Subject: Re: [cti] RE: [EXT] Re: [cti] Need to integrate MAEC and STIX into single report
Hi Subodh,

> I had a chance to review the document and perform a dry run of FireEye MAS analysis data.

Great – thanks for the review! :-)

> Examples show “static_analysis_data” as a key but the property table shows “static_analysis_resutls” & “dynamic_analysis_results” as fields. Am I reading this wrong?

I think we forgot to update the examples, but it should indeed be “static_analysis_results” and “dynamic_analysis_results”. I’ve since updated our examples, so they should be correct now.

> Is there a reason it was dropped when CyBox was included in STIX specifications?

Unfortunately we had to make some difficult choices as far as which objects to include in STIX 2.0 due to time constraints, and as such DNS Query wasn’t included. However, I think there’s a good chance that it will make it into STIX 2.1 (I know IBM and some others would like to see it included). Our current draft of what this could look like is found here [1], so if you get a chance to review it that would be much appreciated.

> If all cybox objects could be collectively written in one section under “observable_data”, and all observation/environment/results that reference observables just make a reference to it, the implementation becomes cleaner. It is also easier to manage programmatically.

Interesting! I can also see this being easier to manage programmatically, since you’ll know that any object references will point to “observable_data”. It will also enable object re-use, e.g., if multiple dynamic analysis results find some of the same artifacts. I think we should definitely consider this as a worthwhile change.

> I have the following in attached example.

Unfortunately, it looks like your attachment got stripped out. Could you try sending it to me directly – I would be interested in taking a look.

Regards,
Ivan

From: "Kumar, Subodh" <subodh.kumar@jpmorgan.com>

Hi Ivan,

I had a chance to review the document and perform a dry run of FireEye MAS analysis data. I have a few observations, one recommendation, and a sample that I
am attaching.

Examples show “static_analysis_data” as a key but the property table shows “static_analysis_resutls” & “dynamic_analysis_results” as fields. Am I reading this wrong?

Dns_query as a cybox object has been dropped from STIX 2.0 specs part 4, but I found this very valuable. I could not represent a dns query and result in STIX 2.1 without that object without losing the meaning. Is there a reason it was dropped when CyBox was included in STIX specifications?

Recommendation: my thought: If all cybox objects could be collectively written in one section under “observable_data”, and all observation/environment/results that reference observables just make a reference to it, the implementation becomes cleaner. It is also easier to manage programmatically.

I have the following in attached example:

Sightings
  -> sighting of ref
    -> malware ref
Sighting
  -> observed data refs
    -> observable data
Malware
  -> samples (Can this just be a reference)
    -> observable data
Malware
  -> Analysis_tools (Can this just be a reference)
    -> observable data
Malware
  -> Analysis_environment (Can this just be a reference)
    -> observable data
Malware
  -> results
    -> Observables data
Observable_data
  -> observables

I am attaching a FireEye sample converted (it may get rejected although it does not have any confidential data but perimeter rules may just drop this).

Thanks

Subodh Kumar │ Executive Director | Technology │ Cybersecurity & Technology Controls │ J.P. Morgan Chase & Co. │ 575 Washington Boulevard, Jersey City, NJ, 07310 │ T: +1 201 595 7299 │ subodh.kumar@jpmorgan.com

From: Kirillov, Ivan A. [mailto:ikirillov@mitre.org]
Hi Subodh,

You can find it in the STIX 2.1 Working Draft 01, here:
https://docs.google.com/document/d/1bkMmU1PxlwlAwjrMmyWV147rvLcRs2x62FicHbpH2gU/edit#heading=h.cabdb5lryb9q

Regards,
Ivan

From: <cti@lists.oasis-open.org> on behalf of "Kumar, Subodh" <subodh.kumar@jpmorgan.com>

From: Bret Jordan [mailto:Bret_Jordan@symantec.com]
Subodh,

You should look at the changes we have made to the STIX 2.1 Malware object. I think this should get you more than 80-90% of the way.

Bret

From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Kirillov, Ivan A. <ikirillov@mitre.org>

Hi Subodh,
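Subodh's recommendation earlier in the thread (store every observable once under "observable_data" and have samples, tools, environment and results merely reference it), worked through as an added Python example that is not from the thread, the STIX 2.1 draft or either vendor; the section and property names are assumed from the thread's sketch, not taken from a published spec.

```python
# Added example (not from the thread or the STIX 2.1 draft): normalise a
# malware-analysis record whose sections carry inline cyber observables into
# the shape proposed in the thread: each observable stored once under
# "observable_data", the other sections holding only references into it.
import hashlib
import json

# Assumed section names (from the thread's sketch, not a published spec).
OBSERVABLE_SECTIONS = ("samples", "analysis_tools", "analysis_environment",
                       "static_analysis_results", "dynamic_analysis_results")

def observable_key(obj):
    """Content-derived key, so identical observables collapse to one entry."""
    canonical = json.dumps(obj, sort_keys=True, separators=(",", ":"))
    return obj["type"] + "--" + hashlib.sha256(canonical.encode()).hexdigest()[:16]

def normalize(malware):
    """Return a copy where each section holds '<section>_refs' into one 'observable_data' dict."""
    pool = {}
    out = {k: v for k, v in malware.items() if k not in OBSERVABLE_SECTIONS}
    for section in OBSERVABLE_SECTIONS:
        refs = []
        for obj in malware.get(section, []):
            key = observable_key(obj)
            pool.setdefault(key, obj)   # re-use: the same artifact is stored once
            if key not in refs:         # and referenced once per section
                refs.append(key)
        if refs:
            out[section + "_refs"] = refs
    out["observable_data"] = pool
    return out

def dangling_refs(malware):
    """References that do not resolve into observable_data (should be empty)."""
    pool = malware.get("observable_data", {})
    return [r for k, v in malware.items() if k.endswith("_refs")
            for r in v if r not in pool]

# Constructed input: the submitted sample file shows up again in the dynamic
# run, and two dynamic results saw the same domain (MD5 is the empty-file hash).
SAMPLE = {
    "type": "malware", "name": "constructed dropper",
    "samples": [{"type": "file", "hashes": {"MD5": "d41d8cd98f00b204e9800998ecf8427e"}}],
    "dynamic_analysis_results": [
        {"type": "domain-name", "value": "example.invalid"},
        {"type": "domain-name", "value": "example.invalid"},
        {"type": "file", "hashes": {"MD5": "d41d8cd98f00b204e9800998ecf8427e"}},
    ],
}
```

Running `normalize(SAMPLE)` yields two pooled observables referenced from both sections, and `dangling_refs` is the programmatic integrity check that becomes possible once every reference must land in "observable_data".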