Keep in mind that "Exploit" != "Exploit Target". Within TTP, there's a placeholder "ExploitType" that's intended to characterize actual exploits. We don't really have a good way to do that now so it's pretty bare. There's a separate "ExploitTargetType" as a top-level construct that can represent vulnerabilities, configurations, and weaknesses. That construct does indeed have a CVE_ID field.
So…exploit = representation of the actual exploit code that exploits a vulnerability. Exploit target = representation of the vulnerability that is or might be the target of an exploit.
John
From: cti@lists.oasis-open.org on behalf of Rich Piazza <rpiazza@mitre.org>
Date: Sunday, February 7, 2016 at 5:07 PM
To: Beth Pumo <beth.pumo@kp.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: RE: [cti] Public review comments from Kaiser Permanente for STIX V1.2.1
I think the "best practices" way of expressing what you want is to have the TTP be related to an Exploit_Target that describes the CVE, including its ID.
Also, notice that the ttp:ExploitType isn't fully specified - from the specs:
The ExploitType class is intended to be extended to enable the structured description of an exploit instance. However, no extension is provided by STIX v1.2.1; producers wanting to represent structured exploit instance information are encouraged to develop such an extension.
-----Original Message-----
From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Beth Pumo
Sent: Friday, February 05, 2016 3:52 PM
To: cti@lists.oasis-open.org
Subject: [cti] Public review comments from Kaiser Permanente for STIX V1.2.1
Comment on this area: STIX Part 5, TTP, Section 3.2.3.1 ExploitType Class: Should CVE_ID be included, considering CAPEC_ID is included for AttackPatternType?
Basically, the default extensions for similar classes include attributes for similar ID types. Example: the Exploit Target data model WeaknessType class contains CWE_ID. It should be useful to include an (optional) attribute for CVE numbers on Exploits, if the CVE numbers are known.