Subject: Re: [cti-cybox] A way of describing credential dumps


First of all, I agree that we want to convey this information.

But, I feel like I’m in a time warp.

We talked about this exact topic on a working call instigated by me to ensure we could do this. At that time, there was opposition to it but after discussion there appeared to be some consensus.

The conclusion on that call was that there were basic objects already in CyBox to support communication of PII information in existing objects with some added tweaks that Ivan and I discussed after the call. Ivan took the action to update the objects in the spec.

The attached presentation was given and folks agreed that we didn’t need the new objects being proposed but rather let’s just make sure the existing connection objects, etc. could convey the concept we needed.

I would suggest that we do *not* add another object for credential dumps. What’s next? Ipr-dump-document? My-favorite-word-doc-dump-document?

We have the framework in CyBox already, so let’s just make sure that it can capture the attributes in existing objects.

Allan

From: OASIS list <cti-cybox@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Friday, June 24, 2016 at 5:18 AM
To: Jerome Athias <athiasjerome@gmail.com>
Cc: Terry MacDonald <terry.macdonald@cosive.com>, OASIS list <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] A way of describing credential dumps


Agree, we need unification across this potential object and it should probably use the "hashes" type used in other CybOX objects like "File".


-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: Jerome Athias <athiasjerome@gmail.com>
To: Terry MacDonald <terry.macdonald@cosive.com>
Cc: cti-cybox@lists.oasis-open.org
Date: 06/24/2016 06:35 AM
Subject: Re: [cti-cybox] A way of describing credential dumps
Sent by: <cti-cybox@lists.oasis-open.org>

________________________________



I'm ok on the principle
I just would like the properties like username and password_hash to be easily -mappable- with the corresponding CybOX objects (like Account or Hash, Email address, etc.)
PS: the type of hash (eventually with the salt, if known) would be potentially also interesting to have

2016-06-24 5:33 GMT+03:00 Terry MacDonald <terry.macdonald@cosive.com>:
Hi All,

I've now had two people ask me how they would push out credential dumps to their sharing groups over STIX/CybOX and I've not had a good answer for them. So I decided I would sit down and write one.

So, without further ado - here is my draft proposal for a Credential Dump Object. I've shown in the example how you would use it in conjunction with the Post Object (renamed Forum Object) that I proposed a few days ago. I personally think these two objects together could be quite powerful.

I've also used Ivan's direct reference method for linking Objects, and the Object extension methods described in the Draft standards doc.

1.1 Credential Dump Object
Type Name: credential-dump-object

Status: Draft
MVP: Undecided


The Credential Dump Object represents a credential dump containing username and password information that attackers have gained access to and dumped somewhere on the web in public or traded for money. It is primarily to enable the sharing of credential dump information to allow the remediation of affected users.
Properties
CybOX Object Properties: id, type

Property Name | Type | Description
type (inherited from cybox-object) | string | Indicates that this object is a CybOX Credential Dump Object. The value of this field MUST be credential-dump-object.
credentials (required) | array of type credential | Specifies a list of credentials

Credential Object (credential)
The Credential Object specifies a single credential to capture details for a specific login and password combination. It is used to enable the sharing of credential dumps to enable consumers to remediate those affected users or to check for password reuse within their organization.

Properties

Property Name | Type | Description
username (required) | string | Specifies the username of the credential
password (optional) | string | Specifies the password of the credential
password_hash (optional) | string | Specifies the password hash of the credential.



Examples
Underground forum post with linked credentials object

{
   "type": "post-object",
   "id": "post-object--1",
   "url": "https://www.cardz4cheap.org/cardsforsale/5332113",
   "post_creator": "DeliteD",
   "post_details": "Hey Dudes, I got 1500 credentials for sale real cheap.",
   "has_attachment_ref": ["credential-dump-object--1"],
   "extended_properties": {
       "web-forum": {
           "forum_name": "Cardz4cheap",
           "room_name": "Cards for sale",
           "thread_title": "Happy Burger Cards"
       }
   }
},
{
   "type": "credential-dump-object",
   "id": "credential-dump-object--1",
   "credentials": [
       {
           "username": "user1",
           "password": "mysimplepassword"
       },
       {
           "username": "user2",
           "password": "mysimplepassword"
       },
       {
           "username": "user3",
           "password": "mysimplepassword"
       }
   ]
}

Comments?

Cheers

Terry MacDonald | Chief Product Officer


M: +61-407-203-026
E: terry.macdonald@cosive.com
W: www.cosive.com
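As an added example, not part of this thread or of any CybOX specification, here is a small Python consumer for the Credential Dump Object as drafted above: it validates an object against the proposed properties, follows a post-object's has_attachment_ref link to the dump it advertises, and extracts the usernames a receiving organization would need to remediate. The sample bundle, usernames, hash value and domains are constructed for the example.

```python
import json
# Constructed sample modelled on the thread's proposal; users, hash and URL are made up.
SAMPLE_BUNDLE = json.loads("""[
 {"type": "post-object", "id": "post-object--1",
  "url": "https://www.cardz4cheap.org/cardsforsale/5332113",
  "post_creator": "DeliteD", "post_details": "Hey Dudes, I got 1500 credentials for sale real cheap.",
  "has_attachment_ref": ["credential-dump-object--1"]},
 {"type": "credential-dump-object", "id": "credential-dump-object--1",
  "credentials": [
   {"username": "user1@example.com", "password": "mysimplepassword"},
   {"username": "user2@example.com", "password_hash": "constructed-hash-0001"},
   {"username": "user3@other.test", "password": "mysimplepassword"}]}
]""")

def validate_credential_dump(obj):
    """Return violations of the proposed schema (empty list means valid)."""
    errors = []
    if obj.get("type") != "credential-dump-object":
        errors.append("type MUST be credential-dump-object")
    if not isinstance(obj.get("id"), str):
        errors.append("id is required and must be a string")
    creds = obj.get("credentials")
    if not isinstance(creds, list) or not creds:
        return errors + ["credentials is required and must be a non-empty array"]
    for i, c in enumerate(creds):
        if not isinstance(c, dict) or not isinstance(c.get("username"), str):
            errors.append(f"credentials[{i}]: username is required")
            continue
        for opt in ("password", "password_hash"):  # both optional, but must be strings
            if opt in c and not isinstance(c[opt], str):
                errors.append(f"credentials[{i}]: {opt} must be a string")
    return errors

def link_dumps_to_posts(bundle):
    """Map each credential-dump-object id to the post-object whose has_attachment_ref names it."""
    return {ref: obj["id"] for obj in bundle if obj.get("type") == "post-object"
            for ref in obj.get("has_attachment_ref", [])}

def affected_users(dump, my_domains):
    """Usernames in the dump whose e-mail domain belongs to the receiving organization."""
    return sorted({c["username"] for c in dump["credentials"]
                   if "@" in c["username"] and c["username"].rsplit("@", 1)[1].lower() in my_domains})

def plaintext_count(dump):
    """Entries carrying a cleartext password: redact these before re-sharing the object."""
    return sum(1 for c in dump["credentials"] if "password" in c)
```

A receiver would run validate_credential_dump first, then affected_users against its own domains to drive password resets, and use plaintext_count to decide whether the object must be stripped of cleartext passwords before being forwarded to another sharing group.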





