All,
As we mentioned on the TC call, there are a few small open questions remaining on the updated Malware SDO [1]:
- Regarding the name property, should this property always capture the filename for a malware instance? Or should we leave this flexible so that you can capture more semantic (e.g., family-derived) names such as "Zeus.A"?
- Regarding the existing "targets" relationship in STIX 2.0 from Malware to Vulnerability, we've suggested updating this to a new "exploits" relationship (i.e., Malware -> exploits -> Vulnerability) for semantic clarity. This would be a breaking change, but our thinking is that there would be far less confusion as to what this means.
My own thoughts:
- I feel like name should be flexible; we already have the samples property for capturing the information about the binaries associated with the malware, including their filenames.
- "Exploits" is much clearer than, and preferable to, "targets" with regard to vulnerabilities (I've never seen any malware reporting which states that malware "targets" a vulnerability), so it's worth making a breaking change for this.
[1] https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.73mue8q00k8
Regards,
Ivan
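The "exploits" proposal above is a breaking change to existing STIX 2.0 content, so the practical question for anyone holding bundles today is how to migrate them. The script below is an added example, not part of the message or of any OASIS/STIX project code: it scans a STIX 2.0 bundle for relationship objects of type "targets" whose source is a malware object and whose target is a vulnerability object, rewrites those to "exploits", and leaves every other "targets" relationship (e.g. Malware -> targets -> Identity, which the proposal does not touch) unchanged. The bundle, its identifiers and the "Zeus.A" malware object are constructed for illustration and describe no real threat data; the draft's samples property is not modelled because its structure is not shown here.

```python
"""Migrate STIX 2.0 Malware -targets-> Vulnerability relationships to the
proposed Malware -exploits-> Vulnerability form (added example, not project code)."""
import copy
import json
from datetime import datetime, timezone

# Constructed STIX 2.0 bundle used as sample input. All ids, names and
# timestamps are made up for this example.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--6a3f9f0e-1c2d-4e4f-8a6b-000000000001",
    "spec_version": "2.0",
    "objects": [
        {
            "type": "malware",
            "id": "malware--1c2d3e4f-5a6b-4c8d-9e0f-000000000002",
            "created": "2017-05-01T00:00:00.000Z",
            "modified": "2017-05-01T00:00:00.000Z",
            "name": "Zeus.A",  # family-derived name rather than a filename
            "labels": ["trojan"],
        },
        {
            "type": "vulnerability",
            "id": "vulnerability--5a6b7c8d-9e0f-4a1b-8c2d-000000000003",
            "created": "2017-05-01T00:00:00.000Z",
            "modified": "2017-05-01T00:00:00.000Z",
            "name": "Example browser vulnerability",
        },
        {
            "type": "identity",
            "id": "identity--9e0f1a2b-3c4d-4e5f-8a6b-000000000006",
            "created": "2017-05-01T00:00:00.000Z",
            "modified": "2017-05-01T00:00:00.000Z",
            "name": "Example Bank",
            "identity_class": "organization",
        },
        {   # Old form the proposal would replace: Malware -targets-> Vulnerability
            "type": "relationship",
            "id": "relationship--aaaa1111-2222-4333-8444-000000000004",
            "created": "2017-05-01T00:00:00.000Z",
            "modified": "2017-05-01T00:00:00.000Z",
            "relationship_type": "targets",
            "source_ref": "malware--1c2d3e4f-5a6b-4c8d-9e0f-000000000002",
            "target_ref": "vulnerability--5a6b7c8d-9e0f-4a1b-8c2d-000000000003",
        },
        {   # Malware -targets-> Identity is not affected and must be left alone
            "type": "relationship",
            "id": "relationship--bbbb1111-2222-4333-8444-000000000005",
            "created": "2017-05-01T00:00:00.000Z",
            "modified": "2017-05-01T00:00:00.000Z",
            "relationship_type": "targets",
            "source_ref": "malware--1c2d3e4f-5a6b-4c8d-9e0f-000000000002",
            "target_ref": "identity--9e0f1a2b-3c4d-4e5f-8a6b-000000000006",
        },
    ],
}


def stix_type(ref):
    """Return the object type encoded in a STIX id ('malware--<uuid>' -> 'malware')."""
    return ref.split("--", 1)[0]


def find_malware_targets_vulnerability(bundle):
    """Return the ids of relationships still using Malware -targets-> Vulnerability."""
    return [
        obj["id"]
        for obj in bundle.get("objects", [])
        if obj.get("type") == "relationship"
        and obj.get("relationship_type") == "targets"
        and stix_type(obj.get("source_ref", "")) == "malware"
        and stix_type(obj.get("target_ref", "")) == "vulnerability"
    ]


def migrate_targets_to_exploits(bundle, now=None):
    """Return (migrated_bundle, changed_relationship_ids).

    Only Malware -targets-> Vulnerability relationships are rewritten to
    'exploits'; the input bundle is not modified. The 'modified' timestamp
    is bumped because changing relationship_type is a new version of the SRO.
    """
    migrated = copy.deepcopy(bundle)
    to_change = set(find_malware_targets_vulnerability(bundle))
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    changed = []
    for obj in migrated["objects"]:
        if obj.get("id") in to_change:
            obj["relationship_type"] = "exploits"
            obj["modified"] = stamp
            changed.append(obj["id"])
    return migrated, changed


if __name__ == "__main__":
    new_bundle, changed_ids = migrate_targets_to_exploits(SAMPLE_BUNDLE)
    print("rewritten:", changed_ids)
    print(json.dumps(new_bundle, indent=2))
```

Running the script rewrites exactly one relationship (the Malware -> Vulnerability one) and leaves the Malware -> Identity "targets" relationship intact; `find_malware_targets_vulnerability` can also be run on its own as a check that a producer has finished migrating.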