cti-stix message
Subject: Re: [cti-stix] Re: [EXT] Re: [cti-stix] Possible solution to conundrum of how to do patterns for Infrastructure and Malware
- From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- To: Bret Jordan <Bret_Jordan@symantec.com>
- Date: Thu, 25 May 2017 13:14:58 -0300
I would not say that it references things "in ways never intended"...

I am also not sure what having observables as TLOs gains you. I think it would make things quite messy actually and not contribute to solving this problem...

RE "would just like to see the pattern shown with trying to reference sub elements of a cyber observable container that is based on their number dictionary vs a type"... this is built into patterning and we have many examples of this in the patterning spec. That is the "[*]" part of the pattern I have below, it is saying "the hashes property of any of the cyber observable objects". If you wanted a specific one (rare I suspect....) you would put the number in there.
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security
Without data, all you are is just another person with an opinion - Unknown
From: Bret Jordan <Bret_Jordan@symantec.com>
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "Paul Patrick" <Paul.Patrick@FireEye.com>
Date: 05/25/2017 12:18 PM
Subject: Re: [cti-stix] Re: [EXT] Re: [cti-stix] Possible solution to conundrum of how to do patterns for Infrastructure and Malware
Sent by: <cti-stix@lists.oasis-open.org>
There is not any confusion. But looking at this proposal, which is a good one, it might make sense if we made all objects TLOs. It might make things easier. We have heard rumblings about this several times in the past. I am just wanting to make sure we have got this right and that our design works for all the use cases that we need. It would be much easier to fix it now, if we in fact need to do so, than try and do it in 12 months.

Your proposal references objects in ways that we never intended. But I think it makes sense. I would just like to see the pattern shown with trying to reference sub elements of a cyber observable container that is based on their number dictionary vs a type. It might make this really hard. But by promoting every object to be a TLO, it might make this a lot easier.
Bret
From: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Sent: Thursday, May 25, 2017 9:04:34 AM
To: Bret Jordan
Cc: cti-stix@lists.oasis-open.org; Paul Patrick
Subject: Re: [cti-stix] Re: [EXT] Re: [cti-stix] Possible solution to conundrum of how to do patterns for Infrastructure and Malware
I think there is confusion in this thread.

My proposal was not to make Cyber Observable TLOs. My proposal was to simply allow TLOs to be referenced in indicators by reference using some kind of new namespace such as "stix" or some other identifier. There is no need to make observables TLOs in this proposal.
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security
Without data, all you are is just another person with an opinion - Unknown
From: Bret Jordan <Bret_Jordan@symantec.com>
To: Paul Patrick <Paul.Patrick@FireEye.com>, Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 05/25/2017 11:41 AM
Subject: Re: [cti-stix] Re: [EXT] Re: [cti-stix] Possible solution to conundrum of how to do patterns for Infrastructure and Malware
Sent by: <cti-stix@lists.oasis-open.org>
We should really look at this Paul, and see how this could work. We merged the former CybOX into STIX, but now, maybe we need to go the rest of the way. Maybe there should just be "STIX" objects. Personally, looking at where we need to go, and based on what needs to happen with Malware and Infrastructure, it might make the most sense.
Bret
From: Paul Patrick <Paul.Patrick@FireEye.com>
Sent: Thursday, May 25, 2017 8:31:25 AM
To: Bret Jordan; Jason Keirstead
Cc: cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Re: [EXT] Re: [cti-stix] Possible solution to conundrum of how to do patterns for Infrastructure and Malware
+1 for making Cyber Observables TLOs. It would solve a number of problems.
From: <cti-stix@lists.oasis-open.org> on behalf of Bret Jordan
<Bret_Jordan@symantec.com>
Date: Thursday, May 25, 2017 at 10:06 AM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: [cti-stix] Re: [EXT] Re: [cti-stix] Possible solution to conundrum of how to do patterns for Infrastructure and Malware
Jason,
I think this might be a good approach. Thanks for thinking through the problem. We will just need to make sure the patterning grammar like this can reference sub elements of an object or the entire one. This may also cause us to re-think the way the cyber observable container is formed (maybe it would have been better if each cyber observable object was actually just a top-level STIX object).

I would like to model this design out with say Malware that has 27 known versions (hashes) where each instance say has 2 different filenames. While maybe not completely "real-world", it should help verify the design. I would also like to see about modeling this with say an Infrastructure object that has 1000 IPs in it. So a pattern that references the entire list of 1000 IPs and a pattern that only references 3 non-contiguous IPs from the list.
Bret
From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org>
on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Sent: Thursday, May 25, 2017 5:25:35 AM
To: Jason Keirstead
Cc: cti-stix@lists.oasis-open.org
Subject: [EXT] Re: [cti-stix] Possible solution to conundrum of how to do patterns for Infrastructure and Malware
Sorry I wrote that pattern before I had coffee.. it makes no sense. This is what the pattern would be with my proposal.... you are looking for the hash contained inside a specific object...

[file:hashes."SHA-256" = stix-object:malware-12345-aaaaa-bbbbb-ccccc.sample_metadata[*].hashes."SHA-256"]
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security
Without data, all you are is just another person with an opinion - Unknown
From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
To: cti-stix@lists.oasis-open.org
Date: 05/25/2017 08:22 AM
Subject: [cti-stix] Possible solution to conundrum of how to do patterns for Infrastructure and Malware
Sent by: <cti-stix@lists.oasis-open.org>
Yesterday a major discussion at the face-to-face was around trying to work out the end to end workflow by which the indicators come out of the malware. Myself (and it seems several others as well) are concerned that if malware sandboxes automatically start sharing tons of "malware" objects via TAXII, or sensors start producing "infrastructure" objects linked to observations, then software vendors are just going to code their implementations to look for those things directly... indicators will never "show up" because either there is no one to make them, and/or people don't want to do things twice (they don't want to make an Infrastructure object with observations *and* maintain a pattern for those observations and constantly update them both and keep them in sync as they mature - it is going to be a large headache.

Folks seem to be having this implicit assumption that either (a) humans will make and maintain all of these indicators from the tool output "just because", or (b) vendors will change their tools to output indicators because someone (?) is asking for the indicators. This to me flies in the face of the fact that the market is lazy and always seeks the shortest path to success; if that path is to just write code to directly search and alert on malware and infrastructure observations, then that is what is going to happen.... after all, the vast majority of what people share on threat intel feeds are pointers to malware or infrastructure.

The danger is that indicators become not very useful and we end up with somewhat crippled STIX implementations everywhere since no one can look for anything complicated, because they can't use patterns... we end up with STIX 1.X.
I have been thinking about this problem last night and am wondering if a possible solution is to add an operator to allow patterns to somehow reference STIX objects directly.

I.e. you would have something like

[stix-object:malware-12345-aaaaa-bbbbb-ccccc.sample_metadata[*].hashes."SHA-256" = 'aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f']

This pattern would mean "you want to look for the hashes defined in this specific STIX object".

If we had this, then I think it is an answer to what I think is an obvious problem. This way the actual definition of the object is what is referred to in the indicator. It also makes it much easier to create patterns from malware and infrastructure, and also eliminates the problem of having to constantly sync patterns with these objects.
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security
Without data, all you are is just another person with an opinion - Unknown
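The "stix-object:" reference proposed in this thread is not part of STIX 2.x patterning, so the Python below is an added illustration (not from the thread or any OASIS project) of how a consumer could expand such a reference against a locally held object into a plain STIX comparison pattern: the "[*]" form from Jason's pattern, a single index, and the "3 non-contiguous IPs" case Bret asks for, via a comma-separated index list. The reference grammar, the Malware "sample_metadata" list, the Infrastructure "addresses" list and all sample values except the thread's SHA-256 are assumptions constructed for the example.

```python
import re
from typing import Any

# Constructed sample objects. "sample_metadata" is the hypothetical Malware property from
# the thread, "addresses" a hypothetical Infrastructure IP list; the first hash is the one
# quoted in the thread, the others are constructed placeholders.
STORE: dict[str, dict[str, Any]] = {
    "malware-12345-aaaaa-bbbbb-ccccc": {
        "type": "malware",
        "sample_metadata": [
            {"hashes": {"SHA-256": "aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f"}},
            {"hashes": {"SHA-256": "1111111111111111111111111111111111111111111111111111111111111111"}},
            {"hashes": {"SHA-256": "2222222222222222222222222222222222222222222222222222222222222222"}},
        ],
    },
    "infrastructure-67890-ddddd": {
        "type": "infrastructure",
        "addresses": [{"value": f"203.0.113.{i}"} for i in range(1, 6)],  # 203.0.113.1 .. .5
    },
}

# Assumed grammar: stix-object:<id>.<list-property>[<sel>].<leaf-path>, where <sel> is
# "*" (every element), one index, or a comma-separated index list (non-contiguous picks).
REF_RE = re.compile(
    r"^stix-object:(?P<oid>[\w-]+)\.(?P<lst>\w+)\[(?P<sel>\*|\d+(?:,\d+)*)\]\.(?P<leaf>.+)$"
)
KEY_RE = re.compile(r'"([^"]+)"|([^.]+)')  # leaf keys may be quoted, e.g. hashes."SHA-256"


def resolve_reference(ref: str, store: dict[str, dict[str, Any]]) -> list[str]:
    """Return the leaf values the reference selects, in object order, without duplicates."""
    m = REF_RE.match(ref)
    if not m:
        raise ValueError(f"not a stix-object reference: {ref}")
    items = store[m["oid"]][m["lst"]]
    idx = range(len(items)) if m["sel"] == "*" else [int(i) for i in m["sel"].split(",")]
    keys = [quoted or bare for quoted, bare in KEY_RE.findall(m["leaf"])]
    values: list[str] = []
    for i in idx:
        node: Any = items[i]
        for key in keys:  # walk the dotted leaf path inside the selected list element
            node = node[key]
        if node not in values:
            values.append(node)
    return values


def expand_pattern(pattern: str, store: dict[str, dict[str, Any]]) -> str:
    """Rewrite "[lhs = stix-object:...]" into an OR of concrete comparison expressions."""
    lhs, ref = (part.strip() for part in pattern.strip()[1:-1].split("=", 1))
    values = resolve_reference(ref, store)
    if not values:  # an empty OR would match nothing; refuse rather than emit a dead pattern
        raise ValueError(f"reference selected no values: {ref}")
    return "[" + " OR ".join(f"{lhs} = '{v}'" for v in values) + "]"
```

Because the expansion happens at consumption time, the indicator keeps pointing at the Malware or Infrastructure object and picks up new hashes or IPs whenever that object is updated, which is the sync problem the proposal is meant to remove.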