Re: [cti-stix] malware and tool

["Jason Keirstead" <Jason.Keirstead@ca.ibm.com>]

I support this with the caveat that we must issue clear guidance in the normative text as to what the definition / distinction is between "malware" and "tool", so that vendors can use this when creating their solutions.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


"Jordan, Bret" ---06/15/2016 10:55:54 AM---All, We had a discussion today on Slack and I think most of us came to agreement on the following de

From: "Jordan, Bret" <bret.jordan@bluecoat.com>
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 06/15/2016 10:55 AM
Subject: [cti-stix] malware and tool
Sent by: <cti-stix@lists.oasis-open.org>

---

All,

We had a discussion today on Slack and I think most of us came to agreement on the following design... I will let everyone voice their own support for it...

1) We will have a TLO called "malware" and one called "tool (final word smithed name TBD)".  

2) A tool can be related to an incident, campaign, Intrusion Set, threat actor, etc with a relationship object.  This relationship object will have verbs like "used-maliciously" etc.

3) There will be no flag or categorization on the actual TLO to say it was used maliciously.  The reason for that is a tool is only used maliciously, at a certain time, by a certain person, in a certain way.  RDP / VNC are good examples of this.  

4) Malware will also have relationships to the various places that make sense.  

5) The tool TLO will have optional fields / properties to allow it to be used for all the uses cases people need. 

If you support this or don't support this, please speak up so we can start closing out this issue and moving on. 


Bret