CybOX 3.0: Object Selection
Given that CybOX 3.0 is a major release, we'd like to ensure that the Objects that make it into the release are viable and free of issues (as much as possible). This means that each Object from the CybOX 2.1 release that makes it into 3.0 may require significant refactoring (some of which has already been discussed, such as for the Address and File).
Accordingly, there is a need to define the set of Objects that will be part of the minimum viable product (MVP). This is particularly crucial because we need to properly scope CybOX 3.0 if we hope to have the release in the mid-summer period; as such, determining the set of CybOX Objects that make it into this release is paramount.
Besides possible refactoring, each Object that makes it into CybOX 3.0 will require the following:
- A specification, with substantive documentation about the Object and its fields (more than currently exists in many cases)
- A JSON Schema serialization
- API support (specifics TBD)
Beyond this, the set of CybOX Objects included in the 3.0 release has further implications, including:
- Notionally, each user that claims to support CybOX 3.0 must also support the entire Object set. Thus, a smaller set of Objects would make it easier to fully implement CybOX 3.0.
- Each Object may have its own set of semantics with regards to CybOX-based patterning (e.g., in STIX Indicators), which would need to be defined somewhere.
The "Existing Objects" approach is based on the principle of carrying over ALL existing CybOX Objects, unless they have major issues identified for them AND are not being used by the community (based on CTI-stats).
- (+) We don't have perfect visibility into the Objects that are being used, so this approach makes it much less likely that we fail to include an Object that a community member needs.
- (-) Given the large number of Objects included, odds are we won't be able to refactor and tweak each one. Accordingly, some Objects with issues (known or unknown) will make it into the release.
- (-) This approach requires a much more significant amount of work for creating the JSON Schemas, writing documentation, etc., again simply because of the large number of Objects included.
Accordingly, this would entail carrying over everything except for the following currently identified Objects:
- Network Packet
- Network Flow
- User Session
Totals
- Included Objects: 85
- Not Included Objects: 3
The "green-field" approach is more radical and is based on the principle of carrying over only the existing CybOX Objects that are:
- Known to be used today
  - Concrete, verifiable proof based on the two biggest users of CybOX today
- Free of major issues
Also, it's important to note that if a group identifies an object that they really need and can contribute the time/effort to refactor it, we would be willing to include it as part of this approach.
- (+) The Object set is much more constrained, making it more likely that we'll be able to refactor and tweak each Object as necessary.
- (+) There will be less work required to create the JSON schemas, documentation, etc., simply based on the smaller number of Objects that are included.
- (-) We don't have perfect visibility into the Objects that are being used, so there is a chance that we fail to include an Object that a community member needs.
Object | Inclusion | Comments | UML Classes/Enums |
---|---|---|---|
Account | No | No known usage in CTI-stats or MAEC. | 3/2 |
Address | Yes | Widely used, as reported in CTI-stats. | 1/1 |
API | Yes | Used in the Cuckoo Sandbox MAEC output module; no known use elsewhere. | 1/0 |
Archive File | Yes | No known usage in CTI-stats or MAEC; however, will likely be included as part of the refactored File Object. | 2/1 |
