I agree with both of you – compromised x509 certs have been used in various malicious activities (e.g., to digitally sign malware), so the characterization and sharing of this information is a valid use case.
Regards,
Ivan
From: Sean Barnum <sbarnum@mitre.org>
Date: Tuesday, February 23, 2016 at 1:25 PM
To: Patrick Maroney <Pmaroney@Specere.org>, Ivan Kirillov <ikirillov@mitre.org>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] CybOX Object Selection
Date: Tuesday, February 23, 2016 at 1:25 PM
To: Patrick Maroney <Pmaroney@Specere.org>, Ivan Kirillov <ikirillov@mitre.org>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] CybOX Object Selection
I am pretty sure that this specifically was one of DHS targeted use cases in their published intelligence products as well.
I recall one of the sharing communities (don’t recall which one specifically) also bringing up the use case of characterizing compromised X509 certs in Indicators and then wanting to characterize revoking/blocking certs from certain compromised authorities
as structured COAs.
sean
From: <cti-cybox@lists.oasis-open.org> on behalf of Patrick Maroney <Pmaroney@Specere.org>
Date: Tuesday, February 23, 2016 at 3:17 PM
To: Steve Cell <ikirillov@mitre.org>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] CybOX Object Selection
Date: Tuesday, February 23, 2016 at 3:17 PM
To: Steve Cell <ikirillov@mitre.org>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] CybOX Object Selection
Ivan,
Not clear from your comment that this use case is fully represented. The capture and conveyance of malicious/subverted/compromised X509 Certificates is unfortunately a common Use Case/Scenario. Therefore should be part of what we can represent.
Patrick Maroney
Office: (856)983-0001
Cell: (609)841-5104
President
Integrated Networking Technologies, Inc.
PO Box 569
Marlton, NJ 08053
From: <cti-cybox@lists.oasis-open.org> on behalf of Ivan Kirillov <ikirillov@mitre.org>
Date: Tuesday, February 23, 2016 at 1:13 PM
To: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] CybOX Object Selection
Date: Tuesday, February 23, 2016 at 1:13 PM
To: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] CybOX Object Selection
- X509 Certificate:
- Comments: this Object is used only in a CybOX utility, though its structure is well understood and there are some relevant use cases around it such as digital binary signing. Therefore, I would err on the side of including it.