OASIS Cyber Threat Intelligence (CTI) TC

  • 1.  Public review comments from Kaiser Permanente for STIX V1.2.1

    Posted 02-05-2016 20:52
    Comment on this area: STIX Part 5, TTP, Section 3.2.3.1 ExploitType Class: Should CVE_ID be included, considering CAPEC_ID is included for AttackPatternType? Basically, the default extensions for similar classes include attributes for similar ID types. Example: the Exploit Target data model WeaknessType class contains CWE_ID. It should be useful to include an (optional) attribute for CVE numbers on Exploits, if the CVE numbers are known.


  • 2.  RE: [cti] Public review comments from Kaiser Permanente for STIX V1.2.1

    Posted 02-07-2016 22:07
    I think the "best practices" way of expressing what you want is to have the TTP be related to an Exploit_Target that describes the CVE, including its ID.

    Also, notice that the ttp:ExploitType isn't fully specified - from the specs:

    The ExploitType class is intended to be extended to enable the structured description of an exploit instance. However, no extension is provided by STIX v1.2.1; producers wanting to represent structured exploit instance information are encouraged to develop such an extension.




  • 3.  Re: [cti] Public review comments from Kaiser Permanente for STIX V1.2.1

    Posted 02-08-2016 17:40
    Keep in mind that "Exploit" != "Exploit Target". Within TTP, there's a placeholder "ExploitType" that's intended to characterize actual exploits. We don't really have a good way to do that now so it's pretty bare. There's a separate "ExploitTargetType" as a top-level construct that can represent vulnerabilities, configurations, and weaknesses. That construct does indeed have a CVE_ID field.

    So…exploit = representation of the actual exploit code that exploits a vulnerability. Exploit target = representation of the vulnerability that is or might be the target of an exploit.


    John

    From: < cti@lists.oasis-open.org > on behalf of Rich Piazza < rpiazza@mitre.org >
    Date: Sunday, February 7, 2016 at 5:07 PM
    To: Beth Pumo < beth.pumo@kp.org >, " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject: RE: [cti] Public review comments from Kaiser Permanente for STIX V1.2.1
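Both replies above make the same point: in STIX 1.2.1 the CVE does not live on ttp:Exploit (which is a bare placeholder) but on an Exploit Target that the TTP is related to. The following is an added example, not code from the thread, from OASIS or from any STIX library: it builds a constructed STIX 1.2.1 package in exactly that shape and then resolves, with only the Python standard library, the path TTP -> ttp:Exploit_Targets -> stixCommon:Exploit_Target idref -> et:Vulnerability/et:CVE_ID. It also performs the two checks a consumer wants when the CVE is reachable only by reference: it reports idrefs that resolve to nothing and TTPs that carry an Exploit but no related target. The namespace URIs are the real STIX 1.x ones; the package id, TTP ids, Exploit Target ids, titles and the choice of CVE numbers are sample values constructed for this example.

```python
"""Resolve CVE IDs behind STIX 1.2.1 TTPs via their related Exploit Targets.

Added example for the thread above; it is not OASIS or python-stix code.
Only the standard library is used. The sample package below is constructed
for illustration: its ids and titles are made up, and the CVE numbers are
just well-known identifiers chosen as sample values.
"""
import xml.etree.ElementTree as ET

# STIX 1.x namespace URIs used by the package and the XPath lookups.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "stixCommon": "http://stix.mitre.org/common-1",
    "ttp": "http://stix.mitre.org/TTP-1",
    "et": "http://stix.mitre.org/ExploitTarget-1",
}

# Constructed sample package. ttp-1 carries a bare ttp:Exploit (which has no
# CVE field) and points at two Exploit Targets that carry the CVE_IDs.
# ttp-2 references an Exploit Target that is not in the package (dangling idref).
SAMPLE_PACKAGE = """<stix:STIX_Package
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:ttp="http://stix.mitre.org/TTP-1"
    xmlns:et="http://stix.mitre.org/ExploitTarget-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="example:package-1" version="1.2">
  <stix:TTPs>
    <stix:TTP id="example:ttp-1" xsi:type="ttp:TTPType">
      <ttp:Title>TLS heartbeat read-overrun exploit</ttp:Title>
      <ttp:Behavior>
        <ttp:Exploits>
          <ttp:Exploit>
            <ttp:Title>Sample exploit instance (no CVE field exists here)</ttp:Title>
          </ttp:Exploit>
        </ttp:Exploits>
      </ttp:Behavior>
      <ttp:Exploit_Targets>
        <ttp:Exploit_Target>
          <stixCommon:Exploit_Target idref="example:et-1"/>
        </ttp:Exploit_Target>
        <ttp:Exploit_Target>
          <stixCommon:Exploit_Target idref="example:et-2"/>
        </ttp:Exploit_Target>
      </ttp:Exploit_Targets>
    </stix:TTP>
    <stix:TTP id="example:ttp-2" xsi:type="ttp:TTPType">
      <ttp:Title>TTP with a dangling Exploit Target reference</ttp:Title>
      <ttp:Exploit_Targets>
        <ttp:Exploit_Target>
          <stixCommon:Exploit_Target idref="example:et-missing"/>
        </ttp:Exploit_Target>
      </ttp:Exploit_Targets>
    </stix:TTP>
  </stix:TTPs>
  <stix:Exploit_Targets>
    <stix:Exploit_Target id="example:et-1" xsi:type="et:ExploitTargetType">
      <et:Vulnerability>
        <et:Title>OpenSSL TLS heartbeat extension read overrun</et:Title>
        <et:CVE_ID>CVE-2014-0160</et:CVE_ID>
      </et:Vulnerability>
    </stix:Exploit_Target>
    <stix:Exploit_Target id="example:et-2" xsi:type="et:ExploitTargetType">
      <et:Vulnerability>
        <et:CVE_ID>CVE-2014-0224</et:CVE_ID>
      </et:Vulnerability>
    </stix:Exploit_Target>
  </stix:Exploit_Targets>
</stix:STIX_Package>
"""


def cve_ids_of(et_el):
    """CVE_IDs declared on one Exploit Target element (top-level or embedded)."""
    return [c.text.strip() for c in et_el.findall("et:Vulnerability/et:CVE_ID", NS)
            if c.text and c.text.strip()]


def index_exploit_targets(root):
    """Map top-level Exploit Target id -> list of its CVE_IDs."""
    return {el.get("id"): cve_ids_of(el)
            for el in root.findall("stix:Exploit_Targets/stix:Exploit_Target", NS)}


def cves_for_ttps(xml_text):
    """Return {ttp_id: {"cves": [...], "unresolved": [...], "has_exploit": bool}}.

    "cves" are the CVE_IDs reachable from the TTP's related Exploit Targets,
    "unresolved" lists idrefs that point at no Exploit Target in the package,
    and "has_exploit" records whether the TTP carries a ttp:Exploit at all.
    """
    root = ET.fromstring(xml_text)
    targets = index_exploit_targets(root)
    result = {}
    for ttp_el in root.findall("stix:TTPs/stix:TTP", NS):
        cves, unresolved = [], []
        refs = ttp_el.findall(
            "ttp:Exploit_Targets/ttp:Exploit_Target/stixCommon:Exploit_Target", NS)
        for ref in refs:
            idref = ref.get("idref")
            if idref is None:
                cves.extend(cve_ids_of(ref))      # Exploit Target embedded inline
            elif idref in targets:
                cves.extend(targets[idref])       # resolved by reference
            else:
                unresolved.append(idref)          # dangling reference: flag it
        has_exploit = ttp_el.find("ttp:Behavior/ttp:Exploits/ttp:Exploit", NS) is not None
        result[ttp_el.get("id")] = {"cves": cves, "unresolved": unresolved,
                                    "has_exploit": has_exploit}
    return result


if __name__ == "__main__":
    for ttp_id, info in cves_for_ttps(SAMPLE_PACKAGE).items():
        print(ttp_id, info)
        if info["has_exploit"] and not info["cves"]:
            print("  warning: exploit with no CVE reachable via Exploit_Targets")
```

The resolver deliberately treats a dangling idref as a finding rather than silently dropping it: if a producer followed the advice above and put the CVE on a separate Exploit Target, a consumer that receives the TTP without that target loses the CVE entirely, which is exactly the situation the original comment was worried about.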