I would have to agree with Alexandre: why couldn't we just add a severity/risk level of 0? I'm running into this exact same issue right now with malware analysis write-ups. Malware will drop or use ps.exe as part of its infection; this is technically part of the malware process, but the file itself is a legitimate Windows file.
Best Regards,
Nicholas Hayden, CISSP, GICSP, CNDA, CEH, Sec+
808 Winslow St, Redwood City, CA 94063
Phone: (650) 257-0867 | Twitter: @anomali
On 13/07/17 15:31, Jason Keirstead wrote:

Hello everyone;
A while back I submitted a proposal for a Classification object in the playground. This proposal can be found here: https://docs.google.com/document/d/1wiG6RoNEFaE2lrblfgjpu3RTAJZOK2q0b5OxXCaCV14/edit#heading=h.snfvxw2o7p1u
A key example of the reason we need this object is threat intelligence vendors. Feeds of threat intelligence data do not only contain "bad things"; they also contain "known good things". For example, if I go to a URL reputation site and put in www.amazon.com, it will have a low risk score. If I look up https://virustotal.com/en/file/1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455/analysis/ , it is a known-good file in VirusTotal and comes up as a "trusted source". Today, we have no way to denote this type of information in STIX. I have no way to reply to a TAXII query that a file hash is known good, or any way to encode known-good indicators that resulted from a sandbox destruction.
Brett Jordan added a few small comments, but in general I haven't seen much feedback in either direction.
I would like some folks to comment on the list what they think of this proposal for STIX 2.1 or 2.2 release.
Thanks,
- Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security
Without data, all you are is just another person with an opinion - Unknown
Hello Jason, we have a similar issue with STIX 2.x in general: being able to exchange things that are "not bad things", as you describe, is something that we have in MISP but cannot translate to STIX, so I'm definitely interested in where this is going. However, after a quick glance at the proposal I was curious about something: the risk_level has 3 options (low, medium, high); wouldn't a "no risk" option make sense?

Best regards,
--
Alexandre Dulaunoy
CIRCL - Computer Incident Response Center Luxembourg
41, avenue de la gare L-1611 Luxembourg
info@circl.lu - www.circl.lu - (+352) 247 88444

To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
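The point Alexandre and Nicholas raise (a three-valued low/medium/high scale cannot express "this hash is known good") can be shown with a small consumer-side model. This is an added example, not code from the thread, from OASIS, or from any STIX implementation: the `Classification` record, its `risk_level` values (including the hypothetical `none`), and the sample SHA-256 values are all constructed here to illustrate the proposal, not anything STIX 2.x defines.

```python
"""Added example: why a "no risk" level matters for a feed that carries both
malicious and known-good entries. The object shape and the `none` level are
assumptions modelled on the proposal's risk_level field, not STIX 2.x."""
from dataclasses import dataclass, replace
from typing import Iterable, Optional

# Ordered so levels can be compared. "none" is the hypothetical addition
# the thread asks for; the three-level scale is what the proposal has today.
FOUR_LEVELS = {"none": 0, "low": 1, "medium": 2, "high": 3}
THREE_LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Classification:
    """Hypothetical classification record keyed by a file's SHA-256."""
    sha256: str
    risk_level: str
    source: str


# Constructed sample feed. The hashes are placeholders, not real samples.
FEED = [
    Classification("a" * 64, "high", "sandbox: dropper binary"),
    Classification("b" * 64, "low", "url reputation: parked page"),
    # A legitimate, signed OS binary that a dropper copies alongside itself
    # (the ps.exe situation from the thread). Its risk is genuinely none.
    Classification("c" * 64, "none", "vendor allowlist: signed OS binary"),
]


def lookup(feed: Iterable[Classification], sha256: str) -> Optional[Classification]:
    """Return the first feed entry for this hash, or None if it is unknown."""
    for entry in feed:
        if entry.sha256 == sha256:
            return entry
    return None


def should_alert(feed: Iterable[Classification], sha256: str,
                 threshold: str = "low", levels=FOUR_LEVELS) -> bool:
    """Decide whether a sighting of this hash warrants an alert.

    An unknown hash alerts: nothing in the feed vouches for it. A known hash
    alerts only when its level reaches the configured threshold.
    """
    entry = lookup(feed, sha256)
    if entry is None:
        return True
    if entry.risk_level not in levels:
        raise ValueError(f"level {entry.risk_level!r} not expressible in this scale")
    return levels[entry.risk_level] >= levels[threshold]


def downgrade_to_three_levels(feed: Iterable[Classification]) -> list:
    """Re-encode a feed for a scale without "none".

    The closest a producer can get is "low", which is the lossy encoding the
    thread complains about: the allowlist entry now looks like a weak threat.
    """
    return [replace(e, risk_level="low") if e.risk_level == "none" else e
            for e in feed]


if __name__ == "__main__":
    signed_binary = "c" * 64
    print("four levels, allowlisted binary alerts:",
          should_alert(FEED, signed_binary))                     # False
    print("three levels, same binary alerts:",
          should_alert(downgrade_to_three_levels(FEED), signed_binary,
                       levels=THREE_LEVELS))                     # True
```

With the four-level scale the consumer can answer a lookup for the signed binary with "known good" and suppress the alert; once the feed is squeezed into low/medium/high, the same entry is indistinguishable from a low-confidence threat and fires at the default threshold.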