CTI STIX Subcommittee

  • 1.  Malware, Malicious Tool, and Tool

    Posted 06-09-2016 14:11




    All,
     
    I took a shot at producing some material describing various approaches we could use to represent malware, malicious tools (or, malicious usage of tools), and tools.
     
    It’s a tough call with a bunch of tradeoffs; I don’t really see a “right” answer, but my preference is still Option 1. My reasoning:
     
    - IMO TLOs should be able to stand on their own…critical information should not be captured via relationships because people might not know them or might not want to share them. The fact that a particular TLO represents malicious usage of a tool seems very important to me.
    - I’m not sure that the fields used to represent data about malicious usage of tools are the same as the fields used to represent data about benign usage of tools (as a target, info source, or other use cases). So, having those as separate TLOs seems important to me. You care about different data for a tool depending on how it’s being used.
     
    To be honest I’m not 100% sold on “Weapon” as the TLO name (vs. Malicious Tool, Malicious Code, or something else) but I’m fairly comfortable with having one TLO for stuff used maliciously and a different
    TLO for stuff not used maliciously (defining that based on our use cases for it).
     
    John



    Attachment: Malware Thoughts.pptx Description: Malware Thoughts.pptx



  • 2.  Re: Malware, Malicious Tool, and Tool

    Posted 06-09-2016 22:03
    Can we not just have a boolean flag that says this tool is being used maliciously?

    Bret

    From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Wunder, John A. <jwunder@mitre.org>
    Sent: Thursday, June 9, 2016 8:10 AM
    To: cti-stix@lists.oasis-open.org
    Subject: [cti-stix] Malware, Malicious Tool, and Tool


  • 3.  Re: Malware, Malicious Tool, and Tool

    Posted 06-09-2016 22:08
    Based on your list from your email I would go with #2 or #3... The reason for this I spelled out in detail on the Slack channel. But it comes down to this: the industry knows and understands what Malware is... If we produce a spec that does not have a container for Malware, it will be a big mistake. We will effectively need to re-train the entire internet on the fact that we are re-defining the way they use the term Malware. And I doubt that will have a positive outcome.

    Bret

    From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Wunder, John A. <jwunder@mitre.org>
    Sent: Thursday, June 9, 2016 8:10 AM
    To: cti-stix@lists.oasis-open.org
    Subject: [cti-stix] Malware, Malicious Tool, and Tool
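The thread above weighs three ways of saying "this tool was used maliciously": a separate top-level object for malicious use (John's Option 1, the "Weapon" idea), a boolean flag on a single tool object (Bret's suggestion in post 2), and leaving it to relationships. The script below is an added example, not material from the thread or from the STIX specification, that makes John's two criteria testable: whether an object still answers the "malicious?" question once a producer withholds relationships, and whether the field set a consumer expects differs between malicious and benign use. Every type name, id, field name and bundle here is constructed for the illustration; none is a STIX identifier.

```python
"""Compare three candidate representations of 'tool used maliciously' and check
what a consumer can still conclude when relationships are withheld. All type
names, ids and field names are constructed for this example, not STIX spec
identifiers."""

from typing import Optional

# Option "separate": malicious use is its own top-level type; benign use stays "tool".
SEPARATE_BUNDLE = [
    {"type": "weapon", "id": "weapon--a1", "name": "example-remote-admin",
     "capabilities": ["lateral-movement"]},
    {"type": "tool", "id": "tool--a2", "name": "example-remote-admin",
     "vendor": "ExampleCorp"},
]

# Option "flag": one "tool" type carrying an is_malicious boolean.
FLAG_BUNDLE = [
    {"type": "tool", "id": "tool--b1", "name": "example-remote-admin", "is_malicious": True},
    {"type": "tool", "id": "tool--b2", "name": "example-remote-admin", "is_malicious": False},
]

# Option "relationship": plain "tool" objects; malicious use is asserted only by a
# separate relationship object that the producer may decide not to share.
RELATIONSHIP_BUNDLE = [
    {"type": "tool", "id": "tool--c1", "name": "example-remote-admin"},
    {"type": "tool", "id": "tool--c2", "name": "example-remote-admin"},
    {"type": "relationship", "id": "relationship--c3", "source_ref": "tool--c1",
     "target_ref": "campaign--c4", "relationship_type": "used-maliciously-in"},
]

# Constructed per-option required fields: the data wanted about malicious use
# (capabilities) differs from the data wanted about a benign tool (vendor).
REQUIRED_FIELDS = {
    "separate": {"weapon": {"name", "capabilities"}, "tool": {"name", "vendor"}},
    "flag": {"tool": {"name", "is_malicious"}},  # one schema must serve both uses
    "relationship": {"tool": {"name"},
                     "relationship": {"source_ref", "target_ref", "relationship_type"}},
}


def malicious_status(obj: dict, bundle: list, model: str) -> Optional[bool]:
    """True/False when malicious use is decidable from what the consumer holds,
    None when it is not (absence of a relationship is not evidence of benign use)."""
    if model == "separate":
        return obj["type"] == "weapon"
    if model == "flag":
        return None if "is_malicious" not in obj else bool(obj["is_malicious"])
    if model == "relationship":
        if obj["type"] != "tool":
            return None
        for other in bundle:
            if (other["type"] == "relationship"
                    and other["source_ref"] == obj["id"]
                    and other["relationship_type"] == "used-maliciously-in"):
                return True
        return None
    raise ValueError(f"unknown model {model!r}")


def withhold_relationships(bundle: list) -> list:
    """Simulate a producer that shares objects but not the relationships between them."""
    return [o for o in bundle if o["type"] != "relationship"]


def stands_on_its_own(bundle: list, model: str) -> bool:
    """John's first criterion: after relationships are withheld, can every remaining
    object still tell the consumer whether it represents malicious use?"""
    shared = withhold_relationships(bundle)
    return all(malicious_status(o, shared, model) is not None for o in shared)


def missing_fields(obj: dict, model: str) -> set:
    """John's second criterion: fields the option's schema demands that the object
    lacks. Empty set means the object is complete for its type."""
    required = REQUIRED_FIELDS[model].get(obj["type"], set())
    return required - set(obj)


if __name__ == "__main__":
    for name, bundle in [("separate", SEPARATE_BUNDLE), ("flag", FLAG_BUNDLE),
                         ("relationship", RELATIONSHIP_BUNDLE)]:
        print(f"{name:>12}: stands on its own = {stands_on_its_own(bundle, name)}")
```

Running it shows the "separate" and "flag" options both survive partial sharing, while the relationship-only option leaves every tool object undecidable once the relationship is dropped. The `missing_fields` check is where the flag and separate options part ways: with one `tool` type, a consumer cannot demand `capabilities` of a malicious entry and `vendor` of a benign one without conditional validation on the flag, which is the schema concern John raises in his second bullet.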