OASIS Cyber Threat Intelligence (CTI) TC

Comment on this area: STIX Part 5, TTP, Section 3.2.3.1 ExploitType Class: Should CVE_ID be included, considering CAPEC_ID is included for AttackPatternType? Basically, the default extensions for similar classes include attributes for similar ID types. Example: the Exploit Target data model WeaknessType class contains CWE_ID. It should be useful to include an (optional) attribute for CVE numbers on Exploits, if the CVE numbers are known.

I think the "best practices" way of expressing what you want, it to have the TTP be related to an Exploit_Target that describes the CVE, including its ID.
 
Also, notice that the ttp:ExploitType isn't fully specified - from the specs:
 
The ExploitType class is intended to be extended to enable the structured description of an exploit instance.  However, no extension is provided by STIX
v 1.2.1; producers wanting to represent structured exploit instance information are encouraged to develop such an extension.
 

Original Message-----

From: cti@lists.oasis-open.org [ mailto:cti@lists.oasis-open.org ] On Behalf Of Beth Pumo

Sent: Friday, February 05, 2016 3:52 PM

To: cti@lists.oasis-open.org

Subject: [cti] Public review comments from Kaiser Permanente for STIX V1.2.1
 
Comment on this area: STIX Part 5, TTP, Section 3.2.3.1 ExploitType Class: Should CVE_ID be included, considering CAPEC_ID is included for AttackPatternType?
 
Basically, the default extensions for similar classes include attributes for similar ID types. Example: the Exploit Target data model WeaknessType class contains CWE_ID. It should be useful to include an (optional) attribute for CVE numbers on Exploits,
if the CVE numbers are known.
 

Keep in mind that “Exploit" != "Exploit Target". Within TTP, there’s a placeholder “ExploitType” that’s intended to characterize actual exploits. We don’t really have a good way to do that now so it’s pretty bare. There’s a separate “ExploitTargetType”
as a top-level construct that can represent vulnerabilities, configurations, and weaknesses. That construct does indeed have a CVE_ID field.




So…exploit = representation of the actual exploit code that exploits a vulnerability. Exploit target = representation of the vulnerability that is or might be the target of an exploit.


John




From: < cti@lists.oasis-open.org > on behalf of Rich Piazza < rpiazza@mitre.org >
Date: Sunday, February 7, 2016 at 5:07 PM
To: Beth Pumo < beth.pumo@kp.org >, " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
Subject: RE: [cti] Public review comments from Kaiser Permanente for STIX V1.2.1







I think the "best practices" way of expressing what you want, it to have the TTP be related to an Exploit_Target that describes the CVE, including its ID.
 
Also, notice that the ttp:ExploitType isn't fully specified - from the specs:
 
The ExploitType class is intended to be extended to enable the structured description of an exploit instance.  However, no extension is provided by STIX
v 1.2.1; producers wanting to represent structured exploit instance information are encouraged to develop such an extension.
 

Original Message-----
From: cti@lists.oasis-open.org [ mailto:cti@lists.oasis-open.org ] On Behalf Of Beth Pumo
Sent: Friday, February 05, 2016 3:52 PM
To: cti@lists.oasis-open.org
Subject: [cti] Public review comments from Kaiser Permanente for STIX V1.2.1
 
Comment on this area: STIX Part 5, TTP, Section 3.2.3.1 ExploitType Class: Should CVE_ID be included, considering CAPEC_ID is included for AttackPatternType?
 
Basically, the default extensions for similar classes include attributes for similar ID types. Example: the Exploit Target data model WeaknessType class contains CWE_ID. It should be useful to include an (optional) attribute for CVE numbers on Exploits,
if the CVE numbers are known.