OASIS Mailing List Archives

cti-stix message

Subject: Re: [cti-stix] Possible solution to conundrum of how to do patterns for Infrastructure and Malware


As a follow-up, perhaps I misread the original proposal, but I still don’t believe that STIX Pattern expressions should be allowed to reference other STIX entities. This raises all kinds of issues (what if the referenced entity is not found? what if the referenced property is not included?) and will be a significant complication to patterning. IMO, Indicator pattern expressions should be standalone and not reliant on other STIX data.

-Ivan

On 5/25/17, 11:07 AM, "cti-stix@lists.oasis-open.org on behalf of Kirillov, Ivan A." <cti-stix@lists.oasis-open.org on behalf of ikirillov@mitre.org> wrote:

    To be honest, this doesn’t make sense to me – STIX Patterns should not dictate which parts of the STIX data model (if any) they should match against. The core semantics of STIX Patterns are based on matching on specific artifacts, wherever they may be found – in a STIX SDO, in a PCAP, on an endpoint, etc. How are you supposed to convert STIX Patterns to other expressions such as YARA or SIEM correlation rules if the pattern is intrinsically tied to the data model? If a matching Object (File in this case) is contained in an Observed Data blob, then you can match against that, and similarly if it’s encompassed inside of the sample_metadata property of a Malware SDO.
    
    I think it would be much more sensible to keep patterns data-model agnostic and instead include language that encourages indicators to be created when necessary for SDOs like Malware and Infrastructure that may include instantial Cyber Observable data. 
    
    -Ivan
    
    On 5/25/17, 10:41 AM, "Trey Darley" <cti-stix@lists.oasis-open.org on behalf of trey@kingfisherops.com> wrote:
    
        On 25.05.2017 08:25:35, Jason Keirstead wrote:
        > Sorry I wrote that pattern before I had coffee.. it makes no sense.
        > 
        > This is what the pattern would be with my proposal.... you are
        > looking for the hash contained inside a specific object...
        > 
        > [file:hashes."SHA-256" =
        > stix-object:malware-12345-aaaaa-bbbbb-ccccc.sample_metadata[*].hashes."SHA-256"]
        > 
        
        Good thinking, Jason! I think this approach solves many of the
        challenges we discussed yesterday around Malware and Infrastructure
        vis-a-vis Indicators.
        
        -- 
        Cheers,
        Trey
        ++--------------------------------------------------------------------------++
        Kingfisher Operations, sprl
        gpg fingerprint: 85F3 5F54 4A2A B4CD 33C4  5B9B B30D DD6E 62C8 6C1D
        ++--------------------------------------------------------------------------++
        --
        "Any sufficiently complex input format is indistinguishable from
        bytecode." -- Bratus, Patterson, & Shubina
        
    
    
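As an added illustration of the alternative Ivan describes (example code written for this archive page, not code from the thread or from the STIX project): instead of a pattern that dereferences a Malware SDO, a small helper reads the hashes already present in the SDO's sample_metadata and emits a standalone Indicator pattern, so the Indicator carries no reference to another STIX entity. The Malware SDO shape, its field values and the handling of files without the requested hash are constructed assumptions for this example.

```python
from typing import Optional

# Constructed sample shaped like the Malware SDO sketched in the thread: a
# sample_metadata list of Cyber Observable File objects. Everything beyond the
# sample_metadata/hashes layout (names, values, placeholder id) is assumed.
MALWARE_SDO = {
    "type": "malware",
    "id": "malware--00000000-0000-4000-8000-000000000000",  # placeholder id
    "name": "example-family",
    "sample_metadata": [
        {"type": "file", "name": "dropper.bin", "hashes": {"SHA-256": "a" * 64}},
        {"type": "file", "name": "stage2.bin", "hashes": {"MD5": "b" * 32}},  # no SHA-256
        {"type": "file", "name": "readme.txt"},  # no hashes at all
        {"type": "file", "name": "dropper-copy.bin", "hashes": {"SHA-256": "a" * 64}},  # duplicate
    ],
}


def quote_literal(value: str) -> str:
    """Render a STIX pattern string literal: single-quoted, with ' and \\ escaped."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def standalone_pattern(sdo: dict, algorithm: str = "SHA-256") -> Optional[str]:
    """Derive a self-contained Indicator pattern from the hashes already present
    in a Malware SDO, so the Indicator never has to look up another object.
    Returns None when no usable hash exists: the 'referenced property is not
    included' problem surfaces at authoring time rather than at match time."""
    digests = []
    for obj in sdo.get("sample_metadata", []):
        if obj.get("type") != "file":
            continue
        digest = obj.get("hashes", {}).get(algorithm)
        if digest and digest not in digests:
            digests.append(digest)  # keep list order, drop duplicate samples
    if not digests:
        return None
    comparisons = [
        f"file:hashes.{quote_literal(algorithm)} = {quote_literal(d)}" for d in digests
    ]
    return "[" + " OR ".join(comparisons) + "]"
```

The resulting string can be placed directly in an Indicator's pattern property and evaluated against Observed Data, a PCAP or an endpoint without the consumer needing the originating Malware SDO at hand.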


