

Subject: Re: [cti] Malware/Infrastructure Content


Also, here’s a brief summary of yesterday’s discussion:

- There was much discussion on characterizing attacker/adversary infrastructure vs. victim infrastructure:
  - The use cases around the two are quite different, and those around adversary infrastructure are more understood
    - For adversary infrastructure, the high-level goal is to describe and then relate infrastructure deployed by threat actors and used to host malware, perform DDoS attacks, etc.
    - For victim infrastructure, there are multiple goals, including infrastructure that is targeted by adversaries and that which has already been exploited (i.e., is part of an incident)
  - One main point that seemed to be brought up is that we should focus on characterizing the more understood adversary infrastructure for STIX 2.1 and focus on victim infrastructure for a later release
    - Also, it was pointed out that victim infrastructure overlaps with victim targeting and therefore those components should be developed together
- There was some discussion around malware, and our notion of characterizing malware instances and malware families as separate SDOs
  - Most of the discussion was around the Malware Instance and what we should be characterizing as far as common analysis outputs for STIX 2.1
    - The biggest open question is the level of detail we wish to capture for sandbox/dynamic analysis output. More specifically, do we want to include actions in STIX 2.1?

These were the takeaways and action items (from my perspective):

- We need a better understanding of what we wish to capture for infrastructure (i.e., use cases), although it seems like starting with adversary infrastructure for STIX 2.1 is reasonable
- We have a decent starting point for malware but could use additional feedback on our data model from tool vendors, analysts, and the like
- We will be scheduling more working calls on these topics in the near future. Also, if anyone wants to step up and lead the infrastructure work, let us know!

Regards,

Ivan


From: <cti@lists.oasis-open.org> on behalf of Ivan Kirillov <ikirillov@mitre.org>
Date: Tuesday, April 11, 2017 at 2:21 PM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] Malware/Infrastructure Content


All,


The content that we discussed today around Malware and Infrastructure can be found here in our STIX Cyber Observables Working Concepts document: https://docs.google.com/document/d/1PHRpmizbMGOwAu_TwRj5ofwnUEOIoM__vIDCDZGf4Sk/edit#heading=h.hlyf9n4eawre


If you’d like comment privileges, please let us know.


Regards,

Ivan
