CTI STIX Subcommittee

  • 1.  Re: [cti-stix] Re: [EXT] Re: [cti-stix] Feedback on Malware Object

    Posted 09-14-2017 20:48




    Crawl. Walk. Run.
     
    We need to remember that we are trying to build a solid foundation that we can build upon here and just because it would be great if we did 100% of what is possible, that doesn’t mean we can or should in STIX 2.1. This is about striking
    the right balance.
     

    From: <cti-stix@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com>
    Date: Thursday, September 14, 2017 at 4:41 PM
    To: "Kirillov, Ivan A." <ikirillov@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Subject: [cti-stix] Re: [EXT] Re: [cti-stix] Feedback on Malware Object


     


    I think we could sweet talk people around issue 1..  But item 5 is really important for STIX Malware. As it currently stands there is no real way to understand the dynamic analysis, which type of system generated it, how that virtual
    environment was configured, and what it actually applies to.  In defense of item 5, we knew this might be an issue.  But we decided to get something put together in the minigroup and then see if this was really an issue.  
     
    This is a significant issue for us, and given the sheer volume of STIX Malware content that we could potential create for the eco-system, I would hope that the minigroup and STIX SC would consider this feedback from our internal
    teams and work through how we can address this. 
     
    Bret





    From: Kirillov, Ivan A. <ikirillov@mitre.org>
    Sent: Thursday, September 14, 2017 1:58:01 PM
    To: Bret Jordan; cti-stix@lists.oasis-open.org
    Subject: [EXT] Re: [cti-stix] Feedback on Malware Object

     



    Thanks for the feedback Bret (and thanks to your team as well)! On the face of it, #2, #3, #4, #6, and probably #7 are things that we could tweak or update in the existing data model without significantly changing the scope or intent of
    the current object.
     
    #1 is something that we discussed at length during the initial discussions around this object, and our decision to have a single object was based on the fact that having a separate malware family and instance object would be highly duplicative
    in terms of the data that both would convey.
     
    #5 would mean significantly changing the scope of this SDO. If you recall, our original goal was to create an object suitable for the “80%” use case, that is capable of capturing roughly 80% of commonly reported data around malware. To
    this end, I don’t think we were envisioning a 1:1 mapping between a sandbox tool such as that produced by Symantec, and were thinking that there would have to be some post-processing or filtering of data that would take place before sandbox or other analysis
    data would be populated in this object. In addition, while I don’t doubt that we could create a data model and structure to capture details of the particular execution environment for each sandbox run and its corresponding output, doing so would engender a
    fair amount of specification and schema complexity. It’s also worth pointing out that if you have a strong need for #5, this is something that MAEC does to a large extent.
     
    Anyhow, let’s discuss this during tomorrow’s call. Also, we’d be very interested if any other sandbox tool vendors (FireEye, etc.) have similar (or any) feedback, so please let us know.
     
    Regards,
    Ivan
     

    From: <cti-stix@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com>
    Date: Thursday, September 14, 2017 at 12:42 PM
    To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Subject: [cti-stix] Feedback on Malware Object


     


    Here is the initial feedback from Symantec on the 2.1 Malware Object.
     



    Malware needs to be two different objects, one for family and one for the instance. It is really confusing to think of these as the same object.
    Malware needs to track the build version and vanity name. Example 3rd generation of this malware. 
    Need to be able to track which sub-phase of the kill chain it is in or provide some sort of nesting logic. Basically, this malware calls this other malware, which calls this other malware. Need to know the order in which they
    were called as this is critical information. There are often multiple phases that require understanding of the nesting.
    Maybe change the terms to be Static Events and Dynamic Events, this would reduce the overlap and the guessing of where thing are documented. Example is Mutexes (down below)
    Dynamic Analysis



    Needs to capture multiple passes based on the type of execution environment that it was run on (Windows 7, Windows 10 + Office 2016, Windows 10 + Chrome)
    Needs to track which type of sandbox it was run on and how that sandbox or virtual machine was configured / track the execution environment of where it was run, not just what it targets. 






