
CybOX 3.0: Object Selection

Ivan Kirillov edited this page Feb 10, 2016 · 44 revisions

Given that CybOX 3.0 is a major release, we'd like to ensure that the Objects that make it into the release are viable and as free of issues as possible. This means that each Object from the CybOX 2.1 release that makes it into 3.0 may require significant refactoring (some of which has already been discussed, such as for the Address and File Objects).

Accordingly, there is a need to define the set of Objects that will be part of the minimum viable product (MVP). This is particularly crucial because we need to properly scope CybOX 3.0 if we hope to have the release in the mid-summer period; as such, determining the set of CybOX Objects that make it into this release is paramount.

Work Product Implications

Besides possible refactoring, each Object that makes it into CybOX 3.0 will require the following:

  1. A specification, with substantive documentation about the Object and its fields (more than currently exists in many cases)
  2. A JSON Schema serialization
  3. API support (specifics TBD)

Other Implications

Besides this, there are additional implications that are associated with the set of CybOX Objects that are included in the 3.0 release, including:

  1. Notionally, each user that claims to support CybOX 3.0 must also support the entire Object set. Thus, a smaller set of Objects would make it easier to fully implement CybOX 3.0.
  2. Each Object may have its own set of semantics with regards to CybOX-based patterning (e.g., in STIX Indicators), which would need to be defined somewhere.

"Existing Objects" Approach

The "Existing Objects" approach is based on the principle of carrying over ALL existing CybOX Objects, unless they have major issues identified for them AND are not being used by the community (based on CTI-stats).

Pros/Cons

  • (+) We don't have perfect visibility into the Objects that are being used, so this approach makes it much less likely that we exclude an Object that a community member needs.
  • (-) Odds are we won't be able to refactor and tweak each Object, given the large number of Objects that are included. Accordingly, some Objects with issues (known or unknown) will make it into the release.
  • (-) This approach requires a much more significant amount of work for creating the JSON Schema, writing documentation, etc., again because of the large number of Objects that are included.

Object List

Accordingly, this would entail carrying over everything except for the following currently identified Objects:

  1. Network Packet
  2. Network Flow
  3. User Session

Totals

  • Included Objects: 85
  • Not Included Objects: 3

"Green-field" Approach

The "green-field" approach is more radical and is based on the principle of carrying over only the existing CybOX Objects that are:

  1. Known to be used today
    1. Concrete, verifiable proof based on the two biggest users of CybOX today
      1. STIX, via CTI-stats
      2. MAEC schemas and/or utilities
  2. Free of major issues

Also, it's important to note that if a group identifies an object that they really need and can contribute the time/effort to refactor it, we would be willing to include it as part of this approach.

Pros/Cons

  • (+) The Object set is much more constrained, making it more likely that we'll be able to refactor and tweak each Object as necessary.
  • (+) There will be less work required to create the JSON schemas, documentation, etc., simply based on the smaller number of Objects that are included.
  • (-) We don't have perfect visibility into the Objects that are being used, so there is a chance that we exclude an Object that a community member needs.

