Subject: Re: [cti] Finalizing the STIX 2.1 Malware Object
Hi Allan,

This approach doesn’t fundamentally change how we capture static/dynamic analysis data, but rather where and how the Cyber Observable Objects that correspond to that data are stored. If you have multiple observables from different analyses, you’ll just reference their corresponding objects that are stored in the “observable_objects” dictionary (which may or may not be the same objects across different analyses).

Regards,
Ivan

From: Allan Thomson <athomson@lookingglasscyber.com>

What if I have multiple observables for the same malware from different analyses (i.e. static + dynamic results)? Would consolidating them into a single place really make it easier? You would still want to indicate that you have a list of observables and indicate where those were ‘observed’ from, either static or dynamic or other. So I’m not sure consolidating it makes it easier, but so long as the same things are possible with the consolidated design then I don’t have a strong preference either way.

Allan Thomson
CTO (+1-408-331-6646)

From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "Kirillov, Ivan" <ikirillov@mitre.org>

All,

As we’re wrapping up work on STIX 2.1 CSD01, we need to finalize what we have for the updated Malware SDO. Accordingly, I have two topics I’d like to bring up in this regard:

Instead of having these observable object dictionaries all over the place, I believe it would make more sense to have a single property at the top level of the object (let’s call it “observable_objects”), where any Cyber Observable Objects associated with the SDO (samples, analysis results, etc.) could be captured, via references. There are a number of advantages to this: a simpler data model (fewer embedded observable object dicts everywhere), the ability to re-use objects (e.g., if static and dynamic analysis find the same objects, you can create one object and just reference it accordingly), and a more compact serialization. See the attached JSON example for what this looks like in practice – this is a modified version of the “Malware Instance with Analysis Data” example currently in the 2.1 spec.

Let me know what you think – if we can get these final things wrapped up, we’re that much closer to getting STIX 2.1 out the door.

Regards,
Ivan
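As an added illustration of the proposal in Ivan's message (not the attached JSON example, which is not reproduced here, and not the final STIX 2.1 layout), the following constructed Python snippet models a Malware SDO with a single top-level "observable_objects" dictionary and analyses that refer to its entries by key; the property names "analyses", "analysis_type" and "observable_refs" are assumptions made for this example. It shows the re-use the proposal enables (one file object referenced by both the static and the dynamic analysis) and the check a consumer would want: flagging references that resolve to nothing.

```python
import json
from typing import Dict, List

# Constructed sample following the "observable_objects" proposal in the thread.
# Only "observable_objects" comes from the proposal; "analyses",
# "analysis_type" and "observable_refs" are assumed names for illustration.
MALWARE_JSON = """
{
  "type": "malware",
  "spec_version": "2.1",
  "id": "malware--00000000-0000-4000-8000-000000000001",
  "name": "constructed dropper sample",
  "observable_objects": {
    "0": {"type": "file", "name": "dropper.exe",
          "hashes": {"SHA-256": "<placeholder-sha256>"}},
    "1": {"type": "domain-name", "value": "example.invalid"}
  },
  "analyses": [
    {"analysis_type": "static",  "observable_refs": ["0"]},
    {"analysis_type": "dynamic", "observable_refs": ["0", "1"]}
  ]
}
"""


def resolve_analyses(malware: dict) -> Dict[str, List[dict]]:
    """Map each analysis type to the observable objects it references."""
    objects = malware.get("observable_objects", {})
    return {a["analysis_type"]: [objects[r] for r in a["observable_refs"] if r in objects]
            for a in malware.get("analyses", [])}


def dangling_refs(malware: dict) -> List[str]:
    """Keys referenced by an analysis that have no entry in observable_objects.

    A consumer should flag these: an unresolvable reference means the
    analysis data is incomplete or the object was dropped on serialization."""
    objects = malware.get("observable_objects", {})
    return sorted({r for a in malware.get("analyses", [])
                   for r in a["observable_refs"] if r not in objects})


def shared_objects(malware: dict) -> List[str]:
    """Keys referenced by more than one analysis (the re-use the proposal enables)."""
    counts: Dict[str, int] = {}
    for a in malware.get("analyses", []):
        for r in set(a["observable_refs"]):
            counts[r] = counts.get(r, 0) + 1
    return sorted(k for k, n in counts.items() if n > 1)


MALWARE = json.loads(MALWARE_JSON)
```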