cti-stix message
Subject: Re: [cti-stix] Possible solution to conundrum of how to do patterns for Infrastructure and Malware
- From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- To: "Kirillov, Ivan A." <ikirillov@mitre.org>
- Date: Thu, 25 May 2017 14:15:32 -0300
We're not dictating which parts of the model we are matching *against* - we are *sourcing* the thing we want to match - from STIX itself.

It is a lot like my external reference proposal - instead of pulling from an external list though, you are pulling it from STIX itself.
> How are you supposed to convert STIX Patterns to other expressions such as YARA or SIEM correlation rules if the pattern is intrinsically tied to the data model?
The same as external reference.... you look up the previous STIX object you presumably received, and/or you query your TAXII server, and source the data from there.
--
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security
Without data, all you are is just another person with an opinion - Unknown
From: "Kirillov, Ivan A." <ikirillov@mitre.org>
To: Trey Darley <trey@kingfisherops.com>, Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 05/25/2017 02:08 PM
Subject: Re: [cti-stix] Possible solution to conundrum of how to do patterns for Infrastructure and Malware
Sent by: <cti-stix@lists.oasis-open.org>
To be honest, this doesn't make sense to me - STIX Patterns should not dictate which parts of the STIX data model (if any) they should match against. The core semantics of STIX Patterns are based on matching on specific artifacts, wherever they may be found - in a STIX SDO, in a PCAP, on an endpoint, etc. How are you supposed to convert STIX Patterns to other expressions such as YARA or SIEM correlation rules if the pattern is intrinsically tied to the data model? If a matching Object (File in this case) is contained in an Observed Data blob, then you can match against that, and similarly if it's encompassed inside of the sample_metadata property of a Malware SDO.

I think it would be much more sensible to keep patterns data-model agnostic and instead include language that encourages indicators to be created when necessary for SDOs like Malware and Infrastructure that may include instantial Cyber Observable data.

-Ivan
On 5/25/17, 10:41 AM, "Trey Darley" <cti-stix@lists.oasis-open.org on behalf of trey@kingfisherops.com> wrote:

On 25.05.2017 08:25:35, Jason Keirstead wrote:
> Sorry I wrote that pattern before I had coffee.. it makes no sense.
>
> This is what the pattern would be with my proposal.... you are
> looking for the hash contained inside a specific object...
>
> [file:hashes."SHA-256" =
> stix-object:malware-12345-aaaaa-bbbbb-ccccc.sample_metadata[*].hashes."SHA-256"]
>

Good thinking, Jason! I think this approach solves many of the challenges we discussed yesterday around Malware and Infrastructure vis-a-vis Indicators.

--
Cheers,
Trey
++--------------------------------------------------------------------------++
Kingfisher Operations, sprl
gpg fingerprint: 85F3 5F54 4A2A B4CD 33C4 5B9B B30D DD6E 62C8 6C1D
++--------------------------------------------------------------------------++
--
"Any sufficiently complex input format is indistinguishable from bytecode." -- Bratus, Patterson, & Shubina
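The following is an added illustration of the two positions in this thread, written for this page; it is not code from the thread, from the STIX specification, or from any STIX library. It takes Jason's proposed (non-standard, assumed here as `stix-object:<id>.<path>`) reference form, resolves it by looking the referenced object up in a local store and sourcing the hash values from it, and turns the result into ordinary STIX patterns. Those plain patterns are then matched the way Ivan describes, against a File artifact wherever it occurs, in an Observed Data object or in a Malware SDO's `sample_metadata` (the draft property the thread refers to). All object ids, hash values and the resolver/matcher logic are constructed assumptions.

```python
"""Added example, not code from the cti-stix thread or any STIX library.
  * Jason's step: a pattern whose right-hand side is a 'stix-object:' reference
    is resolved against locally held STIX objects, yielding plain patterns.
  * Ivan's step: plain patterns match a File artifact wherever it is found
    (Observed Data, or a Malware SDO's draft sample_metadata property).
The 'stix-object:' syntax, all ids and all hash values are constructed."""
import re

# Constructed sample objects; ids and hashes are placeholders, not real indicators.
MALWARE_ID = "malware--00000000-0000-4000-8000-000000000001"
OBSERVED_ID = "observed-data--00000000-0000-4000-8000-000000000002"
HASH_A, HASH_B = "a" * 64, "b" * 64
STORE = {
    MALWARE_ID: {
        "type": "malware", "id": MALWARE_ID, "name": "sample-family",
        "sample_metadata": [  # draft property discussed in the thread
            {"type": "file", "hashes": {"SHA-256": HASH_A}},
            {"type": "file", "hashes": {"SHA-256": HASH_B}},
        ],
    },
    OBSERVED_ID: {
        "type": "observed-data", "id": OBSERVED_ID,
        "objects": {"0": {"type": "file", "hashes": {"SHA-256": HASH_B}}},
    },
}

# The pattern shape from the thread, in the proposed (assumed) reference form.
PATTERN = f"[file:hashes.'SHA-256' = stix-object:{MALWARE_ID}.sample_metadata[*].hashes.'SHA-256']"

REF_RE = re.compile(r"stix-object:(?P<id>[a-z-]+--[0-9a-f-]{36})\.(?P<path>.+)")
# Path steps: 'quoted key', "quoted key", bare key, or [*] list fan-out.
STEP_RE = re.compile(r"'([^']*)'|\"([^\"]*)\"|([^.\[\]]+)|\[\*\]")

def walk(value, steps):
    """Follow a dotted path; '[*]' fans out over every element of a list."""
    if not steps:
        return [value]
    step, rest = steps[0], steps[1:]
    if step == "[*]" and isinstance(value, list):
        return [v for item in value for v in walk(item, rest)]
    if isinstance(value, dict) and step in value:
        return walk(value[step], rest)
    return []  # path does not exist here: no values, no exception

def resolve_reference(store, ref):
    """Source concrete values for a 'stix-object:<id>.<path>' reference (Jason's step)."""
    m = REF_RE.fullmatch(ref)
    if m is None or m.group("id") not in store:
        raise ValueError(f"unresolvable reference: {ref}")
    steps = [q1 or q2 or bare or "[*]" for q1, q2, bare in STEP_RE.findall(m.group("path"))]
    return walk(store[m.group("id")], steps)

def expand_pattern(store, pattern):
    """Rewrite a reference-carrying pattern into plain STIX patterns, one per sourced value."""
    m = re.fullmatch(r"\[(?P<lhs>[^\s=]+) = (?P<ref>stix-object:.+)\]", pattern)
    if m is None:
        return [pattern]  # already concrete: nothing to resolve
    return [f"[{m.group('lhs')} = '{v}']" for v in resolve_reference(store, m.group("ref"))]

def files_anywhere(objects):
    """Yield File objects wherever they occur (Ivan's data-model-agnostic view)."""
    for obj in objects:
        if obj["type"] == "observed-data":
            yield from (o for o in obj["objects"].values() if o.get("type") == "file")
        elif obj["type"] == "malware":
            yield from (o for o in obj.get("sample_metadata", []) if o.get("type") == "file")

CONCRETE_RE = re.compile(r"\[file:hashes\.'(?P<alg>[^']+)' = '(?P<val>[^']+)'\]")

def matches(concrete_pattern, file_obj):
    """Evaluate a concrete file-hash equality pattern against one File object."""
    m = CONCRETE_RE.fullmatch(concrete_pattern)
    return m is not None and file_obj.get("hashes", {}).get(m["alg"]) == m["val"]

def find_matches(store, data, pattern):
    """Resolve the pattern against the store, then match it over the File objects in data."""
    return [(p, f["hashes"]) for p in expand_pattern(store, pattern)
            for f in files_anywhere(data) if matches(p, f)]

if __name__ == "__main__":
    for concrete, hashes in find_matches(STORE, [STORE[OBSERVED_ID]], PATTERN):
        print(concrete, "->", hashes)
```

The split between `expand_pattern` and `matches` is the point: once the reference has been resolved, what reaches the matcher (or a YARA/SIEM translator) is a plain `[file:hashes.'SHA-256' = '...']` pattern with no dependency on the STIX data model, so the resolver is the only piece that needs a TAXII server or a local object store.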