Subject: RE: [cti-cybox] CybOX Objects/Relationships
Hi!

If there is one thing I could suggest, it would be to see how this would look under JSON, as I am interested to see how all of the relationships are linked together in the format. I think seeing the use case expressed in JSON might help people understand what is trying to be achieved for this use case, as well as being a thought provoker for more questions. I would be more than happy to see it represented in JSON. In fact, I would love for somebody to do it that has a really good understanding of the new binding. If you need other examples where I have used relationships, I am more than happy to send them through.

Regards,
Dean

From: Kirillov, Ivan A. [mailto:ikirillov@mitre.org]
Great example – thanks Dean! It will be interesting to mock this up in JSON, based on our current approach for CybOX 3.0.

Regards,
Ivan

From: "Thompson, Dean" <Dean.Thompson@anz.com>

Hi!

Personally I think there is a real need to have relationships in CybOX. Here is a real use case that I am using on a daily basis. I have analysts that detect drive-by infections all the time. The behaviour that we see observed is as follows:

Initial Site:
hxxp://crossfithpu.com:47211/2015/08/22/crim-2015-results (173.254.28.110)

Which redirects to the following:
hxxp://user.infernomushroomee.com/boards/viewtopic.php?t=6g59&f=0u71921ph7.uu950& (108.61.103.67)

and then to:
hxxp://user.infernomushroomee.com/bar.phtml?effort=&paper=3vhRLJqt&after=&occur=zu5&interact=&law=sAt9ZFRCENN1SC0l4yUJenHmbum-HMz-Y-D_0 H (108.61.103.67)

As a result, I express this relationship within my CybOX objects, as I think it is important that the relationship is expressed and shown so that someone can see the complete chain rather than discrete observables:

    <cybox:Observable id="ANZ:Observable-b6719fc4-4d46-11e5-82bb-956cedbc72a0">
      <cybox:Title>Compromised IP: '173.254.28.110' redirecting to Angler malware</cybox:Title>
      <cybox:Description>IP: '173.254.28.110' is redirecting to an Angler malware drop site.</cybox:Description>
      <cybox:Keywords>
        <cybox:Keyword>Initial Site: 173.254.28.110</cybox:Keyword>
        <cybox:Keyword>Initial URL: http://crossfithpu.com:47211/2015/08/22/crim-2015-results</cybox:Keyword>
        <cybox:Keyword>Initial Angler Landing Page IP: 108.61.103.67</cybox:Keyword>
        <cybox:Keyword>Initial Angler Landing URL: user.infernomushroomee.com</cybox:Keyword>
        <cybox:Keyword>Malware: Angler EK</cybox:Keyword>
        <cybox:Keyword>Confidence Level: High</cybox:Keyword>
        <cybox:Keyword>Earliest Observed Time: 2015-08-18T10:09:00+10:00</cybox:Keyword>
      </cybox:Keywords>
      […]
      <cybox:Object id="ANZ:IPAddressObject-b6719fc4-4d46-11e5-82bb-956cedbc72a0">
        <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
          <AddressObj:Address_Value>173.254.28.110</AddressObj:Address_Value>
        </cybox:Properties>
        <cybox:Related_Objects>
          <cybox:Related_Object idref="ANZ:Observable-b66bb686-4d46-11e5-8158-956cedbc72a0">
            <cybox:Relationship xsi:type="cyboxVocabs:ObjectRelationshipVocab-1.1">Resolved_To</cybox:Relationship>
          </cybox:Related_Object>
          <cybox:Related_Object idref="ANZ:Observable-b6776f3a-4d46-11e5-81b8-956cedbc72a0">
            <cybox:Relationship xsi:type="cyboxVocabs:ObjectRelationshipVocab-1.1">Resolved_To</cybox:Relationship>
          </cybox:Related_Object>
        </cybox:Related_Objects>
      </cybox:Object>
      […]

    <cybox:Observable id="ANZ:Observable-b66bb686-4d46-11e5-8158-956cedbc72a0">
      <cybox:Title>Domain: 'crossfithpu.com' redirecting to Angler malware</cybox:Title>
      <cybox:Description>Domain: 'crossfithpu.com' is redirecting users to Angler malware.</cybox:Description>
      <cybox:Keywords>
        <cybox:Keyword>Initial Site: 173.254.28.110</cybox:Keyword>
        <cybox:Keyword>Initial URL: http://crossfithpu.com:47211/2015/08/22/crim-2015-results</cybox:Keyword>
        <cybox:Keyword>Initial Angler Landing Page IP: 108.61.103.67</cybox:Keyword>
        <cybox:Keyword>Initial Angler Landing URL: user.infernomushroomee.com</cybox:Keyword>
        <cybox:Keyword>Malware: Angler EK</cybox:Keyword>
        <cybox:Keyword>Confidence Level: High</cybox:Keyword>
        <cybox:Keyword>Earliest Observed Time: 2015-08-18T10:09:00+10:00</cybox:Keyword>
      </cybox:Keywords>
      […]
      <cybox:Object id="ANZ:DomainRecordObject-b66bb686-4d46-11e5-8158-956cedbc72a0">
        <cybox:Properties type="Domain Name" xsi:type="URIObj:URIObjectType">
          <URIObj:Value condition="Equals">crossfithpu.com</URIObj:Value>
        </cybox:Properties>
        <cybox:Related_Objects>
          <cybox:Related_Object idref="ANZ:Observable-b6719fc4-4d46-11e5-82bb-956cedbc72a0">
            <cybox:Relationship xsi:type="cyboxVocabs:ObjectRelationshipVocab-1.1">Resolved_To</cybox:Relationship>
          </cybox:Related_Object>
          <cybox:Related_Object idref="ANZ:Observable-b68dfcf8-4d46-11e5-8233-956cedbc72a0">
            <cybox:Relationship xsi:type="cyboxVocabs:ObjectRelationshipVocab-1.1">Redirects_To</cybox:Relationship>
          </cybox:Related_Object>
          <cybox:Related_Object idref="ANZ:Observable-b6776f3a-4d46-11e5-81b8-956cedbc72a0">
            <cybox:Relationship xsi:type="cyboxVocabs:ObjectRelationshipVocab-1.1">Resolved_To</cybox:Relationship>
          </cybox:Related_Object>
        </cybox:Related_Objects>
      </cybox:Object>

And so forth. For me it is important that these relationships are maintained because I think it tells the 'complete' story of what is going on here. I have other examples
where I link file attachments to emails, which then go on to spawn malicious network connections which are linked to domains and IP addresses and so forth. Personally, I see a place for relationships in CybOX objects with a use case like this.

Regards,
Dean

This e-mail and any attachments to it (the "Communication") is, unless otherwise stated, confidential, may contain copyright material and is for the use only of the intended recipient. If you receive the Communication in error, please notify the sender immediately by return e-mail, delete the Communication and the return e-mail, and do not read, copy, retransmit or otherwise deal with it. Any views expressed in the Communication are those of the individual sender only, unless expressly stated to be those of Australia and New Zealand Banking Group Limited ABN 11 005 357 522, or any of its related entities including ANZ Bank New Zealand Limited (together "ANZ"). ANZ does not accept liability in connection with the integrity of or errors in the Communication, computer virus, data corruption, interference or delay arising from or in respect of the Communication.
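The "complete story" Dean describes lives only in the Related_Objects links, so here is an added example (not code from the thread or from the CybOX project) that indexes a CybOX 2.x Observables bundle, walks a single relationship type from a starting Observable, and lists idrefs that point at Observables the bundle does not contain (where the chain would otherwise be silently cut). The bundle, ids, domains and addresses are constructed placeholders, and the namespace URIs are assumed to be the CybOX 2.x ones.

```python
import xml.etree.ElementTree as ET
NS = {"cybox": "http://cybox.mitre.org/cybox-2"}  # CybOX 2.x core namespace (assumed)

# Constructed bundle modelled on the thread's fragment; ids, domains and addresses are placeholders.
SAMPLE = """<cybox:Observables xmlns:cybox="http://cybox.mitre.org/cybox-2"
 xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
 xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
 xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <cybox:Observable id="EX:Observable-ip-1"><cybox:Object id="EX:IPAddressObject-1">
  <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr"><AddressObj:Address_Value>192.0.2.10</AddressObj:Address_Value></cybox:Properties>
  <cybox:Related_Objects><cybox:Related_Object idref="EX:Observable-dom-1"><cybox:Relationship xsi:type="cyboxVocabs:ObjectRelationshipVocab-1.1">Resolved_To</cybox:Relationship></cybox:Related_Object></cybox:Related_Objects>
 </cybox:Object></cybox:Observable>
 <cybox:Observable id="EX:Observable-dom-1"><cybox:Object id="EX:DomainRecordObject-1">
  <cybox:Properties type="Domain Name" xsi:type="URIObj:URIObjectType"><URIObj:Value condition="Equals">initial-site.example</URIObj:Value></cybox:Properties>
  <cybox:Related_Objects><cybox:Related_Object idref="EX:Observable-ip-1"><cybox:Relationship xsi:type="cyboxVocabs:ObjectRelationshipVocab-1.1">Resolved_To</cybox:Relationship></cybox:Related_Object>
  <cybox:Related_Object idref="EX:Observable-dom-2"><cybox:Relationship xsi:type="cyboxVocabs:ObjectRelationshipVocab-1.1">Redirects_To</cybox:Relationship></cybox:Related_Object></cybox:Related_Objects>
 </cybox:Object></cybox:Observable>
 <cybox:Observable id="EX:Observable-dom-2"><cybox:Object id="EX:DomainRecordObject-2">
  <cybox:Properties type="Domain Name" xsi:type="URIObj:URIObjectType"><URIObj:Value condition="Equals">landing-page.example</URIObj:Value></cybox:Properties>
  <cybox:Related_Objects><cybox:Related_Object idref="EX:Observable-ip-2"><cybox:Relationship xsi:type="cyboxVocabs:ObjectRelationshipVocab-1.1">Resolved_To</cybox:Relationship></cybox:Related_Object></cybox:Related_Objects>
 </cybox:Object></cybox:Observable>
</cybox:Observables>"""

def load_bundle(xml_text):
    """Index each Observable's property value and collect its Related_Object links."""
    values, edges = {}, []
    for obs in ET.fromstring(xml_text).iter("{%s}Observable" % NS["cybox"]):
        oid = obs.get("id")
        for obj in obs.findall("cybox:Object", NS):
            props = obj.find("cybox:Properties", NS)
            # first non-blank text under Properties: Address_Value, URIObj:Value, ...
            values[oid] = next((e.text.strip() for e in props.iter() if e.text and e.text.strip()), "?")
            for ro in obj.findall("cybox:Related_Objects/cybox:Related_Object", NS):
                edges.append((oid, ro.get("idref"), ro.findtext("cybox:Relationship", namespaces=NS)))
    return values, edges

def follow(values, edges, start, relationship="Redirects_To"):
    """Walk one relationship type from start; ids already in the chain are skipped, which stops the mutual Resolved_To cycle between an IP and its domain."""
    chain, cur = [start], start
    while True:
        nxt = [d for s, d, r in edges if s == cur and r == relationship and d not in chain]
        if not nxt:
            return [values.get(o, o) for o in chain]  # unknown ids stay as raw idrefs
        cur = nxt[0]
        chain.append(cur)

def dangling_refs(values, edges):
    """idrefs pointing at Observables absent from the bundle: the story is cut there."""
    return sorted({d for _, d, _ in edges if d not in values})
```

In the constructed bundle the landing domain's Resolved_To target is deliberately missing, so `dangling_refs` reports it; running the same check over a real export catches the elided Observables a fragment like the one above would leave unresolved.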