OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [EXT] Re: [cti] Need to integrate MAEC and STIX into single report

Thank Bret! I was expecting that based on the 2.1 work scope that I had read. My apologies, but I could not get to the 2.1 document. Can you point me there? I would like to minimize the customization, while keeping this as a mechanism to always extend STIX model.


Subodh Kumar  Executive Director |  Technology Cybersecurity & Technology Controls  J.P. Morgan Chase & Co.  575 Washington Boulevard, Jersey City, NJ, 07310 T: +1 201 595 7299  subodh.kumar@jpmorgan.com


From: Bret Jordan [mailtoBret_Jordan@symantec.com]
Sent: Monday, April 16, 2018 4:36 PM
To: Kumar, Subodh <subodh.kumar@jpmorgan.com>; cti@lists.oasis-open.org
Subject: Re: [EXT] Re: [cti] Need to integrate MAEC and STIX into single report




You should look at the changes we have made to the STIX 2.1 Malware object. I think this should get you more than 80-90% of the way.



From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Kirillov, Ivan A. <ikirillov@mitre.org>
Sent: Monday, April 16, 2018 7:48:39 AM
To: Mr. Subodh Kumar; cti@lists.oasis-open.org
Subject: [EXT] Re: [cti] Need to integrate MAEC and STIX into single report


Hi Subodh,

STIX 2.0 supports the inclusion of custom properties on all objects [1], so I would say that this is a completely legitimate way to associate a STIX Malware Object with MAEC data. However, I would just suggest changing the property name to "x_jpmorgan_maecreference" to better align with the suggested requirements for custom properties (see section 7.1.1).

[1] https://docs.google.com/document/d/1dIrh1Lp3KAjEMm8o2VzAmuV0Peu-jt9aAh1IHrjAroM/edit#heading=h.8072zpptza86

Ivan Kirillov

On 4/15/18, 9:40 PM, "cti@lists.oasis-open.org on behalf of Mr. Subodh Kumar" <cti@lists.oasis-open.org on behalf of subodh.kumar@jpmorgan.com> wrote:

    I am working on transforming Reversing Lab's malware report into STIX. Since malware section of STIX is not very detailed in STIX 2.0, I am using MAEC to describe details of malware.
    I have to connect STIX information with MAEC information, so that the software reading STIX package should be able to navigate STIX parts and MAEC part to capture all the information regarding malware.
    What is the recommended way to integrate MAEC information into STIX?
    My approach -
    Added MAECReference number to malware object:
    malware: {
    MAECReference: "MAEC-nnn-nnn-nnnn"
    MAEC: { id: "MAEC-nnn-nnn-nnnn"
    Ingore the id for MAEC, it is a made up id.
    Is this a legit way? Can we use MAECRefernce as a custom attribute to accomplish this objective?
    Looking forward to guidance.

This message is confidential and subject to terms at: http://www.jpmorgan.com/emaildisclaimer including on confidentiality, legal privilege, viruses and monitoring of electronic messages. If you are not the intended recipient, please delete this message and notify the sender immediately. Any unauthorized use is strictly prohibited.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]