I don't see this as a valid comparison. The properties we are looking to capture on Network Connection have next to zero intersection with the properties below. Also a network flow has two "message bodies" at the same time. FInally, the senders and recipients of "messages" are actors, where as the senders and recipients of network connections are physical devices.
I doubt one would want to combine the Asset object and the Threat Actor object into one common base, which is what you would have to do if you wanted to use the Message object to communicate a network connection.
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown 
Terry MacDonald ---06/20/2016 07:18:55 PM---Eric/Jason, How would the Message Object be different to Network Connection Object
From: Terry MacDonald <terry.macdonald@cosive.com>
To: "Katz, Gary CTR DC3/DCCI" <Gary.Katz.ctr@dc3.mil>
Cc: Jerome Athias <athiasjerome@gmail.com>, Jason Keirstead/CanEast/IBM@IBMCA, Patrick Maroney <Pmaroney@specere.org>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>, Rich Piazza <rpiazza@mitre.org>
Date: 06/20/2016 07:18 PM
Subject: [cti-cybox] Re: [Non-DoD Source] Re: [cti-cybox] A new Forum Object
Sent by: <cti-cybox@lists.oasis-open.org>
Eric/Jason,
How would the Message Object be different to Network Connection Object then? Both are describing a connection between two endpoints containing data.
Cheers
Terry MacDonald | Chief Product Officer
M: +61-407-203-026
E: terry.macdonald@cosive.com
W: www.cosive.com
On Tue, Jun 21, 2016 at 5:12 AM, Katz, Gary CTR DC3/DCCI <Gary.Katz.ctr@dc3.mil> wrote:
- Hey guys,
Based on some of our past work in similar areas, suggest the following information be captured:
- body
- timestamp
- timestamp description (message sent, received, created, viewed, etc.)
- viewed (whether or not the user saw the message)
- thread_id (unique identifier that defines what conversation thread the
message comes from)
- sender, recipients, and participants (sometimes you can't determine who the
sender was but you know which people were involved in the conversation)
- attachments
- thumbnails (which we treat as an attachment of the attachment.)
- file path
- name (the name the application gives the attachment, sometimes different then
the filename found in the filepath)
-----Original Message-----
From: cti-cybox@lists.oasis-open.org [mailto:cti-cybox@lists.oasis-open.org] On Behalf Of Jerome Athias
Sent: Monday, June 20, 2016 8:21 AM
To: Jason Keirstead
Cc: Patrick Maroney; cti-cybox@lists.oasis-open.org; Rich Piazza; Terry MacDonald
Subject: [Non-DoD Source] Re: [cti-cybox] A new Forum Object
Yeah, I think we agreed on exploring this approach, some time ago (Ref. SMS Message Object http://making-security-measurable.1364806.n2.nabble.com/CybOX-2-1-Proposals-Round-2-td7581861.html )
2016-06-20 14:30 GMT+03:00 Jason Keirstead <Jason.Keirstead@ca.ibm.com>:
My point is, none of this is arguments for or against a dedicated forum object. All of these things can be applied to email, SMS, and any other message type. I can craft a highly targeted SMS campaign just as easily as a highly targeted email campaign.
I do not see why email or forum are unique enough to have their own objects. They should be extensions of a common "message" object which contains the 75%+ of common attributes that all messages share.
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
Inactive hide details for Patrick Maroney ---06/17/2016 04:55:52 PM---Re: “- There have been a heck of a lot of drive-by downlPatrick Maroney ---06/17/2016 04:55:52 PM---Re: “- There have been a heck of a lot of drive-by downloads distributed via forum posts. Forum post
From: Patrick Maroney <Pmaroney@Specere.org>
To: Jason Keirstead/CanEast/IBM@IBMCA
Cc: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>, "Rich Piazza" <rpiazza@mitre.org>, Terry MacDonald <terry.macdonald@cosive.com>
Date: 06/17/2016 04:55 PM
Subject: Re: [cti-cybox] A new Forum Object
________________________________
Re: “- There have been a heck of a lot of drive-by downloads distributed via forum posts. Forum posts distribute malware just as much as email.”
Agreed, Malicious content is delivered by numerous channels/methods including Forums. Watering-hole and Drive-By attacks can be ***very*** targeted. Not sure what you point is?
Re: “- The incredible majority of malware delivered via email is not specifically targeted.”
Again not sure of your point. While some nuisance-ware & run-of-the-mill-malware is not specifically targeted, what does that have to do with VERY specifically targeted attacks against organizations and entire sectors?
Patrick Maroney
Office: (856)983-0001
Cell: (609)841-5104
President
Integrated Networking Technologies, Inc.
PO Box 569
Marlton, NJ 08053
From: Jason Keirstead <jason.keirstead@ca.ibm.com>
Date: Friday, June 17, 2016 at 2:48 PM
To: Patrick Maroney <Pmaroney@Specere.org>
Cc: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>, Jason Keirstead <jason.keirstead@ca.ibm.com>, Richard Piazza <rpiazza@mitre.org>, Terry MacDonald <terry.macdonald@cosive.com>
Subject: RE: [cti-cybox] A new Forum Object
I dunno about that...
