
cti-cybox message



Subject: A way of describing credential dumps


Hi All,

I've now had two people ask me how they would push out credential dumps to their sharing groups over STIX/CybOX and I've not had a good answer for them. So I decided I would sit down and write one.

So, without further ado - here is my draft proposal for a Credential Dump Object. I've shown in the example how you would use it in conjunction with the Post Object (renamed Forum Object) that I proposed a few days ago. I personally think these two objects together could be quite powerful.

I've also used Ivan's direct reference method for linking Objects, and the Object extension methods described in the Draft standards doc.

1.1 Credential Dump Object

Type Name: credential-dump-object

Status: Draft

MVP: Undecided


The Credential Dump Object represents a credential dump containing username and password information that attackers have gained access to and dumped somewhere on the web in public or traded for money. It is primarily to enable the sharing of credential dump information to allow the remediation of affected users.

Properties

CybOX Object Properties

id, type


| Property Name | Type | Description |
|---|---|---|
| type (inherited from cybox-object) | string | Indicates that this object is a CybOX Credential Dump Object. The value of this field MUST be credential-dump-object. |
| credentials (required) | array of type credential | Specifies a list of credentials |


Credential Object (credential)

The Credential Object specifies a single credential to capture details for a specific login and password combination. It is used to enable the sharing of credential dumps to enable consumers to remediate those affected users or to check for password reuse within their organization.

Properties


| Property Name | Type | Description |
|---|---|---|
| username (required) | string | Specifies the username of the credential |
| password (optional) | string | Specifies the password of the credential |
| password_hash (optional) | string | Specifies the password hash of the credential. |



Examples

Underground forum post with linked credentials object


{
   "type": "post-object",
   "id": "post-object--1",
   "url": "https://www.cardz4cheap.org/cardsforsale/5332113",
   "post_creator": "DeliteD",
   "post_details": "Hey Dudes, I got 1500 credentials for sale real cheap.",
   "has_attachment_ref": ["credential-dump-object--1"],
   "extended_properties": {
       "web-forum": {
           "forum_name": "Cardz4cheap",
           "room_name": "Cards for sale",
           "thread_title": "Happy Burger Cards"
       }
   }
},
{
   "type": "credential-dump-object",
   "id": "credential-dump-object--1",
   "credentials": [
       {
           "username": "user1",
           "password": "mysimplepassword"
       },
       {
           "username": "user2",
           "password": "mysimplepassword"
       },
       {
           "username": "user3",
           "password": "mysimplepassword"
       }
   ]
}


Comments?

Cheers

Terry MacDonald | Chief Product Officer
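
An added example, not part of the original message or of any CybOX tooling: a consumer-side sketch in Python that validates a credential-dump-object against the draft property tables above, follows has_attachment_ref from a post-object, and lists which local accounts need remediation. The function names, the list wrapper around the two objects, and case-insensitive username matching are assumptions made for illustration.

```python
import json

# Constructed sample: the two objects from the example above, wrapped in a list.
SAMPLE = json.loads("""[
  {"type": "post-object", "id": "post-object--1",
   "post_creator": "DeliteD",
   "has_attachment_ref": ["credential-dump-object--1"]},
  {"type": "credential-dump-object", "id": "credential-dump-object--1",
   "credentials": [
     {"username": "user1", "password": "mysimplepassword"},
     {"username": "user2", "password": "mysimplepassword"},
     {"username": "user3", "password": "mysimplepassword"}]}
]""")

def validate_dump(obj):
    """Return violations of the draft property tables (empty list = valid)."""
    errors = []
    if obj.get("type") != "credential-dump-object":
        errors.append("type MUST be credential-dump-object")
    creds = obj.get("credentials")
    if not isinstance(creds, list):
        return errors + ["credentials is required and must be an array"]
    for i, cred in enumerate(creds):
        if not isinstance(cred, dict):
            errors.append(f"credentials[{i}]: not an object")
            continue
        if not isinstance(cred.get("username"), str):
            errors.append(f"credentials[{i}]: username is required (string)")
        for key in ("password", "password_hash"):  # optional, but must be strings
            if key in cred and not isinstance(cred[key], str):
                errors.append(f"credentials[{i}]: {key} must be a string")
    return errors

def affected_accounts(objects, local_accounts):
    """Follow has_attachment_ref from posts to valid dumps; return dumped
    usernames that match a local account (case-insensitive: an assumption)."""
    by_id = {o.get("id"): o for o in objects}
    known = {a.lower() for a in local_accounts}
    hits = set()
    for post in (o for o in objects if o.get("type") == "post-object"):
        for ref in post.get("has_attachment_ref", []):
            dump = by_id.get(ref)
            if dump is None or validate_dump(dump):
                continue  # dangling reference or malformed dump: skip it
            hits.update(c["username"] for c in dump["credentials"]
                        if c["username"].lower() in known)
    return sorted(hits)
```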







