OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cti-stix message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [cti-stix] Motion - Malware and Tool SDOs

I second this.

 

From: <cti-stix@lists.oasis-open.org> on behalf of Bret Jordan <bret.jordan@bluecoat.com>
Date: Tuesday, July 5, 2016 at 7:24 PM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: [cti-stix] Motion - Malware and Tool SDOs

 

All,

 

The Malware and Tool objects are ready to move forward in the process.  As such:

 

I move that the STIX SC accept by unanimous consent the Malware and Tool object text contained in the STIX pre-draft specifications and duplicated below, and that the SC allow the STIX editors to move these sections to CONSENSUS status. If after a period of 5 business days (by 7/12, assuming this gets a second today) we don’t hear any substantive (non-editorial) objections we will move these sections from REVIEW to CONSENSUS status.

As usual, feel free to object to any item individually. If we get any objections we can either work through them and make another motion for unanimous consent or we can open a ballot, depending on the type of discussion and the nature of the change.

 

 

 

​1.5.​ Malware

Type Name: malware

Status: Review

MVP: Yes

 

Malware, also known as malicious code and malicious software, refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victimís data, applications, or operating system (OS) or of otherwise annoying or disrupting the victim. Malware such as viruses and worms is usually designed to perform these nefarious functions in such a way that users are unaware of them, at least initially.

​1.5.1.​ Properties

Common Properties

type, id, created_by_ref, version, created, modified, revoked, version_comment, confidence, object_markings_refs, granular_markings

Property Name

Type

Description

type (required)

string

The value of this field MUST be malware

title (required)

string

A name or title used to identify this object.

description (optional)

string

A description that provides the recipient with details and context about this object, potentially including its purpose and its key characteristics.

labels (required)

list of type open-vocab

The type of malware being described. This is an open vocabulary and SHOULD contain a value from the malware-labels-ov vocabulary.

external_references (optional)

list of type external-reference

A list of other IDs for this tool, such as names used by antivirus systems. This field MAY be used to list the names used by antivirus vendors (or others) to identify pieces of malware.

kill_chain_phases (optional)

array of type kill-chain-phase

The list of kill chain phases for which this malware instance can be used.

maec (reserved)

RESERVED

RESERVED FOR FUTURE USE

 

​1.5.2.​ Relationships

These are the relationships defined between the malware object and other objects. Inverse relationships are included here as a convenience. For their definitions, please see the objects for which they represent a forward relationship.

Common Relationships

duplicate-of, related-to

Source

Kind of Relationship

Target

Description

malware

authored-by

identity

This relationship is used to document the identity or type of identity that is believed to have authored the malware.

malware

variant-of

malware

This relationship is used to document that one piece of malware is a variant of another piece of malware.

 

For example, TorrentLocker is a variant of Cryptolocker.

Inverse Relationships

observation

evidence-of

malware

See forward relationship for definition

indicator

indicates

malware

See forward relationship for definition

attack-pattern, campaign, threat-actor

uses

malware

See forward relationship for definition

​1.5.3.​ Examples

{

 "type": "malware",

 "id": "malware--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061",

 "version": "1",

 "created": "2016-05-12T08:17:27.000000Z",

 "modified": "2016-05-12T08:17:27.000000Z",

 "title": "Cryptowall",

 "description": "...",

 "labels": ["ransomware"]

}



 

 

 

1.9.​ Tool

Type Name: tool

Status: Review

MVP: Yes

 

This object characterizes the properties of software tools other than malware that may be used during an attack; for example, remote access tools (RDP), network scanning tools (NMAP), denial of service attack tools (LOIC), and other attack software.

 

This object MUST NOT be used to define tools used as a course of action in response to an attack or to define malware.

​1.9.1.​ Properties

Common Properties

type, id, created_by_ref, version, created, modified, revoked, version_comment, confidence, object_markings_refs, granular_markings

Property Name

Type

Description

type (required)

string

The value of this field MUST be tool

title (required)

string

A name or title used to identify this object.

description (optional)

string

A description that provides the recipient with details and context about this object, potentially including its purpose and its key characteristics.

labels (required)

list of type open-vocab

The kind(s) of tool(s) being described. This is an open vocabulary and SHOULD contain a value from the tool-label-ov vocabulary.

kill_chain_phases (optional)

array of type kill-chain-phase

The list of kill chain phases for which this malware instance can be used.

 

​1.9.2.​ Relationships

These are the relationships defined between the Tool object and other objects. Inverse relationships are included here as a convenience. For their definitions, please see the objects for which they represent a forward relationship.

Common Relationships

duplicate-of, related-to

Source

Kind of Relationship

Target

Description

tool

authored-by

identity

This relationship is used to document the identity or type of identity that is believed to have authored this tool.

Inverse Relationships

observation

evidence-of

tool

See forward relationship for definition

indicator

indicates

tool

See forward relationship for definition

attack-pattern, campaign, threat-actor

uses

tool

See forward relationship for definition

 

 

 

Thanks,

 

Bret

 

 

 

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

 

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]