OASIS Cyber Threat Intelligence (CTI) TC

 View Only

Finalizing the STIX 2.1 Malware Object

  • 1.  Finalizing the STIX 2.1 Malware Object

    Posted 06-13-2018 19:57




    All,
     
    As we’re wrapping up work on STIX 2.1 CSD01, we need to finalize what we have for the updated Malware SDO. Accordingly, I have two topics I’d like to bring up in this regard:
     

    Thanks to the work done by Subodh Kumar and his team, I’ve been wondering if there’s a better way to capture the Observable Objects associated with the
    Malware SDO. Right now, there are three places where you may encounter a Cyber Observable Object: samples (a dict of observable objects), static_analysis_results/results (certain keys have a corresponding dict of observable objects), dynamic_analysis_results/results
    (each key has a corresponding dict of observable objects).  
     
    Instead of having these observable object dictionaries all over the place, I believe it would make more sense to have a single property at the top level of the object (let’s call it
    “observable_objects”), where any Cyber Observable Objects associated with the SDO (samples, analysis results, etc.) could be captured, via references. There are a number of advantages to this: a simpler data model (less embedded observable object dicts everywhere),
    the ability to re-use objects (e.g., if static and dynamic analysis find the same objects, you can create one object and just reference it accordingly), and a more compact serialization. See the attached JSON example for what this looks like in practice –
    this is a modified version of the “Malware Instance with Analysis Data” example currently in the 2.1 spec.
     

    Currently, the “av-results-type”, used to capture AV classification results, has only optional properties and the text specifies that at least one must
    be included. This allows you to construct some odd, but spec-valid instances, such as an AV classification with only the engine version. In order to make this type more useful, I’d suggest that we make “product” (the name of the tool performing the scan) and
    “scanned” (the date/time the scan occurred) required, so that way you’ll at least have this minimum set of useful data for each instance. In addition, we should probably add some text stating that the “result” property (the actual AV classification result,
    e.g., “Trojan.Zeus”) must be included if the tool reports some classification during the scan.
     
    Let me know what you think – if we can get these final things wrapped up, we’re that much closer to getting STIX 2.1 out the door.
     
    Regards,
    Ivan



    Attachment: malware_example_observables.json Description: malware_example_observables.json