cti-stix message
Subject: Malware SDO Remaining Open Questions


All,

 

As we mentioned on the TC call, there are a few small open questions remaining on the updated Malware SDO [1]:

 

  1. Regarding the name property, should this property always capture the filename for a malware instance? Or should we leave this flexible so that you can capture more semantic (e.g., family-derived) names such as “Zeus.A”?
  2. Regarding the existing “targets” relationship in STIX 2.0 from Malware to Vulnerability, we’ve suggested updating this to a new “exploits” relationship (i.e., Malware -> exploits -> Vulnerability) for semantic clarity. This would be a breaking change, but our thinking is that there would be far less confusion as to what this means.

 

My own thoughts:

  1. I feel like name should be flexible – we already have the samples property for capturing the information about the binaries associated with the malware, including their filenames.
  2. “Exploits” is much clearer than, and preferable to, “targets” with regard to vulnerabilities (I’ve never seen any malware reporting which states that malware “targets” a vulnerability), so it’s worth making a breaking change for this.

 

[1] https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.73mue8q00k8

 

Regards,

Ivan
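The second open question above is a breaking change to existing STIX 2.0 content: any producer or consumer that emitted Malware -> targets -> Vulnerability would have to rewrite those relationships. The following is an added example, not part of the original message and not code from the STIX specification or the draft it links to. It works on plain STIX-shaped dicts so it runs without the `stix2` library, treats `exploits` as the relationship type the message proposes (an assumption about the draft), rewrites only the legacy Malware-to-Vulnerability `targets` edges while leaving `targets` edges to other object types untouched, and bumps `modified` on every rewritten relationship so the change is a new object version rather than a silent in-place edit. The `name` of the constructed malware object is a family-derived name and its filenames live in `samples`, following the property name used in the message (the final property name may differ). All identifiers and values are constructed for illustration.

```python
"""Migrate legacy STIX 2.0 Malware -> targets -> Vulnerability relationships
to the proposed Malware -> exploits -> Vulnerability form.

Added example; not the STIX specification's or the draft's own code.
"""
from copy import deepcopy
from datetime import datetime, timezone

LEGACY_TYPE = "targets"
NEW_TYPE = "exploits"  # assumption: the relationship type proposed in the message

# Constructed sample bundle (illustrative UUIDs, not real intelligence).
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {
            "type": "malware",
            "id": "malware--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
            "name": "Zeus.A",  # family-derived name, not a filename
            # property name follows the message; binaries/filenames go here
            "samples": [{"filename": "invoice.exe"}],
        },
        {
            "type": "vulnerability",
            "id": "vulnerability--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb",
            "name": "Sample vulnerability (constructed)",
        },
        {
            "type": "identity",
            "id": "identity--cccccccc-cccc-4ccc-8ccc-cccccccccccc",
            "name": "Sample victim organisation (constructed)",
        },
        {   # legacy edge that the migration must rewrite
            "type": "relationship",
            "id": "relationship--dddddddd-dddd-4ddd-8ddd-dddddddddddd",
            "relationship_type": "targets",
            "source_ref": "malware--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
            "target_ref": "vulnerability--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb",
            "created": "2017-01-01T00:00:00.000Z",
            "modified": "2017-01-01T00:00:00.000Z",
        },
        {   # Malware -> targets -> Identity is still valid and must be left alone
            "type": "relationship",
            "id": "relationship--eeeeeeee-eeee-4eee-8eee-eeeeeeeeeeee",
            "relationship_type": "targets",
            "source_ref": "malware--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
            "target_ref": "identity--cccccccc-cccc-4ccc-8ccc-cccccccccccc",
            "created": "2017-01-01T00:00:00.000Z",
            "modified": "2017-01-01T00:00:00.000Z",
        },
    ],
}


def _ref_type(ref):
    """STIX identifiers are '<type>--<uuid>'; the prefix gives the object type."""
    return ref.split("--", 1)[0]


def is_legacy_malware_vuln_targets(obj):
    """True for a relationship that uses the old Malware -> targets -> Vulnerability form."""
    return (
        obj.get("type") == "relationship"
        and obj.get("relationship_type") == LEGACY_TYPE
        and _ref_type(obj.get("source_ref", "")) == "malware"
        and _ref_type(obj.get("target_ref", "")) == "vulnerability"
    )


def find_legacy(bundle):
    """Return ids of relationships that still need migrating."""
    return [o["id"] for o in bundle["objects"] if is_legacy_malware_vuln_targets(o)]


def migrate_targets_to_exploits(bundle, modified=None):
    """Return (new_bundle, changed_ids). The input bundle is not mutated.

    Each rewritten relationship gets a fresh 'modified' timestamp so the
    change is a new STIX object version, as the versioning rules expect.
    """
    if modified is None:
        modified = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    out = deepcopy(bundle)
    changed = []
    for obj in out["objects"]:
        if is_legacy_malware_vuln_targets(obj):
            obj["relationship_type"] = NEW_TYPE
            obj["modified"] = modified
            changed.append(obj["id"])
    return out, changed


if __name__ == "__main__":
    migrated, ids = migrate_targets_to_exploits(SAMPLE_BUNDLE, "2018-01-01T00:00:00.000Z")
    print("rewritten:", ids)
    print("legacy edges remaining:", find_legacy(migrated))
```

Running the migration over the constructed bundle rewrites exactly one relationship (the Malware-to-Vulnerability one) and leaves the Malware-to-Identity `targets` edge intact; a consumer that has not yet adopted the new type can use `find_legacy` as a pre-ingest check so that unmigrated content is flagged rather than silently reinterpreted.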