
Subject: Re: [cti] Public review comments from Kaiser Permanente for STIX V1.2.1

Keep in mind that “Exploit” != “Exploit Target”. Within TTP, there’s a placeholder “ExploitType” that’s intended to characterize actual exploits. We don’t really have a good way to do that now so it’s pretty bare. There’s a separate “ExploitTargetType” as a top-level construct that can represent vulnerabilities, configurations, and weaknesses. That construct does indeed have a CVE_ID field.

So…exploit = representation of the actual exploit code that exploits a vulnerability. Exploit target = representation of the vulnerability that is or might be the target of an exploit.


From: <cti@lists.oasis-open.org> on behalf of Rich Piazza <rpiazza@mitre.org>
Date: Sunday, February 7, 2016 at 5:07 PM
To: Beth Pumo <beth.pumo@kp.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: RE: [cti] Public review comments from Kaiser Permanente for STIX V1.2.1

I think the "best practices" way of expressing what you want is to have the TTP be related to an Exploit_Target that describes the CVE, including its ID.
Also, notice that the ttp:ExploitType isn't fully specified - from the specs:
The ExploitType class is intended to be extended to enable the structured description of an exploit instance.  However, no extension is provided by STIX v 1.2.1; producers wanting to represent structured exploit instance information are encouraged to develop such an extension.
-----Original Message-----
From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Beth Pumo
Sent: Friday, February 05, 2016 3:52 PM
To: cti@lists.oasis-open.org
Subject: [cti] Public review comments from Kaiser Permanente for STIX V1.2.1
Comment on this area: STIX Part 5, TTP, Section ExploitType Class: Should CVE_ID be included, considering CAPEC_ID is included for AttackPatternType?
Basically, the default extensions for similar classes include attributes for similar ID types. Example: the Exploit Target data model WeaknessType class contains CWE_ID. It should be useful to include an (optional) attribute for CVE numbers on Exploits, if the CVE numbers are known.
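
The modelling recommended in the replies above (a TTP related to an Exploit_Target that carries the CVE_ID) seen from the consumer side, as an added example that is not part of the thread or of the STIX specification. The sample document is constructed, its namespace URIs are assumed to be the MITRE STIX 1.x ones, the CVE value is a placeholder, and `local` and `cves_by_ttp` are hypothetical helper names; elements are matched by local name only.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the thread); MITRE STIX 1.x namespace URIs are
# assumed and the CVE value is a placeholder.
SAMPLE = """\
<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:ttp="http://stix.mitre.org/TTP-1"
    xmlns:et="http://stix.mitre.org/ExploitTarget-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <stix:TTPs><stix:TTP id="example:ttp-1" xsi:type="ttp:TTPType">
    <ttp:Behavior><ttp:Exploits><ttp:Exploit>
      <ttp:Title>Exploit code; ExploitType carries no CVE_ID</ttp:Title>
    </ttp:Exploit></ttp:Exploits></ttp:Behavior>
    <ttp:Exploit_Targets><ttp:Exploit_Target>
      <stixCommon:Exploit_Target idref="example:et-1"/>
    </ttp:Exploit_Target></ttp:Exploit_Targets>
  </stix:TTP></stix:TTPs>
  <stix:Exploit_Targets>
    <stixCommon:Exploit_Target id="example:et-1" xsi:type="et:ExploitTargetType">
      <et:Vulnerability><et:CVE_ID>CVE-0000-0000</et:CVE_ID></et:Vulnerability>
    </stixCommon:Exploit_Target>
  </stix:Exploit_Targets>
</stix:STIX_Package>
"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def cves_by_ttp(xml_text):
    """Map each TTP id to the CVE IDs of the Exploit Targets it relates to."""
    root = ET.fromstring(xml_text)
    # Exploit_Target definitions carry @id; references to them carry @idref.
    targets = {e.get("id"): e for e in root.iter()
               if local(e.tag) == "Exploit_Target" and e.get("id")}
    result = {}
    for ttp in root.iter():
        if local(ttp.tag) != "TTP" or not ttp.get("id"):
            continue
        cves = set()  # a set, because wrapper and inline child both match
        for ref in ttp.iter():
            if local(ref.tag) != "Exploit_Target":
                continue
            # Follow @idref when it resolves; otherwise read inline content.
            node = targets.get(ref.get("idref"), ref)
            cves.update(c.text.strip() for c in node.iter()
                        if local(c.tag) == "CVE_ID" and c.text)
        result[ttp.get("id")] = sorted(cves)
    return result
```

A reference whose idref does not resolve yields an empty list for that TTP rather than an error. For documents from untrusted feeds, parse with a hardened parser such as defusedxml instead of the standard library.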
