Subject: RE: [cti-cybox] A new Forum Object


It should be noted that sometimes the recipient of a message is unknown and
that field can be left empty.  Likewise if you're using an app to follow a
forum thread some databases record all of the participants in a thread along
with a poster rather than saying who the recipient of each message was.  I'm
not sure how Slack tracks it since I haven't pulled out their message
database, but I expect that they use something similar.

So yeah, I tend to think of forum posts as a kind of message.


Jeffrey Mates, Civ DC3/DCCI
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Computer Scientist
Defense Cyber Crime Institute
jeffrey.mates@dc3.mil
410-694-4335

-----Original Message-----
From: Paul Patrick [mailto:ppatrick@isightpartners.com] 
Sent: Tuesday, July 05, 2016 11:58 AM
To: Kirillov, Ivan A.
Cc: Jason Keirstead; Terry MacDonald; Mates, Jeffrey CIV DC3/DCCI;
cti-cybox@lists.oasis-open.org
Subject: [Non-DoD Source] Re: [cti-cybox] A new Forum Object

I'm with Ivan on this

Sent from my iPhone

On Jul 5, 2016, at 11:24 AM, Kirillov, Ivan A. <ikirillov@mitre.org> wrote:



	>> Riddle me this - what is the semantic difference of a POST with a
recipient of "xyzforum.com/mygroup", and an email MESSAGE with a recipient
of "cti-cybox@lists.oasis-open.org"?

	 

	The difference in my mind is that the recipient of an email message
is a well understood entity (an email address), whereas the recipient of a
forum post is abstract and subject to interpretation (Is it a URL of a
forum? Is it the name of a forum/newsgroup?). Also, I think that as a new
user I think it would be quite confusing in trying to understand that a
Message Object can also capture forum posts.

	 

	Regards,

	Ivan

	 

	From: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
	Date: Tuesday, July 5, 2016 at 9:02 AM
	To: Ivan Kirillov <ikirillov@mitre.org>
	Cc: Terry MacDonald <terry.macdonald@cosive.com>, "Mates, Jeffrey
CIV DC3/DCCI" <Jeffrey.Mates@dc3.mil>, Paul Patrick
<ppatrick@isightpartners.com>, "cti-cybox@lists.oasis-open.org"
<cti-cybox@lists.oasis-open.org>
	Subject: Re: [cti-cybox] A new Forum Object

	 

	RE "Semantically, I view a "post" differently than a "message",
especially because the concept of recipient is not really shared between the
two. Who is the "recipient" of a post? Thus, I would be very uneasy with a
single representation for both posts and messages."
	
	The "recipient" of the post is the forum group.
	
	Riddle me this - what is the semantic difference of a POST with a
recipient of "xyzforum.com/mygroup", and an email MESSAGE with a recipient
of "cti-cybox@lists.oasis-open.org" ?
	
	
	-
	Jason Keirstead
	STSM, Product Architect, Security Intelligence, IBM Security Systems
	www.ibm.com/security | www.securityintelligence.com
	
	Without data, all you are is just another person with an opinion -
Unknown 
	
	
	
	From: "Kirillov, Ivan A." <ikirillov@mitre.org>
	To: Jason Keirstead/CanEast/IBM@IBMCA, Terry MacDonald
<terry.macdonald@cosive.com>
	Cc: "Mates, Jeffrey CIV DC3/DCCI" <Jeffrey.Mates@dc3.mil>, Paul
Patrick <ppatrick@isightpartners.com>, "cti-cybox@lists.oasis-open.org"
<cti-cybox@lists.oasis-open.org>
	Date: 07/05/2016 11:59 AM
	Subject: Re: [cti-cybox] A new Forum Object
	Sent by: <cti-cybox@lists.oasis-open.org>

________________________________

	
	
	
	Just catching up here after being away on holiday for a few weeks.
Some initial comments while I think more on this:

	- I'm OK with the concepts around the Post Object, though I do worry
that this could set a precedent for the inclusion of more arbitrary Objects
around various types of metadata in CybOX.
	- Semantically, I view a "post" differently than a "message",
especially because the concept of recipient is not really shared between the
two. Who is the "recipient" of a post? Thus, I would be very uneasy with a
single representation for both posts and messages.
	- More generally, I want to make sure that any abstractions we do
build into CybOX Objects are sound and serve a real purpose; I think there
really need to be a number of key fields that are useful across ANY Object
represented by the abstraction, and that these fields don't mangle any
standard (i.e., RFC) definitions for the Object. This is my hesitation with
an abstract message Object - things like the very standard "from" and "to"
fields in an email would have to be mapped into their corresponding
abstracted fields by a content producer, and subsequently consumers would
have to understand what these fields refer to when parsing such an Object.
This is a significant semantic burden, one that I'm not sure is overcome by
the value of having a few common fields (message body, etc.).

	
	Anyhow, as Trey mentioned, this is something that we should discuss
on this Thursday's working session.
	
	Regards,
	Ivan
	
	From: <cti-cybox@lists.oasis-open.org> on behalf of Jason Keirstead
<Jason.Keirstead@ca.ibm.com>
	Date: Monday, June 27, 2016 at 6:26 AM
	To: Terry MacDonald <terry.macdonald@cosive.com>
	Cc: "Mates, Jeffrey CIV DC3/DCCI" <Jeffrey.Mates@dc3.mil>, Paul
Patrick <ppatrick@isightpartners.com>, "cti-cybox@lists.oasis-open.org"
<cti-cybox@lists.oasis-open.org>
	Subject: Re: [cti-cybox] A new Forum Object

	Are you saying that instead of using a base "message" object of
which "post" is an extension, the suggestion will now have a "post" object
with extensions for things like IRC ? How is IRC more like a web forum post
than a web forum post is like an email or SMS? 
	
	As Jeff implies - aren't these all just messages with differing
levels of visibility? I still don't like this object. It has far too much
overlap with email.
	
	-
	Jason Keirstead
	STSM, Product Architect, Security Intelligence, IBM Security Systems
	www.ibm.com/security | www.securityintelligence.com
	
	Without data, all you are is just another person with an opinion -
Unknown 
	
	
	
	From: Terry MacDonald <terry.macdonald@cosive.com>
	To: "Mates, Jeffrey CIV DC3/DCCI" <Jeffrey.Mates@dc3.mil>
	Cc: Paul Patrick <ppatrick@isightpartners.com>,
"cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
	Date: 06/27/2016 09:05 AM
	Subject: Re: [cti-cybox] A new Forum Object
	Sent by: <cti-cybox@lists.oasis-open.org>

________________________________

	
	
	
	
	Which is why I've now created a 'Post' Object that has a base 'Post'
object and that allows other types of posts to be derived from it. I've
posted it into the CybOX playground for comments and review:
	
	
https://docs.google.com/document/d/1P6k0uqbAYDRpYG5jjgYAKBDEc_iSG0-SGFaXgaPkqyg/edit?ts=56c3b210#heading=h.ki1ufj1ku8s0
	
	Cheers
	
	Terry MacDonald | Chief Product Officer
	
	
	M: +61-407-203-026
	E: terry.macdonald@cosive.com
	W: www.cosive.com
	
	
	
	
	On Mon, Jun 27, 2016 at 9:32 PM, Mates, Jeffrey CIV DC3/DCCI
<Jeffrey.Mates@dc3.mil> wrote:

	I know I'm jumping in late here, but I really do not like the idea
of forum post not using the generic Message TLO with one or more extensions.
Consider for example the following semi-forum post objects:
	
	A tweet (fully public to group; persistent)
	A twitter direct message (private to individual; persistent)
	A facebook post (semi-private to group; persistent)
	A facebook group chat where a participant joins the conversation
halfway through (private to group; persistent)
	An IRC message (semi-private to group or individual; persistent)
	A snapchat story (private to group; ephemeral)
	A reddit post (public to group; persistent)
	A whisper conversation (public to geographically similar temporary
group; ephemeral)
	
	
	Given that message already contains a way to store a title, body and
sender as part of the pure TLO with an extension for attachments I don't see
why we need to split the two. I apologize for not sending this sooner, but
until recently I haven't had much time to go through the STIX / CybOX
discussion.
	
	Jeffrey Mates, Civ DC3/DCCI
	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	Computer Scientist
	Defense Cyber Crime Institute
	jeffrey.mates@dc3.mil
	410-694-4335
	
	-----Original Message-----
	From: cti-cybox@lists.oasis-open.org
[mailto:cti-cybox@lists.oasis-open.org] On Behalf Of Paul Patrick
	Sent: Friday, June 24, 2016 10:52 AM
	To: cti-cybox@lists.oasis-open.org
	Subject: [Non-DoD Source] Re: [cti-cybox] A new Forum Object
	
	After working with some of my analysts that work in the world of
Hacktivism, I believe there are a few missing fields that we should add:
	
	
	
	- create_date - a timestamp as to when the post was created
	
	- modify_date - a timestamp as to when the post was last modified
	
	- attachments - a number of times correlation between posts that are
attributed to a common actor can't be done based on the persona used in
the forum. It is often necessary to be able to capture their persona image
as a base64 encoded value. This same thing could also be used for capturing
the payloads from forums such as Pastebin, although that might best be
handled with a source relationship to a File object
	
	- post-title - in many forums, the thread of conversation has a
title/name that is different than the title of the post itself, so it is
often necessary to be able to represent those as different properties.
	
	- view-count - a count of the number of times a post is viewed can
often be used as an indicator of interest
	
	- share-count - a count of the number of times a post is 'shared'
can often be used as an indicator of interest but also as part of getting
an understanding around influence.
	
	- 'likes' - a count of the number of 'likes' or +1s that have been
given to a particular post. I haven't been able to come up with a better
property name yet, but it's one thing to view a post and another thing to
actually take an action to indicate that a reader is in agreement. An
alternative could be to use the proposed Opinion so that not only can a
count be obtained but also the ability to capture the persona of the entity
that expressed that opinion. This would also be used as a means to capture
comments about a post rather than treating them as posts and using a sources
relationship of commented-on
	
	
	
	
	
	Paul Patrick
	
	
	
	
	
	From: Jerome Athias <athiasjerome@gmail.com>
	Date: Friday, June 24, 2016 at 1:02 AM
	To: Paul Patrick <ppatrick@isightpartners.com>
	Cc: Terry MacDonald <terry.macdonald@cosive.com>,
"cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
	Subject: Re: [cti-cybox] A new Forum Object
	
	
	
	I concur that Post would be a better name.
	
	Another example would be a Pastebin post
	
	
	
	2016-06-22 18:55 GMT+03:00 Paul Patrick <ppatrick@isightpartners.com>:
	
	Terry,
	
	
	
	I'd like to suggest we not call it a 'Forum' object but rather
something like 'Post' since it's the posting, not the forum/blog/chat
channel that we're trying to describe. That way we can equally apply it to
things like forums but also to mediums like IRC Chat which are not
person-to-person.
	
	
	
	Thoughts?
	
	
	
	
	
	Paul
	
	
	
	From: <cti-cybox@lists.oasis-open.org> on behalf of Jerome Athias
<athiasjerome@gmail.com>
	Date: Wednesday, June 22, 2016 at 1:35 AM
	To: Terry MacDonald <terry.macdonald@cosive.com>
	Cc: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
	Subject: Re: [cti-cybox] A new Forum Object
	Resent-From: <Paul.Patrick@FireEye.com>
	
	
	
	Interesting reading
	
	
http://www.networkworld.com/article/3085065/security/hack-the-hackers-eavesdrop-for-intel-on-emerging-threats.html
	
	
	
	On Thursday, 16 June 2016, Terry MacDonald
<terry.macdonald@cosive.com> wrote:
	
	Hi All,
	
	
	
	For the 3rd time someone recently asked me if there was a way of
encoding web forum posts within CybOX. My reply...well not really. That
answer bothered me greatly, so with the help of AJ from EclecticIQ I put
together a Forum Object.
	
	
	
	The Forum Object is designed to record web forum and newsgroup
posts, and is aimed primarily at helping people record what is being
discussed on underground forums.
	
	
	
	I really think it is needed for CybOX 3.0 MVP personally, and a
couple of friends at very large organizations have also confirmed they would
find this very useful. In fact one was surprised that it wasn't there
already.
	
	
	1.1 Forum Object
	
	Type Name: forum-object
	
	Status: Draft
	
	MVP: Yes
	
	
	
	The Forum Object represents a single Forum post. It is used to
capture posts on newsgroups and web forums, primarily to enable the sharing
of conversations held between threat actors on underground forums.
	
	
	Properties
	
	CybOX Object Properties: id, type
	
	Property Name                        Type    Description
	type (inherited from cybox-object)   string  Indicates that this object is a CybOX Forum Object. The value of this field MUST be forum-object.
	url (optional)                       string  Specifies the url of the forum.
	forum-name (required)                string  Specifies the name of the forum.
	room-name (optional)                 string  Specifies the room-name within the forum.
	thread-title                         string  Specifies the thread-title within the forum.
	post-creator                         string  Specifies the identity of the forum post creator.
	post-details                         string  Specifies the full details of the forum post.
	
	
	Examples
	
	
	Underground forum post
	
	
	
	{
	  "type": "forum-object",
	  "id": "forum-object--1",
	  "url": "https://www.cardz4cheap.org/cardsforsale/5332113",
	  "forum-name": "Cardz4cheap",
	  "room-name": "Cards for sale",
	  "thread-title": "Happy Burger Cards",
	  "post-creator": "DeliteD",
	  "post-details": "Hey Dudes, I got 1500 cards for sale real cheap."
	}
	
	
	
	
	
	
	Cheers
	
	
	
	Terry MacDonald | Chief Product Officer
	
	
	
	
	
	
	
	M: +61-407-203-026
	
	E: terry.macdonald@cosive.com
	
	W: www.cosive.com

Attachment: smime.p7s
Description: S/MIME cryptographic signature
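The draft forum-object table and its example, quoted at the bottom of this thread, can be checked mechanically. The validator below is an added example written for this archive page; it is not code from any participant in the thread or from the CybOX project. It takes the property names and the required/optional markers from Terry MacDonald's draft; thread-title, post-creator and post-details carry no marker in the draft and are assumed optional here. The message_view function only illustrates the mapping Jason Keirstead and Jeffrey Mates argue for (sender, recipient as the forum group, title, body); it is not a CybOX Message Object definition.

```python
"""Validator for the draft CybOX 3.0 forum-object discussed in this thread.

Added example for this archive page; not code from the thread's participants
or from the CybOX project. Property names and required/optional markers come
from the draft quoted above; unmarked properties are assumed optional.
"""
import json

# Draft property table: name -> required?  Flags follow the markers in the
# draft; properties the draft leaves unmarked are assumed optional here.
DRAFT_PROPERTIES = {
    "type": True,           # inherited from cybox-object, MUST be "forum-object"
    "id": True,             # inherited from cybox-object
    "url": False,           # marked (optional) in the draft
    "forum-name": True,     # marked (required) in the draft
    "room-name": False,     # marked (optional) in the draft
    "thread-title": False,  # unmarked in the draft -> assumed optional
    "post-creator": False,  # unmarked in the draft -> assumed optional
    "post-details": False,  # unmarked in the draft -> assumed optional
}

# The draft's own example object, copied from the thread (hyperlink residue
# around the url value removed so that it parses as JSON).
EXAMPLE_POST_JSON = """{
  "type": "forum-object",
  "id": "forum-object--1",
  "url": "https://www.cardz4cheap.org/cardsforsale/5332113",
  "forum-name": "Cardz4cheap",
  "room-name": "Cards for sale",
  "thread-title": "Happy Burger Cards",
  "post-creator": "DeliteD",
  "post-details": "Hey Dudes, I got 1500 cards for sale real cheap."
}"""


def validate_forum_object(obj):
    """Check a decoded JSON value against the draft table.

    Returns a list of problem strings; an empty list means the value is a
    well-formed draft forum-object. Every property in the draft is a string.
    """
    if not isinstance(obj, dict):
        return ["object must be a JSON object (dict)"]
    errors = []
    for name, required in DRAFT_PROPERTIES.items():
        if name in obj:
            if not isinstance(obj[name], str):
                errors.append(f"{name}: value must be a string")
        elif required:
            errors.append(f"{name}: required property missing")
    # The draft states the type value MUST be forum-object.
    if "type" in obj and obj["type"] != "forum-object":
        errors.append('type: value MUST be "forum-object"')
    # The draft defines a closed set of properties; flag anything else so a
    # consumer notices producer-side extensions it does not understand.
    for name in obj:
        if name not in DRAFT_PROPERTIES:
            errors.append(f"{name}: not a property of the draft forum-object")
    return errors


def load_example():
    """Decode the draft's example object."""
    return json.loads(EXAMPLE_POST_JSON)


def message_view(obj):
    """Map a forum-object onto the message-shaped fields debated in the thread.

    Jeffrey Mates notes the generic Message TLO already carries title, body
    and sender; Jason Keirstead argues the post's recipient is the forum
    group. This illustrates that mapping and nothing more.
    """
    return {
        "sender": obj.get("post-creator"),
        "recipient": obj.get("url") or obj.get("forum-name"),
        "title": obj.get("thread-title"),
        "body": obj.get("post-details"),
    }


if __name__ == "__main__":
    post = load_example()
    print("draft example problems:", validate_forum_object(post))
    print("as a message:", json.dumps(message_view(post), indent=2))
    # Constructed sample: a post missing the one field the draft marks required.
    incomplete = {"type": "forum-object", "id": "forum-object--2",
                  "post-details": "constructed sample"}
    print("incomplete post problems:", validate_forum_object(incomplete))
```

Running the module validates the draft's example cleanly and reports the missing forum-name on the constructed sample; the unknown-property check is what would surface the extra fields (create_date, view-count, likes) Paul Patrick proposes above if a producer emitted them against the unextended draft.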


