[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti] CybOX Datatype Refactoring/Deprecation
If we’re talking about obfuscation/encryption at the Object level, relationships would work quite well, and your example below is a great illustration of that. However, our discussion here is centered around the obfuscation/defanging of individual Object properties
(as permitted by the properties found in the BaseObjectPropertyType), such as the name of a particular file, or the value of a URL. While this could be accomplished via relationships, it wound entail assigning an ID to each Object field, which wouldn’t really
make the field structure any simpler and would instead introduce another layer of relationships that would have to parsed.
Regards,
Ivan
From: Terry MacDonald <terry@soltra.com>
Date: Tuesday, February 9, 2016 at 4:49 PM To: Ivan Kirillov <ikirillov@mitre.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> Subject: RE: [cti] CybOX Datatype Refactoring/Deprecation What about using the relationships to handle the levels of obfuscation? That would allow description of obfuscated and encrypted objects within other obfuscated
objects. In other words to describe a PDF containing obfuscated _javascript_ that decodes and extracts a windows executable from within the PDF we could do something
like this: https://docs.google.com/drawings/d/1ozVBXQcFWja5yMAKDRfqkKz_1KfDZwZoVf5IyO7ElRg/pub?w=667&h=560 Would that sort of thing work? BTW the relationship thing seems pretty darn powerful when used like this…. Cheers Terry MacDonald Senior STIX Subject Matter Expert SOLTRA | An FS-ISAC and DTCC Company +61 (407) 203 206 |
terry@soltra.com From:
cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org]
On Behalf Of Kirillov, Ivan A. >> As much as I would like fields to just be the value, I agree that we probably need this layer of indirection to support these extra properties. I was also hoping for Observations/Objects to just hold the value, but some of these fields do seem to be necessary. I think the only other way to do this
would be via relationships, but then you’d have to assign an ID to each field, and that would just get messy quickly without any real benefit. >> We’ll need to decide what that means for patterning, if anything, by the way. Yup, agreed. My initial thinking is that these properties don’t (or shouldn’t) have any significance for patterning. >>Given that we’re talking about actual observations here (instances), is “appears_random” appropriate? That seems to be a statement about a pattern of behavior
over several observations rather than a single observation. I’ve wondered the same – this does seem to be an assertion that one wouldn’t typically make based on a single data point. Also, it seems like you’d want to
be able to specify some level of confidence and perhaps other properties with this as well, so I’m also wondering if this belongs here or perhaps in some separate structure (which could also be used for related observations such as entropy, etc.)? >>Can we combine the “obfuscation” fields into some single “obfuscation_algorithm”, representing a URI or something? Then if the field is there, it’s obfuscated
using that. If it’s not, then it’s not obfuscated. Yeah, that makes good sense to me. I think having the “is_defanged” boolean isn’t strictly necessary, as you can infer that something is obfuscated if the
corresponding “obfuscation_algorithm” field is populated. Having a URI in there seems reasonable. >> Given that we’re now talking about machine-to-machine transmissions, is defanging still important? Can’t the raw data be exchanged as it is and then let
tools to present it to users defanged however they want? It seems weird to me to transmit it defanged if it’s M2M (vs. a PDF that people might accidentally click). I had the same question when we were first implementing defanging/fanging; it does seem like something that should be done at the data ingest/GUI layer rather
than at the data specification layer. It’s definitely odd to support it if there is no expectation that humans will actually look at the data. >> If we do need to include it, can we similarly collapse these attributes into one “defanging_algorithm” URI? They seem very redundant right now. I’m also onboard with this. So we’d get something like:
Regards, Ivan From:
<cti@lists.oasis-open.org> on behalf of John Wunder <jwunder@mitre.org> As much as I would like fields to just be the value, I agree that we probably need this layer of indirection to support these extra properties. We’ll need
to decide what that means for patterning, if anything, by the way. On the attributes you listed, I just have a few questions:
John From:
<cti@lists.oasis-open.org> on behalf of Ivan Kirillov <ikirillov@mitre.org> Sending this to the broader CTI since it’s part of the STIX/CybOX Indicator tranche. Given that we’ll be splitting out embedded patterning from CybOX, there are changes that we need to make to the base datatypes used currently for specifying
properties in CybOX Objects. At a high level, this involves the following:
More details on these proposed changes can be found here: https://github.com/CybOXProject/schemas/issues/416#issuecomment-181916815 Accordingly, this would result in CybOX instance content that looks like the following; each property is an Object (so that it can specify metadata about refanging/defanging/etc)
and thus the “value” field MUST be included in every property to capture its actual value. {
"size": {"value": 23134}, "file-system-properties" : {"file_name": {"value":"test.dll", "observed_encoding":"utf-8"}} }
Some open questions:
Regards, Ivan |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]