oasis-tcs / cti-stix2 Goto Github PK
View Code? Open in Web Editor NEWOASIS CTI TC: Provides issue tracking and wiki pages for the STIX 2.x Work Products
Home Page: https://github.com/oasis-tcs/cti-stix2
License: Other
OASIS CTI TC: Provides issue tracking and wiki pages for the STIX 2.x Work Products
Home Page: https://github.com/oasis-tcs/cti-stix2
License: Other
The addition of capabilities to STIX 2.0 to capture text in multiple languages.
Work area: https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4
Capabilities required to capture multiple languages for content in STIX. Translatable content includes text strings (name, description) and potentially open vocabularies.
We should add a new parent_directory_ref property to the Directory Object, for specifying the parent directory of a directory. We already have a very similar parent_directory_ref property on the File Object.
The src_ref and dst_ref properties in Network Traffic have descriptions that refer to a list, but the property itself is a single value. The description should be corrected.
In part 4, section 2.7.6.3: all properties of windows-pe-optional-header-type are optional. We should add a normative statement that says at least one property should be populated.
https://lists.oasis-open.org/archives/cti-comment/201705/msg00005.html
Dictionary keys in the hashes
property on the File Object MUST come from the hash-algorithm-ov
. Clarifying text added to 2.1, Part 4 in suggestion mode.
The development of one or more SDOs to capture incident and event information.
Work area: Working Concepts
The capture of information related to internal security events, internal security incidents, and external security-relevant events.
The service_name
property in the Windows Service Extension of the Process Object (Part 4, §2.13.3) is currently required. To support additional use cases, such as capturing malware configuration parameters (without the service name), we should make it optional.
Jason pointed out that we're missing a way of describing Windows named pipes, so we likely need to add a new Windows Named Pipe Observable Object to do so.
Currently, the user_id
property is required in the User Account Object (Part 4, §2.16). To support use cases such as capturing a password used by malware (embedded as a configuration parameter) without a corresponding user ID, we should consider making this property optional.
Jason brought up some questions around network shares and patterning:
I think the main implication here is that we'd need a new Network Share Cyber Observable Object.
Enhanced malware capabilities will create enhancements to STIX (new objects, new properties on existing objects) to capture more in-depth malware analysis information. The intent is to capture much or all of the information that is currently expressable in MAEC directly in STIX.
Still being determined.
The Infrastructure object would capture information about adversary infrastructure, such as command and control servers, download sites, e-mail delivery, etc.
Still being determined.
Still being determined.
Jason pointed out that we currently can't characterize whether some network traffic was denied/blocked access or allowed in the Network Traffic Cyber Observable Object.
Allan has suggested adding first_seen
and last_seen
fields (both optional, presumably) to the relationship object. This would let you track, for example, the time period when a malware
object was used-by
an intrusion-set
.
Many relationships are only valid for some time period...for example, malware may only be used by a threat actor for some period of time. Optional valid_from and valid_to properties would let you capture that, when relevant.
Per CSDPR02#6 (https://docs.google.com/spreadsheets/d/1YOPONeKzc6Uu1A1MS3WkICG26LKLQOWdr-KBDzM8K6Y/edit#gid=5055878), the TC should define further normative rules for referencing external IDs (e.g., CAPEC, LMCO kill chain phase names).
TODO:
The following sectors are not mentioned in the industry-sector-ov:
the term Sector could be omitted
There are a few missing entries in the current Malware Label Vocabulary, so I propose that we expand the current vocabulary with the following:
Value | Description |
---|---|
downloader | A small trojan file programmed to download and execute other files, usually more complex malware. |
wiper | A piece of malware whose primary aim is to delete files or entire disks on a machine. |
unknown | There is not enough information available to determine the type of malware. |
webshell | A malicious script used by an attacker with the intent to escalate and maintain persistent access on an already compromised web application. |
Oh, and the 'unknown' value is necessary because the labels
property is required and there are cases when you may not know the "type" of malware being characterized.
