Subject: RE: [Non-DoD Source] Use Case
Efrain, I changed the subject line, added the AP SC email distro and CCed David Girard. (He is a Trend Micro guy and they are working on a FAM.)
Being able to send the file to the analytic seems logical to me, but to be blunt, the product vendors and the people who work with FAM every day can answer the question better than I can.
All,
The gist of Efrain’s question (read the chain to make sure I do not mischaracterize) is: should we have OpenC2 send the file to be scanned as a part of the command?
My two cents (with all of my normal disclaimers):
· Sounds logical to me, but I can see why some people might argue against the notion.
· Is there a concern of loading the C2 channel? Bandwidth is not an issue for the majority of use cases, but there is an appeal for really concise messages if you have a hostile RF environment during a war.
· What are the state of the art malware scanners doing today? Do you send the program the file or do you simply send it the path to the file and the software pulls it at its leisure? Or can you do either depending on the product or option you select? What is preferred?
· If it turns out that the scanner wants the file to be analyzed sent to them, what is the best way to do it? You send it as a binary? An ASCII? Do you set up an SSH or use HTTPS?
I just reread this and realize I gave no useful information to Efrain. Sorry man…. Will somebody else step in?
VR Joe B

From: efrain@hereuco.com <efrain@hereuco.com>
Toby, Joe,
First, I didn’t totally understand what you were saying with the military reference but I’ll respond with my thoughts. I like Joe’s suggestion of the SCAN action with file and an argument to specify that the file contents are included or referenced from somewhere else. The uploading of a file and the referencing of a file in a remote location to be retrieved by the actuating device are useful for a reputation lookup. A reputation system won’t necessarily have the reputation scores for all files already, so it should support an upload mechanism for the orchestrators to use. Having the ability to send the actual file to request a reputation scan sounds useful to me. Does it not sound within the realm of OpenC2?
Feel free to forward to whomever you like.
Cheers,
Efrain

From: Considine, Toby <Toby.Considine@unc.edu>
I agree. The essence of OpenC2 is what other parts of DOD call special forces mode.
Take Out Bad Guy
Don’t tell me whether it is by knife or garrotte or drone or telling his cousin who has long hated him where he lives.
In openC2
The head informs the body that this file is bad
The body deletes/blocks/searches/prevents network transmission/quarantines and examines as it is capable.
tc

From: Brule, Joseph M <jmbrule@radium.ncsc.mil>
Efrain, Toby,
I hesitate to offer technical suggestions but… I would suggest a command argument in the malware profile rather than cook up another action.
Here is my logic or lack thereof:
Logical? There is a nuance here that we may need to cross check with the BluVector guys. It is my understanding that BluVector has known malicious and known benign files that it breaks up into a crap-ton of vectors. An unknown is compared and malice or benign is determined by how the unknown vectors align with the known benign and malicious vectors.
I bring this up because some sort of file upload action is probably not needed for BluVector. We could probably use ‘UPDATE’ to distinguish it from a new action (if we go that way) for purposes of uploading an unknown for analysis.
VR Joe B
Misc comment: I would like to CC the actuator profile subcommittee email alias, but I will not do that unless Efrain explicitly says it is OK to do so. More eyes looking at it seems good, but forwarding Efrain’s email without permission seems bad….

From: efrain@hereuco.com <efrain@hereuco.com>
Hello Toby,
I’ve helped BluVector behind the scenes answering their questions regarding OpenC2 during the build up to the plugfest and one of the OpenC2 use cases that BluVector AND Google, at the plugfest, brought up is file upload.
I don’t know if you remember, but at the plugfest I built a prototype query file hash to query both BluVector and Google. I published this code to my github:
https://github.com/netcoredor/OpenC2-FileQuery-PoC
The next logical step to demonstrate OpenC2 compatibility across these two vendors is to get a file upload for scanning done. I’m emailing to bring up the use case of uploading a file to an OpenC2 consumer. I’m happy to begin experimenting on this command but I’m having a hard time determining which command to use from the list of available actions and targets in OpenC2. I’m hoping to bring this up at the next OpenC2 language TC meeting if possible. What format should the file object be? Binary? Hex? ASCII encoding? I have no idea. But I’m guessing we don’t want to rely on the HTTP application/zip type for transfer since it should be supportable by other transports. Do I simply add a new suggestion for an OpenC2 action/target combo?
My 10 cents,
Efrain

From: openc2@lists.oasis-open.org <openc2@lists.oasis-open.org> On Behalf Of Brule, Joseph M
OpenC2 Technical Committee,
Our Executive Secretary (Dave Lemire) is unavailable for this week’s happenings email. I will try to meet his standard of excellence, but don’t get your hopes up. Dave will return next week.
Before we start the normal happenings: Thank you for your continued support of this Technical Committee. Our first Plug Fest was quite successful and the fact that over 2/3 of the participants were not members of this TC indicates
that OpenC2 is in fact generating a lot of interest. Realization of wider awareness and interest in this suite of specifications is rewarding. Now it is even more important to remain vigilant and responsive.
As a direct result of the OpenC2 Plug Fest, four companies and an individual are in dialogue with OASIS regarding membership so that they can join the OpenC2 Technical Committee. We are anticipating
new OpenC2 members in the near future, so now is an opportunity for improvement. Please send your feedback and suggestions. Should we improve the Happenings? Should we discontinue the Happenings and pursue another mechanism? Is there a hybrid approach?
Please send your suggestions to Dave Lemire.
And now for our normal Happenings…
===================================== tear line ===================================
ITEMS ONE AND TWO:
ITEM THREE: Post-plug fest. As reported last week, we had a very successful plug fest / hackathon last
week. We are in the process of documenting and capturing lessons learned. Review the plug fest outcomes page on GitHub. If you were there, contribute your experience.
Regardless of whether or not you attended the Plug Fest, let’s find ways to improve our suite of specifications, which leads us to…
Meetings This Week:
Joe Brule
'Adnius ad retinedam puritem noster peciosus corporalis fluidorum…'
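The question Joe and Efrain debate earlier in this thread (does the scan command carry the file itself, or a reference the actuator fetches, and in what encoding) as an added, self-contained Python illustration. This is example code written for this page; it is not from the thread, from the linked PoC repository, or from the OpenC2 specification. The `contents` and `uri` fields on the `file` target and the `file_delivery` argument are assumptions made for illustration only. The consumer caps payload sizes (Joe's concern about loading the C2 channel) and checks the sha256 so that a referenced retrieval cannot quietly substitute a different file for the one that was commanded:

```python
"""Toy OpenC2-style 'scan' command carrying a file either embedded
(base64 contents) or referenced by location, plus consumer-side checks.
Added illustration for this thread: the 'contents' and 'uri' fields and
the 'file_delivery' argument are assumptions, not part of the OpenC2
language specification or of the linked PoC."""
import base64
import hashlib
import json

MAX_EMBEDDED_BYTES = 1_000_000    # constructed cap: keeps C2 messages small
MAX_FETCHED_BYTES = 50_000_000    # constructed cap for referenced retrieval


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_scan_command(file_name, file_bytes=None, uri=None, sha256=None):
    """Producer side. Exactly one of file_bytes (embedded delivery) or
    uri (referenced delivery) must be given. A sha256 is carried whenever
    it is known so the consumer can verify what it decodes or fetches."""
    if (file_bytes is None) == (uri is None):
        raise ValueError("give exactly one of file_bytes or uri")
    target = {"name": file_name}
    args = {}
    if file_bytes is not None:
        if len(file_bytes) > MAX_EMBEDDED_BYTES:
            raise ValueError("too large to embed; send a reference instead")
        target["hashes"] = {"sha256": sha256_hex(file_bytes)}
        # base64 keeps the payload transport-neutral (not tied to HTTP types)
        target["contents"] = base64.b64encode(file_bytes).decode("ascii")
        args["file_delivery"] = "embedded"
    else:
        target["uri"] = uri
        if sha256:
            target["hashes"] = {"sha256": sha256}
        args["file_delivery"] = "referenced"
    return {"action": "scan", "target": {"file": target}, "args": args}


def consume_scan(command, fetch):
    """Consumer side: return (sha256, bytes) of the file to hand to the
    scanner. 'command' is a dict or its JSON text. 'fetch' is a
    caller-supplied uri -> bytes callable so the example runs offline; it
    stands in for whatever transport the actuator uses (HTTPS, SSH, ...)."""
    cmd = json.loads(command) if isinstance(command, str) else command
    if cmd.get("action") != "scan" or "file" not in cmd.get("target", {}):
        raise ValueError("not a scan command with a file target")
    spec = cmd["target"]["file"]
    delivery = cmd.get("args", {}).get("file_delivery")
    if delivery == "embedded":
        data = base64.b64decode(spec["contents"], validate=True)
        if len(data) > MAX_EMBEDDED_BYTES:
            raise ValueError("embedded payload exceeds limit")
    elif delivery == "referenced":
        data = fetch(spec["uri"])
        if len(data) > MAX_FETCHED_BYTES:
            raise ValueError("referenced payload exceeds limit")
    else:
        raise ValueError("unknown or missing file_delivery argument")
    expected = spec.get("hashes", {}).get("sha256")
    actual = sha256_hex(data)
    if expected and expected != actual:
        raise ValueError("sha256 mismatch: received file differs from the one commanded")
    return actual, data


if __name__ == "__main__":
    sample = b"MZ\x90\x00 constructed sample, not a real binary"   # constructed
    store = {"https://files.example.invalid/sample.bin": sample}  # constructed
    embedded = json.dumps(build_scan_command("sample.bin", file_bytes=sample))
    print("embedded  ->", consume_scan(embedded, fetch=store.__getitem__)[0])
    ref = json.dumps(build_scan_command("sample.bin", uri=next(iter(store)),
                                        sha256=sha256_hex(sample)))
    print("referenced->", consume_scan(ref, fetch=store.__getitem__)[0])
```

The embedded form answers the encoding question with base64 text inside the JSON, which any transport can carry; the referenced form keeps the command small and lets the actuator pull the file when it is ready, at the cost of needing a hash in the command to know it scanned the right thing.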