    How the information as collected. 
    Where it was seen. 
    Where it will probably run





    Need to track the platform that these run on, some things are not applicable to certain platforms. DLLs on Linux, Android MMS on Windows.
    Need ability to search across data to find similar file creates across various runs of dynamic analysis under different configurations



    Static Analysis



    Has a lot of events that are really dynamic events. This is what it would do if/when it were to run
    Mutex for example might be based on computer name or GUID. Information can be derived from the execution environment. Same with filenames. This makes these more “Dynamic Events”



    Need to make a Communications Analysis/Events section and pull out all of the communication pieces.




    HTTP / HTTPS
    Network Requests
    IRC
    Raw Sockets
    UDP
    Network Flow
    Contacted IPs, etc.



     

     
    Bret








  • 2.  Re: [cti-stix] Re: [EXT] Re: [cti-stix] Feedback on Malware Object

    Posted 09-14-2017 21:33



    It is also about making sure as best as possible that what we do is useable and implementable by the market.  In addition if we do not do this now then it would represent a significant breaking change in the future.  It is one thing to add bits as we go
    along, it is another to not get the basic structure right.


    Bret 

    Sent from my Commodore 64 


    PGP
    Fingerprint:  63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050


    On Sep 14, 2017, at 2:48 PM, Struse, Richard J. < rjs@mitre.org > wrote:









    Crawl. Walk. Run.
     
    We need to remember that we are trying to build a solid foundation that we can build upon here and just because it would be great if we did 100% of what is possible, that doesn’t mean we can or should in STIX 2.1. This is about striking
    the right balance.
     

    From: < cti-stix@lists.oasis-open.org > on behalf of Bret Jordan < Bret_Jordan@symantec.com >
    Date: Thursday, September 14, 2017 at 4:41 PM
    To: "Kirillov, Ivan A." < ikirillov@mitre.org >, " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >
    Subject: [cti-stix] Re: [EXT] Re: [cti-stix] Feedback on Malware Object


     


    I think we could sweet talk people around issue 1..  But item 5 is really important for STIX Malware. As it currently stands there is no real way to understand the dynamic analysis, which type of system generated it, how that virtual
    environment was configured, and what it actually applies to.  In defense of item 5, we knew this might be an issue.  But we decided to get something put together in the minigroup and then see if this was really an issue.  
     
    This is a significant issue for us, and given the sheer volume of STIX Malware content that we could potential create for the eco-system, I would hope that the minigroup and STIX SC would consider this feedback from our internal
    teams and work through how we can address this. 
     
    Bret





    From: Kirillov, Ivan A. < ikirillov@mitre.org >
    Sent: Thursday, September 14, 2017 1:58:01 PM
    To: Bret Jordan; cti-stix@lists.oasis-open.org
    Subject: [EXT] Re: [cti-stix] Feedback on Malware Object

     



    Thanks for the feedback Bret (and thanks to your team as well)! On the face of it, #2, #3, #4, #6, and probably #7 are things that we could tweak or update in the existing data model without significantly changing the scope or intent of
    the current object.
     
    #1 is something that we discussed at length during the initial discussions around this object, and our decision to have a single object was based on the fact that having a separate malware family and instance object would be highly duplicative
    in terms of the data that both would convey.
     
    #5 would mean significantly changing the scope of this SDO. If you recall, our original goal was to create an object suitable for the “80%” use case, that is capable of capturing roughly 80% of commonly reported data around malware. To
    this end, I don’t think we were envisioning a 1:1 mapping between a sandbox tool such as that produced by Symantec, and were thinking that there would have to be some post-processing or filtering of data that would take place before sandbox or other analysis
    data would be populated in this object. In addition, while I don’t doubt that we could create a data model and structure to capture details of the particular execution environment for each sandbox run and its corresponding output, doing so would engender a
    fair amount of specification and schema complexity. It’s also worth pointing out that if you have a strong need for #5, this is something that MAEC does to a large extent.
     
