Subject: Re: [cti] Malware/Infrastructure Content

Also, here’s a brief summary of yesterday’s discussion:


- There was much discussion on characterizing attacker/adversary infrastructure vs. victim infrastructure:
  - The use cases around the two are quite different, and those around adversary infrastructure are more understood.
    - For adversary infrastructure, the high-level goal is to describe and then relate infrastructure deployed by threat actors and used to host malware, perform DDoS attacks, etc.
    - For victim infrastructure, there are multiple goals, including infrastructure that is targeted by adversaries and that which has already been exploited (i.e., is part of an incident).
  - One main point that seemed to be brought up is that we should focus on characterizing the more understood adversary infrastructure for STIX 2.1 and focus on victim infrastructure for a later release.
    - Also, it was pointed out that victim infrastructure overlaps with victim targeting and therefore those components should be developed together.

- There was some discussion around malware, and our notion of characterizing malware instances and malware families as separate SDOs.
  - Most of the discussion was around the Malware Instance and what we should be characterizing as far as common analysis outputs for STIX 2.1.
    - The biggest open question is the level of detail we wish to capture for sandbox/dynamic analysis output. More specifically, do we want to include actions in STIX 2.1?


These were the takeaways and action items (from my perspective):

- We need a better understanding of what we wish to capture for infrastructure (i.e., use cases), although it seems like starting with adversary infrastructure for STIX 2.1 is reasonable.

- We have a decent starting point for malware but could use additional feedback on our data model from tool vendors, analysts, and the like.

- We will be scheduling more working calls on these topics in the near future. Also, if anyone wants to step up and lead the infrastructure work, let us know!
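For readers who want to see the modelling split the summary above describes (a malware family and a malware instance as separate objects, related to adversary infrastructure that hosts and controls it), here is an added example. It is not from this thread or from the STIX Cyber Observables Working Concepts document; it follows the object layout that the published STIX 2.1 specification later settled on (`is_family` on malware, `infrastructure_types` on infrastructure, deterministic UUIDv5 ids for cyber-observables). The names, hash and IP address are constructed placeholders, and the `lint` checks are the example's own, not a spec-provided validator.

```python
"""Added example: a minimal STIX 2.1-shaped bundle separating a malware family
from a malware instance and relating both to adversary infrastructure,
plus a small referential/relationship lint. Sample values are constructed."""
import json
import uuid

# STIX 2.1 derives cyber-observable ids with uuid5 under this fixed namespace.
SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")
# Constructed timestamp for the example; real objects carry true creation times.
NOW = "2017-04-12T00:00:00.000Z"

def sdo(obj_type, **props):
    """STIX Domain Object (or relationship) with the common required properties."""
    obj = {"type": obj_type, "spec_version": "2.1",
           "id": f"{obj_type}--{uuid.uuid4()}",
           "created": NOW, "modified": NOW}
    obj.update(props)
    return obj

def sco(obj_type, **props):
    """STIX Cyber-observable Object: no created/modified; id derived from the
    id-contributing properties (here: everything passed in), so the same
    observable always gets the same id."""
    canonical = json.dumps(props, sort_keys=True, separators=(",", ":"))
    obj = {"type": obj_type, "spec_version": "2.1",
           "id": f"{obj_type}--{uuid.uuid5(SCO_NAMESPACE, canonical)}"}
    obj.update(props)
    return obj

def rel(src, rel_type, tgt):
    """Relationship SRO pointing from src to tgt."""
    return sdo("relationship", relationship_type=rel_type,
               source_ref=src["id"], target_ref=tgt["id"])

# Relationship triples the STIX 2.1 spec defines between these object types.
ALLOWED = {
    ("malware", "variant-of", "malware"),
    ("malware", "uses", "infrastructure"),
    ("infrastructure", "hosts", "malware"),
    ("infrastructure", "controls", "malware"),
    ("infrastructure", "communicates-with", "ipv4-addr"),
}

def build_bundle():
    """Family vs. instance, a sample file, and the C2 node that hosts/controls it."""
    family = sdo("malware", name="ExampleRAT", is_family=True,
                 malware_types=["remote-access-trojan"])
    sample = sco("file", hashes={"SHA-256": "0" * 64})  # constructed hash
    instance = sdo("malware", name="ExampleRAT build 7", is_family=False,
                   malware_types=["remote-access-trojan"],
                   sample_refs=[sample["id"]])
    c2_ip = sco("ipv4-addr", value="203.0.113.10")  # documentation address
    infra = sdo("infrastructure", name="ExampleRAT C2 node",
                infrastructure_types=["command-and-control", "hosting-malware"])
    objects = [family, sample, instance, c2_ip, infra,
               rel(instance, "variant-of", family),
               rel(infra, "hosts", instance),
               rel(infra, "controls", instance),
               rel(infra, "communicates-with", c2_ip),
               rel(instance, "uses", infra)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

def lint(bundle):
    """Return problems: dangling *_ref/*_refs, malware without is_family, and
    relationships whose type is not defined for the endpoint object types."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    problems = []
    for o in bundle["objects"]:
        if o["type"] == "malware" and "is_family" not in o:
            problems.append(f"{o['id']}: malware must state is_family")
        for key, val in o.items():
            refs = val if key.endswith("_refs") else ([val] if key.endswith("_ref") else [])
            for r in refs:
                if r not in by_id:
                    problems.append(f"{o['id']}: {key} -> {r} not in bundle")
        if o["type"] == "relationship":
            src, tgt = by_id.get(o["source_ref"]), by_id.get(o["target_ref"])
            triple = (src["type"], o["relationship_type"], tgt["type"]) if src and tgt else None
            if triple and triple not in ALLOWED:
                problems.append(f"{o['id']}: {' '.join(triple)} is not a defined relationship")
    return problems

if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    print("lint problems:", lint(bundle))
```

The lint deliberately treats the family/instance distinction as data (`is_family`) plus an explicit `variant-of` relationship rather than two object types, which is the direction the published 2.1 specification took; a producer that wants to model victim infrastructure later can reuse the same `infrastructure` object with different `infrastructure_types` and relationships without touching the malware objects.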





From: <cti@lists.oasis-open.org> on behalf of Ivan Kirillov <ikirillov@mitre.org>
Date: Tuesday, April 11, 2017 at 2:21 PM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] Malware/Infrastructure Content




The content that we discussed today around Malware and Infrastructure can be found here in our STIX Cyber Observables Working Concepts document: https://docs.google.com/document/d/1PHRpmizbMGOwAu_TwRj5ofwnUEOIoM__vIDCDZGf4Sk/edit#heading=h.hlyf9n4eawre


If you’d like comment privileges, please let us know.



