CTI STIX Subcommittee


Re: [cti-stix] CaRT Format for sending malware in STIX2

  • 1.  Re: [cti-stix] CaRT Format for sending malware in STIX2

    Posted 10-23-2017 16:16
    First of all, you should never trust Canadians, we're shifty. Joking aside, I read through this drop the other day, and it looks like it would have promise... (I would actually recommend reading about the whole assemblyline utility package - it is quite an interesting architecture for malware analysis!) If we used CaRT inside STIX, you may get into a chicken-and-the-egg scenario, since they actually talk about how you can use a STIX malware sample, inside CaRT, as the JSON header.

    -
    Jason Keirstead
    STSM, Product Architect, Security Intelligence, IBM Security Systems
    www.ibm.com/security

    Without data, all you are is just another person with an opinion - Unknown

    From:         "Katz, Gary CTR DC3\DCCI" <Gary.Katz.ctr@dc3.mil>
    To:         "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Date:         10/23/2017 12:22 PM
    Subject:         [cti-stix] CaRT Format for sending malware in STIX2
    Sent by:         <cti-stix@lists.oasis-open.org>

    Canada's CSE team released a tool called CaRT (Compressed and RC4 Transport) specifically for storing and transferring malware and associated metadata. It looks like a small useful tool and they have some documentation on how to use CaRT with STIX v2. Figured it was worth mentioning since we had been looking at how encryption needed to be handled to support transferring malware files. I've only performed a cursory glance at the tool, so I am not endorsing it or currently using it, just wanted to pass on the knowledge.

    https://bitbucket.org/cse-assemblyline/cart

    -Gary