cti cybox sc meeting november 19, 2015

Post on 17-Jan-2018


CTI CybOX SC Meeting

www.oasis-open.org

November 19, 2015


Agenda

• Recent discussions recap
• Maturity spectrum/cti-stats discussion
• CybOX 3.0 roadmap update
• File object refactoring
• OASIS work product status & discussion

Recent Discussions

• Address object refactoring: splitting up the existing Address object into more “atomic” entities
• HashType refactoring: making it easier to capture common (e.g., MD5) hash values
• Observable revocation

Maturity Spectrum

http://cyboxproject.github.io/maturity-spectrum/

• Three-tiered model for capturing the relative maturity of CybOX components: semantic consensus, semantic completeness, existing use
• Informed by cti-stats
• Used to inform our CybOX 3.0+ decisions: what should we focus on refactoring and improving now? What should we leave for later versions?

cti-stats I

http://cyboxproject.github.io/cti-stats/

Up-to-date statistics around usage of STIX and CybOX components (STIX entities and CybOX objects).

STIX Objects        Count   Percentage
Campaign              101        0.02%
Course of Action       10        0.00%
Exploit Target         18        0.00%
Incident                3        0.00%
Indicator          497944       98.99%
Report                  0        0.00%
TTP                  4736        0.94%
Threat Actor          228        0.05%

cti-stats II

CybOX Objects       Count   Percentage
Address            194400       30.24%
Artifact               48        0.01%
DomainName         194915       30.32%
EmailMessage         1515        0.24%
File                21928        3.41%
Hostname               13        0.00%
HTTPSession           185        0.03%
Link                  255        0.04%
Memory                 40        0.01%
Mutex                1332        0.21%
NetworkConnection      30        0.00%
PDFFile                 6        0.00%
Port                 3696        0.58%
URI                218889       34.05%
Whois                 539        0.08%
WinExecutableFile     551        0.09%
WinRegistryKey       4437        0.69%

cti-stats III

CybOX 3.0 Roadmap Update

• We’re considering merging CybOX Core and Common, in addition to performing any streamlining around them:
  • They serve similar purposes
  • “Common” is only truly common to CybOX
• We want to avoid basing our refactoring on reductionist reasoning based on just the simple constructs in use today
• Therefore, in addition to the simpler Object types that we see in use in the wild today, we’ll select 3-5 additional, more complex Objects for refactoring

File Object Refactoring I

https://github.com/CybOXProject/schemas/wiki/CybOX-3.0:-File-Object-Refactoring

There are a number of existing issues with the File object and its subclasses:

• Conflation of generic file properties with those related to file systems and disk-level representation
• There are certain fields that may be specific to Windows and no other platforms
• There currently are LOTS of subclasses of the File object:
  • File
  • Archive File
  • Image File
  • PDF File
  • Unix File
  • Windows File
  • Windows Executable File

File Object Refactoring II

File Object Refactoring III

    {
      "hashes": [
        {"type": "md5", "hash_value": "3773a88f65a5e780c8dff9cdc3a056f3"}
      ],
      "size": 25537,
      "file_system_properties": {
        "file_name": {
          "delimiter": "/",
          "components": ["usr", "tmp", "foo.exe"]
        }
      },
      "extensions": [
        {"type": "EXT3FileExtension", "inode": "34483923"},
        {"type": "PEBinaryFileExtension", "exports": [{"name": "foo_app"}]}
      ]
    }
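The slide above shows a File object in the proposed CybOX 3.0 shape: generic properties (hashes, size), file-system properties (a path as delimiter plus components) and per-platform or per-format extensions are kept apart, and each hash is typed as the HashType refactoring intends. The following is an added example, not code from the CybOX project or from this deck: a small Python validator and normaliser for that shape. The accepted hash types and their digest lengths, the rule that a path component may not contain the delimiter, the rule that each extension type appears once, and the function names are this example's own assumptions; the sample object is the slide's JSON, embedded inline.

```python
"""Validate and normalise a File object in the proposed CybOX 3.0 shape.

Added example, not code from the CybOX project. Field names follow the slide's
JSON; the checks below (hash digest lengths, delimiter rule, unique extension
types) are this example's own assumptions about what a consumer should enforce.
"""
import json
import re

# Hex-digest lengths for the common hash types the HashType refactoring aims to
# make easy to capture. Assumption: type names compare case-insensitively.
HASH_HEX_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}

# Constructed sample input: the File object from the slide.
SAMPLE = json.loads("""
{
  "hashes": [{"type": "md5", "hash_value": "3773a88f65a5e780c8dff9cdc3a056f3"}],
  "size": 25537,
  "file_system_properties": {
    "file_name": {"delimiter": "/", "components": ["usr", "tmp", "foo.exe"]}
  },
  "extensions": [
    {"type": "EXT3FileExtension", "inode": "34483923"},
    {"type": "PEBinaryFileExtension", "exports": [{"name": "foo_app"}]}
  ]
}
""")


def validate_hashes(file_obj):
    """Return {hash_type: lowercase_hex} after checking that each value is a
    correctly sized hex digest; reject unknown types and duplicate types."""
    out = {}
    for h in file_obj.get("hashes", []):
        htype = h["type"].lower()
        value = h["hash_value"].lower()
        expected = HASH_HEX_LENGTHS.get(htype)
        if expected is None:
            raise ValueError(f"unsupported hash type {h['type']!r}")
        if not re.fullmatch(rf"[0-9a-f]{{{expected}}}", value):
            raise ValueError(f"{htype} value {h['hash_value']!r} is not {expected} hex digits")
        if htype in out:
            raise ValueError(f"duplicate {htype} hash")
        out[htype] = value
    return out


def file_path(file_obj):
    """Rebuild the path string from the delimiter/components representation.
    The slide's form does not say whether the path is rooted, so no leading
    delimiter is added. A component containing the delimiter would make the
    split ambiguous, so it is rejected (assumption)."""
    name = file_obj.get("file_system_properties", {}).get("file_name")
    if name is None:
        return None
    delim, comps = name["delimiter"], name["components"]
    if not comps or any(delim in c for c in comps):
        raise ValueError("path components are empty or contain the delimiter")
    return delim.join(comps)


def extensions_by_type(file_obj):
    """Index extensions by their 'type' discriminator; each type may appear once."""
    idx = {}
    for ext in file_obj.get("extensions", []):
        etype = ext["type"]
        if etype in idx:
            raise ValueError(f"duplicate extension {etype}")
        idx[etype] = {k: v for k, v in ext.items() if k != "type"}
    return idx


def summarize(file_obj):
    """Normalised view with generic properties, path and extensions kept apart."""
    return {
        "hashes": validate_hashes(file_obj),
        "size": file_obj.get("size"),
        "path": file_path(file_obj),
        "extensions": extensions_by_type(file_obj),
    }


def is_well_formed(file_obj):
    """True if summarize() accepts the object, False if any check fails."""
    try:
        summarize(file_obj)
    except (ValueError, KeyError, TypeError):
        return False
    return True


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE), indent=2))
```

Running the module prints the normalised view of the slide's object. The point of keeping the three groups of properties separate in the consumer, as in the proposed schema, is that a file observed on an EXT3 volume and the same file parsed as a PE binary share one set of generic properties (hash, size) while the inode and the export table stay in their own extensions, so a later platform can be added without another File subclass.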

OASIS Work Product Update

• CybOX 2.1.1: 40 specifications out of 94 reviewed and edited
  https://github.com/CybOXProject/specifications/tree/master/documents
• ETA: Late November/Early December

Next meeting December 10th-20th?
