cti-cybox message



Subject: Re: [cti-cybox] CybOX Objects/Relationships


Shouldn't this be done in a higher level language?


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Apr 13, 2016, at 05:19, Thompson, Dean <Dean.Thompson@anz.com> wrote:

 
Hi!
 
Personally I think there is a real need to have relationships in CybOX.  Here is a real use case that I am using on a daily basis.  I have analysts that detect drive-by infections all the time.  The behaviour that we see observed is as follows:
 
 
Which redirects to the following:
 
 
and then to:
 
As a result, I express this relationship within my CybOX objects, as I think it is important that the relationship is expressed and shown so that someone can see the complete chain rather than discrete observables:
 
                <cybox:Observable id="ANZ:Observable-b6719fc4-4d46-11e5-82bb-956cedbc72a0">
                    <cybox:Title>Compromised IP: '173.254.28.110' redirecting to Angler malware</cybox:Title>
                    <cybox:Description>IP: '173.254.28.110' is redirecting to an Angler malware drop site.</cybox:Description>
                    <cybox:Keywords>
                        <cybox:Keyword>Initial Site: 173.254.28.110</cybox:Keyword>
                        <cybox:Keyword>Initial URL: http://crossfithpu.com:47211/2015/08/22/crim-2015-results</cybox:Keyword>
                        <cybox:Keyword>Initial Angler Landing Page IP: 108.61.103.67</cybox:Keyword>
                        <cybox:Keyword>Initial Angler Landing URL: user.infernomushroomee.com</cybox:Keyword>
                        <cybox:Keyword>Malware: Angler EK</cybox:Keyword>
                        <cybox:Keyword>Confidence Level: High</cybox:Keyword>
                        <cybox:Keyword>Earliest Observed Time: 2015-08-18T10:09:00+10:00</cybox:Keyword>
                    </cybox:Keywords>
[…]
 
                    <cybox:Object id="ANZ:IPAddressObject-b6719fc4-4d46-11e5-82bb-956cedbc72a0">
                        <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
                            <AddressObj:Address_Value>173.254.28.110</AddressObj:Address_Value>
                        </cybox:Properties>
                        <cybox:Related_Objects>
                            <cybox:Related_Object idref="ANZ:Observable-b66bb686-4d46-11e5-8158-956cedbc72a0">
                                <cybox:Relationship xsi:type="cyboxVocabs:ObjectRelationshipVocab-1.1">Resolved_To</cybox:Relationship>
                            </cybox:Related_Object>
                            <cybox:Related_Object idref="ANZ:Observable-b6776f3a-4d46-11e5-81b8-956cedbc72a0">
                                <cybox:Relationship xsi:type="cyboxVocabs:ObjectRelationshipVocab-1.1">Resolved_To</cybox:Relationship>
                            </cybox:Related_Object>
                        </cybox:Related_Objects>
                    </cybox:Object>
 
[…]
 
                <cybox:Observable id="ANZ:Observable-b66bb686-4d46-11e5-8158-956cedbc72a0">
                    <cybox:Title>Domain: 'crossfithpu.com' redirecting to Angler malware</cybox:Title>
                    <cybox:Description>Domain: 'crossfithpu.com' is redirecting users to Angler malware.</cybox:Description>
                    <cybox:Keywords>
                        <cybox:Keyword>Initial Site: 173.254.28.110</cybox:Keyword>
                        <cybox:Keyword>Initial URL: http://crossfithpu.com:47211/2015/08/22/crim-2015-results</cybox:Keyword>
                        <cybox:Keyword>Initial Angler Landing Page IP: 108.61.103.67</cybox:Keyword>
                        <cybox:Keyword>Initial Angler Landing URL: user.infernomushroomee.com</cybox:Keyword>
                        <cybox:Keyword>Malware: Angler EK</cybox:Keyword>
                        <cybox:Keyword>Confidence Level: High</cybox:Keyword>
                        <cybox:Keyword>Earliest Observed Time: 2015-08-18T10:09:00+10:00</cybox:Keyword>
                    </cybox:Keywords>
[…]
                    <cybox:Object id="ANZ:DomainRecordObject-b66bb686-4d46-11e5-8158-956cedbc72a0">
                        <cybox:Properties type="Domain Name" xsi:type="URIObj:URIObjectType">
                            <URIObj:Value condition="Equals">crossfithpu.com</URIObj:Value>
                        </cybox:Properties>
                        <cybox:Related_Objects>
                            <cybox:Related_Object idref="ANZ:Observable-b6719fc4-4d46-11e5-82bb-956cedbc72a0">
                                <cybox:Relationship xsi:type="cyboxVocabs:ObjectRelationshipVocab-1.1">Resolved_To</cybox:Relationship>
                            </cybox:Related_Object>
                            <cybox:Related_Object idref="ANZ:Observable-b68dfcf8-4d46-11e5-8233-956cedbc72a0">
                                <cybox:Relationship xsi:type="cyboxVocabs:ObjectRelationshipVocab-1.1">Redirects_To</cybox:Relationship>
                            </cybox:Related_Object>
                            <cybox:Related_Object idref="ANZ:Observable-b6776f3a-4d46-11e5-81b8-956cedbc72a0">
                                <cybox:Relationship xsi:type="cyboxVocabs:ObjectRelationshipVocab-1.1">Resolved_To</cybox:Relationship>
                            </cybox:Related_Object>
                        </cybox:Related_Objects>
                    </cybox:Object>
 
And so forth.
 
For me it is important that these relationships are maintained because I think it tells the ‘complete’ story of what is going on here.  I have other examples where I link file attachments to emails, which then go on to spawn malicious network connections which are linked to domains and IP addresses and so forth.  Personally, I see a place for relationships in CybOX objects with a use case like this.
 
Regards,
 
Dean


This e-mail and any attachments to it (the "Communication") is, unless otherwise stated, confidential, may contain copyright material and is for the use only of the intended recipient. If you receive the Communication in error, please notify the sender immediately by return e-mail, delete the Communication and the return e-mail, and do not read, copy, retransmit or otherwise deal with it. Any views expressed in the Communication are those of the individual sender only, unless expressly stated to be those of Australia and New Zealand Banking Group Limited ABN 11 005 357 522, or any of its related entities including ANZ Bank New Zealand Limited (together "ANZ"). ANZ does not accept liability in connection with the integrity of or errors in the Communication, computer virus, data corruption, interference or delay arising from or in respect of the Communication.

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail
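Worked example, added here and not part of the thread or of CybOX itself: a Python walker that follows cybox:Related_Object idrefs in a document shaped like the fragment Dean quotes and rebuilds the IP, domain and landing-domain story as a consumer would. The sample document is constructed (its values are taken from the Keywords in the fragment, its 'ex:' ids are hypothetical); the namespace URIs are the published CybOX 2.x ones. Two things a consumer has to cope with are shown: idrefs that name the enclosing Observable rather than the Object (as the fragment does), and idrefs that resolve to nothing, which the walker reports instead of silently truncating the chain.

```python
"""Rebuild an observed redirect chain from CybOX 2.x Related_Objects.

Added example, not code from the post or from CybOX. SAMPLE_XML is constructed
(values from the message's Keywords, hypothetical 'ex:' ids): the IP and domain
point at each other (Resolved_To), the domain redirects to the landing domain,
whose own idref is left unresolvable on purpose, and idrefs mix Observable ids
with Object ids, as producers do. Namespace URIs are CybOX 2.x's published ones.
"""
import xml.etree.ElementTree as ET

NS = {
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "URIObj": "http://cybox.mitre.org/objects#URIObject-2",
}

SAMPLE_XML = """<cybox:Observables xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
  xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <cybox:Observable id="ex:Observable-1">
  <cybox:Object id="ex:IPAddressObject-1">
   <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr"><AddressObj:Address_Value>173.254.28.110</AddressObj:Address_Value></cybox:Properties>
   <cybox:Related_Objects><cybox:Related_Object idref="ex:Observable-2"><cybox:Relationship xsi:type="cyboxVocabs:ObjectRelationshipVocab-1.1">Resolved_To</cybox:Relationship></cybox:Related_Object></cybox:Related_Objects>
  </cybox:Object>
 </cybox:Observable>
 <cybox:Observable id="ex:Observable-2">
  <cybox:Object id="ex:DomainRecordObject-2">
   <cybox:Properties type="Domain Name" xsi:type="URIObj:URIObjectType"><URIObj:Value condition="Equals">crossfithpu.com</URIObj:Value></cybox:Properties>
   <cybox:Related_Objects><cybox:Related_Object idref="ex:IPAddressObject-1"><cybox:Relationship xsi:type="cyboxVocabs:ObjectRelationshipVocab-1.1">Resolved_To</cybox:Relationship></cybox:Related_Object><cybox:Related_Object idref="ex:Observable-3"><cybox:Relationship xsi:type="cyboxVocabs:ObjectRelationshipVocab-1.1">Redirects_To</cybox:Relationship></cybox:Related_Object></cybox:Related_Objects>
  </cybox:Object>
 </cybox:Observable>
 <cybox:Observable id="ex:Observable-3">
  <cybox:Object id="ex:DomainRecordObject-3">
   <cybox:Properties type="Domain Name" xsi:type="URIObj:URIObjectType"><URIObj:Value condition="Equals">user.infernomushroomee.com</URIObj:Value></cybox:Properties>
   <cybox:Related_Objects><cybox:Related_Object idref="ex:IPAddressObject-missing"><cybox:Relationship xsi:type="cyboxVocabs:ObjectRelationshipVocab-1.1">Resolved_To</cybox:Relationship></cybox:Related_Object></cybox:Related_Objects>
  </cybox:Object>
 </cybox:Observable>
</cybox:Observables>"""

ROOT = ET.fromstring(SAMPLE_XML)  # parsed once so the functions below can share it

def index_objects(root):
    """Map each Object id AND its enclosing Observable id to the Object, since
    producers differ on which one Related_Object/@idref names (the post's
    fragment uses Observable ids); indexing both makes either style resolve."""
    by_id = {}
    for obs in root.iter("{%s}Observable" % NS["cybox"]):
        obj = obs.find("cybox:Object", NS)
        if obj is not None:
            by_id[obj.get("id")] = by_id[obs.get("id")] = obj
    return by_id

def value_of(obj):
    """Single value of an Address or URI Object (the types in the post), else its id."""
    props = obj.find("cybox:Properties", NS)
    for path in ("AddressObj:Address_Value", "URIObj:Value"):
        text = props.findtext(path, namespaces=NS) if props is not None else None
        if text:
            return text
    return obj.get("id")

def edges(obj):
    """(relationship, idref) pairs for each Related_Object under obj."""
    for rel in obj.findall("cybox:Related_Objects/cybox:Related_Object", NS):
        yield rel.findtext("cybox:Relationship", namespaces=NS), rel.get("idref")

def dangling_refs(root):
    """idrefs that resolve to nothing: a naive consumer's chain stops there silently."""
    by_id = index_objects(root)
    return sorted({ref for obj in root.iter("{%s}Object" % NS["cybox"])
                   for _, ref in edges(obj) if ref not in by_id})

def walk(root, start_value):
    """(source, relationship, target) value triples for every resolvable edge
    reachable from the Object holding start_value. Each Object is expanded once,
    so the mutual Resolved_To links between IP and domain cannot loop forever."""
    by_id = index_objects(root)
    start = next((o for o in by_id.values() if value_of(o) == start_value), None)
    if start is None:
        return []
    triples, seen, stack = [], set(), [start]
    while stack:
        obj = stack.pop()
        if obj.get("id") in seen:
            continue
        seen.add(obj.get("id"))
        for rel, ref in edges(obj):
            target = by_id.get(ref)
            if target is not None:  # unresolvable idrefs are reported by dangling_refs
                triples.append((value_of(obj), rel, value_of(target)))
                stack.append(target)
    return triples

def redirect_chain(root, start_value):
    """The Redirects_To hops from start_value in order, as the analyst saw them."""
    nxt = {s: d for s, rel, d in walk(root, start_value) if rel == "Redirects_To"}
    chain = [start_value]
    while chain[-1] in nxt and nxt[chain[-1]] not in chain:
        chain.append(nxt[chain[-1]])
    return chain

if __name__ == "__main__":
    for src, rel, dst in walk(ROOT, "173.254.28.110"):
        print("%s --%s--> %s" % (src, rel, dst))
    print("unresolved idrefs:", dangling_refs(ROOT))
```

The cycle cut in walk() matters for exactly the data in the fragment: the IP object is Resolved_To the domain and the domain is Resolved_To the IP, so a consumer that simply follows idrefs recursively never terminates. Treating an unresolvable idref as an error to surface, rather than as the end of the chain, is the other check worth keeping when relationships are what carry the story.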


