RE: [cti] How to model the object in this situation

["Jason Keirstead" <Jason.Keirstead@ca.ibm.com>]

Just want to chime in here;

 

There is currently no object in STIX to model "the asset", as in, the host/container/VM with the vulnerability. Its a use case that has been brought up a few times over the years, but never tackled.

 

You can shoe-horn it in with an Indicator, but honestly IMO it is improper and weird to do this.

 

"Infrastructure" SDO could maybe be embraced-and-extended, but it is very much designed for threat actor infrastructure, and has a very different set of information than what you would use to describe an asset.

IBM and some others are working on this problem area via a custom object in STIX Shifter in the OCA because its a very important object & use case for us in a bunch of scenarios around posture management, as well as reporting back of findings using STIX. Once its more settled we would publish an extension with the proposal.

 

We would love anyone who is interested in this use case to come over and collaborate with us on it. Currently what is there is basically a minimal stub used for a specific use case, and needs a lot more thought and fleshing out. https://github.com/opencybersecurityalliance/stix-shifter if you're interested.

 

-
Jason Keirstead
Distinguished Engineer, CTO - IBM Security Threat Management
www.ibm.com/security

Co-Chair - Open Cybersecurity Alliance, Project Governing Board

www.opencybersecurityalliance.org
 

 

 

----- Original message -----
From: Bret Jordan <bj@ctin.us>
Sent by: <cti@lists.oasis-open.org>
To: "èåæ" <jessie@nccst.nat.gov.tw>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, "JG @ OASIS" <jg@ctin.us>, Kelly Cullinane <Kelly.Cullinane@newcontext.com>
Subject: [EXTERNAL] Re: [cti] How to model the object in this situation
Date: Fri, Mar 26, 2021 12:50 PM
 

With STIX 2.1 SCO objects are now treated as top-level objects. So yes, you would use the SCO Software object to describe the version of Chrome and the SDO Vulnerability to describe the CVE. Then you would use a relationship to tie them together. We did not call out this relationship type specifically in the specification. However, if you look at Infrastructure you can see that there is one called âhasâ vulnerability. So I would do the same here. SCO Software âhasâ SDO Vulnerability.

Bret


> On Mar 26, 2021, at 4:07 AM, èåæ <jessie@nccst.nat.gov.tw> wrote:
>
> Hi TC members,
>
> We are confused about how to describe "affected releases" in STIX 2.1.
>
> There are two use cases:
> 1. CVE-2020-16013 exists in Google Chrome affected chrome versions prior to 86.0.4240.197.
>  âAre affected releases modeled using STIX Software SCO? ( chrome versions prior to 86.0.4240.197 here)
>
> 2. Microsoft Exchange Server Vulnerabilities(CVE-2021-26855ãCVE-2021-26857ãCVE-2021-26858åCVE-2021-27065) affected Microsoft Exchange Server 2013ã2016ã2019.  
>  âAre affected releases modeled using STIX Identity SDO? ( Microsoft Exchange Server 2013ã2016ã2019 here)
>
> We are wondering if there exists "an Object" (without building our own SDO/SCO) that could describe the affected object (no matter it is system or software)?
>
> Regards,
> Jessie Chuang
>
> Taiwan National Computer Emergency Response Team
> No.116, Fuyang St., Daâan Dist., Taipei City 106, Taiwan (R.O.C.)
> Tel: 886-2-6631-6483
>
> This email may contain confidential information. Please disregard and delete this email if you are not the intended recipient.
>


---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php