Subject: Re: [cti-stix] Malware SDO Remaining Open Questions
- From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- To: Sarah Kelley <Sarah.Kelley@cisecurity.org>
- Date: Tue, 31 Oct 2017 09:13:15 -0400
I would agree and argue that the normative text should actively discourage using this for the file name. The file name should be encoded in samples.

If folks start putting the file name in the name field, it will cause interoperability problems, as tools can do absolutely nothing with this field from an automation perspective.
Agree RE exploits.
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security
Without data, all you are is just another person with an opinion - Unknown
From: Sarah Kelley <Sarah.Kelley@cisecurity.org>
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 10/31/2017 09:33 AM
Subject: Re: [cti-stix] Malware SDO Remaining Open Questions
Sent by: <cti-stix@lists.oasis-open.org>
I 100% agree that file name should be flexible. I have seen many reports that discuss malware and give hashes, but do not give the filename, and given that this is required, flexibility is a must.

I think I also prefer “exploits” to “Targets” for vulnerability.
Sarah Kelley
Senior Cyber Threat Analyst
Multi-State Information Sharing and Analysis Center (MS-ISAC)
31 Tech Valley Drive
East Greenbush, NY 12061
sarah.kelley@cisecurity.org
518-266-3493
24x7 Security Operations Center
SOC@cisecurity.org - 1-866-787-4722
From: <cti-stix@lists.oasis-open.org> on behalf of Paul Patrick <Paul.Patrick@FireEye.com>
Date: Friday, October 27, 2017 at 1:12 PM
To: "Kirillov, Ivan A." <ikirillov@mitre.org>, Sean Barnum <sean.barnum@FireEye.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Malware SDO Remaining Open Questions
I’m on board with updating the description.
From: <cti-stix@lists.oasis-open.org> on behalf of Ivan Kirillov <ikirillov@mitre.org>
Date: Friday, October 27, 2017 at 12:54 PM
To: Sean Barnum <sean.barnum@FireEye.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Malware SDO Remaining Open Questions
Thanks – I agree with your comment around “exploits”, though maybe we can just update the description to state that the malware “exploits or attempts to exploit” a vulnerability to get around this.
Regards,
Ivan
From: <cti-stix@lists.oasis-open.org> on behalf of Sean Barnum <sean.barnum@FireEye.com>
Date: Friday, October 27, 2017 at 10:49 AM
To: Ivan Kirillov <ikirillov@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Malware SDO Remaining Open Questions
1) Definitely feel this should be flexible and not a filename.

2) "Exploits" is clearer, but I do have some minor worry that it conveys an impression that the malware always successfully exploits the vuln, where the reality in many cases is that malware may target a vuln for exploitation but its success may depend on many other factors within the targeted environment. Not a huge worry but something to consider.
From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Kirillov, Ivan A. <ikirillov@mitre.org>
Sent: Friday, October 27, 2017 12:43:32 PM
To: cti-stix@lists.oasis-open.org
Subject: [cti-stix] Malware SDO Remaining Open Questions
All,
As we mentioned on the TC call, there are a few small open questions remaining on the updated Malware SDO [1]:

1. Regarding the name property, should this property always capture the filename for a malware instance? Or should we leave this flexible so that you can capture more semantic (e.g., family-derived) names such as “Zeus.A”?

2. Regarding the existing “targets” relationship in STIX 2.0 from Malware to Vulnerability, we’ve suggested updating this to a new “exploits” relationship (i.e., Malware -> exploits -> Vulnerability) for semantic clarity. This would be a breaking change, but our thinking is that there would be far less confusion as to what this means.
My own thoughts:

1. I feel like name should be flexible – we already have the samples property for capturing the information about the binaries associated with the malware, including their filenames.

2. “Exploits” is much clearer and preferable to “targets” with regards to vulnerabilities (I’ve never seen any malware reporting which states that malware “targets” a vulnerability), so it’s worth making a breaking change for this.
[1] https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.73mue8q00k8
Regards,
Ivan
This email and any attachments thereto
may contain private, confidential, and/or privileged material for the sole
use of the intended recipient. Any review, copying, or distribution of
this email (or any attachments thereto) by others is strictly prohibited.
If you are not the intended recipient, please contact the sender immediately
and permanently delete the original and any copies of this email and any
attachments thereto.
This message and attachments may contain confidential information.
If it appears that this message was sent to you by mistake, any retention,
dissemination, distribution or copying of this message and attachments
is strictly prohibited. Please notify the sender immediately and permanently
delete the message and any attachments.
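The two modelling points argued in this thread (keep the Malware `name` semantic and put filenames on the sample objects; prefer `exploits` over `targets` for Malware -> Vulnerability) can be enforced by a small lint pass over a STIX 2 bundle. The following is an added example, not code from the cti-stix list or the STIX specification; it assumes the published STIX 2.1 shape (`sample_refs` pointing at `file` objects, which the 2017 draft under discussion called `samples`), uses a constructed extension heuristic, and all ids and hashes in the sample bundle are placeholders.

```python
import re

# Constructed heuristic: a bare token ending in a common executable/document extension.
# Family-style names such as "Zeus.A" also contain a dot, so the extension must be known.
_FILE_EXTS = {"exe", "dll", "scr", "bat", "ps1", "js", "vbs", "jar", "apk",
              "doc", "docx", "xls", "xlsm", "pdf", "zip", "rar", "bin", "elf"}

def looks_like_filename(name):
    """True for 'invoice.exe'; False for family names such as 'Zeus.A'."""
    m = re.fullmatch(r"[^\s/\\]+\.([A-Za-z0-9]{1,5})", name or "")
    return bool(m) and m.group(1).lower() in _FILE_EXTS

def lint_bundle(bundle):
    """Return (object id, message) pairs for the two issues raised in the thread."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    findings = []
    for obj in bundle["objects"]:
        if obj["type"] == "malware" and looks_like_filename(obj.get("name")):
            findings.append((obj["id"], "name is a filename; record it on a file object "
                                        "referenced from sample_refs and keep name semantic"))
        elif obj["type"] == "relationship" and obj["relationship_type"] == "targets":
            src = by_id.get(obj["source_ref"], {}).get("type")
            dst = by_id.get(obj["target_ref"], {}).get("type")
            if src == "malware" and dst == "vulnerability":
                findings.append((obj["id"], "malware->vulnerability should use "
                                            "'exploits' (STIX 2.1) instead of 'targets' (2.0)"))
    return findings

# Constructed sample bundle: one well-formed malware object (family name, filename on the
# referenced file), one malware object misusing name, and one legacy 'targets' relationship.
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "file", "spec_version": "2.1", "id": "file--00000000-0000-4000-8000-000000000002",
         "name": "invoice.exe", "hashes": {"SHA-256": "0" * 64}},  # placeholder hash
        {"type": "malware", "spec_version": "2.1", "id": "malware--00000000-0000-4000-8000-000000000003",
         "name": "Zeus.A", "is_family": False,
         "sample_refs": ["file--00000000-0000-4000-8000-000000000002"]},
        {"type": "malware", "spec_version": "2.1", "id": "malware--00000000-0000-4000-8000-000000000004",
         "name": "invoice.exe", "is_family": False},
        {"type": "vulnerability", "spec_version": "2.1",
         "id": "vulnerability--00000000-0000-4000-8000-000000000005", "name": "CVE-XXXX-YYYY (placeholder)"},
        {"type": "relationship", "spec_version": "2.1",
         "id": "relationship--00000000-0000-4000-8000-000000000006", "relationship_type": "targets",
         "source_ref": "malware--00000000-0000-4000-8000-000000000003",
         "target_ref": "vulnerability--00000000-0000-4000-8000-000000000005"},
    ],
}

if __name__ == "__main__":
    for obj_id, msg in lint_bundle(SAMPLE_BUNDLE):
        print(f"{obj_id}: {msg}")
```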