Subject: Re: [cti-cybox] MVP/Message Objects


I think we could work on that while designing the conceptual map (and classes tree) and see how to build a team (maybe of XV all blacks :p) helping for that

On Friday, 8 July 2016, Terry MacDonald <terry.macdonald@cosive.com> wrote:

Hi Ivan,

The reason this whole post/message object discussion came up is because I initially proposed a way for us to track web forum conversations. The original object was just for web forum conversations, and then I expanded it after some discussion to be more general.

I've been asked about how to capture underground web forum conversations within STIX and CybOX by multiple parties, and they all have mentioned that they have a need to track and share this sort of information to keep track of the bad guys. I am concerned that only specifying an email message object will reduce the buy-in from threat intelligence vendors.

That said I do agree that we need to discuss this more before creating some core extendable objects.

Apologies, I have been unavailable over these past few weeks to be more involved in these meetings, but I am currently moving from Australia back to New Zealand.

Cheers
Terry MacDonald

On 8/07/2016 4:24 AM, "Kirillov, Ivan A." <ikirillov@mitre.org> wrote:

All,


We had a good discussion today on the working call on the topic of the Message Object. Specifically, we dived into the existing Message Object proposal (thanks again to the DC3 folks for their submission!) and went over some of the potential issues with this approach:

- Not all message types can easily be abstracted into this model
  - E.g., SMS messages have phone numbers as their sender/recipient, so would this necessitate a phone number Object?
- Unlike the File Systems in the File Object (as an example), it would be very difficult to survey the numerous types of messages out there and come up with a representative, accurate base type
- While an abstract Message Object reduces the amount of potential fields that are duplicated across several Objects, it could still be a very complex Object, with numerous extensions and caveats/corner cases that users would have to deal with

Therefore, Trey and I proposed an alternative of, for the July MVP release, defining a discrete Email Message Object. Such an Object is well understood and necessary for various types of cyber threat information sharing use cases (spearphishing, watering hole attacks, spambot malware, etc.). Greg Back has taken a stab at defining this Object, which can now be found in the playground [1]. It seemed like we had general (not unanimous) consensus on the call that this may be a less risky and preferable approach for the MVP release.


However, we’d like to see what others on the list think – do you see an immediate need for a Message Object as MVP, or would an Email Object be sufficient? Just to state the options more clearly:

- Option 1: Message Object
  - We create a working group and define a Message Object that can characterize Email, Skype, etc. in time for MVP
- Option 2: Email Message Object
  - We deliver ONLY an Email Message Object for MVP
  - We can consider revisiting the concept of the Message/Post Objects post-MVP, perhaps for the winter release if there is sufficient demand

Please let us know your thoughts – this is something that we need to make a decision on ASAP.


[1] https://docs.google.com/document/d/1P6k0uqbAYDRpYG5jjgYAKBDEc_iSG0-SGFaXgaPkqyg/edit#heading=h.ovi1p7inki1o


Regards,

Ivan
