CTI STIX Subcommittee

  • 1.  Re: [cti-stix] Vulnerability object added

    Posted 07-14-2016 13:55




    Sorry, should have given a link to the object. It’s in the STIX 2.0-Objects document, here:

    https://docs.google.com/document/d/1F1c05GgYaJFV1Z04B8c_T3vEE-LRQTPExF24LvOQAsk/edit#heading=h.q5ytzmajn6re
     
    John
     

    From: <cti-stix@lists.oasis-open.org> on behalf of "Wunder, John A." <jwunder@mitre.org>
    Date: Thursday, July 14, 2016 at 8:11 AM
    To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Subject: [cti-stix] Vulnerability object added


     



    All,
     
    As discussed on the call on Tuesday, it seemed like people were looking for a Vulnerability object so that they could say malware/actors/campaigns target particular vulnerabilities.
     
    Way back when we were first working on 2.0 we had a definition in there that I updated and moved over. Primarily, it would be used to capture external references to CVE and other vulnerability identifiers,
    as Jason had suggested. It also has a name and description in case there’s no CVE or other reference assigned yet or you want to duplicate them into the object directly. I also added the relationships it would conceivably need.
     
    Can you please review it to see if it captures what you need it to?
     
    Thanks,
    John
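The object described in the message above, as an added example that is not part of the original thread or of the STIX draft: a Vulnerability object that carries a CVE external reference, a second one that has only a name and description, and a helper that resolves what a given malware object targets. The property names follow the published STIX 2.x JSON serialization and are an assumption here, since the draft text is not on this page; all IDs, names and the CVE number are constructed placeholders.

```python
import json

# Constructed sample bundle. IDs and the CVE number are placeholders; property
# names follow published STIX 2.x JSON (assumed, the draft is not on this page).
MALWARE_ID = "malware--00000000-0000-4000-8000-000000000001"
VULN_CVE = "vulnerability--00000000-0000-4000-8000-000000000002"
VULN_NO_ID = "vulnerability--00000000-0000-4000-8000-000000000003"

def rel(n, target_ref):
    """Build a constructed 'targets' relationship from the sample malware."""
    return {"type": "relationship",
            "id": f"relationship--00000000-0000-4000-8000-00000000001{n}",
            "relationship_type": "targets",
            "source_ref": MALWARE_ID, "target_ref": target_ref}

BUNDLE = {"type": "bundle", "objects": [
    {"type": "malware", "id": MALWARE_ID, "name": "example-dropper"},
    # Vulnerability identified through an external reference to CVE.
    {"type": "vulnerability", "id": VULN_CVE, "name": "Example parser overflow",
     "external_references": [{"source_name": "cve",
                              "external_id": "CVE-0000-0000"}]},
    # No identifier assigned yet: only name and description are available.
    {"type": "vulnerability", "id": VULN_NO_ID, "name": "Unassigned auth bypass",
     "description": "Constructed entry with no CVE or other reference yet."},
    rel(1, VULN_CVE),
    rel(2, VULN_NO_ID),
    rel(3, "vulnerability--00000000-0000-4000-8000-0000000000ff"),  # dangling
]}

def vulnerability_label(vuln):
    """Prefer an external identifier such as a CVE; fall back to the name."""
    for ref in vuln.get("external_references", []):
        if ref.get("external_id"):
            return f'{ref.get("source_name", "unknown")}:{ref["external_id"]}'
    return f'name:{vuln["name"]}'

def targeted_vulnerabilities(bundle, source_id):
    """Sorted labels of every vulnerability that source_id 'targets'."""
    by_id = {obj["id"]: obj for obj in bundle["objects"]}
    labels = []
    for obj in bundle["objects"]:
        if obj.get("type") != "relationship":
            continue
        if (obj.get("relationship_type") != "targets"
                or obj.get("source_ref") != source_id):
            continue
        target = by_id.get(obj.get("target_ref"))
        # Skip dangling references and targets that are not vulnerabilities.
        if target is None or target.get("type") != "vulnerability":
            continue
        labels.append(vulnerability_label(target))
    return sorted(labels)

if __name__ == "__main__":
    print(json.dumps(targeted_vulnerabilities(BUNDLE, MALWARE_ID), indent=2))
```

The dangling relationship is skipped rather than raising, so a consumer can still report the two resolvable targets from a partially delivered bundle.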








  • 2.  Re: [cti-stix] Vulnerability object added

    Posted 07-14-2016 14:05

    Looks good to me.

    -
    Jason Keirstead
    STSM, Product Architect, Security Intelligence, IBM Security Systems
    www.ibm.com/security www.securityintelligence.com

    Without data, all you are is just another person with an opinion - Unknown

    "Wunder, John A." ---07/14/2016 10:55:12 AM---Sorry, should have given a link to the object. It’s in the STIX 2.0-Objects document, here: https://

    From: "Wunder, John A." <jwunder@mitre.org>
    To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Date: 07/14/2016 10:55 AM
    Subject: Re: [cti-stix] Vulnerability object added
    Sent by: <cti-stix@lists.oasis-open.org>

    Sorry, should have given a link to the object. It’s in the STIX 2.0-Objects document, here:
    https://docs.google.com/document/d/1F1c05GgYaJFV1Z04B8c_T3vEE-LRQTPExF24LvOQAsk/edit#heading=h.q5ytzmajn6re

    John

    From: <cti-stix@lists.oasis-open.org> on behalf of "Wunder, John A." <jwunder@mitre.org>
    Date: Thursday, July 14, 2016 at 8:11 AM
    To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Subject: [cti-stix] Vulnerability object added

    All,

    As discussed on the call on Tuesday, it seemed like people were looking for a Vulnerability object so that they could say malware/actors/campaigns target particular vulnerabilities.

    Way back when we were first working on 2.0 we had a definition in there that I updated and moved over. Primarily, it would be used to capture external references to CVE and other vulnerability identifiers, as Jason had suggested. It also has a name and description in case there’s no CVE or other reference assigned yet or you want to duplicate them into the object directly. I also added the relationships it would conceivably need.

    Can you please review it to see if it captures what you need it to?

    Thanks,
    John




  • 3.  Re: [cti-stix] Vulnerability object added

    Posted 07-14-2016 15:04




    Agreed.
     
    Thanks for getting this in there.
     

    From:
    "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
    Date: Thursday, July 14, 2016 at 7:05 AM
    To: "Wunder, John" <jwunder@mitre.org>
    Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Subject: Re: [cti-stix] Vulnerability object added


     



    Looks good to me.

    -
    Jason Keirstead
    STSM, Product Architect, Security Intelligence, IBM Security Systems
    www.ibm.com/security www.securityintelligence.com

    Without data, all you are is just another person with an opinion - Unknown


    "Wunder, John A." ---07/14/2016 10:55:12 AM---Sorry, should have
    given a link to the object. It’s in the STIX 2.0-Objects document, here: https://

    From: "Wunder, John A." <jwunder@mitre.org>
    To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Date: 07/14/2016 10:55 AM
    Subject: Re: [cti-stix] Vulnerability object added
    Sent by: <cti-stix@lists.oasis-open.org>






    Sorry, should have given a link to the object. It’s in the STIX 2.0-Objects document, here:
    https://docs.google.com/document/d/1F1c05GgYaJFV1Z04B8c_T3vEE-LRQTPExF24LvOQAsk/edit#heading=h.q5ytzmajn6re

    John

    From: <cti-stix@lists.oasis-open.org> on behalf of "Wunder, John A." <jwunder@mitre.org>
    Date: Thursday, July 14, 2016 at 8:11 AM
    To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Subject: [cti-stix] Vulnerability object added

    All,

    As discussed on the call on Tuesday, it seemed like people were looking for a Vulnerability object so that they could say malware/actors/campaigns target particular vulnerabilities.

    Way back when we were first working on 2.0 we had a definition in there that I updated and moved over. Primarily, it would be used to capture external references to CVE and other vulnerability identifiers, as Jason had suggested.
    It also has a name and description in case there’s no CVE or other reference assigned yet or you want to duplicate them into the object directly. I also added the relationships it would conceivably need.

    Can you please review it to see if it captures what you need it to?

    Thanks,
    John










  • 4.  Re: [cti-stix] Vulnerability object added

    Posted 07-14-2016 18:24

    Hi,

    I suggest reusing standardized definitions for CTI.
    (they could be tweaked a bit for highlighting/explaining the relationships between the CTI objects using the CTI objects' names)

    For example:

    vulnerability
    Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.
    Source: NIST SP 800-30 Rev 1
    CNSSI 4009 revised April 6, 2015

    if considered too generic - another example
    A vulnerability is a software weakness that can be exploited by an attacker. Bugs and flaws collectively form the basis of most software vulnerabilities.
    https://buildsecurityin.us-cert.gov/articles/knowledge/attack-patterns/attack-pattern-glossary

    (I hate definitions of "hacker" other than RFC1392)

    PS: probably "too early" to discuss that, but I will be interested, at some point, discussing the relationships with, or mechanisms for leveraging, CybOX objects in the description of Vulnerability (with an extended/better model than the CVE one), allowing, for example, the automation, or semi-automation of the COAs, especially in the context of web applications softwares, where, for example, the Vulnerability model would have to offer information related to URIs/URLs and parameters (a little bit more than a CWE, and not a CPE). CVE+X ((for OVALX)) anyone?

    On Thu, Jul 14, 2016 at 4:54 PM, Wunder, John A. <jwunder@mitre.org> wrote:
    > Sorry, should have given a link to the object. It’s in the STIX 2.0-Objects
    > document, here:
    > https://docs.google.com/document/d/1F1c05GgYaJFV1Z04B8c_T3vEE-LRQTPExF24LvOQAsk/edit#heading=h.q5ytzmajn6re
    >
    > John
    >
    > From: <cti-stix@lists.oasis-open.org> on behalf of "Wunder, John A."
    > <jwunder@mitre.org>
    > Date: Thursday, July 14, 2016 at 8:11 AM
    > To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    > Subject: [cti-stix] Vulnerability object added
    >
    > All,
    >
    > As discussed on the call on Tuesday, it seemed like people were looking for
    > a Vulnerability object so that they could say malware/actors/campaigns
    > target particular vulnerabilities.
    >
    > Way back when we were first working on 2.0 we had a definition in there that
    > I updated and moved over. Primarily, it would be used to capture external
    > references to CVE and other vulnerability identifiers, as Jason had
    > suggested. It also has a name and description in case there’s no CVE or
    > other reference assigned yet or you want to duplicate them into the object
    > directly. I also added the relationships it would conceivably need.
    >
    > Can you please review it to see if it captures what you need it to?
    >
    > Thanks,
    >
    > John


  • 5.  Fwd: Re: [cti-stix] Vulnerability object added

    Posted 07-14-2016 19:59

    Jerome:

    So this suggestion does not get lost in the shuffle of the final push toward MVP I'm forwarding it to the CybOX list as well. There will be an effort to reorganize the path forward after we get the STIX 2.0 & CybOX 3.0 Pre-Draft Specs out for public review. That effort will be aimed at picking up the threads for the discussions on the Objects and issues that have been temporarily placed on hold in order to meet the July 29th deadline.

    That would be a good time to get this suggestion on the agenda.

    Jane Ginn

    *************************************************

    Hi,

    I suggest reusing standardized definitions for CTI.
    (they could be tweaked a bit for highlighting/explaining the relationships between the CTI objects using the CTI objects' names)

    For example:

    vulnerability
    Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.
    Source: NIST SP 800-30 Rev 1
    CNSSI 4009 revised April 6, 2015

    if considered too generic - another example
    A vulnerability is a software weakness that can be exploited by an attacker. Bugs and flaws collectively form the basis of most software vulnerabilities.
    https://buildsecurityin.us-cert.gov/articles/knowledge/attack-patterns/attack-pattern-glossary

    (I hate definitions of "hacker" other than RFC1392)

    PS: probably "too early" to discuss that, but I will be interested, at some point, discussing the relationships with, or mechanisms for leveraging, CybOX objects in the description of Vulnerability (with an extended/better model than the CVE one), allowing, for example, the automation, or semi-automation of the COAs, especially in the context of web applications softwares, where, for example, the Vulnerability model would have to offer information related to URIs/URLs and parameters (a little bit more than a CWE, and not a CPE). CVE+X ((for OVALX)) anyone?

    --
    Jane Ginn, MSIA, MRP
    CTI-TC Co-Secretary
    Cyber Threat Intelligence Network, Inc.
    jg@ctin.us


  • 6.  Re: Re: [cti-stix] Vulnerability object added

    Posted 07-15-2016 10:37

    Thank you Jane.

    This would, for example, give an idea of the concept/context behind it
    https://www.owasp.org/index.php/OWASP_Automated_Threats_to_Web_Applications

    Best regards

    On Thu, Jul 14, 2016 at 10:58 PM, JG on CTI-TC <jg@ctin.us> wrote:
    > Jerome:
    >
    > So this suggestion does not get lost in the shuffle of the final push toward
    > MVP I'm forwarding it to the CybOX list as well. There will be an effort to
    > reorganize the path forward after we get the STIX 2.0 & CybOX 3.0 Pre-Draft
    > Specs out for public review. That effort will be aimed at picking up the
    > threads for the discussions on the Objects and issues that have been
    > temporarily placed on hold in order to meet the July 29th deadline.
    >
    > That would be a good time to get this suggestion on the agenda.
    >
    > Jane Ginn
    >
    > *************************************************
    >
    > Hi,
    >
    > I suggest reusing standardized definitions for CTI.
    > (they could be tweaked a bit for highlighting/explaining the
    > relationships between the CTI objects using the CTI objects' names)
    >
    > For example:
    >
    > vulnerability
    > Weakness in an information system, system security procedures,
    > internal controls, or implementation that could be exploited by a
    > threat source.
    > Source: NIST SP 800-30 Rev 1
    > CNSSI 4009 revised April 6, 2015
    >
    > if considered too generic - another example
    > A vulnerability is a software weakness that can be exploited by an
    > attacker. Bugs and flaws collectively form the basis of most software
    > vulnerabilities.
    > https://buildsecurityin.us-cert.gov/articles/knowledge/attack-patterns/attack-pattern-glossary
    >
    > (I hate definitions of "hacker" other than RFC1392)
    >
    > PS: probably "too early" to discuss that, but I will be interested, at
    > some point, discussing the relationships with, or mechanisms for
    > leveraging, CybOX objects in the description of Vulnerability (with an
    > extended/better model than the CVE one), allowing, for example, the
    > automation, or semi-automation of the COAs, especially in the context
    > of web applications softwares, where, for example, the Vulnerability
    > model would have to offer information related to URIs/URLs and
    > parameters (a little bit more than a CWE, and not a CPE). CVE+X ((for
    > OVALX)) anyone?
    >
    > --
    > Jane Ginn, MSIA, MRP
    > CTI-TC Co-Secretary
    > Cyber Threat Intelligence Network, Inc.
    > jg@ctin.us


  • 8.  Re: [cti-stix] Vulnerability object added

    Posted 07-15-2016 12:36

    Yeah good point…I pulled the definition from CVE because that’s primarily what we were referencing but it probably does make sense to use the NIST definition instead.

    Thanks!
    John

    On 7/14/16, 2:24 PM, "Jerome Athias" <athiasjerome@gmail.com> wrote:

    Hi,

    I suggest reusing standardized definitions for CTI.
    (they could be tweaked a bit for highlighting/explaining the relationships between the CTI objects using the CTI objects' names)

    For example:

    vulnerability
    Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.
    Source: NIST SP 800-30 Rev 1
    CNSSI 4009 revised April 6, 2015

    if considered too generic - another example
    A vulnerability is a software weakness that can be exploited by an attacker. Bugs and flaws collectively form the basis of most software vulnerabilities.
    https://buildsecurityin.us-cert.gov/articles/knowledge/attack-patterns/attack-pattern-glossary

    (I hate definitions of "hacker" other than RFC1392)

    PS: probably "too early" to discuss that, but I will be interested, at some point, discussing the relationships with, or mechanisms for leveraging, CybOX objects in the description of Vulnerability (with an extended/better model than the CVE one), allowing, for example, the automation, or semi-automation of the COAs, especially in the context of web applications softwares, where, for example, the Vulnerability model would have to offer information related to URIs/URLs and parameters (a little bit more than a CWE, and not a CPE). CVE+X ((for OVALX)) anyone?

    On Thu, Jul 14, 2016 at 4:54 PM, Wunder, John A. <jwunder@mitre.org> wrote:
    > Sorry, should have given a link to the object. It’s in the STIX 2.0-Objects
    > document, here:
    > https://docs.google.com/document/d/1F1c05GgYaJFV1Z04B8c_T3vEE-LRQTPExF24LvOQAsk/edit#heading=h.q5ytzmajn6re
    >
    > John
    >
    > From: <cti-stix@lists.oasis-open.org> on behalf of "Wunder, John A."
    > <jwunder@mitre.org>
    > Date: Thursday, July 14, 2016 at 8:11 AM
    > To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    > Subject: [cti-stix] Vulnerability object added
    >
    > All,
    >
    > As discussed on the call on Tuesday, it seemed like people were looking for
    > a Vulnerability object so that they could say malware/actors/campaigns
    > target particular vulnerabilities.
    >
    > Way back when we were first working on 2.0 we had a definition in there that
    > I updated and moved over. Primarily, it would be used to capture external
    > references to CVE and other vulnerability identifiers, as Jason had
    > suggested. It also has a name and description in case there’s no CVE or
    > other reference assigned yet or you want to duplicate them into the object
    > directly. I also added the relationships it would conceivably need.
    >
    > Can you please review it to see if it captures what you need it to?
    >
    > Thanks,
    >
    > John