Subject: Re: [cti] Re: Example STIX document.
- From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- To: "Jordan, Bret" <bret.jordan@bluecoat.com>
- Date: Wed, 14 Sep 2016 13:35:20 +0200
The pattern in this example is never going to match anything because there is no ObservedData (because of these top-level fields in Malware, instead of using ObservedData to define that).
Or... is that what you're trying to illustrate?
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
From: "Jordan, Bret" <bret.jordan@bluecoat.com>
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Date: 09/14/2016 02:25 AM
Subject: [cti] Re: Example STIX document.
Sent by: <cti@lists.oasis-open.org>
Oh and I forgot to mention, this code includes some proposed ideas for the Malware object and will have content from the proposed Infrastructure object.
Thanks,
Bret
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
On Sep 13, 2016, at 23:16, Jordan, Bret <bret.jordan@BLUECOAT.COM> wrote:
All,
I have been working on some code tonight to hopefully show a potential issue with Observed Data. I am not yet ready to explain it or show it in detail, but I wanted to show you what I have done so far tonight (I still have a bit more work to do).
The code for all of this can be found here:
https://github.com/freetaxii/libstix2
JSON Output:
[22:43:05] saturn
[jordan]:/opt/go/src/github.com/freetaxii/libstix2/examples/bundle-> go run 01-bundle.go
{
  "type": "bundle",
  "id": "bundle--cf94e6c9-4908-4dc0-90bc-830fb073e3fa",
  "spec_version": "stix-2.0",
  "campaigns": [
    {
      "type": "campaign",
      "id": "campaign--06d4b8e7-0726-43e8-aa30-0808f90bb51a",
      "created": "2016-09-14T05:06:10Z",
      "modified": "2016-09-14T05:06:10Z",
      "version": 1,
      "name": "Bank Attack 2016",
      "objective": "Compromise SWIFT system and steal money"
    }
  ],
  "indicators": [
    {
      "type": "indicator",
      "id": "indicator--413517ea-3f42-4b6a-be29-b6e58f9981b0",
      "created": "2016-09-14T05:06:10Z",
      "modified": "2016-09-14T05:06:10Z",
      "version": 1,
      "name": "Malware C2 Indicator 2016",
      "pattern": "file-object:hashes.md5 = 84714c100d2dfc88629531f6456b8276"
    }
  ],
  "malware": [
    {
      "type": "malware",
      "id": "malware--045513d3-61ab-4a32-accd-548fee1bf1d7",
      "created": "2016-09-14T05:06:10Z",
      "modified": "2016-09-14T05:06:10Z",
      "version": 1,
      "labels": [
        "trojan",
        "malware-family"
      ],
      "name": "Zeus"
    },
    {
      "type": "malware",
      "id": "malware--fbeff686-72d1-42b1-8a74-d52d4d8b1b36",
      "created": "2016-09-14T05:06:10Z",
      "modified": "2016-09-14T05:06:10Z",
      "version": 1,
      "labels": [
        "trojan"
      ],
      "name": "SpyEye",
      "filenames": [
        "cleansweep.exe",
        "spyeye2_exe",
        "build_1_.exe"
      ],
      "hashes": {
        "md5": "84714c100d2dfc88629531f6456b8276",
        "sha256": "861aa9c5ddcb5284e1ba4e5d7ebacfa297567c353446506ee4b4e39c84454b09"
      },
      "scan_data": [
        {
          "product": "avg",
          "scanned": "2016-08-30T06:31:48Z",
          "classification": "Generic16.BFGI"
        },
        {
          "product": "avast",
          "scanned": "2016-08-30T06:31:48Z",
          "classification": "Win32:Downloader-NTU [PUP]"
        }
      ]
    }
  ],
  "relationships": [
    {
      "type": "relationship",
      "id": "relationship--e1fa4b09-49bb-4726-8e46-433841fc2d86",
      "created": "2016-09-14T05:06:10Z",
      "modified": "2016-09-14T05:06:10Z",
      "version": 1,
      "relationship_type": "member-of",
      "source_ref": "malware--045513d3-61ab-4a32-accd-548fee1bf1d7",
      "target_ref": "malware--fbeff686-72d1-42b1-8a74-d52d4d8b1b36"
    },
    {
      "type": "relationship",
      "id": "relationship--e8a71f7e-f3e3-4e1e-9bbc-315855021f8b",
      "created": "2016-09-14T05:06:10Z",
      "modified": "2016-09-14T05:06:10Z",
      "version": 1,
      "relationship_type": "uses",
      "source_ref": "campaign--06d4b8e7-0726-43e8-aa30-0808f90bb51a",
      "target_ref": "malware--fbeff686-72d1-42b1-8a74-d52d4d8b1b36"
    },
    {
      "type": "relationship",
      "id": "relationship--f9e5545a-25d3-468f-a1fe-bfae8c3bcc3b",
      "created": "2016-09-14T05:06:10Z",
      "modified": "2016-09-14T05:06:10Z",
      "version": 1,
      "relationship_type": "indicates",
      "source_ref": "indicator--413517ea-3f42-4b6a-be29-b6e58f9981b0",
      "target_ref": "malware--fbeff686-72d1-42b1-8a74-d52d4d8b1b36"
    }
  ],
  "sightings": [
    {
      "type": "sighting",
      "id": "sighting--0f152ef9-17d2-4dd1-8f75-5ecd0607f722",
      "created": "2016-09-14T05:06:10Z",
      "modified": "2016-09-14T05:06:10Z",
      "version": 1,
      "first_seen": "2016-09-01T00:00:00Z",
      "last_seen": "2016-09-01T10:30:00Z",
      "count": 3,
      "sighting_of_ref": "malware--fbeff686-72d1-42b1-8a74-d52d4d8b1b36"
    }
  ]
}
Source Code to Generate:
package main

import (
	"encoding/json"
	"fmt"
	"log"

	"github.com/freetaxii/libstix2/messages/bundle"
)

func main() {
	sm := bundle.New()

	// Create a campaign
	c := sm.NewCampaign()
	c.SetName("Bank Attack 2016")
	c.SetObjective("Compromise SWIFT system and steal money")

	// Create an indicator
	i := sm.NewIndicator()
	i.SetName("Malware C2 Indicator 2016")
	i.SetPattern("file-object:hashes.md5 = 84714c100d2dfc88629531f6456b8276")

	// Define a family of malware
	m1 := sm.NewMalware()
	m1.SetName("Zeus")
	m1.AddLabel("trojan")
	m1.AddLabel("malware-family")

	// Define a piece of malware
	m2 := sm.NewMalware()
	m2.SetName("SpyEye")
	m2.AddLabel("trojan")
	m2.AddFilename("cleansweep.exe")
	m2.AddFilename("spyeye2_exe")
	m2.AddFilename("build_1_.exe")
	m2.AddHash("md5", "84714c100d2dfc88629531f6456b8276")
	m2.AddHash("sha256", "861aa9c5ddcb5284e1ba4e5d7ebacfa297567c353446506ee4b4e39c84454b09")

	// Define some scan data for the malware sample
	m2s1 := m2.NewScanData()
	m2s1.SetScannedText("2016-08-30T06:31:48Z")
	m2s1.SetProduct("avg")
	m2s1.SetClassification("Generic16.BFGI")

	m2s2 := m2.NewScanData()
	m2s2.SetScannedText("2016-08-30T06:31:48Z")
	m2s2.SetProduct("avast")
	m2s2.SetClassification("Win32:Downloader-NTU [PUP]")

	// Connect the malware sample to a malware family
	r1 := sm.NewRelationship()
	r1.SetRelationshipType("member-of")
	r1.SetSourceRef(m1.GetId())
	r1.SetTargetRef(m2.GetId())

	// Identify that this campaign uses this piece of malware
	r2 := sm.NewRelationship()
	r2.SetRelationshipType("uses")
	r2.SetSourceRef(c.GetId())
	r2.SetTargetRef(m2.GetId())

	// Identify that this indicator can indicate the presence of this malware
	r3 := sm.NewRelationship()
	r3.SetRelationshipType("indicates")
	r3.SetSourceRef(i.GetId())
	r3.SetTargetRef(m2.GetId())

	// Add a sighting for the malware
	s1 := sm.NewSighting()
	s1.SetFirstSeenText("2016-09-01T00:00:00Z")
	s1.SetLastSeenText("2016-09-01T10:30:00Z")
	s1.SetCount(3)
	s1.SetSightingOfRef(m2.GetId())

	// Serialize the bundle; a marshalling failure should not be silently dropped
	data, err := json.MarshalIndent(sm, "", " ")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(string(data))
}
Thanks,
Bret
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
[attachment "signature.asc" deleted by Jason Keirstead/CanEast/IBM]
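Jason's point, as an added example (my code, not libstix2's and not from the thread): an indicator pattern is evaluated against Observed Data, and Bret's bundle has none, so the MD5 sitting in the Malware object's top-level "hashes" field is never consulted and the pattern matches nothing. The trimmed bundle structs, the placeholder observed-data id, and the regex that pulls the algorithm and value out of the pattern are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

type bundle struct { // only the fields the check needs; malware etc. are deliberately ignored
	Indicators   []struct{ ID, Pattern string }
	ObservedData []struct {
		ID      string
		Objects map[string]struct{ Hashes map[string]string }
	} `json:"observed_data"`
}
// Captures algorithm and value from a "<object>:hashes.<algo> = <value>" comparison (assumed syntax).
var hashCmp = regexp.MustCompile(`hashes\.(\w+)\s*=\s*'?([0-9a-fA-F]+)'?`)
// matchingObservations maps each indicator id to the observed-data ids carrying a
// hash that satisfies its pattern; hashes in Malware fields are never consulted.
func matchingObservations(raw []byte) (map[string][]string, error) {
	var b bundle
	if err := json.Unmarshal(raw, &b); err != nil {
		return nil, err
	}
	hits := map[string][]string{}
	for _, ind := range b.Indicators {
		hits[ind.ID] = []string{}
		m := hashCmp.FindStringSubmatch(ind.Pattern)
		for _, od := range b.ObservedData {
			for _, obj := range od.Objects {
				for algo, v := range obj.Hashes {
					if m != nil && strings.EqualFold(algo, m[1]) && strings.EqualFold(v, m[2]) {
						hits[ind.ID] = append(hits[ind.ID], od.ID)
					}
				}
			}
		}
	}
	return hits, nil
}
// Constructed samples: the thread's indicator with (a) the hash only in Malware fields, as in
// Bret's bundle, and (b) an Observed Data file object (placeholder id) for it to match.
const indicators = `"indicators":[{"id":"indicator--413517ea-3f42-4b6a-be29-b6e58f9981b0","pattern":"file-object:hashes.md5 = 84714c100d2dfc88629531f6456b8276"}]`
const asPosted = `{` + indicators + `,"malware":[{"id":"malware--fbeff686-72d1-42b1-8a74-d52d4d8b1b36","hashes":{"md5":"84714c100d2dfc88629531f6456b8276"}}]}`
const withObservation = `{` + indicators + `,"observed_data":[{"id":"observed-data--placeholder-0001","objects":{"0":{"type":"file","hashes":{"md5":"84714c100d2dfc88629531f6456b8276"}}}}]}`
func main() {
	fmt.Println(matchingObservations([]byte(asPosted)))        // indicator maps to no observations
	fmt.Println(matchingObservations([]byte(withObservation))) // indicator maps to the placeholder id
}
```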