cti-cybox message



Subject: RE: [cti-cybox] A new Forum Object


I know I'm jumping in late here, but I really do not like the idea of a forum post not using the generic Message TLO with one or more extensions.  Consider for example the following semi-forum post objects:

A tweet (fully public to group; persistent)
A twitter direct message (private to individual; persistent)
A facebook post (semi-private to group; persistent)
A facebook group chat where a participant joins the conversation halfway through (private to group; persistent)
An IRC message (semi-private to group or individual; persistent)
A snapchat story (private to group; ephemeral)
A reddit post (public to group; persistent)
A whisper conversation (public to geographically similar temporary group; ephemeral)


Given that Message already contains a way to store a title, body and sender as part of the pure TLO, with an extension for attachments, I don't see why we need to split the two.  I apologize for not sending this sooner, but until recently I haven't had much time to go through the STIX / CybOX discussion.

Jeffrey Mates, Civ DC3/DCCI
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Computer Scientist
Defense Cyber Crime Institute
jeffrey.mates@dc3.mil
410-694-4335

-----Original Message-----
From: cti-cybox@lists.oasis-open.org [mailto:cti-cybox@lists.oasis-open.org] On Behalf Of Paul Patrick
Sent: Friday, June 24, 2016 10:52 AM
To: cti-cybox@lists.oasis-open.org
Subject: [Non-DoD Source] Re: [cti-cybox] A new Forum Object

After working with some of my analysts that work in the world of Hacktivism, I believe there are a few missing fields that we should add:

- create_date – a timestamp as to when the post was created
- modify_date – a timestamp as to when the post was last modified
- attachments – a number of times, correlation between posts that are to be attributed to a common actor can’t be done based on the persona used in the forum.  It is often necessary to be able to capture their persona image as a base64 encoded value.  This same thing could also be used for capturing the payloads from forums such as Pastebin, although that might best be handled with a source relationship to a File object
- post-title – in many forums, the thread of conversation has a title/name that is different than the title of the post itself, so it is often necessary to be able to represent those as different properties.
- view-count – a count of the number of times a post is viewed can often be used as an indicator of interest
- share-count – a count of the number of times a post is ‘shared’ can often be used as an indicator of interest but also as part of getting an understanding around influence.
- ‘likes’ – a count of the number of ‘likes’ or +1s that have been given to a particular post.  I haven’t been able to come up with a better property name yet, but it’s one thing to view a post and another thing to actually take an action to indicate that a reader is in agreement.  An alternative could be to use the proposed Opinion so that not only can a count be obtained but also the ability to capture the persona of the entity that expressed that opinion.  This would also be used as a means to capture comments about a post rather than treating them as posts and using a sources relationship of commented-on

Paul Patrick

From: Jerome Athias <athiasjerome@gmail.com>
Date: Friday, June 24, 2016 at 1:02 AM
To: Paul Patrick <ppatrick@isightpartners.com>
Cc: Terry MacDonald <terry.macdonald@cosive.com>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] A new Forum Object

 

	I concur that Post would be a better name. 

	Another example would be a Pastebin post

	 

	2016-06-22 18:55 GMT+03:00 Paul Patrick <ppatrick@isightpartners.com>:

		Terry,

		 

		I’d like to suggest we not call it a ‘Forum’ object but rather something like ‘Post’ since it’s the posting, not the forum/blog/chat channel that we’re trying to describe.  That way we can equally apply it to things like forums but also to mediums like IRC Chat which are not person-to-person. 

		 

		Thoughts?

		 

		 

		Paul

		 

		From: <cti-cybox@lists.oasis-open.org> on behalf of Jerome Athias <athiasjerome@gmail.com>
		Date: Wednesday, June 22, 2016 at 1:35 AM
		To: Terry MacDonald <terry.macdonald@cosive.com>
		Cc: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
		Subject: Re: [cti-cybox] A new Forum Object
		Resent-From: <Paul.Patrick@FireEye.com>

		 

			Interesting reading  

			http://www.networkworld.com/article/3085065/security/hack-the-hackers-eavesdrop-for-intel-on-emerging-threats.html

			
			
			On Thursday, 16 June 2016, Terry MacDonald <terry.macdonald@cosive.com> wrote:

				Hi All, 

				 

				For the 3rd time someone recently asked me if there was a way of encoding web forum posts within CybOX. My reply...well not really. That answer bothered me greatly, so with the help of AJ from EclecticIQ I put together a Forum Object.

				 

				The Forum Object is designed to record web forum and newsgroup posts, and is aimed primarily at helping people record what is being discussed on underground forums. 

				 

				I really think it is needed for CybOX 3.0 MVP personally, and a couple of friends at very large organizations have also confirmed they would find this very useful. In fact one was surprised that it wasn't there already.


				1.1 Forum Object

Type Name: forum-object

Status: Draft

MVP: Yes

				 

				The Forum Object represents a single Forum post. It is used to capture posts on newsgroups and web forums, primarily to enable the sharing of conversations held between threat actors on underground forums.


				Properties

CybOX Object Properties: id, type

Property Name | Type | Description
--- | --- | ---
type (inherited from cybox-object) | string | Indicates that this object is a CybOX Forum Object. The value of this field MUST be forum-object.
url (optional) | string | Specifies the url of the forum.
forum-name (required) | string | Specifies the name of the forum.
room-name (optional) | string | Specifies the room-name within the forum.
thread-title | string | Specifies the thread-title within the forum.
post-creator | string | Specifies the identity of the forum post creator.
post-details | string | Specifies the full details of the forum post.


				Examples


				Underground forum post

				 

				{
				   "type": "forum-object",
				   "id": "forum-object--1",
				   "url": "https://www.cardz4cheap.org/cardsforsale/5332113",
				   "forum-name": "Cardz4cheap",
				   "room-name": "Cards for sale",
				   "thread-title": "Happy Burger Cards",
				   "post-creator": "DeliteD",
				   "post-details": "Hey Dudes, I got 1500 cards for sale real cheap."
				}

				 

				
				

				Cheers

				 

				Terry MacDonald | Chief Product Officer

				 

				

				 

				M: +61-407-203-026 <tel:+61-407-203-026> 

				E: terry.macdonald@cosive.com

				W: www.cosive.com <https://www.cosive.com/> 

				 

				 

				 

	 

Attachment: smime.p7s
Description: S/MIME cryptographic signature
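The draft Forum Object table, Paul Patrick's proposed additional properties, and Jeffrey Mates' suggestion to model the post as a generic Message with an extension, worked through as an added example. This is not code from the OASIS CTI TC or from any of the thread's authors: the property names come from the thread, but the value rules (ISO 8601 timestamps, non-negative counts, strict base64 attachments), the `message`/`x-forum-ext` shapes, and the extra values added to Terry's example are this example's own assumptions.

```python
"""Validator for the CybOX 'Forum' / 'Post' object discussed in this thread.
Added example, not code from the OASIS CTI TC or the thread's authors; the
value rules and the message-with-extension layout are assumptions."""
import base64
import binascii
from datetime import datetime, timezone

# Properties from the draft 1.1 Forum Object table.
REQUIRED = {"type", "id", "forum-name"}
DRAFT_OPTIONAL = {"url", "room-name", "thread-title", "post-creator", "post-details"}
# Properties proposed by Paul Patrick in his reply.
TIMESTAMPS = {"create_date", "modify_date"}
COUNTS = {"view-count", "share-count", "likes"}
KNOWN = REQUIRED | DRAFT_OPTIONAL | TIMESTAMPS | COUNTS | {"attachments", "post-title"}


def parse_timestamp(value):
    """Parse an ISO 8601 timestamp (assumed format); naive values are taken as UTC.
    Returns a datetime, or None when the value is not a timestamp."""
    if not isinstance(value, str):
        return None
    try:
        stamp = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return stamp if stamp.tzinfo else stamp.replace(tzinfo=timezone.utc)


def is_base64(text):
    """True when text decodes as strict base64 (persona image / payload attachment)."""
    try:
        base64.b64decode(text, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def validate_post(obj):
    """Return a list of problems with the object; an empty list means it passes."""
    if not isinstance(obj, dict):
        return ["post must be a JSON object"]
    errors = [f"missing required property '{k}'" for k in sorted(REQUIRED) if k not in obj]
    if "type" in obj and obj["type"] != "forum-object":
        errors.append("type MUST be 'forum-object'")
    errors += [f"unknown property '{k}'" for k in sorted(obj) if k not in KNOWN]
    for key in sorted((REQUIRED | DRAFT_OPTIONAL | {"post-title"}) - {"type"}):
        if key in obj and not isinstance(obj[key], str):
            errors.append(f"'{key}' must be a string")
    for key in sorted(COUNTS):
        value = obj.get(key)
        if key in obj and (isinstance(value, bool) or not isinstance(value, int) or value < 0):
            errors.append(f"'{key}' must be a non-negative integer")
    stamps = {key: parse_timestamp(obj[key]) for key in sorted(TIMESTAMPS) if key in obj}
    errors += [f"'{k}' must be an ISO 8601 timestamp" for k, v in stamps.items() if v is None]
    created, modified = stamps.get("create_date"), stamps.get("modify_date")
    if created and modified and modified < created:
        errors.append("modify_date precedes create_date")
    if "attachments" in obj:
        blobs = obj["attachments"]
        if not isinstance(blobs, list):
            errors.append("'attachments' must be a list of base64 strings")
        else:
            errors += [f"attachments[{i}] is not valid base64" for i, b in enumerate(blobs)
                       if not isinstance(b, str) or not is_base64(b)]
    return errors


def as_message_with_extension(post):
    """Jeffrey Mates' alternative: a generic Message (title, body, sender) carrying the
    forum-specific properties in an extension. The 'message' and 'x-forum-ext'
    shapes are hypothetical, not a published CybOX layout."""
    core = {"type", "id", "thread-title", "post-details", "post-creator"}
    message = {"type": "message", "id": post["id"].replace("forum-object--", "message--"),
               "title": post.get("thread-title"), "body": post.get("post-details"),
               "sender": post.get("post-creator")}
    message["extensions"] = {"x-forum-ext": {k: v for k, v in post.items() if k in KNOWN - core}}
    return message


# Terry MacDonald's example from the thread, extended with constructed values for the
# proposed properties (timestamps, counts and the attachment are made up here).
EXAMPLE_POST = {
    "type": "forum-object",
    "id": "forum-object--1",
    "url": "https://www.cardz4cheap.org/cardsforsale/5332113",
    "forum-name": "Cardz4cheap",
    "room-name": "Cards for sale",
    "thread-title": "Happy Burger Cards",
    "post-creator": "DeliteD",
    "post-details": "Hey Dudes, I got 1500 cards for sale real cheap.",
    "create_date": "2016-06-16T09:30:00Z",
    "modify_date": "2016-06-16T11:05:00Z",
    "view-count": 42,
    "likes": 3,
    "attachments": [base64.b64encode(b"constructed persona image bytes").decode()],
}
```

`validate_post(EXAMPLE_POST)` returns an empty list; feeding it an object with the wrong `type`, a `modify_date` earlier than `create_date`, a negative count or a non-base64 attachment returns one message per defect, so a collector can reject or quarantine a record before it reaches the repository. `as_message_with_extension` shows the same record in the Message-plus-extension form, which keeps title, body and sender in the shared object and leaves only the forum-specific fields in the extension.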