ARPCache | No | No known usage in CTI-stats or MAEC. | 3/1 |
Artifact | Yes | Some known usage, as reported in CTI-stats. | 6/1 |
AS | Maybe | No known usage in CTI-stats or MAEC; however, it may be necessary for the refactored Network Connection Object (Source_ASN/Destination_ASN). | 1/0 |
Code | Maybe | Used in MAEC for capturing code snippets associated with a malware instance. | 7/4 |
Custom | Maybe | No known usage, but given the nature of the Object (as a custom set of key/value pairs), it would likely make sense to include. | 1/0 |
Device | Maybe | No known usage in CTI-stats or MAEC. Requested for possible inclusion by COA WG. | 1/0 |
Disk Partition | Maybe | No known usage in CTI-stats or MAEC. Requested for possible inclusion by COA WG. | 2/1 |
DNS Cache | No | No known usage in CTI-stats or MAEC. | 2/0 |
DNS Query | Yes | Used in the Cuckoo Sandbox MAEC output module; no known use elsewhere. | 4/1 |
DNS Record | Yes | No known separate usage, but used as a key component of the DNS Query Object. | 1/0 |
Domain Name | Yes | Widely used, as reported in CTI-stats. | 1/1 |
Email Message | Yes | Widely used, as reported in CTI-stats. | 9/0 |
File | Yes | Widely used, as reported in CTI-stats. | 11/2 |
GUI Dialog Box | No | No known usage in CTI-stats or MAEC. | 1/0 |
GUI Window | Yes | Used in the Cuckoo Sandbox MAEC output module; no known use elsewhere. | 1/0 |
GUI | Yes | No known separate usage, but defined as the parent class of the GUI Window (and Dialog Box) Objects. | 1/0 |
Hostname | Yes | Some known usage, as reported in CTI-stats. | 1/0 |
HTTP Session | Yes | Some known usage, as reported in CTI-stats. | 13/1 |
Image File | Yes | No known usage in CTI-stats or MAEC; however, will likely be included as part of the refactored File Object. | 2/1 |
Library | Yes | Used in several MAEC utilities, including the Cuckoo Sandbox MAEC output module, and ThreatExpert to MAEC. | 2/1 |
Link | Yes | Some known usage, as reported in CTI-stats. | 1/0 |
Linux Package | No | No known usage in CTI-stats or MAEC. | 1/0 |
Memory | Yes | Some known usage, as reported in CTI-stats. | 2/1 |
Mutex | Yes | Widely used, as reported in CTI-stats. | 1/0 |
Network Connection | Yes | Some known usage, as reported in CTI-stats. | 4/3 |
Network Flow | No | No known usage in CTI-stats or MAEC. | 48/7 |
Network Packet | No | No known usage in CTI-stats or MAEC; several known issues. | 92/14 |
Network Route Entry | No | No known usage in CTI-stats or MAEC. | 3/1 |
Network Route | No | No known usage in CTI-stats or MAEC. | 2/0 |
Network Socket | Yes | Used in the Cuckoo Sandbox MAEC output module; no known use elsewhere. | 6/4 |
Network Subnet | No | No known usage in CTI-stats or MAEC. | 2/0 |
PDF File | Yes | Some known usage, as reported in CTI-stats. | 20/2 |
Pipe | Yes | Used in several MAEC utilities, including the Cuckoo Sandbox MAEC output module, and Anubis to MAEC. | 1/0 |
Port | Yes | Widely used, as reported in CTI-stats. | 1/0 |
Process | Yes | Used in several MAEC utilities, including the Cuckoo Sandbox MAEC output module, Anubis to MAEC, and ThreatExpert to MAEC. | 7/0 |
Product | Maybe | No known usage in CTI-stats or MAEC. Requested for possible inclusion by COA WG. | 1/0 |
Semaphore | Maybe | No known usage in CTI-stats or MAEC. Requested for possible inclusion by a community member. | 1/0 |
SMS Message | Maybe | No known usage in CTI-stats or MAEC. Requested for possible inclusion by community members. | 1/0 |
Socket Address | Yes | No known separate usage, but used as one of the key components of the Network Connection Object. | 1/0 |
System | Yes | Used in MAEC for defining the system(s) on which malware analysis was performed, and also used in the Cuckoo Sandbox MAEC output module. | 11/2 |