Jason pointed out that we currently can't characterize signed vs. unsigned processes and drivers in Cyber Observables. For processes, this would mean adding a new property to the Process Cyber Observable Object. For drivers, we'd have to add a new Cyber Observable Object.
I think I am looking at an incorrect link in table 2.5.1 of "STIX Version 2.1 - Part 2 - WD01". This is the property table for the Indicator object. The link is called "STIX™ Version 2.0. Part 5: STIX Patterning" but it doesn't go to the Patterning specification like I think it should.
It has been pointed out that our current encryption-algo-ov is missing some key values, so we should consider expanding it with the following (as a minimum):
AES-192, AES-256, RC4, RC5, RC6
Jason pointed out that we're missing a way of describing windows scheduled task, so we likely need to add a new Windows Scheduled Task Cyber Observable Object to do so.
The name
property on the Windows Registry Value Type (Part 3, §2.17.2) is currently required. In order to support additional use cases, such as capturing malware configuration parameters, we should make it optional.
Enhanced course of action capabilities includes things like automated COAs (OpenC2, others), extra impact statements, and playbook-type capabilities.
Note: this issue may be split in the future
Still being determined.
Still being determined.
Still being determined.
In the “Basic Stream Socket” socket-ext example: is_listening should be a boolean, not a string.
In STIX 2.0, marking definitions cannot be versioned.
Allan Thomson has suggested allowing versioning of them. The idea is that it would reduce network traffic and that the end result is the same.
I've heard two sets of requests:
description
field on observable objectslabels
and description
on observable objectsWe should allow some marking definitions to be referenced in an external document like TOU and other Statement documents. To do this, we will also need to add a hash to make sure that nothing gets changed out from underneath the consumers.
In STIX 2.0, artifact objects are limited to 10MB. This was done to prevent parsers, which sometimes can't handle bigger files, from choking on the JSON. Discussion on Slack and the mailing list suggests that it might be fine to just remove the limit, because many parsers are able to deal with larger files. Removing the limit would then allow for the submission of larger files directly in STIX (vs. via URL).
If we don't remove the limit we should at least properly define it as either 1024 x 1024 (MiB) or the "correct" 1000 x 1000.
Jason pointed out that we're missing the ability to characterize the access level/integrity level granted to a process in the Cyber Observable Process Object. I'm not sure if this makes sense to add to the base object, or if this is something Windows-specific and would need a new extension.
Now that some of the STIX objects are using the dictionary type, we need to move the definition of it from part 3 to part 1.
During 2.0 development there was a view that we should just use labels to track the object classification data, like indicator type, report type, malware type, etc.. On the surface and at the time, this seemed like a good thing to do.
The problem I am seeing now is that I have no way of distinguishing in an automated way the content in the labels property. Meaning, are the values extra entries to the open-vocab or are they just extra user-defined tags? As such I have no way to pivot off this data because I do not know what type of data it represents.
I would propose for those few objects that we either move the object type classification out of labels, or that we make a new property called tags and change the text to say user defined "tagging" goes in tags and the object classification/type information goes in labels.
The development of capabilities in STIX to capture a producer's confidence in the data that they create.
Work area:
N/A
Slack: #confidence
Whatever is necessary to capture producer's confidence in the data that they create. It does not include expressing confidence in another producer's data or confidence in producers.
It's also scoped to only confidence at the STIX Object level - not on individual fields.
While writing tests to support the LanguageContent object I found myself with a problem using the contents
dictionary. I saw RFC5646 supports language tags longer than 2 characters, but the STIX specs mandate 3 or more for keys in a dictionary. The examples found in the document use language tags that are too short. Will this mean that producers need to provide a more specific language tag?
Affects: Section 2.2 Dictionary
Should there be an exception to this MUST requirement or remove the requirement completely?
The Admirality scale we used for the confidence mappings has an item called "(Not present)" for "Truth cannot be judged". The intent was that the property is omitted, but that isn't really clear.
Some of the other scales say "Not specified", which also isn't consistent. This isn't a normative change, just a clarification to text.
