

Subject: RE: [cti-cybox] Re: [cti-stix] STIX 2.1 Cyber Observable Proposal - Webpage Object


Hi David,

This is simply extracts from the webpage, anything from a single word or HTML tag all the way to the complete webpage.

It is a STIX Cyber Observable so it is 'something that has been seen' rather than any interaction that someone did. The interaction to compromise the webpage would be recorded through the attack-pattern STIX object, which would be done using external references to the CAPEC standard.

HAR looks like it was designed to record the flows to and from the webserver. For this type of information we currently use the network connection STIX Cyber Observable object with the http-request extension. The HAR format does look useful, but I think it's at too late a stage for STIX 2.0 for us to change from the http-request model to a HAR-based model. That said we should look at what useful information we can use from HAR in any improvements to the http objects.

Cheers
Terry MacDonald
Cosive


On 21 Jan. 2017 03:42, "Kemp, David P" <dpkemp@nsa.gov> wrote:
If this is a transcript of 1) an adversary's interaction with a webpage to compromise it, or 2) a defender's interaction with the webpage to record the defacement, wouldn't this be in HAR format?

Dave


-----Original Message-----
From: cti-cybox@lists.oasis-open.org [mailto:cti-cybox@lists.oasis-open.org] On Behalf Of Terry MacDonald
Sent: Saturday, January 14, 2017 11:07 PM
To: Bret Jordan (CS) <Bret_Jordan@symantec.com>
Cc: OASIS CTI TC CybOX SC list <cti-cybox@lists.oasis-open.org>; cti-stix@lists.oasis-open.org
Subject: [cti-cybox] Re: [cti-stix] STIX 2.1 Cyber Observable Proposal - Webpage Object

Hi Bret,

This isn't designed to just replicate HTML. It's designed to allow people to record bits from a webpage. We need a way to record a webpage with JavaScript in it that redirects to an exploit page. This object would allow us to record the interesting bits of the redirect site, such as the JavaScript that does the redirection.

Or if there was a .onion ransomware webpage that infected users were redirected to, we now have a way of recording that.

Or if there is a webpage defacement, we can record the bits of the webpage that were defaced.

Or if there is an underground web forum that has a series of web posts discussing a new exploit kit for sale we can now record that.

As you can see this is very flexible, and I think it is imperative to get something similar into STIX to allow us to record this sort of information. It's a huge hole in the current STIX Cyber Observables arsenal.

Cheers
Terry MacDonald
Cosive


On 14 Jan. 2017 15:47, "Bret Jordan" <Bret_Jordan@symantec.com> wrote:


        I am not so sure about this one. It seems like there are already "structured" ways of sending this information, aka its native form. I do not think we should be re-inventing HTML or HTMLv5.

        I just do not see any vendors producing a product that tears HTML apart and puts it in specialized containers. IMHO, they will just attach the webpage as an artifact and then put some notes that you should parse it with the HTML diagnostic tools that you already have for doing the exact thing.




        Bret

________________________________

        From: cti-stix@lists.oasis-open.org on behalf of Terry MacDonald <terry.macdonald@cosive.com>
        Sent: Thursday, January 5, 2017 1:45:44 AM
        To: cti-stix@lists.oasis-open.org; OASIS CTI TC CybOX SC list
        Subject: [cti-stix] STIX 2.1 Cyber Observable Proposal - Webpage Object

        Hi All,

        In the spirit of gift giving at this time of year, I have yet another proposal to offer the group for discussion at the upcoming F2F...

        2.6. Webpage Object

        Type Name: webpage


        The Webpage Object represents an instance of a webpage, corresponding to the HTML W3C recommendations described at https://www.w3.org/TR/#tr_HTML.




        If you wish to comment, please do so as a reply to this email, or leave a comment on the Google Doc here: https://docs.google.com/document/d/1UdU20HcBbRM1yBQJw0-phC7HEryaokgp7X04h6pJ_Ak/edit?usp=sharing

        PDF version attached for those who prefer those.....

        Cheers

        Terry MacDonald | Chief Product Officer





        M: +64 211 918 814
        E: terry.macdonald@cosive.com
        W: www.cosive.com