- There have been a heck of a lot of drive-by downloads distributed via forum posts. Forum posts distribute malware just as much as email.
- The incredible majority of malware delivered via email is not specifically targeted.
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
nactive hide details for Patrick Maroney ---06/17/2016 02:59:28 PM---My .Patrick Maroney ---06/17/2016 02:59:28 PM---My .02: There are very distinct differences between an email message and a forum post. Starting wit
From: Patrick Maroney <Pmaroney@Specere.org>
To: Terry MacDonald <terry.macdonald@cosive.com>, Jason Keirstead/CanEast/IBM@IBMCA
Cc: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>, "Rich Piazza" <rpiazza@mitre.org>
Date: 06/17/2016 02:59 PM
Subject: RE: [cti-cybox] A new Forum Object
________________________________
My .02:
There are very distinct differences between an email message and a forum post. Starting with the header meta-data and intent. For example, as an attacker I send a malicious weaponized email to 1200 very specific targets. These individual emails, targets, along with all of the other email meta-data are completely different from a forum post. Of course a forum post may be created and/or further disemminated by an email message, but these all represent distinct objects, acts, and ponts in time.
Patrick Maroney
President
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org <mailto:pmaroney@specere.org>
On Fri, Jun 17, 2016 at 9:57 AM -0400, "Jason Keirstead" <Jason.Keirstead@ca.ibm.com <mailto:Jason.Keirstead@ca.ibm.com> > wrote:
Maybe I am "old school" from the days of NNTP boards and what-not - but the difference between an email message and a newsgroup AKA Forum post is actually very small to me.
There's a reason it is so easy to create a forum from a mailing list and vice-versa (like Nabble).... its really more a protocol difference than a difference in the message contents. Both are messages that come from an entity that are addressed to one or more other entities, which have headers and which may or may not have other attachments to the message. The fact that one is delivered via SMTP and the other via NNTP or the Web is a protocol nuance, not a property of the message, IMO.
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
nactive hide details for Terry MacDonald ---06/16/2016 06:43:06 PM---My pTerry MacDonald ---06/16/2016 06:43:06 PM---My problem with putting this under message is that a forum post doesn't go anywhere. It's a post on
From: Terry MacDonald <terry.macdonald@cosive.com>
To: Jason Keirstead/CanEast/IBM@IBMCA
Cc: Rich Piazza <rpiazza@mitre.org>, cti-cybox@lists.oasis-open.org
Date: 06/16/2016 06:43 PM
Subject: RE: [cti-cybox] A new Forum Object
________________________________
My problem with putting this under message is that a forum post doesn't go anywhere. It's a post on a forum. It is accessed at a certain time, and at that point it's a message, by that should be captured in a network connection object somehow.
Cheers
Terry MacDonald
Cosive
On 17/06/2016 5:03 AM, "Jason Keirstead" <Jason.Keirstead@ca.ibm.com <mailto:Jason.Keirstead@ca.ibm.com> > wrote:
Or maybe *I* am not up to date :)
But I will say, if people think at any time in the future we will want all these types of messages (like forum post), it doesn't make sense to make an EmailMessage object... once you make a object it is going to be really hard to get rid of.
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security <http://www.ibm.com/security> | www.securityintelligence.com <http://www.securityintelligence.com/>
Without data, all you are is just another person with an opinion - Unknown
nactive hide details for "Piazza, Rich" ---06/16/2016 03:40:05 PM---That'"Piazza, Rich" ---06/16/2016 03:40:05 PM---That's described in the "playground" - I was under the impression that we weren't going with the Mes
From: "Piazza, Rich" <rpiazza@mitre.org <mailto:rpiazza@mitre.org> >
To: Jason Keirstead/CanEast/IBM@IBMCA
Cc: "cti-cybox@lists.oasis-open.org <mailto:cti-cybox@lists.oasis-open.org> " <cti-cybox@lists.oasis-open.org <mailto:cti-cybox@lists.oasis-open.org> >, "Terry MacDonald" <terry.macdonald@cosive.com <mailto:terry.macdonald@cosive.com> >
Date: 06/16/2016 03:40 PM
Subject: RE: [cti-cybox] A new Forum Object
________________________________
That’s described in the “playground” – I was under the impression that we weren’t going with the Message abstraction object (see Ivan’s comment), but maybe I’m not up to date with the current thinking…
From: Jason Keirstead [mailto:Jason.Keirstead@ca.ibm.com <mailto:Jason.Keirstead@ca.ibm.com> ]
Sent: Thursday, June 16, 2016 2:34 PM
To: Piazza, Rich <rpiazza@mitre.org <mailto:rpiazza@mitre.org> >
Cc: cti-cybox@lists.oasis-open.org <mailto:cti-cybox@lists.oasis-open.org> ; Terry MacDonald <terry.macdonald@cosive.com <mailto:terry.macdonald@cosive.com> >
Subject: RE: [cti-cybox] A new Forum Object
Email is also an extension to the Message object though.
