
Subject: Re: [cti] How to model the object in this situation


Jason,

 

We, at DarkLight, have also been working on the definition of a custom object to represent an "asset", so we'd definitely be interested in collaborating.  The use case/scenario you described is very common to the one which we're addressing, so we should find lots of common ground.  We've looked at the definition of IT Asset as defined in NIST IR 7693 for inspiration as well.

 

 

Paul Patrick

EVP Engineering/interim Chief Product Officer

DarkLight

 

Mobile: (408) 465-6635

Email:  Paul.Patrick@darklight.ai

 

 

www.darklight.ai

 

This e-mail (including any attachments) may contain information that is private, confidential, or protected by attorney-client or other privilege. If you received this e-mail in error, please delete it from your system without copying it and notify sender by reply e-mail so our records can be corrected.

 

 

From: <cti@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Friday, March 26, 2021 at 1:29 PM
To: "bj@ctin.us" <bj@ctin.us>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, "jessie@nccst.nat.gov.tw" <jessie@nccst.nat.gov.tw>, "jg@ctin.us" <jg@ctin.us>, "Kelly.Cullinane@newcontext.com" <Kelly.Cullinane@newcontext.com>
Subject: RE: [cti] How to model the object in this situation

 

Just want to chime in here;

 

There is currently no object in STIX to model "the asset", as in, the host/container/VM with the vulnerability. It's a use case that has been brought up a few times over the years, but never tackled.

 

You can shoe-horn it in with an Indicator, but honestly IMO it is improper and weird to do this.

 

"Infrastructure" SDO could maybe be embraced-and-extended, but it is very much designed for threat actor infrastructure, and has a very different set of information than what you would use to describe an asset.

IBM and some others are working on this problem area via a custom object in STIX Shifter in the OCA because it's a very important object & use case for us in a bunch of scenarios around posture management, as well as reporting back of findings using STIX. Once it's more settled we would publish an extension with the proposal.

 

We would love anyone who is interested in this use case to come over and collaborate with us on it. Currently what is there is basically a minimal stub used for a specific use case, and needs a lot more thought and fleshing out. https://github.com/opencybersecurityalliance/stix-shifter if you're interested.

 

-
Jason Keirstead
Distinguished Engineer, CTO - IBM Security Threat Management
www.ibm.com/security

Co-Chair - Open Cybersecurity Alliance, Project Governing Board

www.opencybersecurityalliance.org
 

 

 

----- Original message -----
From: Bret Jordan <bj@ctin.us>
Sent by: <cti@lists.oasis-open.org>
To: "Jessie Chuang" <jessie@nccst.nat.gov.tw>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, "JG @ OASIS" <jg@ctin.us>, Kelly Cullinane <Kelly.Cullinane@newcontext.com>
Subject: [EXTERNAL] Re: [cti] How to model the object in this situation
Date: Fri, Mar 26, 2021 12:50 PM
 

With STIX 2.1 SCO objects are now treated as top-level objects. So yes, you would use the SCO Software object to describe the version of Chrome and the SDO Vulnerability to describe the CVE. Then you would use a relationship to tie them together. We did not call out this relationship type specifically in the specification. However, if you look at Infrastructure you can see that there is one called "has" vulnerability. So I would do the same here. SCO Software "has" SDO Vulnerability.

Bret


> On Mar 26, 2021, at 4:07 AM, Jessie Chuang <jessie@nccst.nat.gov.tw> wrote:
>
> Hi TC members,
>
> We are confused about how to describe "affected releases" in STIX 2.1.
>
> There are two use cases:
> 1. CVE-2020-16013 exists in Google Chrome affected chrome versions prior to 86.0.4240.197.
>  → Are affected releases modeled using STIX Software SCO? ( chrome versions prior to 86.0.4240.197 here)
>
> 2. Microsoft Exchange Server Vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) affected Microsoft Exchange Server 2013, 2016, 2019.
>  → Are affected releases modeled using STIX Identity SDO? ( Microsoft Exchange Server 2013, 2016, 2019 here)
>
> We are wondering if there exists "an Object" (without building our own SDO/SCO) that could describe the affected object (no matter it is system or software)?
>
> Regards,
> Jessie Chuang
>
> Taiwan National Computer Emergency Response Team
> No.116, Fuyang St., Da'an Dist., Taipei City 106, Taiwan (R.O.C.)
> Tel: 886-2-6631-6483
>
> This email may contain confidential information. Please disregard and delete this email if you are not the intended recipient.
>


---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 
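The Software "has" Vulnerability pattern Bret describes, applied to Jessie's second use case, as an added example that is not part of the thread and not code from any of the projects mentioned. It builds plain STIX 2.1 JSON without the stix2 library: Software SCO ids are the deterministic UUIDv5 the spec defines (namespace 00abedb4-aa42-466c-9c01-fed23315a9b7 over the ID-contributing properties name, cpe, swid, vendor, version), SDO and relationship ids are random UUIDv4, and the timestamp is a constructed value. The helper names (`affected_releases_bundle`, `check_bundle`) are this example's own. Note that the Software SCO carries a single `version` string, so a range like "prior to 86.0.4240.197" cannot be expressed in the SCO itself; one concrete release per SCO, with the range stated in the Vulnerability's `description`, is what this example does.

```python
import json
import uuid

# Namespace UUID that STIX 2.1 assigns for deterministic SCO identifiers.
STIX_SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")

# ID-contributing properties of the Software SCO in STIX 2.1.
SOFTWARE_ID_PROPS = ("name", "cpe", "swid", "vendor", "version")


def sco_id(sco_type, obj, id_props):
    """Deterministic SCO id: UUIDv5 over the canonical JSON of the
    ID-contributing properties present on the object. json.dumps with sorted
    keys and no whitespace matches the spec's canonical form (JCS) for the
    plain ASCII string values used here (assumption of this example)."""
    contributing = {k: obj[k] for k in id_props if k in obj}
    canonical = json.dumps(contributing, sort_keys=True,
                           separators=(",", ":"), ensure_ascii=False)
    return f"{sco_type}--{uuid.uuid5(STIX_SCO_NAMESPACE, canonical)}"


def software(name, version=None, vendor=None, cpe=None):
    """Software SCO for one concrete release. The SCO has a single 'version'
    string, so a range such as 'prior to X' cannot be expressed in it."""
    obj = {"type": "software", "spec_version": "2.1", "name": name}
    if vendor:
        obj["vendor"] = vendor
    if version:
        obj["version"] = version
    if cpe:
        obj["cpe"] = cpe
    obj["id"] = sco_id("software", obj, SOFTWARE_ID_PROPS)
    return obj


def vulnerability(cve_id, created, description=None):
    """Vulnerability SDO keyed to a CVE through external_references."""
    obj = {
        "type": "vulnerability",
        "spec_version": "2.1",
        "id": f"vulnerability--{uuid.uuid4()}",
        "created": created,
        "modified": created,
        "name": cve_id,
        "external_references": [{"source_name": "cve", "external_id": cve_id}],
    }
    if description:
        obj["description"] = description
    return obj


def has_relationship(source, target, created):
    """Software 'has' Vulnerability, mirroring the Infrastructure 'has' relationship."""
    return {
        "type": "relationship",
        "spec_version": "2.1",
        "id": f"relationship--{uuid.uuid4()}",
        "created": created,
        "modified": created,
        "relationship_type": "has",
        "source_ref": source["id"],
        "target_ref": target["id"],
    }


def affected_releases_bundle(cve_ids, releases, created, description=None):
    """One Vulnerability per CVE, one Software SCO per (name, version, vendor)
    release, and a 'has' relationship for every software/vulnerability pair."""
    vulns = [vulnerability(c, created, description) for c in cve_ids]
    sw = [software(n, version=v, vendor=ven) for n, v, ven in releases]
    rels = [has_relationship(s, v, created) for s in sw for v in vulns]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": sw + vulns + rels}


def check_bundle(bundle):
    """Consumer-side check: every relationship must resolve inside the bundle
    and must join a software object to a vulnerability object."""
    ids = {o["id"] for o in bundle["objects"]}
    for o in bundle["objects"]:
        if o["type"] != "relationship":
            continue
        if o["source_ref"] not in ids or o["target_ref"] not in ids:
            return False
        if not (o["source_ref"].startswith("software--")
                and o["target_ref"].startswith("vulnerability--")):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample for the Exchange use case; the timestamp is made up.
    bundle = affected_releases_bundle(
        ["CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"],
        [("Microsoft Exchange Server", v, "Microsoft") for v in ("2013", "2016", "2019")],
        "2021-03-26T12:50:00.000Z",
    )
    print(json.dumps(bundle, indent=2))
```

Because the Software id is derived from its contributing properties, two producers who describe "Microsoft Exchange Server 2016" with the same name, vendor and version emit the same `software--` id, so their bundles merge cleanly when ingested together; `check_bundle` is the kind of referential check a consumer should run before trusting relationships from an external feed.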

 

 

