OASIS Mailing List Archives

cti message


Subject: RE: [EXT] Re: [cti] Need to integrate MAEC and STIX into single report


Thanks, Bret! I was expecting that based on the 2.1 work scope that I had read. My apologies, but I could not get to the 2.1 document. Can you point me there? I would like to minimize the customization, while keeping this as a mechanism to always extend the STIX model.

 

Subodh Kumar  Executive Director |  Technology Cybersecurity & Technology Controls  J.P. Morgan Chase & Co.  575 Washington Boulevard, Jersey City, NJ, 07310 T: +1 201 595 7299  subodh.kumar@jpmorgan.com

 

From: Bret Jordan [mailto:Bret_Jordan@symantec.com]
Sent: Monday, April 16, 2018 4:36 PM
To: Kumar, Subodh <subodh.kumar@jpmorgan.com>; cti@lists.oasis-open.org
Subject: Re: [EXT] Re: [cti] Need to integrate MAEC and STIX into single report

 

Subodh,

 

You should look at the changes we have made to the STIX 2.1 Malware object. I think this should get you more than 80-90% of the way.

 

Bret


From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Kirillov, Ivan A. <ikirillov@mitre.org>
Sent: Monday, April 16, 2018 7:48:39 AM
To: Mr. Subodh Kumar; cti@lists.oasis-open.org
Subject: [EXT] Re: [cti] Need to integrate MAEC and STIX into single report

 

Hi Subodh,

STIX 2.0 supports the inclusion of custom properties on all objects [1], so I would say that this is a completely legitimate way to associate a STIX Malware Object with MAEC data. However, I would just suggest changing the property name to "x_jpmorgan_maecreference" to better align with the suggested requirements for custom properties (see section 7.1.1).

[1] https://docs.google.com/document/d/1dIrh1Lp3KAjEMm8o2VzAmuV0Peu-jt9aAh1IHrjAroM/edit#heading=h.8072zpptza86

Regards,
Ivan Kirillov
MITRE

On 4/15/18, 9:40 PM, "cti@lists.oasis-open.org on behalf of Mr. Subodh Kumar" <cti@lists.oasis-open.org on behalf of subodh.kumar@jpmorgan.com> wrote:

    I am working on transforming Reversing Lab's malware report into STIX. Since the malware section of STIX is not very detailed in STIX 2.0, I am using MAEC to describe the details of the malware.
   
    I have to connect the STIX information with the MAEC information, so that software reading the STIX package is able to navigate the STIX parts and the MAEC part to capture all the information regarding the malware.
   
    What is the recommended way to integrate MAEC information into STIX?
   
    My approach -
    Added MAECReference number to malware object:
   
    malware: {
    .....
    MAECReference: "MAEC-nnn-nnn-nnnn"
    }
   
    MAEC: { id: "MAEC-nnn-nnn-nnnn"
    ...
    }
   
    Ignore the id for MAEC, it is a made-up id.
   
    Is this a legit way? Can we use MAECReference as a custom attribute to accomplish this objective?
   
    Looking forward to guidance.
    Thanks
    Subodh

This message is confidential and subject to terms at: http://www.jpmorgan.com/emaildisclaimer including on confidentiality, legal privilege, viruses and monitoring of electronic messages. If you are not the intended recipient, please delete this message and notify the sender immediately. Any unauthorized use is strictly prohibited.
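
Added example (not part of the thread, and not OASIS, MITRE or J.P. Morgan code): a Python check of a custom property name against the STIX 2.0 section 7.1.1 rules cited in the reply, plus a resolver that follows the reference from a Malware object to its MAEC record and fails on a dangling link. The function names, the sample Malware object and the flat MAEC lookup keyed by id are assumptions that follow the sketch in the original post.

```python
import re

def check_custom_property_name(name):
    """Return a list of problems with a custom property name (empty = ok).

    Rules from STIX 2.0 Part 1, section 7.1.1: only lowercase a-z, 0-9 and
    underscore, 3 to 250 characters (MUST); an "x_<source>_" prefix (SHOULD).
    """
    problems = []
    if not 3 <= len(name) <= 250:
        problems.append("length must be 3-250 characters")
    if not re.fullmatch(r"[a-z0-9_]*", name):
        problems.append("only a-z, 0-9 and underscore are allowed")
    if not name.startswith("x_"):
        problems.append("should start with 'x_' and a source identifier")
    return problems

def resolve_maec(stix_objects, maec_by_id, prop="x_jpmorgan_maecreference"):
    """Map each malware object's id to the MAEC record it references.

    Raises ValueError on a dangling reference so a consumer never silently
    loses the detailed malware description.
    """
    linked = {}
    for obj in stix_objects:
        if obj.get("type") != "malware" or prop not in obj:
            continue
        ref = obj[prop]
        if ref not in maec_by_id:
            raise ValueError(f"{obj['id']}: no MAEC record with id {ref!r}")
        linked[obj["id"]] = maec_by_id[ref]
    return linked

# Constructed sample data; the MAEC id is the made-up placeholder from the post.
SAMPLE_STIX = [{
    "type": "malware",
    "id": "malware--00000000-0000-4000-8000-000000000001",
    "name": "constructed-sample",
    "labels": ["trojan"],
    "x_jpmorgan_maecreference": "MAEC-nnn-nnn-nnnn",
}]
SAMPLE_MAEC = {"MAEC-nnn-nnn-nnnn": {"id": "MAEC-nnn-nnn-nnnn"}}

if __name__ == "__main__":
    print(check_custom_property_name("MAECReference"))
    print(check_custom_property_name("x_jpmorgan_maecreference"))
    print(resolve_maec(SAMPLE_STIX, SAMPLE_MAEC))
```

Running the name check when a report is produced, and the resolver when it is ingested, keeps both ends of the custom link consistent.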


