
Subject: Re: [cti] CybOX Datatype Refactoring/Deprecation


Jason Keirstead wrote this message on Tue, Mar 22, 2016 at 10:54 -0400:
> I understand the encoding one, but not the obfuscated one. If someone wants
> to obfuscate (either reversibly or irreversibly) an email or URL before
> publishing it, we can't prevent that. I am not sure what is meant by
> "support" in this case.

I could possibly see a flag that lets the consumer know that this value
was changed from the original,

but IMO, there isn't much value in obfuscating things...  You don't want
to obfuscate TTP or Campaigns, etc.  You don't want to obfuscate an
Indicator...

The only things I can think of that you'd want to obfuscate are
Observations, but in that case, we have sightings, so you can instead
sight it and just not publish it.

> From:	"Kirillov, Ivan A." <ikirillov@mitre.org>
> To:	"'cti@lists.oasis-open.org'" <cti@lists.oasis-open.org>
> Date:	03/22/2016 11:29 AM
> Subject:	Re: [cti] CybOX Datatype Refactoring/Deprecation
> Sent by:	<cti@lists.oasis-open.org>
> 
> 
> 
> Now that we’ve voted to not support defanging, the question remains as to
> whether we should support obfuscation and capture of observed encoding on
> CybOX Object fields:
>       Obfuscation example: XXXX@yahoo.com or YYYY@comcast.com. Also used
>       for URLs.
>       Observed encoding: utf-8, etc. Mostly relevant for malware analysis
>       and attribution, e.g., if an actor is known to use a particular
>       encoding in their comment strings.

-- 
John-Mark

