Subject: Re: [cti-cybox] A way of describing credential dumps
Hi All,

I've now had two people ask me how they would push out credential dumps to their sharing groups over STIX/CybOX and I've not had a good answer for them. So I decided I would sit down and write one.

So, without further ado - here is my draft proposal for a Credential Dump Object. I've shown in the example how you would use it in conjunction with the Post Object (renamed Forum Object) that I proposed a few days ago. I personally think these two objects together could be quite powerful.

I've also used Ivan's direct reference method for linking Objects, and the Object extension methods described in the Draft standards doc.

1.1 Credential Dump Object
Type Name: credential-dump-object
Status: Draft
MVP: Undecided
The Credential Dump Object represents a credential dump containing username and password information that attackers have gained access to and dumped somewhere on the web in public or traded for money. It is primarily to enable the sharing of credential dump information to allow the remediation of affected users.
Properties

CybOX Object Properties: id, type

Property Name | Type | Description
type (inherited from cybox-object) | string | Indicates that this object is a CybOX Credential Dump Object. The value of this field MUST be credential-dump-object.
credentials (required) | array of type credential | Specifies a list of credentials
Credential Object (credential)

The Credential Object specifies a single credential to capture details for a specific login and password combination. It is used to enable the sharing of credential dumps to enable consumers to remediate those affected users or to check for password reuse within their organization.

Properties

Property Name | Type | Description
username (required) | string | Specifies the username of the credential
password (optional) | string | Specifies the password of the credential
password_hash (optional) | string | Specifies the password hash of the credential.
Examples

Underground forum post with linked credentials object

{
  "type": "post-object",
  "id": "post-object--1",
  "url": "https://www.cardz4cheap.org/cardsforsale/5332113",
  "post_creator": "DeliteD",
  "post_details": "Hey Dudes, I got 1500 credentials for sale real cheap.",
  "has_attachment_ref": ["credential-dump-object--1"],
  "extended_properties": {
    "web-forum": {
      "forum_name": "Cardz4cheap",
      "room_name": "Cards for sale",
      "thread_title": "Happy Burger Cards"
    }
  }
}

{
  "type": "credential-dump-object",
  "id": "credential-dump-object--1",
  "credentials": [
    {
      "username": "user1",
      "password": "mysimplepassword"
    },
    {
      "username": "user2",
      "password": "mysimplepassword"
    },
    {
      "username": "user3",
      "password": "mysimplepassword"
    }
  ]
}

Comments?

Cheers

Terry MacDonald | Chief Product Officer
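A consumer-side checker for the draft Credential Dump Object described in this message, added here as an example and not part of the proposal or any CybOX implementation. It validates the draft's rules (type value, required credentials array, required username), lists which dumped usernames exist in the consumer's own directory, and replaces plaintext passwords with SHA-256 fingerprints so reuse can be spotted without retaining the plaintext; the sample dump, the directory usernames and the placeholder hash are constructed.

```python
import hashlib
import json

# Constructed sample in the draft layout (not the original post's example): one user with a
# plaintext password, one with only a hash, and one that reuses user1's password.
SAMPLE_DUMP = json.loads("""{
  "type": "credential-dump-object",
  "id": "credential-dump-object--1",
  "credentials": [
    {"username": "user1", "password": "mysimplepassword"},
    {"username": "User2", "password_hash": "PLACEHOLDER-HASH"},
    {"username": "user3", "password": "mysimplepassword"}
  ]
}""")


def validate_credential_dump(obj):
    """Check a parsed object against the draft rules; return a list of problems (empty if OK)."""
    problems = []
    if obj.get("type") != "credential-dump-object":
        problems.append("type MUST be credential-dump-object")
    creds = obj.get("credentials")
    if not isinstance(creds, list) or not creds:
        problems.append("credentials is required and must be a non-empty array")
        return problems
    for i, cred in enumerate(creds):
        username = cred.get("username") if isinstance(cred, dict) else None
        if not isinstance(username, str) or not username:
            problems.append(f"credentials[{i}]: username is required")
        # password and password_hash are both optional in the draft, so nothing else is enforced
    return problems


def affected_accounts(dump, directory_usernames):
    """Usernames in a validated dump that also exist in the consumer's directory (case-insensitive)."""
    known = {u.lower() for u in directory_usernames}
    return sorted({c["username"] for c in dump["credentials"] if c["username"].lower() in known})


def password_fingerprints(dump):
    """Group usernames by a SHA-256 fingerprint of their plaintext password, so the consumer can
    discard the plaintext after parsing and still see which dumped accounts share one password."""
    groups = {}
    for cred in dump["credentials"]:
        if "password" in cred:
            fp = hashlib.sha256(cred["password"].encode("utf-8")).hexdigest()
            groups.setdefault(fp, []).append(cred["username"])
    return {fp: sorted(users) for fp, users in groups.items()}
```

Credentials carrying only a password_hash contribute nothing to the fingerprint map, since the draft does not say which hash algorithm the producer used.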