Unix File | No | No known usage in CTI-stats or MAEC. | 3/1 |
Unix Network Route | No | No known usage in CTI-stats or MAEC. | 1/0 |
Unix Pipe | No | No known usage in CTI-stats or MAEC. | 1/0 |
Unix Process | No | No known usage in CTI-stats or MAEC. | 4/1 |
Unix User Account | No | No known usage in CTI-stats or MAEC. | 3/0 |
Unix Volume | No | No known usage in CTI-stats or MAEC. | 1/0 |
URI | Yes | Widely used, as reported in CTI-stats. | 1/1 |
URL History | No | No known usage in CTI-stats or MAEC. | 2/0 |
User Account | Maybe | No known usage in CTI-stats or MAEC. Requested for possible inclusion by COA WG. | 5/0 |
User Session | Maybe | No known usage in CTI-stats or MAEC; has major issues. Requested for possible inclusion by COA WG. | 1/0 |
Volume | No | No known usage in CTI-stats or MAEC. | 4/1 |
WhoIS | Yes | Some known usage, as reported in CTI-stats. | 9/3 |
Win Computer Account | No | No known usage in CTI-stats or MAEC. | 5/0 |
Win Critical Section | No | No known usage in CTI-stats or MAEC. | 1/0 |
Win Driver | Yes | Used in several MAEC utilities, including Anubis to MAEC, and ThreatExpert to MAEC. | 3/0 |
Win Event Log | No | No known usage in CTI-stats or MAEC. | 2/0 |
Win Event | No | No known usage in CTI-stats or MAEC. | 2/1 |
Win Executable File | Yes | Some known usage, as reported in CTI-stats. | 28/3 |
Win Filemapping | No | No known usage in CTI-stats or MAEC. | 3/2 |
Win File | No | No known usage in CTI-stats or MAEC. | 5/1 |
Win Handle | Yes | Used in the Cuckoo Sandbox MAEC output module; no known use elsewhere. | 3/1 |
Win Hook | No | No known usage in CTI-stats or MAEC. | 2/1 |
Win Kernel Hook | Yes | Used in several MAEC utilities, including the Cuckoo Sandbox MAEC output module, and ThreatExpert to MAEC. | 2/1 |
Win Kernel | No | No known usage in CTI-stats or MAEC. | 5/0 |
Win Mailslot | No | No known usage in CTI-stats or MAEC. | 1/0 |
Win Memory Page Region | No | No known usage in CTI-stats or MAEC. | 4/2 |
Win Mutex | Yes | Used in several MAEC utilities, including the Cuckoo Sandbox MAEC output module, Anubis to MAEC, and ThreatExpert to MAEC. | 1/0 |
Win Network Route Entry | No | No known usage in CTI-stats or MAEC. | 3/2 |
Win Network Share | Yes | Used in the ThreatExpert to MAEC utility. | 3/1 |
Win Pipe | Yes | Used in the Cuckoo Sandbox MAEC output module; no known use elsewhere. | 1/0 |
Win Prefetch | No | No known usage in CTI-stats or MAEC. | 4/0 |
Win Process | Yes | Used in several MAEC utilities, including the Cuckoo Sandbox MAEC output module, Anubis to MAEC, and ThreatExpert to MAEC. | 3/0 |
Win Registry Key | Yes | Widely used, as reported in CTI-stats. | 6/2 |
Win Semaphore | Maybe | No known usage in CTI-stats or MAEC. Requested for possible inclusion by a community member. | 1/0 |
Win Service | Yes | Used in several MAEC utilities, including the Cuckoo Sandbox MAEC output module, Anubis to MAEC, and ThreatExpert to MAEC. | 5/3 |
Win System | Yes | No known usage in CTI-stats or MAEC; however, likely to be included as part of the broader device/system refactoring. | 3/0 |
Win System Restore | No | No known usage in CTI-stats or MAEC. | 3/1 |
Win Task | No | No known usage in CTI-stats or MAEC. | 14/6 |
Win Thread | Yes | Used in the Cuckoo Sandbox MAEC output module; no known use elsewhere. | 2/1 |
Win User Account | No | No known usage in CTI-stats or MAEC. | 3/0 |
Win Volume | No | No known usage in CTI-stats or MAEC. | 4/2 |
Win Waitable Timer | No | No known usage in CTI-stats or MAEC. | 2/1 |
X509 Certificate | Maybe | No known usage in CTI-stats or MAEC; however, it is supported in the X509 to CybOX utility. | 8/0 |
Totals
- Included Objects: 41
- Possibly Included Objects: 10
- Not Included Objects: 37