Hi All,
With all the copious amounts of spare time over the holiday festive period, I've spent some time on a Webpage Cyber Observable and a HTTP-Response-ext proposal. This proposal is to specifically target a major hole in our Cyber Observables repertoire - the ability to record contents from a webpage.
I propose that we add the Webpage Cyber Observable to STIX 2.1. I also propose that we add the HTTP-Response-Ext (an extension for the Network-Traffic object) to STIX 2.1.
The new objects will enable the following use cases that are currently missing:
- Record the JavaScript from an exploit redirection site
- Record excerpts from a conversation held within a web forum
- Record the redirect chain of multiple stages of exploit redirection to show how an attack was performed
- Record a web defacement
- Record changes to a webpage over time
I believe strongly that the attached proposal is essential to add to STIX 2.1 to ensure that we can adequately cover the use cases described above (and many others that require the capturing of web-based data).
Please provide any comments back to the group.
Cheers
Terry MacDonald | Chief Product Officer