cti-cybox message


Subject: RE: [cti-cybox] RE: [Non-DoD Source] RE: [cti-cybox] A new Forum Object


The trouble is that waiting for someone to access it can mean a lot of different things.

1. A snapchat message can be downloaded and stored locally on your phone.  Once it is read, however, it can self-delete after a certain amount of time specified by the sender.
2. A slack message is sent to a group and the sender can have their phone buzz when received, but people can join a group later and read the message.
3. An IRC message is sent to everyone in a chat room, but if someone joins later they won't see previous messages.
4. A Reddit AMA is an active conversation that can happen in real time to a group with a duration that can be under two hours, but can then be publicly accessed for years to come.

Jeffrey Mates, Civ DC3/DCCI
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Computer Scientist
Defense Cyber Crime Institute
jeffrey.mates@dc3.mil
410-694-4335

-----Original Message-----
From: cti-cybox@lists.oasis-open.org [mailto:cti-cybox@lists.oasis-open.org] On Behalf Of Terry MacDonald
Sent: Wednesday, July 06, 2016 12:20 AM
To: Mates, Jeffrey CIV DC3/DCCI
Cc: Jason Keirstead; Ivan A. Kirillov; cti-cybox@lists.oasis-open.org; Paul Patrick; Natale, Bob
Subject: [cti-cybox] RE: [Non-DoD Source] RE: [cti-cybox] A new Forum Object

I would see that as an instant message, which is protectively sent to the recipients. So I'd say that was a message. 

Something that waits around for someone to access it is a post.

That's the delineation I have at any rate.

Cheers
Terry MacDonald 
Cosive 

On 6/07/2016 07:48, "Mates, Jeffrey CIV DC3/DCCI" <Jeffrey.Mates@dc3.mil> wrote:


	What about a malicious Slack communication, is that a message or a post?
	
	Jeffrey Mates, Civ DC3/DCCI
	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	Computer Scientist
	Defense Cyber Crime Institute
	jeffrey.mates@dc3.mil
	410-694-4335
	
	
	-----Original Message-----
	From: Terry MacDonald [mailto:terry.macdonald@cosive.com]
	Sent: Tuesday, July 05, 2016 5:44 PM
	To: Natale, Bob
	Cc: Jason Keirstead; Ivan A. Kirillov; Mates, Jeffrey CIV DC3/DCCI; cti-cybox@lists.oasis-open.org; Paul Patrick
	Subject: [Non-DoD Source] RE: [cti-cybox] A new Forum Object
	
	I'm not thinking of an email list server message for the post object. My focus was on the 'leave the post somewhere' style of communication, e.g. a web forum post. Something where it is stored on a server somewhere, and the post is accessed by a user.
	
	Cheers
	Terry MacDonald
	Cosive
	
	On 6/07/2016 7:36 AM, "Natale, Bob" <RNATALE@mitre.org> wrote:
	
	
	        > If we did this using message objects then we would need a message object per time it was accessed, so that each time we'd only be recording the single time that one person accessed the post.
	
	        How is that different from e-mail messages to listserv aliases…?
	
	
	
	        Avanti,
	
	        BobN
	
	
	
	        From: cti-cybox@lists.oasis-open.org [mailto:cti-cybox@lists.oasis-open.org] On Behalf Of Terry MacDonald
	        Sent: Tuesday, July 05, 2016 5:32 PM
	        To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
	        Cc: Paul Patrick <ppatrick@isightpartners.com>; Mates, Jeffrey CIV DC3/DCCI <Jeffrey.Mates@dc3.mil>; Kirillov, Ivan A. <ikirillov@mitre.org>; cti-cybox@lists.oasis-open.org
	
	        Subject: Re: [cti-cybox] A new Forum Object
	
	
	
	        In my mind there is a distinct difference between a post which sits somewhere waiting for someone to access, and the actual individual act of someone receiving a message containing the post.
	
	        When someone is putting some information on a web server advertising the fact they have credit cards for sale and leaving it there for people to access, that to me is a post left on a webserver.
	
	        If we want to track who accessed the post then we should relate who accessed it to that post. This would ensure that there was one CybOX object to represent the post.
	
	        If we did this using message objects then we would need a message object per time it was accessed, so that each time we'd only be recording the single time that one person accessed the post.
	
	        I don't buy that there is a major difference for pattern matching, as the pattern matching could be done on the page contents, not the message.
	
	        Cheers
	        Terry MacDonald
	        Cosive
	
	        On 6/07/2016 2:22 AM, "Jason Keirstead" <Jason.Keirstead@ca.ibm.com> wrote:
	
	                The reason I am fighting so hard for this is as follows: If we proceed down this path to make a different TLO for posts, then that means that in *every single instance* where you want to write a pattern signature to look for malware, or C&C channels, or suspicious activity, you will have to write it for both "message" and for "post". I suspect that in reality this is hardly ever going to be done, and instead people will write one or the other, and miss 50% of the attack vectors.
	
	                -
	                Jason Keirstead
	                STSM, Product Architect, Security Intelligence, IBM Security Systems
	                www.ibm.com/security | www.securityintelligence.com
	
	                Without data, all you are is just another person with an opinion - Unknown
	
	
	
	                From: "Kirillov, Ivan A." <ikirillov@mitre.org>
	                To: Jason Keirstead/CanEast/IBM@IBMCA
	                Cc: Terry MacDonald <terry.macdonald@cosive.com>, "Mates, Jeffrey CIV DC3/DCCI" <Jeffrey.Mates@dc3.mil>, Paul Patrick <ppatrick@isightpartners.com>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
	                Date: 07/05/2016 12:25 PM
	                Subject: Re: [cti-cybox] A new Forum Object
	                Sent by: <cti-cybox@lists.oasis-open.org>
	
	________________________________
	
	
	
	
	                >> Riddle me this - what is the semantic difference of a POST with a recipient of "xyzforum.com/mygroup", and an email MESSAGE with a recipient of "cti-cybox@lists.oasis-open.org" ?
	
	                The difference in my mind is that the recipient of an email message is a well understood entity (an email address), whereas the recipient of a forum post is abstract and subject to interpretation (Is it a URL of a forum? Is it the name of a forum/newsgroup?). Also, I think that as a new user I think it would be quite confusing in trying to understand that a Message Object can also capture forum posts.
	
	                Regards,
	                Ivan
	
	                From: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
	                Date: Tuesday, July 5, 2016 at 9:02 AM
	                To: Ivan Kirillov <ikirillov@mitre.org>
	                Cc: Terry MacDonald <terry.macdonald@cosive.com>, "Mates, Jeffrey CIV DC3/DCCI" <Jeffrey.Mates@dc3.mil>, Paul Patrick <ppatrick@isightpartners.com>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
	                Subject: Re: [cti-cybox] A new Forum Object
	
	                RE "Semantically, I view a “post” differently than a “message”, especially because the concept of recipient is not really shared between the two. Who is the “recipient” of a post? Thus, I would be very uneasy with a single representation for both posts and messages."
	
	                The "recipient" of the post is the forum group.
	
	                Riddle me this - what is the semantic difference of a POST with a recipient of "xyzforum.com/mygroup", and an email MESSAGE with a recipient of "cti-cybox@lists.oasis-open.org" ?
	
	
	                -
	                Jason Keirstead
	                STSM, Product Architect, Security Intelligence, IBM Security Systems
	                www.ibm.com/security | www.securityintelligence.com
	
	                Without data, all you are is just another person with an opinion - Unknown
	
	
	
	                From: "Kirillov, Ivan A." <ikirillov@mitre.org>
	                To: Jason Keirstead/CanEast/IBM@IBMCA, Terry MacDonald <terry.macdonald@cosive.com>
	                Cc: "Mates, Jeffrey CIV DC3/DCCI" <Jeffrey.Mates@dc3.mil>, Paul Patrick <ppatrick@isightpartners.com>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
	                Date: 07/05/2016 11:59 AM
	                Subject: Re: [cti-cybox] A new Forum Object
	                Sent by: <cti-cybox@lists.oasis-open.org>
	
	________________________________
	
	
	
	
	
	                Just catching up here after being away on holiday for a few weeks. Some initial comments while I think more on this:
	
	                · I’m OK with the concepts around the Post Object, though I do worry that this could set a precedent for the inclusion of more arbitrary Objects around various types of metadata in CybOX.
	                · Semantically, I view a “post” differently than a “message”, especially because the concept of recipient is not really shared between the two. Who is the “recipient” of a post? Thus, I would be very uneasy with a single representation for both posts and messages.
	                · More generally, I want to make sure that any abstractions we do build into CybOX Objects are sound and serve a real purpose; I think there really need to be a number of key fields that are useful across ANY Object represented by the abstraction, and that these fields don’t mangle any standard (i.e., RFC) definitions for the Object. This is my hesitation with an abstract message Object – things like the very standard “from” and “to” fields in an email would have to be mapped into their corresponding abstracted fields by a content producer, and subsequently consumers would have to understand what these fields refer to when parsing such an Object. This is a significant semantic burden, one that I’m not sure is overcome by the value of having a few common fields (message body, etc.).
	
	
	                Anyhow, as Trey mentioned, this is something that we should discuss on this Thursday’s working session.
	
	                Regards,
	                Ivan
	
	                From: <cti-cybox@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
	                Date: Monday, June 27, 2016 at 6:26 AM
	                To: Terry MacDonald <terry.macdonald@cosive.com>
	                Cc: "Mates, Jeffrey CIV DC3/DCCI" <Jeffrey.Mates@dc3.mil>, Paul Patrick <ppatrick@isightpartners.com>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
	                Subject: Re: [cti-cybox] A new Forum Object
	
	                Are you saying that instead of using a base "message" object of which "post" is an extension, the suggestion will now have a "post" object with extensions for things like IRC ? How is IRC more like a web forum post than a web forum post is like an email or SMS?
	
	                As Jeff implies - aren't these all just messages with differing levels of visibility? I still don't like this object. It has far too much overlap with email.
	
	                -
	                Jason Keirstead
	                STSM, Product Architect, Security Intelligence, IBM Security Systems
	                www.ibm.com/security | www.securityintelligence.com
	
	                Without data, all you are is just another person with an opinion - Unknown
	
	
	
	                From: Terry MacDonald <terry.macdonald@cosive.com>
	                To: "Mates, Jeffrey CIV DC3/DCCI" <Jeffrey.Mates@dc3.mil>
	                Cc: Paul Patrick <ppatrick@isightpartners.com>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
	                Date: 06/27/2016 09:05 AM
	                Subject: Re: [cti-cybox] A new Forum Object
	                Sent by: <cti-cybox@lists.oasis-open.org>
	
	________________________________
	
	
	
	
	
	
	                Which is why I've now created a 'Post' Object that has a base 'Post' object and that allows other types of posts to be derived from it. I've posted it into the CybOX playground for comments and review:
	
	                https://docs.google.com/document/d/1P6k0uqbAYDRpYG5jjgYAKBDEc_iSG0-SGFaXgaPkqyg/edit?ts=56c3b210#heading=h.ki1ufj1ku8s0
	
	                Cheers
	
	                Terry MacDonald | Chief Product Officer
	
	
	
	                M: +61-407-203-026
	                E: terry.macdonald@cosive.com
	                W: www.cosive.com
	
	
	
	
	                On Mon, Jun 27, 2016 at 9:32 PM, Mates, Jeffrey CIV DC3/DCCI <Jeffrey.Mates@dc3.mil> wrote:
	
	                I know I'm jumping in late here, but I really do not like the idea of forum post not using the generic Message TLO with one or more extensions. Consider for example the following semi-forum post objects:
	
	                A tweet (fully public to group; persistent)
	                A twitter direct message (private to individual; persistent)
	                A facebook post (semi-private to group; persistent)
	                A facebook group chat where a participant joins the conversation halfway through (private to group; persistent)
	                An IRC message (semi-private to group or individual; persistent)
	                A snapchat story (private to group; ephemeral)
	                A reddit post (public to group; persistent)
	                A whisper conversation (public to geographically similar temporary group; ephemeral)
	
	
	                Given that message already contains a way to store a title, body and sender as part of the pure TLO with an extension for attachments I don't see why we need to split the two. I apologize for not sending this sooner, but until recently I haven't had much time to go through the STIX / CybOX discussion.
	
	                Jeffrey Mates, Civ DC3/DCCI
	                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	                Computer Scientist
	                Defense Cyber Crime Institute
	                jeffrey.mates@dc3.mil
	                410-694-4335
	
	                -----Original Message-----
	                From: cti-cybox@lists.oasis-open.org [mailto:cti-cybox@lists.oasis-open.org] On Behalf Of Paul Patrick
	                Sent: Friday, June 24, 2016 10:52 AM
	                To: cti-cybox@lists.oasis-open.org
	                Subject: [Non-DoD Source] Re: [cti-cybox] A new Forum Object
	
	                After working with some of my analysts that work in the works of Hacktivism, I believe there are a few missing fields that we should add:
	
	
	
	                · create_date – a timestamp as to when the post was created
	
	                · modify_date – a timestamp as to when the post was last modified
	
	                · attachments – a number of times correlation between posts that are to be attributed to a common actor can’t be done based on the persona used in the forum. It is often necessary to be able to capture their persona image as a base64 encoded value. This same thing could also be used for capturing the payloads from forums such as Pastebin, although that might best be handled with a source relationship to a File object

	                · post-title – in many forums, the thread of conversation has a title/name that is different than the title of the post itself, so it is often necessary to be able to represent those as different properties.

	                · view-count – a count of the number of times a post is viewed can often be used as an indicator of interest

	                · share-count – a count of the number of times a post is ‘shared’ can often be used as an indicator of interest but also as part of getting an understanding around influence.
	
	                · ‘likes’ – a count of the number of ‘likes’ or +1s that have been given to a particular post. I haven’t been able to come up with a better property name yet, but it’s one thing to view a post and another thing to actually take an action to indicate that a reader is in agreement. An alternative could be to use the proposed Opinion so that not only can a count be obtained but also the ability to capture the persona of the entity that expressed that opinion. This would also be used as a means to capture comments about a post rather than treating them as posts and using a sources relationship of commented-on
	
	
	
	
	
	                Paul Patrick
	
	
	
	
	
	                From: Jerome Athias <athiasjerome@gmail.com>
	                Date: Friday, June 24, 2016 at 1:02 AM
	                To: Paul Patrick <ppatrick@isightpartners.com>
	                Cc: Terry MacDonald <terry.macdonald@cosive.com>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
	                Subject: Re: [cti-cybox] A new Forum Object
	
	
	
	                I concur that Post would be a better name.
	
	                Another example would be a Pastebin post
	
	
	
	                2016-06-22 18:55 GMT+03:00 Paul Patrick <ppatrick@isightpartners.com>:
	
	                Terry,
	
	
	
	                I’d like to suggest we not call it a ‘Forum’ object but rather something like ‘Post’ since it’s the posting, not the forum/blog/chat channel, that we’re trying to describe. That way we can equally apply it to things like forums but also to mediums like IRC Chat which are not person-to-person.
	
	
	
	                Thoughts?
	
	
	
	
	
	                Paul
	
	
	
	                From: <cti-cybox@lists.oasis-open.org> on behalf of Jerome Athias <athiasjerome@gmail.com>
	                Date: Wednesday, June 22, 2016 at 1:35 AM
	                To: Terry MacDonald <terry.macdonald@cosive.com>
	                Cc: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
	                Subject: Re: [cti-cybox] A new Forum Object
	                Resent-From: <Paul.Patrick@FireEye.com>
	
	
	
	                Interesting reading
	
	                http://www.networkworld.com/article/3085065/security/hack-the-hackers-eavesdrop-for-intel-on-emerging-threats.html
	
	
	
	                On Thursday, 16 June 2016, Terry MacDonald <terry.macdonald@cosive.com> wrote:
	
	                Hi All,
	
	
	
	                For the 3rd time someone recently asked me if there was a way of encoding web forum posts within CybOX. My reply...well not really. That answer bothered me greatly, so with the help of AJ from EclecticIQ I put together a Forum Object.
	
	
	
	                The Forum Object is designed to record web forum and newsgroup posts, and is aimed primarily at helping people record what is being discussed on underground forums.
	
	
	
	                I really think it is needed for CybOX 3.0 MVP personally, and a couple of friends at very large organizations have also confirmed they would find this very useful. In fact one was surprised that it wasn't there already.
	
	
	                1.1 Forum Object
	
	                Type Name: forum-object
	
	                Status: Draft
	
	                MVP: Yes
	
	
	
	                The Forum Object represents a single Forum post. It is used to capture posts on newsgroups and web forums, primarily to enable the sharing of conversations held between threat actors on underground forums.
	
	
	                Properties

	                CybOX Object Properties: id, type

	                Property Name                        Type     Description
	                type (inherited from cybox-object)   string   Indicates that this object is a CybOX Forum Object. The value of this field MUST be forum-object.
	                url (optional)                       string   Specifies the URL of the forum.
	                forum-name (required)                string   Specifies the name of the forum.
	                room-name (optional)                 string   Specifies the room name within the forum.
	                thread-title                         string   Specifies the thread title within the forum.
	                post-creator                         string   Specifies the identity of the forum post creator.
	                post-details                         string   Specifies the full details of the forum post.
	
	
	                Examples
	
	
	                Underground forum post
	
	
	
	                {
	                  "type": "forum-object",
	                  "id": "forum-object--1",
	                  "url": "https://www.cardz4cheap.org/cardsforsale/5332113",
	                  "forum-name": "Cardz4cheap",
	                  "room-name": "Cards for sale",
	                  "thread-title": "Happy Burger Cards",
	                  "post-creator": "DeliteD",
	                  "post-details": "Hey Dudes, I got 1500 cards for sale real cheap."
	                }
	
	
	
	
	
	
	                Cheers
	
	
	
	                Terry MacDonald | Chief Product Officer
	
	
	
	
	
	
	
	                M: +61-407-203-026

	                E: terry.macdonald@cosive.com

	                W: www.cosive.com
	

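The draft Forum Object quoted at the bottom of this thread pins the `type` value to `forum-object`, marks `forum-name` as required, and lists the other properties as plain strings. The validator below is an added example for readers of the archive; it is not part of Terry MacDonald's proposal or of any CybOX implementation. It assumes (the draft does not say) that `id` is required because it is listed under CybOX Object Properties, that properties without a `(required)` marker are optional, and that properties outside the table are rejected. The sample post is the proposal's own example with the duplicated-URL extraction artifact removed; the second input is constructed to show how a mis-typed object is reported.

```python
"""Validator for the draft CybOX 'forum-object' discussed in this thread.

Added example: not Terry MacDonald's proposal text and not CybOX library
code. Assumptions the draft does not state: 'id' is required (listed under
CybOX Object Properties), properties without a '(required)' marker are
optional, and properties outside the table are not permitted.
"""
import json

TYPE_VALUE = "forum-object"
REQUIRED = ("type", "id", "forum-name")
OPTIONAL = ("url", "room-name", "thread-title", "post-creator", "post-details")
ALLOWED = set(REQUIRED) | set(OPTIONAL)


def validate_forum_object(obj):
    """Return a list of problems found; an empty list means the object is valid."""
    if not isinstance(obj, dict):
        return ["top level must be a JSON object"]
    problems = []
    for name in REQUIRED:
        if name not in obj:
            problems.append(f"missing required property '{name}'")
    for name, value in obj.items():
        if name not in ALLOWED:
            problems.append(f"unknown property '{name}'")
        elif not isinstance(value, str):
            problems.append(f"property '{name}' must be a string")
    # The draft table says the value of 'type' MUST be forum-object.
    if "type" in obj and obj["type"] != TYPE_VALUE:
        problems.append(f"type MUST be '{TYPE_VALUE}', got {obj['type']!r}")
    return problems


def parse_forum_object(text):
    """Parse JSON text and validate it. Returns (object, problems)."""
    try:
        obj = json.loads(text)
    except json.JSONDecodeError as exc:
        return None, [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    return obj, validate_forum_object(obj)


# The proposal's own example post, with the duplicated-URL extraction
# artifact removed so that it is valid JSON.
SAMPLE_POST = """{
  "type": "forum-object",
  "id": "forum-object--1",
  "url": "https://www.cardz4cheap.org/cardsforsale/5332113",
  "forum-name": "Cardz4cheap",
  "room-name": "Cards for sale",
  "thread-title": "Happy Burger Cards",
  "post-creator": "DeliteD",
  "post-details": "Hey Dudes, I got 1500 cards for sale real cheap."
}"""

# Constructed counter-example: wrong type value, a property the draft does
# not define, and a missing required forum-name.
BAD_POST = """{
  "type": "email-message",
  "id": "forum-object--2",
  "view-count": 12
}"""

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_POST), ("bad", BAD_POST)):
        _, problems = parse_forum_object(text)
        print(label, "valid" if not problems else problems)
```

Running the block prints `sample valid` and then the three problems found in the constructed object. Because the draft leaves `thread-title`, `post-creator` and `post-details` unmarked, the validator treats them as optional; if the working session decided otherwise, only the `REQUIRED` tuple would change.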
Attachment: smime.p7s
Description: S/MIME cryptographic signature


