OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cti-stix message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [EXT] Re: [cti-stix] Possible solution to conundrum of how to do patterns for Infrastructure and Malware


Jason,


I think this might be a good approach.  Thanks for thinking through the problem.  We will just need to make sure the patterning grammar like this can reference sub elements of an object or the entire one.  This may also cause us to re-think the way the cyber observable container is formed (maybe it would have been better if each cyber observable object was actually just a top-level STIX object.).  


I would like to model this design out with say Malware that has 27 known versions (hashes) where each instance say has 2 different filenames.  While maybe not completely "real-world", it should help verify the design.  I would also like to see about modeling this with say an Infrastructure object that has 1000 IPs in it.  So a pattern that references the entire list of a 1000 IPs and a pattern that only references 3 non contiguous IPs from the list.


Bret





From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Sent: Thursday, May 25, 2017 5:25:35 AM
To: Jason Keirstead
Cc: cti-stix@lists.oasis-open.org
Subject: [EXT] Re: [cti-stix] Possible solution to conundrum of how to do patterns for Infrastructure and Malware
 
Sorry I wrote that pattern before I had coffee.. it makes no sense.

This is what the pattern would be with my proposal.... you are looking for the hash contained inside a specific object...

[file:hashes.“SHA-256" = stix-object:malware-12345-aaaaa-bbbbb-ccccc.sample_metadata[*].hashes.“SHA-256"]

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security

Without data, all you are is just another person with an opinion - Unknown




From:        "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
To:        cti-stix@lists.oasis-open.org
Date:        05/25/2017 08:22 AM
Subject:        [cti-stix] Possible solution to conundrum of how to do patterns for Infrastructure and Malware
Sent by:        <cti-stix@lists.oasis-open.org>




Yesterday a major discussion at the face-to-face was around trying to work out the end to end workflow by which the indicators come out of the malware.

Myself (and it seems several others as well) are concerned that if malware sandboxes automatically start sharing tons of “malware” objects via TAXII, or sensors start producing “infrastructure” objects linked to observations, then software vendors are just going to code their implementations to look for those things directly… indicators will never “show up” because either there is no one to make them, and/or people don’t want to do things twice (they don’t want to make an Infrastructure object with observations *and* maintain a pattern for those observations and constantly update them both and keep them in sync as they mature - it is going to be a large headache.


Folks seem to be having this implicit assumption that either (a) humans will make and maintain all of these indicators from the tool output “just because”, or (b) vendors will change their tools to output indicators because someone (?) is asking for the indicators. This to me flies in the face of the fact that the market is lazy and always seeks the shortest path to success; if that path is to just write code to directly search and alert on malware and infrastructure observations, then that is what is going to happen…. after all, the vast majority of what people share on threat intel feeds are pointers to malware or infrastructure.


The danger is that indicators become not very useful and we end up with somewhat crippled STIX implementations everywhere since no one can look for anything complicated, because they can’t use patterns… we end up with STIX 1.X.


I have been thinking about this problem last night and am wondering if a possible solution is to add an operator to allow patterns to somehow reference STIX objects directly.


IE you would have something like


[stix-object:malware-12345-aaaaa-bbbbb-ccccc.sample_metadata[*].hashes.“SHA-256" = ‘aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f’]


This pattern would mean “you want to look for the hashes defined in this specific STIX object“


If we had this, then I think it is an answer to what I think is an obvious problem. This way the actual definition of the object is what is referred to in the indicator. It also makes it much easier to create patterns from malware and infrastructure, and also eliminates the problem of having to constantly sync patterns with these objects.


-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems

www.ibm.com/security

Without data, all you are is just another person with an opinion - Unknown






[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]