Per CSDPR01#20 (https://docs.google.com/spreadsheets/d/1TCNdwL9o4lbblsIlDfeV0mHsBVGMdbFgwp95dhLLfaI/edit#gid=5055878), the community should consider adding a relationship from an indicator to a vulnerability saying that the indicator "indicates" the vulnerability.
The development of capabilities in STIX to capture the location of STIX Objects.
Work area:
Slack: #location
Any capabilities necessary to represent location information for STIX objects.
RFE to implement the Classification proposal as in the playground document. This proposal would allow threat intelligence vendors to indicate the "known good" as well as the bad.
Note, I do not care what the name is. I just can not come up with a good name.
There are a few examples in Part 5, STIX Patterning that are missing quotes around object path components that use dashes ("-").
Here are the fixed versions:
Section 5.2
file:extensions.'windows-pebinary-ext'.sections[*].entropy > 7.0
Section 5.3
file:extensions.'raster-image-ext'.image_height
Section 6
[file:extensions.'windows-pebinary-ext'.sections[*].entropy > 7.0]
@chrisr3d (from CIRCL) proposed making the value
property on the Email Address object (STIX 2.0, Part 4, §2.5) optional to accommodate cases where folks want to share information about the intended target of a spear-phishing campaign specifying the email display name but omitting the actual email address of the intended victim.
The proposal would be to make the value
property optional and add normative text that at least one of value
or display_name
MUST be present.
Jason had some confusion with regards to the process image name vs filename vs command line on the Cyber Observable Process Object and when you'd use each, so we should try to clarify the descriptions of these properties as necessary.
Hi All,
"pattern" property of "indicator" could support STIX, YARA, Snort, OpenIOC, etc. with "pattern_lang" property in earlier draft version of STIX 2.0.
But, current draft support only STIX.
I think the former is better because it can support more wide use cases, specifically, legacy(not STIX) but commonly used nowadays such as YARA, Snort, OpenIOC.
They are almost "de facto" standard still now.
I hope STIX 2 should have comprehensiveness.
Let's re-think our earlier decision.
In STIX 2.0, there is a relationship from Malware to Vulnerability named "targets". For STIX 2.1, we recommend replacing this with a new relationship of "exploits" that is semantically clearer and less ambiguous.
As discussed on Slack, being able to mark Malware SDO objects as benign would allow the sharing of false-positive sandbox analysis results.
The Intel Note object would allow information sources to add intelligence notes to objects created both by themselves and by others. For example, a comment with more information could be added to an existing object.
The intel note object will be scoped to only capture notes about STIX Objects (not fields in objects).
Propose a default value (from the open vocabulary) when a label is required on a SDO.
At the very end of the 2.0 development and editorial process it was brought up that there was no way to verify the external references content that you were pointing to in the url field. The TC decided that we should try and solve that for 2.0. We noticed that we had this "hashes" type in cyber observables, so we just used that, without any real thought to the implementation.
The hashes type is a dictionary where the key is pulled from an open-vocab. As I have written a tool to handle this now, I have found it near impossible to do anything with this. The problem comes from variability in the data. There is nothing you can count on. As an implementer you will need to add library support for every known type of hashing algorithm that is in the open-vocab and then try to figure out what to do with something that is not in the open-vocab but that a user just adds.
This makes interoperability very painful and difficult. It also adds enormous unnecessary complexity on code.
I would like to propose that we make a breaking change, and change this to a "string" type and say in the description that the type for this release MUST be SHA256.
Per CSDPR02#7 (https://docs.google.com/spreadsheets/d/1YOPONeKzc6Uu1A1MS3WkICG26LKLQOWdr-KBDzM8K6Y/edit#gid=5055878), any time there's a first_* timestamp and a last_* timestamp, we should add a normative requirement saying that the first_ timestamp MUST be before the last_ timestamp.
I noticed that the examples in Part 5, Section 5 are not valid Observation Expressions, since they're missing their opening/closing brackets. We should fix this - I've already made the corresponding changes in STIX 2.1 Part 5.
The Opinion object would allow information creators to assert their opinion about objects created by other producers.
The opinion object will be scoped to only capture opinions about STIX Objects (not fields in objects).
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.