cti-stix message

Subject: Sample Malware STIX Documents


Hey All,
    I apologize for the Friday release of data.  Last week, I had the
opportunity to present on some proposed changes to the malware object.  As
promised, I wanted to provide sample STIX documents for everyone's review.
This is some redacted processing based upon some VirusTotal samples, but it
is live results.

As a reminder, the main things we are changing are:

- samples -> samples_ref, where it points to an observed-data object that
  contains the samples that were submitted for processing
- results in the analysis_type changes to results_ref, where it points to an
  observed-data object containing the cyber observables that came out of the
  processing.

The reason we are proposing these changes is to make it easier for
implementations to reuse the work they already performed to correctly parse
observed-data rather than having to learn a separate way to use cyber
observables in a malware object.
Next, because results changed from a dictionary to a reference to an
observed-data object, that data is captured in a common STIX format rather
than being arbitrary to each implementation.  

We did have to use some custom extensions for our data, as we expect others
will as well.  As part of the STIX process, this will help identify new
cyber-observables or updates to the standard, but because we are using
extensions rather than a dictionary, it is putting us down the correct path
toward conformity.

During this upcoming Tuesday's call, we will review these changes.
Hopefully we can get a consensus one way or another; if we cannot, I would
suggest that we turn this into a ballot so we can quickly get approval to
move forward on this object and get towards a 2.1 release.

Btw: a big thank you to Sagar Singh and Jeff Mates for helping put this all
together.

Thanks everyone!
   -Gary

Attachment: STIX_AMR-2018-0000299_AutomatedResponse.json
Description: Binary data

Attachment: STIX_AMR-2018-0000302_AutomatedResponse.json
Description: Binary data

Attachment: STIX Malware Object Presentation 2.pptx
Description: application/vnd.openxmlformats-officedocument.presentationml.presentation

Attachment: smime.p7s
Description: S/MIME cryptographic signature
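The following is an added example, not part of the message above or of the attached documents, showing what a consumer of the proposed shape would do with it: resolve samples_ref and results_ref on a malware object to observed-data objects in the same bundle, flag references that do not resolve or that point at the wrong object type, and then pull the observables out with the same observed-data handling the consumer already has. The property names (samples_ref, results_ref, a results_ref inside each analysis_type entry), the identifiers, hashes and timestamps are all constructed placeholders following the proposal as described in the message, not the published STIX specification, and the bundle is not validated against any schema.

```python
"""Resolve and check *_ref properties on a proposed STIX malware object.

Property names follow the proposal in the message (samples_ref, results_ref)
and are assumptions, not the published STIX spec.  All identifiers, hashes
and timestamps below are constructed placeholders.
"""
import json

# Constructed identifiers (placeholder UUIDs, not real data).
OBS_SAMPLES_ID = "observed-data--11111111-1111-4111-8111-111111111111"
OBS_RESULTS_ID = "observed-data--22222222-2222-4222-8222-222222222222"
MALWARE_ID = "malware--33333333-3333-4333-8333-333333333333"


def build_bundle():
    """Return a constructed bundle in the shape the proposal describes:
    the malware object carries references, the observables live in
    ordinary observed-data objects."""
    samples = {  # what was submitted for processing
        "type": "observed-data",
        "id": OBS_SAMPLES_ID,
        "first_observed": "2018-01-01T00:00:00Z",  # constructed
        "last_observed": "2018-01-01T00:00:00Z",
        "number_observed": 1,
        "objects": {
            "0": {"type": "file", "hashes": {"SHA-256": "00" * 32}},  # constructed
        },
    }
    results = {  # what came out of the processing
        "type": "observed-data",
        "id": OBS_RESULTS_ID,
        "first_observed": "2018-01-01T00:05:00Z",
        "last_observed": "2018-01-01T00:05:00Z",
        "number_observed": 1,
        "objects": {
            "0": {"type": "domain-name", "value": "example.invalid"},  # constructed
        },
    }
    malware = {
        "type": "malware",
        "id": MALWARE_ID,
        "name": "sample-under-analysis",  # constructed
        "samples_ref": OBS_SAMPLES_ID,
        # Assumed shape: one entry per analysis, each pointing at its results.
        "analysis_type": [
            {"product": "example-sandbox", "results_ref": OBS_RESULTS_ID},
        ],
    }
    return {"type": "bundle", "id": "bundle--44444444-4444-4444-8444-444444444444",
            "objects": [samples, results, malware]}


def _malware_refs(obj):
    """Yield (property path, reference) for every *_ref on a malware object."""
    if obj.get("samples_ref") is not None:
        yield "samples_ref", obj["samples_ref"]
    for i, analysis in enumerate(obj.get("analysis_type", [])):
        if analysis.get("results_ref") is not None:
            yield f"analysis_type[{i}].results_ref", analysis["results_ref"]


def find_bad_refs(bundle):
    """Return (object id, property, problem) for every malware reference that
    does not resolve, or resolves to something other than observed-data."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    problems = []
    for obj in bundle["objects"]:
        if obj.get("type") != "malware":
            continue
        for prop, ref in _malware_refs(obj):
            target = by_id.get(ref)
            if target is None:
                problems.append((obj["id"], prop, "reference does not resolve"))
            elif target.get("type") != "observed-data":
                problems.append((obj["id"], prop,
                                 f"points to {target.get('type')}, not observed-data"))
    return problems


def observables_for(bundle, malware_id):
    """Collect the cyber observables reachable from a malware object through
    its references, using the bundle's observed-data objects as-is."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    malware = by_id[malware_id]
    found = []
    for _prop, ref in _malware_refs(malware):
        target = by_id.get(ref)
        if target and target.get("type") == "observed-data":
            # observed-data keeps observables in a dict keyed "0", "1", ...
            found.extend(target["objects"][k] for k in sorted(target["objects"]))
    return found


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    print("problems:", find_bad_refs(bundle))
    print("observables:", observables_for(bundle, MALWARE_ID))
```

Because the references resolve to plain observed-data objects, observables_for needs no malware-specific parsing; a consumer that already walks observed-data can reuse it directly, which is the reuse argument the message makes.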
