cti cybox sc meeting november 19, 2015
CTI CybOX SC Meeting
www.oasis-open.org
November 19, 2015
Agenda
• Recent discussions recap
• Maturity spectrum / cti-stats discussion
• CybOX 3.0 roadmap update
• File object refactoring
• OASIS work product status & discussion
Recent Discussions
• Address object refactoring: splitting up the existing Address object into more “atomic” entities
• HashType refactoring: making it easier to capture common (e.g., MD5) hash values
• Observable revocation
Maturity Spectrum
http://cyboxproject.github.io/maturity-spectrum/
Three-tiered model for capturing the relative maturity of CybOX components:
• Semantic consensus
• Semantic completeness
• Existing use
Informed by cti-stats; used to inform our CybOX 3.0+ decisions:
• What should we focus on refactoring and improving now?
• What should we leave for later versions?
cti-stats I
http://cyboxproject.github.io/cti-stats/
Up-to-date statistics around usage of STIX and CybOX components (STIX entities and CybOX objects)

STIX Object         Count    Percentage
Campaign              101         0.02%
Course of Action       10         0.00%
Exploit Target         18         0.00%
Incident                3         0.00%
Indicator          497944        98.99%
Report                  0         0.00%
TTP                  4736         0.94%
Threat Actor          228         0.05%
cti-stats II

CybOX Object        Count    Percentage
Address            194400        30.24%
Artifact               48         0.01%
DomainName         194915        30.32%
EmailMessage         1515         0.24%
File                21928         3.41%
Hostname               13         0.00%
HTTPSession           185         0.03%
Link                  255         0.04%
Memory                 40         0.01%
Mutex                1332         0.21%
NetworkConnection      30         0.00%
PDFFile                 6         0.00%
Port                 3696         0.58%
URI                218889        34.05%
Whois                 539         0.08%
WinExecutableFile     551         0.09%
WinRegistryKey       4437         0.69%
cti-stats III
CybOX 3.0 Roadmap Update
• We’re considering merging CybOX Core and Common, in addition to performing any streamlining around them
  • They serve similar purposes
  • “Common” is only truly common to CybOX
• We want to avoid basing our refactoring on reductionist reasoning based on just the simple constructs in use today
• Therefore, in addition to the simpler Object types that we see in use in the wild today, we’ll select 3-5 additional, more complex Objects for refactoring
File Object Refactoring I
https://github.com/CybOXProject/schemas/wiki/CybOX-3.0:-File-Object-Refactoring
There are a number of existing issues with the File object and its subclasses:
• Conflation of generic file properties with those related to file systems and disk-level representation
• There are certain fields that may be specific to Windows and no other platforms
• There currently are LOTS of subclasses of the File object:
  • File
  • Archive File
  • Image File
  • PDF File
  • Unix File
  • Windows File
  • Windows Executable File
File Object Refactoring II
File Object Refactoring III

```json
{
  "hashes": [
    {"type": "md5", "hash_value": "3773a88f65a5e780c8dff9cdc3a056f3"}
  ],
  "size": 25537,
  "file_system_properties": {
    "file_name": {"delimiter": "/", "components": ["usr", "tmp", "foo.exe"]}
  },
  "extensions": [
    {"type": "EXT3FileExtension", "inode": "34483923"},
    {"type": "PEBinaryFileExtension", "exports": [{"name": "foo_app"}]}
  ]
}
```
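As an added example (not CybOX project code), a small Python parser for the refactored File object layout shown above: it validates the hash entries, rejoins the delimiter/components file name, looks up an extension by its type, and checks a locally observed file against the observable. The lowercase hash type names and digest lengths are assumptions, as is the undetermined rooting of the path.

```python
"""Parse and sanity-check a CybOX 3.0-style File object (added example, not CybOX code)."""
import json
import re

# Constructed sample: the refactored File object JSON from the slide above.
SAMPLE_FILE_OBJECT = """{ "hashes": [{"type": "md5", "hash_value": "3773a88f65a5e780c8dff9cdc3a056f3"}],
  "size": 25537,
  "file_system_properties": {"file_name": {"delimiter": "/", "components": ["usr", "tmp", "foo.exe"]}},
  "extensions": [{"type": "EXT3FileExtension", "inode": "34483923"},
                 {"type": "PEBinaryFileExtension", "exports": [{"name": "foo_app"}]}] }"""

# Assumption: lowercase hash type names, mapped to their hex digest length.
HASH_HEX_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}

def load_file_object(text):
    """Parse the JSON text into a dict."""
    return json.loads(text)

def validate_hashes(file_obj):
    """Return a list of problems with the 'hashes' array (empty list means OK)."""
    problems = []
    for h in file_obj.get("hashes", []):
        htype = str(h.get("type", "")).lower()
        value = str(h.get("hash_value", ""))
        expected = HASH_HEX_LENGTHS.get(htype)
        if expected is None:
            problems.append("unknown hash type %r" % htype)
        elif not re.fullmatch(r"[0-9a-fA-F]{%d}" % expected, value):
            problems.append("%s value %r is not %d hex digits" % (htype, value, expected))
    return problems

def file_path(file_obj):
    """Rejoin the delimiter/components split into one path string.
    The slide does not say whether the path is rooted, so no leading delimiter is added."""
    name = file_obj["file_system_properties"]["file_name"]
    return name["delimiter"].join(name["components"])

def extension(file_obj, ext_type):
    """Return the first 'extensions' entry whose 'type' matches, or None."""
    return next((e for e in file_obj.get("extensions", []) if e.get("type") == ext_type), None)

def matches_observed(file_obj, observed):
    """Defender-side check: 'observed' is a dict of hash type -> hex digest plus 'size'
    for a file seen locally; any listed hash must match and size must agree when present."""
    for h in file_obj.get("hashes", []):
        if observed.get(h["type"].lower(), "").lower() == h["hash_value"].lower():
            size = file_obj.get("size")
            return size is None or size == observed.get("size")
    return False
```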
OASIS Work Product Update
• CybOX 2.1.1: 40 specifications out of 94 reviewed and edited
  https://github.com/CybOXProject/specifications/tree/master/documents
• ETA: Late November/Early December
• Next meeting: December 10th-20th?