Subject: RE: [cti-cybox] Re: [cti-stix] STIX 2.1 Cyber Observable Proposal - Webpage Object
If this is a transcript of 1) an adversary's interaction with a webpage to compromise it, or 2) a defender's interaction with the webpage to record the defacement, wouldn't this be in HAR format?
Dave
-----Original Message-----
From: cti-cybox@lists.oasis-open.org [mailto:cti-cybox@lists.oasis-open.org] On Behalf Of Terry MacDonald
Sent: Saturday, January 14, 2017 11:07 PM
To: Bret Jordan (CS) <Bret_Jordan@symantec.com>
Cc: OASIS CTI TC CybOX SC list <cti-cybox@lists.oasis-open.org>; cti-stix@lists.oasis-open.org
Subject: [cti-cybox] Re: [cti-stix] STIX 2.1 Cyber Observable Proposal - Webpage Object
Hi Bret,
This isn't designed to just replicate HTML. It's designed to allow people to record bits from a webpage. We need a way to record a webpage with JavaScript in it that redirects to an exploit page. This object would allow us to record the interesting bits of the redirect site, such as the JavaScript that does the redirection.
Or if there was a .onion ransomware webpage that infected users were redirected to, we now have a way of recording that.
Or if there is a webpage defacement, we can record the bits of the webpage that were defaced.
Or if there is an underground web forum that has a series of web posts discussing a new exploit kit for sale we can now record that.
As you can see this is very flexible, and I think it is imperative to get something similar into STIX to allow us to record this sort of information. It's a huge hole in the current STIX Cyber Observables arsenal.
Cheers
Terry MacDonald
Cosive
On 14 Jan. 2017 15:47, "Bret Jordan" <Bret_Jordan@symantec.com> wrote:
I am not so sure about this one.. It seems like there are already "structured" ways of sending this information, aka its native form. I do not think we should be re-inventing HTML or HTMLv5.
I just do not see any vendors producing a product that tears HTML apart and puts it in specialized containers. IMHO, they will just attach the webpage as an artifact and then put some notes that you should parse it with the HTML diagnostic tools that you already have for doing the exact thing.
Bret
________________________________
From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@cosive.com>
Sent: Thursday, January 5, 2017 1:45:44 AM
To: cti-stix@lists.oasis-open.org; OASIS CTI TC CybOX SC list
Subject: [cti-stix] STIX 2.1 Cyber Observable Proposal - Webpage Object
Hi All,
In the spirit of gift giving at this time of year, I have yet another proposal to offer the group for discussion at the upcoming F2F...
2.6. Webpage Object
Type Name: webpage
The Webpage Object represents an instance of a webpage, corresponding to the HTML W3C recommendations described at https://www.w3.org/TR/#tr_HTML.
If you wish to comment, please do so as a reply to this email, or leave a comment on the Google Doc here: https://docs.google.com/document/d/1UdU20HcBbRM1yBQJw0-phC7HEryaokgp7X04h6pJ_Ak/edit?usp=sharing
PDF version attached for those who prefer those.....
Cheers
Terry MacDonald | Chief Product Officer
M: +64 211 918 814
E: terry.macdonald@cosive.com
W: www.cosive.com