

Subject: RE: [cti] Need to integrate MAEC and STIX into single report


Thank you Ivan for the response and name suggestion. I will share a full mapping of a sample ReversingLabs report to STIX, and after adjusting the initial map to recommendations, we will adopt it in jpmorgan for exchanging information with the tool.

We have similar cases to reference other models and custom objects may turn out to be our integration approach.

Subodh Kumar  Executive Director |  Technology Cybersecurity & Technology Controls  J.P. Morgan Chase & Co.  575 Washington Boulevard, Jersey City, NJ, 07310 T: +1 201 595 7299  subodh.kumar@jpmorgan.com

 

From: Kirillov, Ivan A. [mailto:ikirillov@mitre.org]
Sent: Monday, April 16, 2018 9:49 AM
To: Kumar, Subodh <subodh.kumar@jpmorgan.com>; cti@lists.oasis-open.org
Subject: Re: [cti] Need to integrate MAEC and STIX into single report

 

Hi Subodh,

STIX 2.0 supports the inclusion of custom properties on all objects [1], so I would say that this is a completely legitimate way to associate a STIX Malware Object with MAEC data. However, I would just suggest changing the property name to "x_jpmorgan_maecreference" to better align with the suggested requirements for custom properties (see section 7.1.1).

[1] https://docs.google.com/document/d/1dIrh1Lp3KAjEMm8o2VzAmuV0Peu-jt9aAh1IHrjAroM/edit#heading=h.8072zpptza86

Regards,
Ivan Kirillov
MITRE

On 4/15/18, 9:40 PM, "cti@lists.oasis-open.org on behalf of Mr. Subodh Kumar" <cti@lists.oasis-open.org on behalf of subodh.kumar@jpmorgan.com> wrote:

    I am working on transforming ReversingLabs' malware report into STIX. Since the malware section of STIX is not very detailed in STIX 2.0, I am using MAEC to describe details of malware.
    
    I have to connect STIX information with MAEC information, so that the software reading the STIX package should be able to navigate the STIX parts and the MAEC part to capture all the information regarding malware.
    
    What is the recommended way to integrate MAEC information into STIX?
    
    My approach - 
    Added MAECReference number to malware object:
    
    malware: {
    .....
    MAECReference: "MAEC-nnn-nnn-nnnn"
    }
    
    MAEC: { id: "MAEC-nnn-nnn-nnnn"
    ...
    }
    
    Ignore the id for MAEC, it is a made up id.
    
    Is this a legit way? Can we use MAECReference as a custom attribute to accomplish this objective?
    
    Looking forward to guidance.
    Thanks
    Subodh

This message is confidential and subject to terms at: http://www.jpmorgan.com/emaildisclaimer including on confidentiality, legal privilege, viruses and monitoring of electronic messages. If you are not the intended recipient, please delete this message and notify the sender immediately. Any unauthorized use is strictly prohibited.
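
An added illustration, not part of the original thread: a Python sketch of a consumer that checks a STIX 2.0 Malware object's custom property names against the naming rules Ivan points to, then follows `x_jpmorgan_maecreference` to the MAEC data. The MAEC document layout, the ids, the sample values and the function names are all constructed for this example.

```python
import re

# STIX 2.0 common properties plus the Malware-specific ones; anything else is custom.
MALWARE_SPEC_PROPS = {
    "type", "id", "created_by_ref", "created", "modified", "revoked", "labels",
    "external_references", "object_marking_refs", "granular_markings",
    "name", "description", "kill_chain_phases",
}
# Custom property names: lowercase a-z, 0-9 and underscore, 3 to 250 characters.
NAME_RE = re.compile(r"^[a-z0-9_]{3,250}$")
REF_PROP = "x_jpmorgan_maecreference"  # name suggested in the thread


def check_custom_properties(obj):
    """Return (errors, warnings) for every property outside the spec-defined set."""
    errors, warnings = [], []
    for name in obj:
        if name in MALWARE_SPEC_PROPS:
            continue
        if not NAME_RE.match(name):
            errors.append(f"{name}: must be 3-250 chars of a-z, 0-9, '_'")
        elif not name.startswith("x_"):
            warnings.append(f"{name}: should start with 'x_' plus a source id")
    return errors, warnings


def resolve_maec(malware, maec_docs):
    """Follow the custom reference; None when it is absent or dangling."""
    ref = malware.get(REF_PROP)
    if ref is None:
        return None
    return next((doc for doc in maec_docs if doc.get("id") == ref), None)


# Constructed sample data (ids follow the made-up format used in the thread).
MALWARE = {
    "type": "malware",
    "id": "malware--0c7b5b88-8ff7-4a4d-aa9d-feb398cd0061",
    "created": "2018-04-16T00:00:00.000Z",
    "modified": "2018-04-16T00:00:00.000Z",
    "name": "sample-family",
    "labels": ["trojan"],
    REF_PROP: "MAEC-000-000-0001",
}
MAEC_DOCS = [{"id": "MAEC-000-000-0001", "details": "constructed MAEC content"}]

if __name__ == "__main__":
    print(check_custom_properties(MALWARE))
    print(resolve_maec(MALWARE, MAEC_DOCS))
```

A consumer should treat a `None` result from `resolve_maec` as an incomplete report rather than silently dropping the malware detail.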


