I think all of those items that you listed are just tools. And they will have a relationship that points to the fact that they are used-maliciously.
Maybe some of our FireEye people can propose a definition. If not, I can ask our malware teams.
Bret
From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Wunder, John A. <jwunder@mitre.org>
Sent: Wednesday, June 15, 2016 8:13 AM
To: cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] malware and tool
Agreed. That’s been my concern with this proposal, but assuming we have clear guidance I think it’s workable. I don’t think it really matters what the actual line is, just that we define the line very clearly so that we don’t end up with inconsistencies.
For example, let’s figure out where to bin “penetration testing” tools:
- NMAP
- LOIC
- sqlmap
- metasploit
John
From: <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Wednesday, June 15, 2016 at 10:09 AM
To: "Jordan, Bret" <bret.jordan@bluecoat.com>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] malware and tool
I support this with the caveat that we must issue clear guidance in the normative text as to what the definition / distinction is between "malware" and "tool", so that vendors can use this when creating their solutions.
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
From: "Jordan, Bret" <bret.jordan@bluecoat.com>
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 06/15/2016 10:55 AM
Subject: [cti-stix] malware and tool
Sent by: <cti-stix@lists.oasis-open.org>
All,
We had a discussion today on Slack and I think most of us came to agreement on the following design... I will let everyone voice their own support for it...
1) We will have a TLO called "malware" and one called "tool" (final wordsmithed name TBD).
2) A tool can be related to an incident, campaign, Intrusion Set, threat actor, etc. with a relationship object. This relationship object will have verbs like "used-maliciously" etc.
3) There will be no flag or categorization on the actual TLO to say it was used maliciously. The reason for that is a tool is only used maliciously, at a certain time, by a certain person, in a certain way.
RDP / VNC are good examples of this.
4) Malware will also have relationships to the various places that make sense.
5) The tool TLO will have optional fields / properties to allow it to be used for all the use cases people need.
If you support this or don't support this, please speak up so we can start closing out this issue and moving on.
Bret
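As an added illustration of the design laid out above (example code, not from the thread or from the STIX specification): a constructed tool, threat actor and relationship in STIX 2 style JSON, the "used-maliciously" verb from point 2, a query that derives malicious use purely from relationships, and a checker that enforces points 2 and 3. Object keys follow STIX 2 conventions (type, id, source_ref, target_ref, relationship_type); the allowed source types and the flag key names it rejects are assumptions.

```python
from collections import defaultdict

UUID_ACTOR = "5b7c3d2a-1f4e-4c9a-9d6b-2e8f0a1b3c4d"  # constructed sample
UUID_TOOL = "9e1a7f6c-3b2d-4e8f-a5c4-7d6b1e0f2a3b"   # constructed sample
UUID_REL = "1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d"    # constructed sample

# Points 1 and 3: the tool TLO describes the tool only; no "malicious" flag lives here.
TOOL_RDP = {"type": "tool", "id": f"tool--{UUID_TOOL}", "name": "RDP"}
ACTOR = {"type": "threat-actor", "id": f"threat-actor--{UUID_ACTOR}", "name": "Sample Actor"}
# Point 2: malicious use is expressed by a relationship object carrying a verb.
REL = {
    "type": "relationship",
    "id": f"relationship--{UUID_REL}",
    "relationship_type": "used-maliciously",
    "source_ref": ACTOR["id"],
    "target_ref": TOOL_RDP["id"],
}
BUNDLE = [TOOL_RDP, ACTOR, REL]

# Source types named in point 2 ("etc." is left open, so this set is an assumption).
ALLOWED_SOURCES = {"incident", "campaign", "intrusion-set", "threat-actor"}
FLAG_KEYS = ("is_malicious", "malicious", "used_maliciously")  # hypothetical flag names


def tools_used_maliciously(objects):
    """Map each source id to the tool names it 'used-maliciously'.
    Only relationships are consulted; the tool objects carry no verdict."""
    by_id = {o["id"]: o for o in objects}
    result = defaultdict(list)
    for o in objects:
        if o["type"] == "relationship" and o.get("relationship_type") == "used-maliciously":
            target = by_id.get(o["target_ref"])
            if target and target["type"] == "tool":
                result[o["source_ref"]].append(target["name"])
    return dict(result)


def validate(objects):
    """Return modelling errors against the proposed design (empty list = OK)."""
    by_id = {o["id"]: o for o in objects}
    errors = []
    for o in objects:
        if o["type"] == "tool" and any(k in o for k in FLAG_KEYS):
            errors.append(f"{o['id']}: malicious flag on tool TLO (point 3)")
        if o["type"] == "relationship" and o.get("relationship_type") == "used-maliciously":
            src, tgt = by_id.get(o["source_ref"]), by_id.get(o["target_ref"])
            if src is None or tgt is None:
                errors.append(f"{o['id']}: dangling reference")
            elif src["type"] not in ALLOWED_SOURCES or tgt["type"] != "tool":
                errors.append(f"{o['id']}: {src['type']} -> {tgt['type']} not allowed (point 2)")
    return errors
```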