cti-stix message
Subject: Re: [cti-stix] Possible solution to conundrum of how to do patterns for Infrastructure and Malware
- From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- To: "Kirillov, Ivan A." <ikirillov@mitre.org>
- Date: Thu, 25 May 2017 14:47:27 -0300
If you have to create indicators for those cases, then you are back to the problems I outlined in my original email...
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security
Without data, all you are is just another person with an opinion - Unknown
From: "Kirillov, Ivan A." <ikirillov@mitre.org>
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "Trey Darley" <trey@kingfisherops.com>
Date: 05/25/2017 02:24 PM
Subject: Re: [cti-stix] Possible solution to conundrum of how to do patterns for Infrastructure and Malware
I replied with some clarifications after
re-reading the proposal. I still don’t think this is a good idea. I also
just don’t really think that we’ll be trying to match against instantial
observation data contained within a Malware or Infrastructure SDO, particularly
because the semantics of this are undefined (do you match against all of
the properties, i.e., as a logical AND? or do you treat all properties
as an OR?). Instead I think we should strongly encourage the creation of
formal Indicators for such cases.
-Ivan
From: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Thursday, May 25, 2017 at 11:15 AM
To: Ivan Kirillov <ikirillov@mitre.org>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>,
Trey Darley <trey@kingfisherops.com>
Subject: Re: [cti-stix] Possible solution to conundrum of how to do patterns for Infrastructure and Malware
We're not dictating which parts of the model we are matching *against* - we are *sourcing* the thing we want to match - from STIX itself.
It is a lot like my external reference proposal - instead of pulling from
an external list though, you are pulling it from STIX itself.
> How are you supposed to convert STIX Patterns to other _expression_ such as YARA or SIEM correlation rules if the pattern is intrinsically tied to the data model?
The same as external reference.... you look up the previous STIX object
you presumably received, and/or you query your TAXII server, and source
the data from there.
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security
Without data, all you are is just another person with an opinion - Unknown
From: "Kirillov, Ivan A." <ikirillov@mitre.org>
To: Trey Darley <trey@kingfisherops.com>, Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 05/25/2017 02:08 PM
Subject: Re: [cti-stix] Possible solution to conundrum of how to do patterns for Infrastructure and Malware
Sent by: <cti-stix@lists.oasis-open.org>
To be honest, this doesn’t make sense to me – STIX Patterns should not
dictate which parts of the STIX data model (if any) they should match against.
The core semantics of STIX Patterns are based on matching on specific artifacts,
wherever they may be found – in a STIX SDO, in a PCAP, on an endpoint,
etc. How are you supposed to convert STIX Patterns to other _expression_
such as YARA or SIEM correlation rules if the pattern is intrinsically
tied to the data model? If a matching Object (File in this case) is contained
in an Observed Data blob, then you can match against that, and similarly
if it’s encompassed inside of the sample_metadata property of a Malware
SDO.
I think it would be much more sensible to keep patterns data-model agnostic
and instead include language that encourages indicators to be created when
necessary for SDOs like Malware and Infrastructure that may include instantial
Cyber Observable data.
-Ivan
On 5/25/17, 10:41 AM, "Trey Darley" <cti-stix@lists.oasis-open.org on behalf of trey@kingfisherops.com> wrote:
On 25.05.2017 08:25:35, Jason Keirstead wrote:
> Sorry I wrote that pattern before I had coffee.. it makes no sense.
>
> This is what the pattern would be with my proposal.... you are
> looking for the hash contained inside a specific object...
>
> [file:hashes."SHA-256" =
> stix-object:malware-12345-aaaaa-bbbbb-ccccc.sample_metadata[*].hashes."SHA-256"]
>
Good thinking, Jason! I think this approach solves many of the
challenges we discussed yesterday around Malware and Infrastructure
vis-a-vis Indicators.
--
Cheers,
Trey
++--------------------------------------------------------------------------++
Kingfisher Operations, sprl
gpg fingerprint: 85F3 5F54 4A2A B4CD 33C4 5B9B B30D DD6E 62C8 6C1D
++--------------------------------------------------------------------------++
--
"Any sufficiently complex input format is indistinguishable from bytecode." -- Bratus, Patterson, & Shubina
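The thread contrasts two ways of using the hashes carried in a Malware SDO: Jason's proposal of a pattern that dereferences the SDO in place, and Ivan's preference for minting a formal, data-model-agnostic Indicator. The block below is an added example, not code from the list or from OASIS or any STIX project. It assumes the draft `sample_metadata` shape named in the thread (the constructed Malware SDO and all ids are placeholders), derives the explicit `OR`-of-equalities pattern Ivan's approach would produce, so the AND-versus-OR question he raises is answered in the pattern text itself, and then evaluates that pattern against Observed Data with a deliberately small evaluator that understands only the hash-equality form it generates:

```python
"""Derive a formal Indicator from the instantial hashes in a Malware SDO,
then evaluate its pattern against Observed Data.

Constructed example for the cti-stix discussion; not list or project code.
`sample_metadata` follows the draft property named in the thread, and every
identifier below is a placeholder, not a real STIX object id.
"""
import re

# Constructed Malware SDO carrying two sample hashes (draft-era shape).
MALWARE_SDO = {
    "type": "malware",
    "id": "malware--12345-aaaaa-bbbbb-ccccc",
    "name": "constructed-sample",
    "sample_metadata": [
        {"hashes": {"SHA-256": "a" * 64}},
        {"hashes": {"SHA-256": "b" * 64, "MD5": "c" * 32}},
    ],
}

# Constructed Observed Data blobs: one contains a sample, one does not.
OBSERVED_HIT = {
    "type": "observed-data",
    "id": "observed-data--constructed-hit",
    "objects": {"0": {"type": "file", "name": "dropper.bin",
                      "hashes": {"SHA-256": "b" * 64}}},
}
OBSERVED_MISS = {
    "type": "observed-data",
    "id": "observed-data--constructed-miss",
    "objects": {"0": {"type": "file", "name": "benign.txt",
                      "hashes": {"SHA-256": "d" * 64}},
                "1": {"type": "ipv4-addr", "value": "198.51.100.7"}},
}


def indicator_pattern_from_malware(sdo, algorithm="SHA-256"):
    """Build a data-model-agnostic STIX pattern listing each sample hash.

    Joining the comparisons with OR states the 'any sample matches'
    semantics explicitly, instead of leaving consumers to guess whether a
    match against the SDO's properties means AND or OR.
    """
    hashes = []
    for sample in sdo.get("sample_metadata", []):
        value = sample.get("hashes", {}).get(algorithm)
        if value and value not in hashes:
            hashes.append(value)
    if not hashes:
        raise ValueError("no %s hashes in %s" % (algorithm, sdo["id"]))
    comparisons = ["file:hashes.'%s' = '%s'" % (algorithm, h) for h in hashes]
    return "[" + " OR ".join(comparisons) + "]"


def make_indicator(sdo):
    """Wrap the pattern in a minimal Indicator plus an 'indicates'
    Relationship back to the Malware SDO (ids are constructed)."""
    indicator = {
        "type": "indicator",
        "id": "indicator--constructed-0001",
        "pattern": indicator_pattern_from_malware(sdo),
    }
    relationship = {
        "type": "relationship",
        "id": "relationship--constructed-0001",
        "relationship_type": "indicates",
        "source_ref": indicator["id"],
        "target_ref": sdo["id"],
    }
    return indicator, relationship


# Recognises only the hash-equality comparisons produced above.
_COMPARISON = re.compile(r"file:hashes\.'([^']+)' = '([^']+)'")


def pattern_matches_file(pattern, sco):
    """Toy evaluator for the OR-of-equalities form; not a full STIX
    Patterning implementation."""
    if sco.get("type") != "file":
        return False
    hashes = sco.get("hashes", {})
    return any(hashes.get(alg) == val for alg, val in _COMPARISON.findall(pattern))


def observed_data_matches(pattern, observed_data):
    """True when any cyber observable object in the blob satisfies the pattern."""
    return any(pattern_matches_file(pattern, sco)
               for sco in observed_data.get("objects", {}).values())


if __name__ == "__main__":
    indicator, rel = make_indicator(MALWARE_SDO)
    print(indicator["pattern"])
    print("hit:", observed_data_matches(indicator["pattern"], OBSERVED_HIT))
    print("miss:", observed_data_matches(indicator["pattern"], OBSERVED_MISS))
```

Because the generated pattern names only `file:hashes`, it can be handed to a YARA or SIEM rule generator without that tool knowing anything about the Malware SDO; the Relationship object preserves the provenance that Jason's in-pattern reference was trying to capture.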