Subject: Re: [cti-stix] Vulnerability object added
Hi,

I suggest reusing standardized definitions for CTI. (They could be tweaked a bit for highlighting/explaining the relationships between the CTI objects using the CTI objects' names.)

For example:

vulnerability
Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.
Source: NIST SP 800-30 Rev 1 CNSSI 4009 revised April 6, 2015

If considered too generic, another example:

A vulnerability is a software weakness that can be exploited by an attacker. Bugs and flaws collectively form the basis of most software vulnerabilities.
https://buildsecurityin.us-cert.gov/articles/knowledge/attack-patterns/attack-pattern-glossary

(I hate definitions of "hacker" other than RFC1392)

PS: probably "too early" to discuss that, but I will be interested, at some point, in discussing the relationships with, or mechanisms for leveraging, CybOX objects in the description of Vulnerability (with an extended/better model than the CVE one), allowing, for example, the automation, or semi-automation, of the COAs, especially in the context of web application software, where, for example, the Vulnerability model would have to offer information related to URIs/URLs and parameters (a little bit more than a CWE, and not a CPE).

CVE+X ((for OVALX)) anyone?

On Thu, Jul 14, 2016 at 4:54 PM, Wunder, John A. <jwunder@mitre.org> wrote:
> Sorry, should have given a link to the object. It’s in the STIX 2.0-Objects
> document, here:
> https://docs.google.com/document/d/1F1c05GgYaJFV1Z04B8c_T3vEE-LRQTPExF24LvOQAsk/edit#heading=h.q5ytzmajn6re
>
> John
>
> From: <cti-stix@lists.oasis-open.org> on behalf of "Wunder, John A."
> <jwunder@mitre.org>
> Date: Thursday, July 14, 2016 at 8:11 AM
> To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
> Subject: [cti-stix] Vulnerability object added
>
> All,
>
> As discussed on the call on Tuesday, it seemed like people were looking for
> a Vulnerability object so that they could say malware/actors/campaigns
> target particular vulnerabilities.
>
> Way back when we were first working on 2.0 we had a definition in there that
> I updated and moved over. Primarily, it would be used to capture external
> references to CVE and other vulnerability identifiers, as Jason had
> suggested. It also has a name and description in case there’s no CVE or
> other reference assigned yet or you want to duplicate them into the object
> directly. I also added the relationships it would conceivably need.
>
> Can you please review it to see if it captures what you need it to?
>
> Thanks,
>
> John
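
The object described in the quoted proposal, sketched as an added example that is not part of the original thread or of the draft document: a vulnerability with a name, an optional description, an optional CVE external reference, and a `targets` relationship from malware, threat actors or campaigns. Property names follow the STIX 2.0 specification as later published and may differ from the draft under review; the function names are hypothetical and the CVE identifier is a constructed placeholder.

```python
import re
import uuid
from datetime import datetime, timezone

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Source types named in the thread: malware, actors, campaigns.
TARGETING_TYPES = {"malware", "threat-actor", "campaign"}

def now_ts():
    """UTC timestamp with millisecond precision."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

def common(obj_type):
    """Properties shared by every object: type, id, created, modified."""
    ts = now_ts()
    return {"type": obj_type, "id": f"{obj_type}--{uuid.uuid4()}",
            "created": ts, "modified": ts}

def make_vulnerability(name, description=None, cve_id=None):
    """Name is always present; the CVE reference is added only once one is assigned."""
    if not name:
        raise ValueError("a vulnerability needs a name")
    vuln = common("vulnerability")
    vuln["name"] = name
    if description:
        vuln["description"] = description
    if cve_id is not None:
        if not CVE_RE.fullmatch(cve_id):
            raise ValueError(f"not a CVE identifier: {cve_id!r}")
        vuln["external_references"] = [{"source_name": "cve", "external_id": cve_id}]
    return vuln

def make_targets(source, vuln):
    """Relationship stating that `source` targets `vuln`."""
    if source["type"] not in TARGETING_TYPES or vuln["type"] != "vulnerability":
        raise ValueError("expected malware/threat-actor/campaign -> vulnerability")
    rel = common("relationship")
    rel.update(relationship_type="targets", source_ref=source["id"], target_ref=vuln["id"])
    return rel

def cve_ids(vuln):
    """CVE identifiers carried by the object (empty when none is assigned yet)."""
    return [r["external_id"] for r in vuln.get("external_references", [])
            if r.get("source_name") == "cve"]

if __name__ == "__main__":
    # Constructed sample data: placeholder CVE id and a stub malware object.
    vuln = make_vulnerability("Example parser overflow", cve_id="CVE-0000-0000")
    print(vuln, make_targets(common("malware"), vuln), sep="\n")
```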