Re: [cti-stix] Two Minor 2.1 STIX Proposals

[Allan Thomson <athomson@lookingglasscyber.com>]

Jason - should the relationship not be named ‘has_vulnerability’ rather than vulnerable to?

Example:

The telnet software version 11.2 has vulnerability CVE #1-23-5

Please confirm that your intention is to relate the software to known vulnerabilities detected for that software version.

Thanks

Allan Thomson.

CTO, lookingglass cyber solutions.

Www.lookingglasscyber.com. This electronic message transmission contains information from LookingGlass Cyber Solutions, Inc. which may be attorney-client privileged, proprietary and/or confidential. The information in this message is intended only for use by the individual(s) to whom it is addressed. If you believe that you have received this message in error, please contact the sender, delete this message, and be aware that any review, use, disclosure, copying or distribution of the contents contained within is strictly prohibited.

---

From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Sent: Saturday, September 29, 2018 1:48:34 AM
To: cti-stix@lists.oasis-open.org
Subject: [cti-stix] Two Minor 2.1 STIX Proposals

 

I would like to submit the following two minor proposals for 2.1...

- The addition of a "software_ref" property to the "Process" cyber observable object. This would allow one to encode what piece of software a given process is for (which you can then tie to CPE and do many things with)

- A defined relationship type of "vulnerable_to" to be added from observed_data to vulnerability. This would allow you to say that a given process, system, or software was vulnerable to a certain vulnerability.

-
Jason Keirstead
Lead Architect - IBM.Security
www.ibm.com/security

"Things may come to those who wait, but only the things left by those who hustle." - Unknown