OASIS Mailing List Archives

cti message


Subject: Common CybOX Object Refactoring


Sending this to the broader CTI list since it’s part of the STIX/CybOX Indicator tranche. 

Here’s a summary of the status of the refactoring of the most commonly used CybOX Objects (based on CTI-stats). Please let us know if you don’t agree with the consensus status for Address and File, and also if you have any input on their open questions. 
  • Address Object
  • Artifact Object
    • Not discussed yet
    • May require some changes
  • Domain Name
    • Not discussed yet
    • Likely requires very little in the way of changes
  • Email Message
    • Not discussed yet
    • May require some changes; we’re considering creating a base “Message” Object for use in Email Message as well as SMS Message
  • File Object
    • Proposal: https://github.com/CybOXProject/schemas/wiki/CybOX-3.0:-File-Object-Refactoring
    • Consensus largely reached
    • Open questions:
      • Are there any additional properties that belong in the base set of properties or basic set of file system properties?
      • Which default extensions should be included with the Object? 
        • Current proposed list:
          • File Metadata
          • EXT3 File
          • NTFS File
          • Image File (based on existing Image File Object)
          • PDF File (based on existing PDF File Object)
          • Archive File (based on existing Archive File Object)
          • PE Binary File (based on existing Windows Executable File Object)
  • Hostname
    • Not discussed yet
    • Likely requires very little in the way of changes
  • HTTP Session
    • Not discussed yet
    • May require some significant refactoring, related to the refactoring of Network Connection
  • Link
    • Not discussed yet
    • Likely requires very little in the way of changes
  • Memory
    • Not discussed yet
    • May require some changes
  • Mutex
    • Not discussed yet
    • Likely requires very little in the way of changes
  • Network Connection
    • Not discussed yet; proposal forthcoming
    • May require significant refactoring
  • PDF File
    • Not discussed yet
    • May require some changes; likely to be included as an extension of the File Object
  • Port
    • Not discussed yet
    • Likely requires very little in the way of changes
  • URI
    • Not discussed yet
    • Likely requires very little in the way of changes
  • WhoIS
    • Not discussed yet
    • May require some changes
  • Windows Executable File
  • Windows Registry Key
    • Not discussed yet
    • Likely requires very little in the way of changes

Accordingly, I would propose grouping and timeboxing the refactoring discussions as such:
  • Network Object Refactoring – Network Connection and HTTP Session
    • 2 weeks
  • Messaging Object Refactoring – Email Message and SMS Message
    • 1 week
  • Other Atomic Network Object Refactoring – Domain Name, Hostname, Port, URI, and Link
    • 1 week
  • Host Object Refactoring – Windows Executable File, Windows Registry Key, PDF File, and Mutex
    • 1 week
  • Other Object Refactoring – WhoIS and Artifact
    • 1 week

Regards,
Ivan