    Anyhow, let’s discuss this during tomorrow’s call. Also, we’d be very interested if any other sandbox tool vendors (FireEye, etc.) have similar (or any) feedback, so please let us know.
     
    Regards,
    Ivan
     

    From: < cti-stix@lists.oasis-open.org > on behalf of Bret Jordan < Bret_Jordan@symantec.com >
    Date: Thursday, September 14, 2017 at 12:42 PM
    To: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >
    Subject: [cti-stix] Feedback on Malware Object


     


    Here is the initial feedback from Symantec on the 2.1 Malware Object.
     



    Malware needs to be two different objects, one for family and one for the instance. It is really confusing to think of these as the same object.
    Malware needs to track the build version and vanity name. Example 3rd generation of this malware. 
    Need to be able to track which sub-phase of the kill chain it is in or provide some sort of nesting logic. Basically, this malware calls this other malware, which calls this other malware. Need to know the order in which they
    were called as this is critical information. There are often multiple phases that require understanding of the nesting.
    Maybe change the terms to be Static Events and Dynamic Events, this would reduce the overlap and the guessing of where thing are documented. Example is Mutexes (down below)
    Dynamic Analysis



    Needs to capture multiple passes based on the type of execution environment that it was run on (Windows 7, Windows 10 + Office 2016, Windows 10 + Chrome)
    Needs to track which type of sandbox it was run on and how that sandbox or virtual machine was configured / track the execution environment of where it was run, not just what it targets. 






    How the information as collected. 
    Where it was seen. 
    Where it will probably run





    Need to track the platform that these run on, some things are not applicable to certain platforms. DLLs on Linux, Android MMS on Windows.
    Need ability to search across data to find similar file creates across various runs of dynamic analysis under different configurations



    Static Analysis



    Has a lot of events that are really dynamic events. This is what it would do if/when it were to run
    Mutex for example might be based on computer name or GUID. Information can be derived from the execution environment. Same with filenames. This makes these more “Dynamic Events”



    Need to make a Communications Analysis/Events section and pull out all of the communication pieces.




    HTTP / HTTPS
    Network Requests
    IRC
    Raw Sockets
    UDP
    Network Flow
    Contacted IPs, etc.



     

