Subject: Re: [cti] RE: [EXT] Re: [cti] Need to integrate MAEC and STIX into single report
Hi Subodh,

Thanks for the sample – I did receive it. I haven’t had a chance to take a look at it yet, but I’ll probably do so early next week and I’ll pass along any recommendations then.

Regards,
Ivan

From: "Kumar, Subodh" <subodh.kumar@jpmorgan.com>

Hi Ivan

I hope you received the attachment and had a chance to go through it. Do you have any recommendation?

Thanks
Subodh Kumar │ Executive Director | Technology │ Cybersecurity & Technology Controls │ J.P. Morgan Chase & Co.
575 Washington Boulevard, Jersey City, NJ, 07310 │ T: +1 201 595 7299 │ subodh.kumar@jpmorgan.com

From: Kumar, Subodh
Hi Ivan

Joined the call today and wanted to pass the example that I worked on. I think this change will be difficult for 2.1, but considering this for the future may help us keep the document clean, work with multiple malware, bundle information from multiple tools, etc. Sometimes we try to build confidence based on the observables that were seen by multiple tools. It will help program that too.

Resending the file. If you still do not get it, please respond back and I will try to send this from an external email. I have redacted very few fields, such as Windows version, etc., to ensure that there is no information specific to my company that goes out. (The file is json although the extension is txt. I use Notepad++ for editing)

Thanks
Subodh Kumar │ Executive Director | Technology │ Cybersecurity & Technology Controls │ J.P. Morgan Chase & Co.
575 Washington Boulevard, Jersey City, NJ, 07310 │ T: +1 201 595 7299 │ subodh.kumar@jpmorgan.com

From: Kirillov, Ivan A. [mailto:ikirillov@mitre.org]
Hi Subodh,

> I had a chance to review the document and perform a dry run of FireEye MAS analysis data.

Great – thanks for the review! :-)

> Examples show “static_analysis_data” as a key but the property table shows “static_analysis_resutls” & “dynamic_analysis_results” as fields. Am I reading this wrong?

I think we forgot to update the examples, but it should indeed be “static_analysis_results” and “dynamic_analysis_results”. I’ve since updated our examples, so they should be correct now.

> Is there a reason it was dropped when CyBox was included in STIX specifications?

Unfortunately we had to make some difficult choices as far as which objects to include in STIX 2.0 due to time constraints, and as such DNS Query wasn’t included. However, I think there’s a good chance that it will make it into STIX 2.1 (I know IBM and some others would like to see it included). Our current draft of what this could look like is found here [1], so if you get a chance to review it that would be much appreciated.

> If all cybox objects could be collectively written in one section under “observable_data”, and all observation/environment/results that reference observables just make a reference to it, the implementation becomes cleaner. It is also easier to manage programmatically.

Interesting! I can also see this being easier to manage programmatically, since you’ll know that any object references will point to “observable_data”. It will also enable object re-use, e.g., if multiple dynamic analysis results find some of the same artifacts. I think we should definitely consider this as a worthwhile change.

> I have the following in attached example.

Unfortunately, it looks like your attachment got stripped out. Could you try sending it to me directly – I would be interested in taking a look.

Regards,
Ivan

From: "Kumar, Subodh" <subodh.kumar@jpmorgan.com>

Hi Ivan

I had a chance to review the document and perform a dry run of FireEye MAS analysis data. I have a few observations, one recommendation, and a sample that I am attaching.

Examples show “static_analysis_data” as a key but the property table shows “static_analysis_resutls” & “dynamic_analysis_results” as fields. Am I reading this wrong?

Dns_query as a cybox object has been dropped from STIX 2.0 specs part 4, but I found this very valuable. I could not represent a DNS query and result in STIX 2.1 without that object without losing the meaning. Is there a reason it was dropped when CyBox was included in STIX specifications?

Recommendation (my thought): If all cybox objects could be collectively written in one section under “observable_data”, and all observation/environment/results that reference observables just make a reference to it, the implementation becomes cleaner. It is also easier to manage programmatically.

I have the following in the attached example:

  Sightings → sighting of ref → malware ref
  Sighting → observed data refs → observable data
  Malware → samples (Can this just be a reference?) → observable data
  Malware → Analysis_tools (Can this just be a reference?) → observable data
  Malware → Analysis_environment (Can this just be a reference?) → observable data
  Malware → results → Observables data
  Observable_data → observables

I am attaching a FireEye sample converted (it may get rejected although it does not have any confidential data, but perimeter rules may just drop this).

Thanks
Subodh Kumar │ Executive Director | Technology │ Cybersecurity & Technology Controls │ J.P. Morgan Chase & Co.
575 Washington Boulevard, Jersey City, NJ, 07310 │ T: +1 201 595 7299 │ subodh.kumar@jpmorgan.com

From: Kirillov, Ivan A. [mailto:ikirillov@mitre.org]
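Subodh's proposal above, a single “observable_data” section that sightings and malware analysis results only reference, as an added Python example that is not part of this thread or of the STIX/MAEC specifications: it collapses artifacts reported by several tools into one section, counts how many tools corroborate each one (the "seen by multiple tools" confidence point raised in the thread), and flags references that do not resolve. The id scheme, the field names, and the sample tool output are assumptions, not spec-defined.

```python
import hashlib
import json
from collections import Counter

# Constructed sample input (not from the thread): two tools report overlapping artifacts; the hash is a placeholder.
TOOL_OUTPUTS = {
    "sandbox-a": [{"type": "file", "hashes": {"SHA-256": "aa" * 32}}, {"type": "domain-name", "value": "example.invalid"}],
    "sandbox-b": [{"type": "file", "hashes": {"SHA-256": "aa" * 32}}, {"type": "ipv4-addr", "value": "198.51.100.7"}],
}

def observable_id(obs):
    """Hypothetical id scheme: content-derived, so the same artifact reported by any tool gets the same id."""
    digest = hashlib.sha256(json.dumps(obs, sort_keys=True).encode()).hexdigest()
    return f"{obs['type']}--{digest[:12]}"

def build_report(tool_outputs):
    """Write each observable once under 'observable_data'; per-tool results and the sighting hold refs only."""
    observable_data, results = {}, []
    for tool, observables in tool_outputs.items():
        refs = [observable_id(o) for o in observables]
        observable_data.update(zip(refs, observables))  # identical artifacts collapse onto one id
        results.append({"tool": tool, "observable_refs": refs})
    malware = {"type": "malware", "id": "malware--sample-1", "results": results}
    sighting = {"type": "sighting", "sighting_of_ref": malware["id"], "observed_data_refs": sorted(observable_data)}
    return {"observable_data": observable_data, "objects": [malware, sighting]}

def corroborated(report, min_tools=2):
    """Observable ids reported by at least min_tools tools: the 'seen by multiple tools' confidence signal."""
    counts = Counter(ref for obj in report["objects"] for res in obj.get("results", []) for ref in res["observable_refs"])
    return sorted(ref for ref, n in counts.items() if n >= min_tools)

def dangling_refs(report):
    """Every *_ref / *_refs value in the objects that resolves to neither observable_data nor an object id."""
    known = set(report["observable_data"]) | {o["id"] for o in report["objects"] if "id" in o}
    missing = []
    def walk(node):
        if isinstance(node, dict):
            for key, val in node.items():
                if key.endswith("_ref") and val not in known:
                    missing.append(val)
                elif key.endswith("_refs"):
                    missing.extend(r for r in val if r not in known)
                else:
                    walk(val)
        elif isinstance(node, list):
            for item in node:
                walk(item)
    walk(report["objects"])
    return missing
```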
Hi Subodh,

You can find it in the STIX 2.1 Working Draft 01, here:
https://docs.google.com/document/d/1bkMmU1PxlwlAwjrMmyWV147rvLcRs2x62FicHbpH2gU/edit#heading=h.cabdb5lryb9q

Regards,
Ivan

From: <cti@lists.oasis-open.org> on behalf of "Kumar, Subodh" <subodh.kumar@jpmorgan.com>

Subodh Kumar │ Executive Director | Technology │ Cybersecurity & Technology Controls │ J.P. Morgan Chase & Co.
575 Washington Boulevard, Jersey City, NJ, 07310 │ T: +1 201 595 7299 │ subodh.kumar@jpmorgan.com

From: Bret Jordan [mailto:Bret_Jordan@symantec.com]
Subodh,

You should look at the changes we have made to the STIX 2.1 Malware object. I think this should get you more than 80-90% of the way.

Bret

From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Kirillov, Ivan A. <ikirillov@mitre.org>

Hi Subodh,

This message is confidential and subject to terms at: http://www.jpmorgan.com/emaildisclaimer
including on confidentiality, legal privilege, viruses and monitoring of electronic messages. If you are not the intended recipient, please delete this message and notify the sender immediately. Any unauthorized use is strictly prohibited.