

Subject: Re: [cti-stix] Vulnerability object added


Yeah good point…I pulled the definition from CVE because that’s primarily what we were referencing but it probably does make sense to use the NIST definition instead.

Thanks!
John

On 7/14/16, 2:24 PM, "Jerome Athias" <athiasjerome@gmail.com> wrote:

Hi,

I suggest reusing standardized definitions for CTI.
(they could be tweaked a bit for highlighting/explaining the
relationships between the CTI objects using the CTI objects' names)

For example:

vulnerability
Weakness in an information system, system security procedures,
internal controls, or implementation that could be exploited by a
threat source.
Source: NIST SP 800-30 Rev 1
CNSSI 4009 revised April 6, 2015

if considered too generic - another example
A vulnerability is a software weakness that can be exploited by an
attacker. Bugs and flaws collectively form the basis of most software
vulnerabilities.
https://buildsecurityin.us-cert.gov/articles/knowledge/attack-patterns/attack-pattern-glossary

(I hate definitions of "hacker" other than RFC1392)


PS: probably "too early" to discuss that, but I will be interested, at
some point, in discussing the relationships with, or mechanisms for
leveraging, CybOX objects in the description of Vulnerability (with an
extended/better model than the CVE one), allowing, for example, the
automation, or semi-automation of the COAs, especially in the context
of web application software, where, for example, the Vulnerability
model would have to offer information related to URIs/URLs and
parameters (a little bit more than a CWE, and not a CPE). CVE+X ((for
OVALX)) anyone?




On Thu, Jul 14, 2016 at 4:54 PM, Wunder, John A. <jwunder@mitre.org> wrote:
> Sorry, should have given a link to the object. It’s in the STIX 2.0-Objects
> document, here:
> https://docs.google.com/document/d/1F1c05GgYaJFV1Z04B8c_T3vEE-LRQTPExF24LvOQAsk/edit#heading=h.q5ytzmajn6re
>
>
>
> John
>
>
>
> From: <cti-stix@lists.oasis-open.org> on behalf of "Wunder, John A."
> <jwunder@mitre.org>
> Date: Thursday, July 14, 2016 at 8:11 AM
> To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
> Subject: [cti-stix] Vulnerability object added
>
>
>
> All,
>
>
>
> As discussed on the call on Tuesday, it seemed like people were looking for
> a Vulnerability object so that they could say malware/actors/campaigns
> target particular vulnerabilities.
>
>
>
> Way back when we were first working on 2.0 we had a definition in there that
> I updated and moved over. Primarily, it would be used to capture external
> references to CVE and other vulnerability identifiers, as Jason had
> suggested. It also has a name and description in case there’s no CVE or
> other reference assigned yet or you want to duplicate them into the object
> directly. I also added the relationships it would conceivably need.
>
>
>
> Can you please review it to see if it captures what you need it to?
>
>
>
> Thanks,
>
> John
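
The object described in the original message above, sketched as an added example that is not part of the thread or of the STIX draft it links to. The field names (`external_references`, `source_name`, `external_id`, `relationship_type`, `source_ref`, `target_ref`) and the required `name` are assumed from the later published STIX 2.x JSON serialization; the CVE and malware identifiers are constructed placeholders.

```python
import re
import uuid
from datetime import datetime, timezone

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
# Object types the thread says should be able to target a vulnerability.
TARGETING_TYPES = {"malware", "threat-actor", "campaign"}


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_vulnerability(name, description=None, cve_id=None):
    """Build a Vulnerability object. The CVE reference is optional because
    the thread allows for a vulnerability with no CVE assigned yet."""
    if not name:
        raise ValueError("name is required (assumption from published STIX 2.x)")
    ts = _now()
    obj = {"type": "vulnerability", "id": f"vulnerability--{uuid.uuid4()}",
           "created": ts, "modified": ts, "name": name}
    if description:
        obj["description"] = description
    if cve_id is not None:
        if not CVE_RE.match(cve_id):
            raise ValueError(f"not a CVE identifier: {cve_id!r}")
        obj["external_references"] = [{"source_name": "cve", "external_id": cve_id}]
    return obj


def make_targets(source_id, vulnerability):
    """Link a malware/threat-actor/campaign id to a vulnerability via 'targets'."""
    source_type = source_id.split("--", 1)[0]
    if source_type not in TARGETING_TYPES:
        raise ValueError(f"{source_type!r} is not a targeting type in this sketch")
    if vulnerability.get("type") != "vulnerability":
        raise ValueError("target must be a vulnerability object")
    ts = _now()
    return {"type": "relationship", "id": f"relationship--{uuid.uuid4()}",
            "created": ts, "modified": ts, "relationship_type": "targets",
            "source_ref": source_id, "target_ref": vulnerability["id"]}


if __name__ == "__main__":
    vuln = make_vulnerability("Constructed example flaw", cve_id="CVE-0000-0000")
    print(make_targets("malware--00000000-0000-4000-8000-000000000000", vuln))
```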



