
cti-cybox message



Subject: Recent CybOX Changes


Thanks again to everyone for the recent comments on the CybOX specs! We’re still in the process of addressing them, but have made some great headway this week.

 

Based on your comments, recent discussions, as well as our own analysis, here are some of the recent notable changes that have been made in the CybOX specs this week:

 

- CybOX Core
  - Updated intro text in CybOX Object (8.1) to more clearly introduce the concept and answer the question of what a CybOX Object represents
  - Added requirements section (based on STIX) to Custom Relationships (8.1.2.2), Custom Extensions (8.1.3.3), and Custom Object Properties (8.1.6) – please review
  - Added File Path Type to Common Object Types (8.1.4.2) so that it can be re-used for file paths as needed in the various CybOX Objects
  - Based on comments and discussions, removed Object Property Metadata section and instead added String with Encoding Type to Common Object Types (8.1.4.2). This type permits the capture of observed encodings for strings in Objects wherever appropriate (see example: https://docs.google.com/document/d/1DdS-NrVTjGJ3wvCJ7dbSlhYeiaWS6G6dOXu2F3POpUs/edit#heading=h.47ju1z5ea7t). Accordingly, updated the type definitions throughout the CybOX Objects to be an OR between a string and this new type wherever it made sense. We realize that this may complicate parsing (e.g., having to distinguish between strings and objects) and creation of CybOX data so we look forward to your feedback.
- Host-based Objects
  - File Object
    - Moved magic_number from File Metadata Extension to base File Object, since it is analogous to mime_type which was already on the base. Accordingly, renamed File Metadata to File Metadata Mismatch and removed redundant has_mismatch field. However, a point was raised about this particular extension, namely that it represents an assertion rather than a “fact” such as a magic number or hash. Accordingly, we need to consider the question of whether such assertions belong in CybOX or not.
    - Renamed a PE Binary Extension to Windows PE Binary Extension for consistency
    - Removed file_count field from Archive File Extension, as it was redundant with the file_refs field
  - Registry Key Object
    - Renamed to Windows Registry Key Object for consistency
    - Removed number_of_values field, as it was redundant with the values field
- Network Objects
  - IPv4 and IPv6 Address
    - Updated text around CIDR specification for clarity
    - Updated resolves_to_ref and belongs_to_ref to resolves_to_refs and belongs_to_refs (respectively) to allow for one-to-many relationships in these cases

 

We welcome your feedback on these changes (and anything else in the current specs).

 

Regards,

Ivan
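
The string-or-object typing described in the message, shown from the consumer's side as an added example that is not part of the original message or of the CybOX specs. The message does not give the layout of the String with Encoding Type, so the keys `value` and `encoding`, the `name` and `type` properties, and all sample values are assumptions constructed for illustration.

```python
# Assumption: the message does not show the layout of the "String with
# Encoding Type", so the keys "value" and "encoding" are hypothetical.
ENCODED_KEYS = {"value", "encoding"}


def normalize_string(prop):
    """Return (text, observed_encoding) for a string-or-object property."""
    if isinstance(prop, str):
        return prop, None
    if isinstance(prop, dict):
        if set(prop) != ENCODED_KEYS:
            raise ValueError(f"unexpected keys: {sorted(prop)}")
        value, encoding = prop["value"], prop["encoding"]
        if not isinstance(value, str) or not isinstance(encoding, str):
            raise ValueError("value and encoding must both be strings")
        return value, encoding
    # Lists, numbers, null: reject instead of calling str() on them, which
    # would turn malformed input into a plausible-looking string.
    raise TypeError(f"expected string or object, got {type(prop).__name__}")


def normalize_object(obj, string_fields):
    """Copy obj with the listed fields flattened to text; encodings kept aside."""
    out, encodings = dict(obj), {}
    for field in string_fields:
        if field in obj:
            out[field], enc = normalize_string(obj[field])
            if enc is not None:
                encodings[field] = enc
    return out, encodings


# Constructed sample. "type" and "name" are hypothetical properties;
# mime_type and magic_number are named in the message, their values are made up.
SAMPLE_FILE = {
    "type": "file",
    "name": {"value": "quarterly_report.doc", "encoding": "windows-1252"},
    "mime_type": "application/msword",
    "magic_number": "d0cf11e0",
}

if __name__ == "__main__":
    flat, encs = normalize_object(SAMPLE_FILE, ["name", "mime_type"])
    print(flat["name"], encs)
```

Normalizing once at ingest means later comparisons and matching always operate on plain strings, while the observed encoding is preserved separately.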