     
    Bret










  • 3.  Re: [cti-stix] Re: [EXT] Re: [cti-stix] Feedback on Malware Object

    Posted 09-14-2017 21:50
    Regarding #1, I think this definitely aligns with the Modularity (conflating concepts) design principle in my suggested Design Principles posting earlier this month .... along with same fields don't mean same object. I too would prefer Malware Family to be a separate object, even if it has exactly the same fields in it. Cheers Terry MacDonald   Chief Product Officer M:   +64 211 918 814 E:   terry.macdonald@cosive.com W:   www.cosive.com On Fri, Sep 15, 2017 at 9:32 AM, Bret Jordan < Bret_Jordan@symantec.com > wrote: It is also about making sure as best as possible that what we do is useable and implementable by the market.  In addition if we do not do this now then it would represent a significant breaking change in the future.  It is one thing to add bits as we go along, it is another to not get the basic structure right. Bret  Sent from my Commodore 64  PGP Fingerprint:  63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 On Sep 14, 2017, at 2:48 PM, Struse, Richard J. < rjs@mitre.org > wrote: Crawl. Walk. Run.   We need to remember that we are trying to build a solid foundation that we can build upon here and just because it would be great if we did 100% of what is possible, that doesn’t mean we can or should in STIX 2.1. This is about striking the right balance.   From: < cti-stix@lists.oasis-open.org > on behalf of Bret Jordan < Bret_Jordan@symantec.com > Date: Thursday, September 14, 2017 at 4:41 PM To: "Kirillov, Ivan A." < ikirillov@mitre.org >, " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org > Subject: [cti-stix] Re: [EXT] Re: [cti-stix] Feedback on Malware Object   I think we could sweet talk people around issue 1..  But item 5 is really important for STIX Malware. As it currently stands there is no real way to understand the dynamic analysis, which type of system generated it, how that virtual environment was configured, and what it actually applies to.  In defense of item 5, we knew this might be an issue.  But we decided to get something put together in the minigroup and then see if this was really an issue.     This is a significant issue for us, and given the sheer volume of STIX Malware content that we could potential create for the eco-system, I would hope that the minigroup and STIX SC would consider this feedback from our internal teams and work through how we can address this.    Bret From: Kirillov, Ivan A. < ikirillov@mitre.org > Sent: Thursday, September 14, 2017 1:58:01 PM To: Bret Jordan; cti-stix@lists.oasis-open.org Subject: [EXT] Re: [cti-stix] Feedback on Malware Object   Thanks for the feedback Bret (and thanks to your team as well)! On the face of it, #2, #3, #4, #6, and probably #7 are things that we could tweak or update in the existing data model without significantly changing the scope or intent of the current object.   #1 is something that we discussed at length during the initial discussions around this object, and our decision to have a single object was based on the fact that having a separate malware family and instance object would be highly duplicative in terms of the data that both would convey.   #5 would mean significantly changing the scope of this SDO. If you recall, our original goal was to create an object suitable for the “80%” use case, that is capable of capturing roughly 80% of commonly reported data around malware. To this end, I don’t think we were envisioning a 1:1 mapping between a sandbox tool such as that produced by Symantec, and were thinking that there would have to be some post-processing or filtering of data that would take place before sandbox or other analysis data would be populated in this object. In addition, while I don’t doubt that we could create a data model and structure to capture details of the particular execution environment for each sandbox run and its corresponding output, doing so would engender a fair amount of specification and schema complexity. It’s also worth pointing out that if you have a strong need for #5, this is something that MAEC does to a large extent.   Anyhow, let’s discuss this during tomorrow’s call. Also, we’d be very interested if any other sandbox tool vendors (FireEye, etc.) have similar (or any) feedback, so please let us know.   Regards, Ivan   From: < cti-stix@lists.oasis-open.org > on behalf of Bret Jordan < Bret_Jordan@symantec.com > Date: Thursday, September 14, 2017 at 12:42 PM To: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org > Subject: [cti-stix] Feedback on Malware Object   Here is the initial feedback from Symantec on the 2.1 Malware Object.   Malware needs to be two different objects, one for family and one for the instance. It is really confusing to think of these as the same object. Malware needs to track the build version and vanity name. Example 3rd generation of this malware.  Need to be able to track which sub-phase of the kill chain it is in or provide some sort of nesting logic. Basically, this malware calls this other malware, which calls this other malware. Need to know the order in which they were called as this is critical information. There are often multiple phases that require understanding of the nesting. Maybe change the terms to be Static Events and Dynamic Events, this would reduce the overlap and the guessing of where thing are documented. Example is Mutexes (down below) Dynamic Analysis Needs to capture multiple passes based on the type of execution environment that it was run on (Windows 7, Windows 10 + Office 2016, Windows 10 + Chrome) Needs to track which type of sandbox it was run on and how that sandbox or virtual machine was configured / track the execution environment of where it was run, not just what it targets.  How the information as collected.  Where it was seen.  Where it will probably run Need to track the platform that these run on, some things are not applicable to certain platforms. DLLs on Linux, Android MMS on Windows. Need ability to search across data to find similar file creates across various runs of dynamic analysis under different configurations Static Analysis Has a lot of events that are really dynamic events. This is what it would do if/when it were to run Mutex for example might be based on computer name or GUID. Information can be derived from the execution environment. Same with filenames. This makes these more “Dynamic Events” Need to make a Communications Analysis/Events section and pull out all of the communication pieces. HTTP / HTTPS Network Requests IRC Raw Sockets UDP Network Flow Contacted IPs, etc.     Bret Attachment: STIX Core Design Principles.jpg Description: JPEG image