There is currently a Message object with extensions for SMS, Email, Skype, and Attachment in the Playground:
https://docs.google.com/document/d/1P6k0uqbAYDRpYG5jjgYAKBDEc_iSG0-SGFaXgaPkqyg/edit <https://docs.google.com/document/d/1P6k0uqbAYDRpYG5jjgYAKBDEc_iSG0-SGFaXgaPkqyg/edit>
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security <http://www.ibm.com/security> | www.securityintelligence.com <http://www.securityintelligence.com/>
Without data, all you are is just another person with an opinion - Unknown
nactive hide details for "Piazza, Rich" ---06/16/2016 03:07:33 PM---Did y"Piazza, Rich" ---06/16/2016 03:07:33 PM---Did you mean the Email Message object? From: cti-cybox@lists.oasis-open.org <mailto:cti-cybox@lists.oasis-open.org> [mailto:cti-cybox@lists <mailto:cti-cybox@lists> .
From: "Piazza, Rich" <rpiazza@mitre.org <mailto:rpiazza@mitre.org> >
To: Jason Keirstead/CanEast/IBM@IBMCA, Terry MacDonald <terry.macdonald@cosive.com <mailto:terry.macdonald@cosive.com> >
Cc: "cti-cybox@lists.oasis-open.org <mailto:cti-cybox@lists.oasis-open.org> " <cti-cybox@lists.oasis-open.org <mailto:cti-cybox@lists.oasis-open.org> >
Date: 06/16/2016 03:07 PM
Subject: RE: [cti-cybox] A new Forum Object
________________________________
Did you mean the Email Message object?
From: cti-cybox@lists.oasis-open.org <mailto:cti-cybox@lists.oasis-open.org> [mailto:cti-cybox@lists.oasis-open.org <mailto:cti-cybox@lists.oasis-open.org> ] On Behalf Of Jason Keirstead
Sent: Thursday, June 16, 2016 9:36 AM
To: Terry MacDonald <terry.macdonald@cosive.com <mailto:terry.macdonald@cosive.com> >
Cc: cti-cybox@lists.oasis-open.org <mailto:cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] A new Forum Object
This seems to me like it should be an extension to the Message object, not its own object.
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security <http://www.ibm.com/security> | www.securityintelligence.com <http://www.securityintelligence.com/>
Without data, all you are is just another person with an opinion - Unknown
nactive hide details for Terry MacDonald ---06/16/2016 10:33:15 AM---Hi ATerry MacDonald ---06/16/2016 10:33:15 AM---Hi All, For the 3rd time someone recently asked me if there was a way of encoding
From: Terry MacDonald <terry.macdonald@cosive.com <mailto:terry.macdonald@cosive.com> >
To: cti-cybox@lists.oasis-open.org <mailto:cti-cybox@lists.oasis-open.org>
Date: 06/16/2016 10:33 AM
Subject: [cti-cybox] A new Forum Object
Sent by: <cti-cybox@lists.oasis-open.org <mailto:cti-cybox@lists.oasis-open.org> >
________________________________
Hi All,
For the 3rd time someone recently asked me if there was a way of encoding web forum posts within CybOX. My reply...well not really. That answer bothered me greatly, so with the help of AJ from EclecticIQ I put together a Forum Object.
The Forum Object is designed to record web forum and newsgroup posts, and is aimed primarily at helping people record what is being discussed on underground forums.
I really think it is needed for CybOX 3.0 MVP personally, and a couple of friends at very large organizations have also confirmed they would find this very useful. In fact one was surprised that it wasn't there already.
1.1 Forum Object
Type Name: forum-object
Status: Draft
MVP: Yes
The Forum Object represents a single Forum post. It is used to capture posts on newsgroups and web forums, primarily to enable the sharing of conversations held between threat actors on underground forums.
Properties
CybOX Object Properties
id, type
Property Name Type Description
type (inherited from cybox-object) string Indicates that this object is a CybOX Forum Object. The value of this field MUST be forum-object.
url (optional) string Specifies the url of the forum.
forum-name(required) string Specifies the name of the forum.
room-name(optional) string Specifies the room-name within the forum.
thread-title string Specifies the thread-title within the forum.
post-creator string Specifies the identity of the forum post creator.
post-details string Specifies the full details of the forum post.
Examples
Underground forum post
{
"type": "forum-object",
"id": "forum-object--1",
"url": "https://www.cardz4cheap.org/cardsforsale/5332113 <https://www.cardz4cheap.org/cardsforsale/5332113> ",
"forum-name": "Cardz4cheap",
"room-name": "Cards for sale",
"thread-title": "Happy Burger Cards",
"post-creator": "DeliteD",
"post-details": "Hey Dudes, I got 1500 cards for sale real cheap."
}
Cheers
Terry MacDonald | Chief Product Officer
M: +61-407-203-026 <tel:+61-407-203-026>
E: terry.macdonald@cosive.com <mailto:terry.macdonald@cosive.com>
W: www.cosive.com <https://www.cosive.com/>