cti-stix message
Subject: RE: STIX 2.1 Malware


Bret,

 

   One way that we might be able to break this out is that STIX is used for capturing artifacts about the malware that are relevant for network defense and cyber analytics while MAEC is more fine-grained and used for capturing how the malware analysis was performed.

 

Thoughts?

   -Gary


From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Bret Jordan (CS)
Sent: Wednesday, September 21, 2016 3:58 PM
To: cti-stix@lists.oasis-open.org
Subject: [Non-DoD Source] [cti-stix] STIX 2.1 Malware

 

As I have been working on the Malware object for STIX 2.1, it is becoming clear that it would be nice if the STIX Malware object had some basic analysis data and some more advanced malware analysis data in it.  This would make this object infinitely more valuable.  

 

I think there are two options for this...

 

1) We just start doing all of this natively in STIX.  We start with basic malware meta data, similar to what I have and then just add more and more analysis stuff as we go along.  You can see what I have been working on here: https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.s5l7katgbp09

 

2) We do some of the basic malware meta data in STIX natively, like what I have so far. But for the detailed analysis we look to some external language to provide that, and then link to it or embed it or something. When this has come up in the past, many have voiced concerns about using things like MAEC. My concern is that using a third-party language always comes at a significant cost and with significant complexity. Things tend to get revised on their own, and you have to build a matrix of support, which makes it hard on product owners.

 

So since my initial desire to just use MAEC was shot down by the community, I would like to propose that we just start doing more and more malware analysis documentation and modeling natively in STIX.  What do you all think of this?

 

Bret

 

Attachment: smime.p7s
Description: S/MIME cryptographic signature
