time.


Patrick Maroney
President
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org




On Fri, Jun 17, 2016 at 9:57 AM -0400, "Jason Keirstead" <Jason.Keirstead@ca.ibm.com> wrote:

Maybe I am "old school" from the days of NNTP boards and what-not - but the difference between an email message and a newsgroup AKA Forum post is actually very small to me.

There's a reason it is so easy to create a forum from a mailing list and vice-versa (like Nabble)... it's really more a protocol difference than a difference in the message contents. Both are messages that come from an entity and are addressed to one or more other entities, which have headers and which may or may not have other attachments to the message. The fact that one is delivered via SMTP and the other via NNTP or the Web is a protocol nuance, not a property of the message, IMO.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: Terry MacDonald <terry.macdonald@cosive.com>
To: Jason Keirstead/CanEast/IBM@IBMCA
Cc: Rich Piazza <rpiazza@mitre.org>, cti-cybox@lists.oasis-open.org
Date: 06/16/2016 06:43 PM
Subject: RE: [cti-cybox] A new Forum Object






My problem with putting this under message is that a forum post doesn't go anywhere. It's a post on a forum. It is accessed at a certain time, and at that point it's a message, but that should be captured in a network connection object somehow.

Cheers
Terry MacDonald
Cosive

On 17/06/2016 5:03 AM, "Jason Keirstead" <Jason.Keirstead@ca.ibm.com> wrote:

Or maybe *I* am not up to date :)

But I will say, if people think at any time in the future we will want all these types of messages (like forum post), it doesn't make sense to make an EmailMessage object... once you make an object it is going to be really hard to get rid of.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: "Piazza, Rich" <rpiazza@mitre.org>
To: Jason Keirstead/CanEast/IBM@IBMCA
Cc: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>, "Terry MacDonald" <terry.macdonald@cosive.com>
Date: 06/16/2016 03:40 PM
Subject: RE: [cti-cybox] A new Forum Object





That's described in the "playground" - I was under the impression that we weren't going with the Message abstraction object (see Ivan's comment), but maybe I'm not up to date with the current thinking...

From: Jason Keirstead [mailto:Jason.Keirstead@ca.ibm.com]
Sent: Thursday, June 16, 2016 2:34 PM
To: Piazza, Rich <rpiazza@mitre.org>
Cc: cti-cybox@lists.oasis-open.org; Terry MacDonald <terry.macdonald@cosive.com>
Subject: RE: [cti-cybox] A new Forum Object

Email is also an extension to the Message object though.

There is currently a Message object with extensions for SMS, Email, Skype, and Attachment in the Playground:

https://docs.google.com/document/d/1P6k0uqbAYDRpYG5jjgYAKBDEc_iSG0-SGFaXgaPkqyg/edit

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown




From: "Piazza, Rich" <rpiazza@mitre.org>
To: Jason Keirstead/CanEast/IBM@IBMCA, Terry MacDonald <terry.macdonald@cosive.com>
Cc: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Date: 06/16/2016 03:07 PM
Subject: RE: [cti-cybox] A new Forum Object







Did you mean the Email Message object?

From: cti-cybox@lists.oasis-open.org [mailto:cti-cybox@lists.oasis-open.org] On Behalf Of Jason Keirstead
Sent: Thursday, June 16, 2016 9:36 AM
To: Terry MacDonald <terry.macdonald@cosive.com>
Cc: cti-cybox@lists.oasis-open.org
Subject: Re: [cti-cybox] A new Forum Object

This seems to me like it should be an extension to the Message object, not its own object.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown




From: Terry MacDonald <terry.macdonald@cosive.com>
To: cti-cybox@lists.oasis-open.org
Date: 06/16/2016 10:33 AM
Subject: [cti-cybox] A new Forum Object
Sent by: <cti-cybox@lists.oasis-open.org>








Hi All,

For the 3rd time someone recently asked me if there was a way of encoding web forum posts within CybOX. My reply... well, not really. That answer bothered me greatly, so with the help of AJ from EclecticIQ I put together a Forum Object.

The Forum Object is designed to record web forum and newsgroup posts, and is aimed primarily at helping people record what is being discussed on underground forums.

I really think it is needed for CybOX 3.0 MVP personally, and a couple of friends at very large organizations have also confirmed they would find this very useful. In fact one was surprised that it wasn't there already.

1.1 Forum Object

Type Name: forum-object
Status: Draft
MVP: Yes

The Forum Object represents a single Forum post. It is used to capture posts on newsgroups and web forums, primarily to enable the sharing of conversations held between threat actors on underground forums.

Properties

CybOX Object Properties: id, type

Property Name | Type | Description
type (inherited from cybox-object) | string | Indicates that this object is a CybOX Forum Object. The value of this field MUST be forum-object.
url (optional) | string | Specifies the url of the forum.
forum-name (required) | string | Specifies the name of the forum.
room-name (optional) | string | Specifies the room-name within the forum.
thread-title | string | Specifies the thread-title within the forum.
post-creator | string | Specifies the identity of the forum post creator.
post-details | string | Specifies the full details of the forum post.
Examples

Underground forum post

{
  "type": "forum-object",
  "id": "forum-object--1",
  "url": "https://www.cardz4cheap.org/cardsforsale/5332113",
  "forum-name": "Cardz4cheap",
  "room-name": "Cards for sale",
  "thread-title": "Happy Burger Cards",
  "post-creator": "DeliteD",
  "post-details": "Hey Dudes, I got 1500 cards for sale real cheap."
}



Cheers

Terry MacDonald | Chief Product Officer

M: +61-407-203-026
E: terry.macdonald@cosive.com
W: www.cosive.com
Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail
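As an added example that is not part of this thread and not CybOX project code, the following Python validator checks a JSON document against the draft forum-object property table from Terry's original proposal. The id-prefix check, the http(s)-URL shape check, the rejection of unknown properties, and treating the unmarked properties (thread-title, post-creator, post-details) as optional are this example's own assumptions, not something the proposal states.

```python
"""Validator for the draft CybOX 'forum-object' proposed in this thread."""
import json
from urllib.parse import urlparse

# Property table from the proposal, name -> required?  Properties marked
# "(required)"/"(optional)" in the post are coded as such; thread-title,
# post-creator and post-details carry no marker and are treated as optional
# here (assumption).
FORUM_OBJECT_PROPERTIES = {
    "type": True,          # inherited from cybox-object, MUST be "forum-object"
    "id": True,            # inherited from cybox-object
    "url": False,
    "forum-name": True,
    "room-name": False,
    "thread-title": False,
    "post-creator": False,
    "post-details": False,
}


def validate_forum_object(obj):
    """Return a list of problems; an empty list means the object conforms."""
    errors = []
    if not isinstance(obj, dict):
        return ["object must be a JSON object"]
    for name, required in FORUM_OBJECT_PROPERTIES.items():
        if name not in obj:
            if required:
                errors.append(f"missing required property '{name}'")
            continue
        if not isinstance(obj[name], str):
            errors.append(f"property '{name}' must be a string")
    for name in obj:
        if name not in FORUM_OBJECT_PROPERTIES:
            errors.append(f"unknown property '{name}'")  # assumption: draft allows no extras
    if obj.get("type") not in (None, "forum-object"):
        errors.append("property 'type' MUST be 'forum-object'")
    obj_id = obj.get("id")
    if isinstance(obj_id, str) and not obj_id.startswith("forum-object--"):
        errors.append("property 'id' should use the 'forum-object--' prefix")  # assumption from the example
    url = obj.get("url")
    if isinstance(url, str):
        parts = urlparse(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            errors.append("property 'url' is not an absolute http(s) URL")  # assumption
    return errors


def parse_forum_object(text):
    """Parse JSON text and validate it; returns (object_or_None, errors)."""
    try:
        obj = json.loads(text)
    except json.JSONDecodeError as exc:
        return None, [f"invalid JSON: {exc.msg} at line {exc.lineno}"]
    return obj, validate_forum_object(obj)


# Constructed samples: the proposal's own example (url on one line) and a
# deliberately broken object (wrong type, no forum-name, relative url, non-string room-name).
GOOD_POST = """{
  "type": "forum-object", "id": "forum-object--1",
  "url": "https://www.cardz4cheap.org/cardsforsale/5332113",
  "forum-name": "Cardz4cheap", "room-name": "Cards for sale",
  "thread-title": "Happy Burger Cards", "post-creator": "DeliteD",
  "post-details": "Hey Dudes, I got 1500 cards for sale real cheap."
}"""
BAD_POST = """{"type": "forum-post", "id": "forum-object--2",
  "url": "cardz4cheap.org/thread/7", "room-name": 42, "post-details": "no forum name"}"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_POST), ("bad", BAD_POST)):
        print(label, "->", parse_forum_object(text)[1] or "OK")
```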


