

Subject: Re: [cti-cybox] CybOX "Adopt an Object"


We’ve still had no volunteers for these Objects, so I think at this point it’s safe to say that they will not make it into the July MVP. I’ll be removing their stubs from the specifications.

 

Regards,

Ivan

 

From: <cti-cybox@lists.oasis-open.org> on behalf of Ivan Kirillov <ikirillov@mitre.org>
Date: Tuesday, June 7, 2016 at 10:36 AM
To: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] CybOX "Adopt an Object"

 

So far, we have no volunteers to adopt the following Objects:

 

· Device
· Operating System
· Network Share

At this point, it seems likely that they will not make it into the July MVP release.

 

Regards,

Ivan

 

From: <cti-cybox@lists.oasis-open.org> on behalf of Ivan Kirillov <ikirillov@mitre.org>
Date: Friday, June 3, 2016 at 7:11 AM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] CybOX "Adopt an Object"

 

Hi Jason,

 

That’s a good point – Network Socket and Network Connection do share a number of properties, such as destination IP/port and address family (IPv6 or IPv4). I agree that we’d have to make the source fields optional, but that might be reasonable since there are likely times that you only care about the destination of a connection.

 

Sockets do have a few unique properties such as socket type (stream, datagram, etc.) that we could perhaps capture as an extension on Network Connection. I think the use cases for them are primarily around malware analysis and digital forensics – malware often uses sockets as a low-level means of establishing network connections, and so it’s useful to be able to discretely characterize this.

 

Thanks for taking a stab at User Account! By the way, we’ve been putting together a list of design principles around CybOX Objects that you can find here: https://docs.google.com/document/d/1DdS-NrVTjGJ3wvCJ7dbSlhYeiaWS6G6dOXu2F3POpUs/edit#heading=h.3txva9d0a3le

 

We hope to use it as a general guide for ourselves to ensure that we stay consistent in our design philosophy, as well as for others to use when creating new Objects.

 

Regards,

Ivan

 

From: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Friday, June 3, 2016 at 5:30 AM
To: Ivan Kirillov <ikirillov@mitre.org>
Cc: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] CybOX "Adopt an Object"

 

Hi Ivan - does Network Socket intersect with Network Connection? It seems like the current Network Connection object as defined can do most anything you would want to do with a socket, since you can define connection state as LISTEN.

I suppose to use it for that we would need to make the "source" fields optional so they could be left empty (?)

I guess my question is - what are the use cases for Network Socket and who is pushing for it.

I will try to take a stab at User Account...

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: "Kirillov, Ivan A." <ikirillov@mitre.org>
To: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Date: 06/02/2016 06:39 PM
Subject: [cti-cybox] CybOX "Adopt an Object"
Sent by: <cti-cybox@lists.oasis-open.org>





All,

As we discussed on today’s call, there are a number of Objects (see below) that are in danger of not making the July MVP release because we’ve yet to develop their data models and are unlikely to do so in time for this release. Anyhow, if anyone has a strong need for one (or more) of these Objects, we encourage you to “adopt” these Objects and lead the work on creating its data model - Trey and I would be happy to get you started!

The Objects are the following:

· Device
· Operating System
· Product
· User Account
· Network Share
· Network Socket


Note that if these Objects do not make the cut for July, they’ll almost certainly be included in the follow-up release during the winter timeframe.

Regards,
Ivan




