Thanks all – it seems like we have strong consensus that we should leave the
name property on Malware open and deprecate the existing “targets” relationship in favor of a new “exploits” relationship (with some expanded text). Unless there are objections (let us know if so), this is the approach we’ll go with.
Regards,
Ivan
From: <
cti-stix@lists.oasis-open.org> on behalf of "Katz, Gary CTR DC3DCCI" <
Gary.Katz.ctr@dc3.mil>
Date: Tuesday, October 31, 2017 at 10:34 AM
To: Sarah Kelley <
Sarah.Kelley@cisecurity.org>, "cti-stix@lists.oasis-open.org" <
cti-stix@lists.oasis-open.org>
Subject: RE: [cti-stix] Malware SDO Remaining Open Questions
+1
From:
cti-stix@lists.oasis-open.org [mailto:
cti-stix@lists.oasis-open.org]
On Behalf Of Sarah Kelley
Sent: Tuesday, October 31, 2017 8:33 AM
To:
cti-stix@lists.oasis-open.org Subject: [Non-DoD Source] Re: [cti-stix] Malware SDO Remaining Open Questions
I 100% agree that file name should be flexible. I have seen many reports that discuss malware and give hashes, but do not give the filename, and given that this is required, flexibility is a must. I think
I also prefer “exploits” to “Targets” for vulnerability.
Sarah Kelley
Senior Cyber Threat Analyst
Multi-State Information Sharing and Analysis Center (MS-ISAC)
31 Tech Valley Drive
East Greenbush, NY 12061
sarah.kelley@cisecurity.org 518-266-3493
24x7 Security Operations Center
SOC@cisecurity.org - 1-866-787-4722
From: <
cti-stix@lists.oasis-open.org> on behalf of Paul Patrick <
Paul.Patrick@FireEye.com>
Date: Friday, October 27, 2017 at 1:12 PM
To: "Kirillov, Ivan A." <
ikirillov@mitre.org>, Sean Barnum <
sean.barnum@FireEye.com>, "cti-stix@lists.oasis-open.org" <
cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Malware SDO Remaining Open Questions
I’m on board with updated the description
From:
<
cti-stix@lists.oasis-open.org> on behalf of Ivan Kirillov <
ikirillov@mitre.org>
Date: Friday, October 27, 2017 at 12:54 PM
To: Sean Barnum <
sean.barnum@FireEye.com>, "cti-stix@lists.oasis-open.org" <
cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Malware SDO Remaining Open Questions
Thanks – I agree with your comment around “exploits”, though maybe we can just update the description to state that the malware “exploits or
attempts to exploit ” a vulnerability to get around this.
Regards,
Ivan
From:
<
cti-stix@lists.oasis-open.org> on behalf of Sean Barnum <
sean.barnum@FireEye.com>
Date: Friday, October 27, 2017 at 10:49 AM
To: Ivan Kirillov <
ikirillov@mitre.org>, "cti-stix@lists.oasis-open.org" <
cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Malware SDO Remaining Open Questions
1) definitely feel this should be flexible and not a filename.
2) exploits is clearer but I do have some minor worry that it conveys an impression that the malware always successfully exploits the vuln where reality in many cases is that malware
may target a vuln for exploitation but its success may depend on many other factors within the targeted environment. Not a huge worry but something to consider.
Get
Outlook for iOS
From:
cti-stix@lists.oasis-open.org <
cti-stix@lists.oasis-open.org> on behalf of Kirillov, Ivan A. <
ikirillov@mitre.org>
Sent: Friday, October 27, 2017 12:43:32 PM
To:
cti-stix@lists.oasis-open.org Subject: [cti-stix] Malware SDO Remaining Open Questions
All,
As we mentioned on the TC call, there are a few small open questions remaining on the updated Malware SDO [1]:
1.
Regarding the name property, should this property always capture the filename for a malware instance? Or should we leave this flexible so that you can capture more semantic (e.g., family-derived)
names such as “Zeus.A”?
2.
Regarding the existing “targets” relationship in STIX 2.0 from Malware to Vulnerability, we’ve suggested updating this to a new “exploits” relationship (i.e., Malware -> exploits -> Vulnerability) for semantic
clarity. This would be a breaking change, but our thinking is that there would be far less confusion as to what this means.
My own thoughts:
1.
I feel like name should be flexible – we already have the
samples property for capturing the information about the binaries associated with the malware, including their filenames.
2.
“Exploits” is much clearer and preferable than “targets” with regards to vulnerabilities (I’ve never seen any malware reporting which states that malware “targets” a vulnerability) so it’s worth making
a breaking change for this.
[1]
https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.73mue8q00k8 Regards,
Ivan
This email and any attachments thereto may contain private, confidential, and/or privileged material for the sole use of the intended recipient. Any review, copying, or distribution
of this email (or any attachments thereto) by others is strictly prohibited. If you are not the intended recipient, please contact the sender immediately and permanently delete the original and any copies of this email and any attachments thereto.
This email and any attachments thereto may contain private, confidential, and/or privileged material for the sole use of the intended recipient. Any review, copying, or distribution of this email (or any attachments
thereto) by others is strictly prohibited. If you are not the intended recipient, please contact the sender immediately and permanently delete the original and any copies of this email and any attachments thereto.
.....
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this
message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . . . .