1) definitely feel this should be flexible and not a filename.
2) exploits is clearer but I do have some minor worry that it conveys an impression that the malware always successfully exploits the vuln where reality in many cases is that malware may target a vuln for exploitation but its success
may depend on many other factors within the targeted environment. Not a huge worry but something to consider.
From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Kirillov, Ivan A. <ikirillov@mitre.org>
Sent: Friday, October 27, 2017 12:43:32 PM
To: cti-stix@lists.oasis-open.org
Subject: [cti-stix] Malware SDO Remaining Open Questions
All,
As we mentioned on the TC call, there are a few small open questions remaining on the updated Malware SDO [1]:
- Regarding the
name property, should this property always capture the filename for a malware instance? Or should we leave this flexible so that you can capture more semantic (e.g., family-derived) names such as “Zeus.A”?
- Regarding the existing “targets” relationship in STIX 2.0 from Malware to Vulnerability, we’ve suggested updating this to a new “exploits” relationship (i.e., Malware -> exploits
-> Vulnerability) for semantic clarity. This would be a breaking change, but our thinking is that there would be far less confusion as to what this means.
My own thoughts:
- I feel like
name should be flexible – we already have the samples property for capturing the information about the binaries associated with the malware, including their filenames.
- “Exploits” is much clearer and preferable than “targets” with regards to vulnerabilities (I’ve never seen any malware reporting which states that malware “targets” a vulnerability)
so it’s worth making a breaking change for this.
[1]
https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.73mue8q00k8
Regards,
Ivan
This email and any attachments thereto may contain private, confidential, and/or privileged material for the sole use of the intended recipient. Any review, copying, or distribution of this email (or any attachments thereto) by others is strictly prohibited.
If you are not the intended recipient, please contact the sender immediately and permanently delete the original and any copies of this email and any attachments thereto.
|