

Subject: Re: [cti-stix] malware and tool


We should also consider that MAEC is a more focused language for describing malware and if we have both MAEC and CybOX it would be pretty duplicative. Obviously I’m a bit biased but I think we should focus on MAEC and enable these hash and filename use cases via that. In the current definition, it’s reserved while we wait for the release of 5.0.

 

John

 

From: "Jane Ginn - jg@ctin.us" <jg@ctin.us>
Date: Thursday, June 16, 2016 at 9:31 PM
To: "terry.macdonald@cosive.com" <terry.macdonald@cosive.com>, Bret Jordan <bret.jordan@bluecoat.com>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "ppatrick@isightpartners.com" <ppatrick@isightpartners.com>, "Wunder, John A." <jwunder@mitre.org>
Subject: Re: [cti-stix] malware and tool

 

Bret & All:

This sounds like a good approach. I can support this, too.

Jane Ginn, MSIA, MRP
Cyber Threat Intelligence Network, Inc.
jg@ctin.us



-------- Original Message --------
From: Terry MacDonald <terry.macdonald@cosive.com>
Sent: Thursday, June 16, 2016 11:52 PM
To: Bret Jordan <bret.jordan@bluecoat.com>
Subject: Re: [cti-stix] malware and tool
CC: cti-stix@lists.oasis-open.org, Paul Patrick <ppatrick@isightpartners.com>, "Wunder, John A." <jwunder@mitre.org>

No, we don't need to add a CybOX field. That's what the observation object and the evidence-of relationship are for. That's why relationships are so powerful. We should be relating via relationships and avoiding direct references unless they are never going to be added to by third parties.

In this case I can absolutely see third parties adding to malware examples with examples of new file hashes or mutexes, so my vote would be to keep this as separate relationships. A CybOX field will restrict entry to the object creator... which is exactly the problem we were trying to fix from STIX v1.2.

Cheers
Terry MacDonald
Cosive

On 16/06/2016 7:08 PM, "Jordan, Bret" <bret.jordan@bluecoat.com> wrote:

We need to add a "cybox" field on Malware so that people can easily put in the filename, hash, etc..  For Tool, we can start very simply, and just do a title and description, with the idea we will add more in Winter as needed.

 

Bret

 


From: Wunder, John A. <jwunder@mitre.org>
Sent: Wednesday, June 15, 2016 6:33 PM
To: Terry MacDonald; Paul Patrick
Cc: Jordan, Bret; cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] malware and tool

 

So I think to move forward we need:

 

1. Strong definitions for malware and tool that minimize any ambiguity

2. Decisions on what properties we need on malware and tool. Malware is probably good as is; we need to add stuff to tool. For MVP I'd probably just leave them super minimal to avoid controversy, maybe just a title and description?

 

John

 

From: <cti-stix@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@cosive.com>
Date: Wednesday, June 15, 2016 at 6:06 PM
To: Paul Patrick <ppatrick@isightpartners.com>
Cc: Bret Jordan <bret.jordan@bluecoat.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] malware and tool

 

I can support this too.

Cheers
Terry MacDonald
Cosive

On 16/06/2016 02:28, "Paul Patrick" <ppatrick@isightpartners.com> wrote:

I can support this.

 

 

Paul Patrick

 

 

From: <cti-stix@lists.oasis-open.org> on behalf of "Jordan, Bret" <bret.jordan@bluecoat.com>
Date: Wednesday, June 15, 2016 at 9:55 AM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: [cti-stix] malware and tool
Resent-From: <Paul.Patrick@FireEye.com>

 

All,

 

We had a discussion today on Slack and I think most of us came to agreement on the following design... I will let everyone voice their own support for it...

 

1) We will have a TLO called "malware" and one called "tool" (final wordsmithed name TBD).

 

2) A tool can be related to an incident, campaign, Intrusion Set, threat actor, etc. with a relationship object. This relationship object will have verbs like "used-maliciously" etc.

 

3) There will be no flag or categorization on the actual TLO to say it was used maliciously. The reason for that is a tool is only used maliciously at a certain time, by a certain person, in a certain way. RDP / VNC are good examples of this.

 

4) Malware will also have relationships to the various places that make sense.

 

5) The tool TLO will have optional fields / properties to allow it to be used for all the use cases people need.

 

If you support this or don't support this, please speak up so we can start closing out this issue and moving on. 

 

 

Bret
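The design Bret proposes above, and the argument Terry makes earlier in the thread for separate relationship objects instead of an embedded "cybox" field, can be made concrete with a small object graph. The following is an added illustration written for this archive page; it is not code from the thread, from OASIS, or from the STIX specification. It models the discussion's own proposals (neutral "malware" and "tool" TLOs, a separate "observation" object, and the verbs "evidence-of" and "used-maliciously", none of which are asserted here to be final STIX names), and every identifier, hash and name in it is constructed. The `created_by_ref` property and the `type--uuid` id form are assumptions of the example.

```python
"""Relationship-based object graph modelled on the cti-stix thread's proposal.

Added example, not part of the thread and not the STIX specification. Object
types, property names and relationship verbs follow the discussion as
proposals; all identifiers, names and hashes below are constructed.
"""
from typing import Dict, List

# Constructed identifiers in a "type--uuid" style (an assumption of this example).
VENDOR = "identity--11111111-1111-4111-8111-111111111111"
THIRD_PARTY = "identity--22222222-2222-4222-8222-222222222222"
MALWARE_ID = "malware--33333333-3333-4333-8333-333333333333"
TOOL_ID = "tool--44444444-4444-4444-8444-444444444444"
ACTOR_ID = "threat-actor--55555555-5555-4555-8555-555555555555"


def make_object(obj_id: str, created_by: str, **props) -> dict:
    """Build a top-level object. The type comes from the id prefix and the
    producer is recorded in created_by_ref (assumed property name); nothing
    about who may later attach evidence is embedded in the object itself."""
    obj = {"id": obj_id, "type": obj_id.split("--", 1)[0], "created_by_ref": created_by}
    obj.update(props)
    return obj


def make_relationship(rel_id: str, created_by: str, source_ref: str,
                      target_ref: str, relationship_type: str) -> dict:
    """A relationship is its own object, so any producer can create one
    between objects it does not own."""
    return make_object(rel_id, created_by, source_ref=source_ref,
                       target_ref=target_ref, relationship_type=relationship_type)


class Graph:
    """In-memory collection of objects keyed by id."""

    def __init__(self) -> None:
        self.objects: Dict[str, dict] = {}

    def add(self, obj: dict) -> dict:
        self.objects[obj["id"]] = obj
        return obj

    def related(self, target_ref: str, relationship_type: str) -> List[dict]:
        """Source objects of every relationship of the given verb that points at target_ref."""
        return [self.objects[r["source_ref"]] for r in self.objects.values()
                if r["type"] == "relationship"
                and r["target_ref"] == target_ref
                and r["relationship_type"] == relationship_type
                and r["source_ref"] in self.objects]

    def evidence_for(self, malware_id: str) -> List[str]:
        """Hashes from observations attached with the proposed 'evidence-of'
        verb, regardless of which producer created them."""
        return sorted(o["sha256"] for o in self.related(malware_id, "evidence-of"))

    def tools_used_maliciously_by(self, actor_id: str) -> List[str]:
        """Tools carry no 'malicious' flag; that judgement lives on the relationship."""
        return sorted(r["target_ref"] for r in self.objects.values()
                      if r["type"] == "relationship"
                      and r["source_ref"] == actor_id
                      and r["relationship_type"] == "used-maliciously")


def can_edit_embedded_field(obj: dict, contributor: str) -> bool:
    """With an embedded 'cybox' list on the malware object, only its creator
    could add a hash. This is the restriction the relationship design avoids."""
    return obj["created_by_ref"] == contributor


def build_example() -> Graph:
    """Assemble the constructed scenario from the thread: a vendor publishes
    malware, a neutral tool and an actor; a third party later adds evidence."""
    g = Graph()
    g.add(make_object(MALWARE_ID, VENDOR, name="example-dropper"))
    g.add(make_object(TOOL_ID, VENDOR, name="remote-desktop-client"))  # no maliciousness flag
    g.add(make_object(ACTOR_ID, VENDOR, name="example-actor"))

    # The vendor attaches its own observation (constructed hash) via a relationship.
    obs_vendor = g.add(make_object("observation--66666666-6666-4666-8666-666666666666",
                                   VENDOR, sha256="a" * 64))
    g.add(make_relationship("relationship--77777777-7777-4777-8777-777777777777",
                            VENDOR, obs_vendor["id"], MALWARE_ID, "evidence-of"))

    # A third party contributes a new hash without touching the vendor's malware object.
    obs_third = g.add(make_object("observation--88888888-8888-4888-8888-888888888888",
                                  THIRD_PARTY, sha256="b" * 64))
    g.add(make_relationship("relationship--99999999-9999-4999-8999-999999999999",
                            THIRD_PARTY, obs_third["id"], MALWARE_ID, "evidence-of"))

    # The actor used the neutral tool maliciously: recorded only on the relationship.
    g.add(make_relationship("relationship--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
                            VENDOR, ACTOR_ID, TOOL_ID, "used-maliciously"))
    return g


if __name__ == "__main__":
    graph = build_example()
    print("evidence:", graph.evidence_for(MALWARE_ID))
    print("tools used maliciously:", graph.tools_used_maliciously_by(ACTOR_ID))
    print("third party may edit embedded field:",
          can_edit_embedded_field(graph.objects[MALWARE_ID], THIRD_PARTY))
```

Running `build_example()` shows the two points the thread makes: `evidence_for` returns hashes from both producers even though the vendor's malware object was never modified, and the tool object itself stays free of any "malicious" property because `tools_used_maliciously_by` reads that from the relationship. `can_edit_embedded_field` returns `False` for the third party, which is the STIX 1.2-style limitation Terry describes.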

 

 


