OASIS Mailing List Archives

cti-stix message



Subject: Re: [cti-stix] malware and tool


I can support this.

 

 

Paul Patrick

 

 

From: <cti-stix@lists.oasis-open.org> on behalf of "Jordan, Bret" <bret.jordan@bluecoat.com>
Date: Wednesday, June 15, 2016 at 9:55 AM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: [cti-stix] malware and tool
Resent-From: <Paul.Patrick@FireEye.com>

 

All,

 

We had a discussion today on Slack and I think most of us came to agreement on the following design... I will let everyone voice their own support for it...

 

1) We will have a TLO called "malware" and one called "tool (final wordsmithed name TBD)".

 

2) A tool can be related to an incident, campaign, Intrusion Set, threat actor, etc. with a relationship object.  This relationship object will have verbs like "used-maliciously" etc.

 

3) There will be no flag or categorization on the actual TLO to say it was used maliciously.  The reason for that is a tool is only used maliciously, at a certain time, by a certain person, in a certain way.  RDP / VNC are good examples of this.  

 

4) Malware will also have relationships to the various places that make sense.  

 

5) The tool TLO will have optional fields / properties to allow it to be used for all the use cases people need.

 

If you support this or don't support this, please speak up so we can start closing out this issue and moving on. 

 

 

Bret
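
The design in points 1 to 4, sketched as an added example that is not part of the original thread or of any STIX specification text. The property names (`source_ref`, `target_ref`, `relationship_type`), the relationship direction, the `uses` verb, the short ids and the rejected flag names are all assumptions made for illustration; only the `malware` / `tool` object names and the `used-maliciously` verb come from the message.

```python
# Constructed sample objects; property names and ids are illustrative assumptions.
TOOL_RDP = {"type": "tool", "id": "tool--rdp", "name": "RDP"}
TOOL_VNC = {"type": "tool", "id": "tool--vnc", "name": "VNC"}
MALWARE_X = {"type": "malware", "id": "malware--x", "name": "ExampleRAT"}

RELATIONSHIPS = [
    # Point 2: the verb lives on the relationship, tied to one context.
    {"type": "relationship", "source_ref": "campaign--a",
     "target_ref": "tool--rdp", "relationship_type": "used-maliciously"},
    # Point 4: malware is related where it makes sense ("uses" is hypothetical).
    {"type": "relationship", "source_ref": "threat-actor--b",
     "target_ref": "malware--x", "relationship_type": "uses"},
]

# Hypothetical flag names a producer might be tempted to put on a tool.
FORBIDDEN_TOOL_FLAGS = {"malicious", "is_malicious", "used_maliciously"}


def validate_tool(obj):
    """Point 3: reject a maliciousness flag carried on the tool object itself."""
    bad = FORBIDDEN_TOOL_FLAGS & obj.keys()
    if obj["type"] == "tool" and bad:
        raise ValueError(f"tool must not carry {sorted(bad)}; use a relationship")
    return obj


def malicious_uses(tool_id, relationships):
    """Return the ids of contexts that used this tool maliciously."""
    return sorted(
        r["source_ref"] for r in relationships
        if r["target_ref"] == tool_id
        and r["relationship_type"] == "used-maliciously"
    )


def is_malicious_in_context(obj, context_id, relationships):
    """Malware is malicious by type; a tool only within a related context."""
    if obj["type"] == "malware":
        return True
    return context_id in malicious_uses(obj["id"], relationships)


if __name__ == "__main__":
    for tool in (TOOL_RDP, TOOL_VNC):
        validate_tool(tool)
        print(tool["name"], "->", malicious_uses(tool["id"], RELATIONSHIPS))
```

The same RDP object answers differently per context: malicious for `campaign--a`, not for any context that has no `used-maliciously` relationship to it.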

 

 


