CTI STIX Subcommittee

  • 1.  Malware SDO Remaining Open Questions

    Posted 10-27-2017 16:44




    All,
     
    As we mentioned on the TC call, there are a few small open questions remaining on the updated Malware SDO [1]:
     

    1. Regarding the name property, should this property always capture the filename for a malware instance? Or should we leave this flexible so that you can capture more semantic (e.g., family-derived) names such as “Zeus.A”?

    2. Regarding the existing “targets” relationship in STIX 2.0 from Malware to Vulnerability, we’ve suggested updating this to a new “exploits” relationship (i.e., Malware -> exploits -> Vulnerability) for semantic clarity. This would be a breaking change, but our thinking is that there would be far less confusion as to what this means.
     
    My own thoughts:

    1. I feel like name should be flexible – we already have the samples property for capturing the information about the binaries associated with the malware, including their filenames.

    2. “Exploits” is much clearer and preferable than “targets” with regards to vulnerabilities (I’ve never seen any malware reporting which states that malware “targets” a vulnerability) so it’s worth making a breaking change for this.
     
    [1] https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.73mue8q00k8

     
    Regards,
    Ivan






  • 2.  Re: [cti-stix] Malware SDO Remaining Open Questions

    Posted 10-27-2017 16:49

    1) definitely feel this should be flexible and not a filename.

    2) exploits is clearer but I do have some minor worry that it conveys an impression that the malware always successfully exploits the vuln where reality in many cases is that malware may target a vuln for exploitation but its success may depend on many other factors within the targeted environment. Not a huge worry but something to consider.

    From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Kirillov, Ivan A. <ikirillov@mitre.org>
    Sent: Friday, October 27, 2017 12:43:32 PM
    To: cti-stix@lists.oasis-open.org
    Subject: [cti-stix] Malware SDO Remaining Open Questions


  • 3.  Re: [cti-stix] Malware SDO Remaining Open Questions

    Posted 10-27-2017 16:54




    Thanks – I agree with your comment around “exploits”, though maybe we can just update the description to state that the malware “exploits or attempts to exploit” a vulnerability to get around this.
     
    Regards,
    Ivan
     

    From: <cti-stix@lists.oasis-open.org> on behalf of Sean Barnum <sean.barnum@FireEye.com>
    Date: Friday, October 27, 2017 at 10:49 AM
    To: Ivan Kirillov <ikirillov@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Subject: Re: [cti-stix] Malware SDO Remaining Open Questions


     












  • 4.  Re: [cti-stix] Malware SDO Remaining Open Questions

    Posted 10-27-2017 17:12




    I’m on board with updating the description
     

    From: <cti-stix@lists.oasis-open.org> on behalf of Ivan Kirillov <ikirillov@mitre.org>
    Date: Friday, October 27, 2017 at 12:54 PM
    To: Sean Barnum <sean.barnum@FireEye.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Subject: Re: [cti-stix] Malware SDO Remaining Open Questions


     






  • 5.  Re: [cti-stix] Malware SDO Remaining Open Questions

    Posted 10-31-2017 12:33


    I 100% agree that file name should be flexible. I have seen many reports that discuss malware and give hashes, but do not give the filename, and given that this is required, flexibility is a must. I think I also prefer “exploits” to “Targets” for vulnerability.
     

    Sarah Kelley
    Senior Cyber Threat Analyst
    Multi-State Information Sharing and Analysis Center (MS-ISAC)                   
    31 Tech Valley Drive
    East Greenbush, NY 12061
     
    sarah.kelley@cisecurity.org
    518-266-3493
    24x7 Security Operations Center
    SOC@cisecurity.org  - 1-866-787-4722
     


          
                 
     

    From: <cti-stix@lists.oasis-open.org> on behalf of Paul Patrick <Paul.Patrick@FireEye.com>
    Date: Friday, October 27, 2017 at 1:12 PM
    To: "Kirillov, Ivan A." <ikirillov@mitre.org>, Sean Barnum <sean.barnum@FireEye.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Subject: Re: [cti-stix] Malware SDO Remaining Open Questions


     







  • 6.  RE: [cti-stix] Malware SDO Remaining Open Questions

    Posted 10-31-2017 16:34

    +1

    From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Sarah Kelley
    Sent: Tuesday, October 31, 2017 8:33 AM
    To: cti-stix@lists.oasis-open.org
    Subject: [Non-DoD Source] Re: [cti-stix] Malware SDO Remaining Open Questions


  • 7.  Re: [cti-stix] Malware SDO Remaining Open Questions

    Posted 11-01-2017 15:23




    Thanks all – it seems like we have strong consensus that we should leave the name property on Malware open and deprecate the existing “targets” relationship in favor of a new “exploits” relationship (with some expanded text). Unless there are objections (let us know if so), this is the approach we’ll go with.
     
    Regards,
    Ivan
     

    From: <cti-stix@lists.oasis-open.org> on behalf of "Katz, Gary CTR DC3DCCI" <Gary.Katz.ctr@dc3.mil>
    Date: Tuesday, October 31, 2017 at 10:34 AM
    To: Sarah Kelley <Sarah.Kelley@cisecurity.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Subject: RE: [cti-stix] Malware SDO Remaining Open Questions


     







  • 8.  Re: [cti-stix] Malware SDO Remaining Open Questions

    Posted 10-27-2017 18:27

    On 27.10.2017 16:43:32, Kirillov, Ivan A. wrote:
    > My own thoughts:
    >
    > 1. I feel like name should be flexible – we already have the samples
    >    property for capturing the information about the binaries
    >    associated with the malware, including their filenames.
    >
    > 2. “Exploits” is much clearer and preferable than “targets” with
    >    regards to vulnerabilities (I’ve never seen any malware reporting
    >    which states that malware “targets” a vulnerability) so it’s worth
    >    making a breaking change for this.
    >

    I concur entirely with Ivan's perspective.

    --
    Cheers,
    Trey
    Director of Standards Development, New Context
    gpg fingerprint: 3918 9D7E 50F5 088F 823F 018A 831A 270A 6C4F C338
    --
    "In theory there is no difference between theory and practice; in practice there is." --anonymous
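
The breaking change the thread settles on, shown as an added example that is not part of any message above or of the STIX specification text: a consumer-side normaliser that rewrites Malware -> targets -> Vulnerability relationships to "exploits" and leaves every other "targets" relationship alone. The bundle, its ids, the placeholder names and the helper functions are constructed for illustration.

```python
import copy

LEGACY_TYPE = "targets"   # STIX 2.0 wording for Malware -> Vulnerability
NEW_TYPE = "exploits"     # wording the thread agrees on


def make_id(kind, n):
    """Build a constructed, obviously fake STIX id for the sample data."""
    return f"{kind}--00000000-0000-4000-8000-{n:012d}"


def make_rel(n, rel_type, source_ref, target_ref):
    """Build a minimal relationship object for the sample bundle."""
    return {
        "type": "relationship",
        "id": make_id("relationship", n),
        "created": "2017-10-27T16:44:00.000Z",
        "modified": "2017-10-27T16:44:00.000Z",
        "relationship_type": rel_type,
        "source_ref": source_ref,
        "target_ref": target_ref,
    }


MALWARE = make_id("malware", 1)
VULN = make_id("vulnerability", 2)
IDENTITY = make_id("identity", 3)
ATTACK_PATTERN = make_id("attack-pattern", 4)

# Constructed STIX 2.0 bundle, trimmed to the fields this example needs.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": make_id("bundle", 0),
    "spec_version": "2.0",
    "objects": [
        # A semantic, family-derived name rather than a filename.
        {"type": "malware", "id": MALWARE, "name": "Zeus.A", "labels": ["trojan"]},
        {"type": "vulnerability", "id": VULN, "name": "placeholder vulnerability"},
        make_rel(10, "targets", MALWARE, VULN),         # becomes "exploits"
        make_rel(11, "targets", MALWARE, IDENTITY),     # victim targeting: keep
        make_rel(12, "targets", ATTACK_PATTERN, VULN),  # source is not malware: keep
    ],
}


def stix_type(ref):
    """Return the object type encoded in a STIX id ('malware--<uuid>' -> 'malware')."""
    return ref.split("--", 1)[0]


def is_legacy_malware_vuln(obj):
    """True only for a Malware -> targets -> Vulnerability relationship."""
    return (
        obj.get("type") == "relationship"
        and obj.get("relationship_type") == LEGACY_TYPE
        and stix_type(obj.get("source_ref", "")) == "malware"
        and stix_type(obj.get("target_ref", "")) == "vulnerability"
    )


def migrate_bundle(bundle):
    """Return (normalised copy of the bundle, ids of rewritten relationships).

    This is an in-memory normalisation for a consumer; the input is not
    mutated and no new object version is published.
    """
    migrated = copy.deepcopy(bundle)
    changed = []
    for obj in migrated.get("objects", []):
        if is_legacy_malware_vuln(obj):
            obj["relationship_type"] = NEW_TYPE
            changed.append(obj["id"])
    return migrated, changed


def relationship_types(bundle):
    """Map relationship id -> relationship_type for quick inspection."""
    return {
        o["id"]: o["relationship_type"]
        for o in bundle.get("objects", [])
        if o.get("type") == "relationship"
    }


if __name__ == "__main__":
    new_bundle, rewritten = migrate_bundle(SAMPLE_BUNDLE)
    print("rewritten:", rewritten)
    for rel_id, rel_type in relationship_types(new_bundle).items():
        print(rel_id, "->", rel_type)
```

Because the source and target types are read from the id prefixes, the check also works when the referenced Malware or Vulnerability object is not present in the same bundle.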