Object List

| Object | Inclusion | Comments | UML Classes/Enums |
| --- | --- | --- | --- |
| Account | No | No known usage in CTI-stats or MAEC. | 3/2 |
| Address | Yes | Widely used, as reported in CTI-stats. | 1/1 |
| API | Yes | Used in the Cuckoo Sandbox MAEC output module; no known use elsewhere. | 1/0 |
| Archive File | Yes | No known usage in CTI-stats or MAEC; however, will likely be included as part of the refactored File Object. | 2/1 |
| ARPCache | No | No known usage in CTI-stats or MAEC. | 3/1 |
| Artifact | Yes | Some known usage, as reported in CTI-stats. | 6/1 |
| AS | Maybe | No known usage in CTI-stats or MAEC; however, it may be necessary for the refactored Network Connection Object (Source_ASN/Destination_ASN). | 1/0 |
| Code | Maybe | Used in MAEC for capturing code snippets associated with a malware instance. | 7/4 |
| Custom | Maybe | No known usage, but given the nature of the Object (as a custom set of key/value pairs), it would likely make sense to include. | 1/0 |
| Device | Maybe | No known usage in CTI-stats or MAEC. Requested for possible inclusion by COA WG. | 1/0 |
| Disk Partition | Maybe | No known usage in CTI-stats or MAEC. Requested for possible inclusion by COA WG. | 2/1 |
| DNS Cache | No | No known usage in CTI-stats or MAEC. | 2/0 |
| DNS Query | Yes | Used in the Cuckoo Sandbox MAEC output module; no known use elsewhere. | 4/1 |
| DNS Record | Yes | No known separate usage, but used as a key component of the DNS Query Object. | 1/0 |
| Domain Name | Yes | Widely used, as reported in CTI-stats. | 1/1 |
| Email Message | Yes | Widely used, as reported in CTI-stats. | 9/0 |
| File | Yes | Widely used, as reported in CTI-stats. | 11/2 |
| GUI Dialog Box | No | No known usage in CTI-stats or MAEC. | 1/0 |
| GUI Window | Yes | Used in the Cuckoo Sandbox MAEC output module; no known use elsewhere. | 1/0 |
| GUI | Yes | No known separate usage, but defined as the parent class of the GUI Window (and Dialog Box) Objects. | 1/0 |
| Hostname | Yes | Some known usage, as reported in CTI-stats. | 1/0 |
| HTTP Session | Yes | Some known usage, as reported in CTI-stats. | 13/1 |
| Image File | Yes | No known usage in CTI-stats or MAEC; however, will likely be included as part of the refactored File Object. | 2/1 |
| Library | Yes | Used in several MAEC utilities, including the Cuckoo Sandbox MAEC output module, and ThreatExpert to MAEC. | 2/1 |
| Link | Yes | Some known usage, as reported in CTI-stats. | 1/0 |
| Linux Package | No | No known usage in CTI-stats or MAEC. | 1/0 |
| Memory | Yes | Some known usage, as reported in CTI-stats. | 2/1 |
| Mutex | Yes | Widely used, as reported in CTI-stats. | 1/0 |
| Network Connection | Yes | Some known usage, as reported in CTI-stats. | 4/3 |
| Network Flow | No | No known usage in CTI-stats or MAEC. | 48/7 |
| Network Packet | No | No known usage in CTI-stats or MAEC; several known issues. | 92/14 |
| Network Route Entry | No | No known usage in CTI-stats or MAEC. | 3/1 |
| Network Route | No | No known usage in CTI-stats or MAEC. | 2/0 |
| Network Socket | Yes | Used in the Cuckoo Sandbox MAEC output module; no known use elsewhere. | 6/4 |
| Network Subnet | No | No known usage in CTI-stats or MAEC. | 2/0 |
| PDF File | Yes | Some known usage, as reported in CTI-stats. | 20/2 |
| Pipe | Yes | Used in several MAEC utilities, including the Cuckoo Sandbox MAEC output module, and Anubis to MAEC. | 1/0 |
| Port | Yes | Widely used, as reported in CTI-stats. | 1/0 |
| Process | Yes | Used in several MAEC utilities, including the Cuckoo Sandbox MAEC output module, Anubis to MAEC, and ThreatExpert to MAEC. | 7/0 |
| Product | Maybe | No known usage in CTI-stats or MAEC. Requested for possible inclusion by COA WG. | 1/0 |
| Semaphore | Maybe | No known usage in CTI-stats or MAEC. Requested for possible inclusion by a community member. | 1/0 |
| SMS Message | Maybe | No known usage in CTI-stats or MAEC. Requested for possible inclusion by community members. | 1/0 |
| Socket Address | Yes | No known separate usage, but used as one of the key components of the Network Connection Object. | 1/0 |
| System | Yes | Used in MAEC for defining the system(s) on which malware analysis was performed, and also used in the Cuckoo Sandbox MAEC output module. | 11/2 |
| Unix File | No | No known usage in CTI-stats or MAEC. | 3/1 |
| Unix Network Route | No | No known usage in CTI-stats or MAEC. | 1/0 |
| Unix Pipe | No | No known usage in CTI-stats or MAEC. | 1/0 |
| Unix Process | No | No known usage in CTI-stats or MAEC. | 4/1 |
| Unix User Account | No | No known usage in CTI-stats or MAEC. | 3/0 |
| Unix Volume | No | No known usage in CTI-stats or MAEC. | 1/0 |
| URI | Yes | Widely used, as reported in CTI-stats. | 1/1 |
| URL History | No | No known usage in CTI-stats or MAEC. | 2/0 |
| User Account | Maybe | No known usage in CTI-stats or MAEC. Requested for possible inclusion by COA WG. | 5/0 |
| User Session | Maybe | No known usage in CTI-stats or MAEC; has major issues. Requested for possible inclusion by COA WG. | 1/0 |
| Volume | No | No known usage in CTI-stats or MAEC. | 4/1 |
| WhoIS | Yes | Some known usage, as reported in CTI-stats. | 9/3 |
| Win Computer Account | No | No known usage in CTI-stats or MAEC. | 5/0 |
| Win Critical Section | No | No known usage in CTI-stats or MAEC. | 1/0 |
| Win Driver | Yes | Used in several MAEC utilities, including Anubis to MAEC, and ThreatExpert to MAEC. | 3/0 |
| Win Event Log | No | No known usage in CTI-stats or MAEC. | 2/0 |
| Win Event | No | No known usage in CTI-stats or MAEC. | 2/1 |
| Win Executable File | Yes | Some known usage, as reported in CTI-stats. | 28/3 |
| Win Filemapping | No | No known usage in CTI-stats or MAEC. | 3/2 |
| Win File | No | No known usage in CTI-stats or MAEC. | 5/1 |
| Win Handle | Yes | Used in the Cuckoo Sandbox MAEC output module; no known use elsewhere. | 3/1 |
| Win Hook | No | No known usage in CTI-stats or MAEC. | 2/1 |
| Win Kernel Hook | Yes | Used in several MAEC utilities, including the Cuckoo Sandbox MAEC output module, and ThreatExpert to MAEC. | 2/1 |
| Win Kernel | No | No known usage in CTI-stats or MAEC. | 5/0 |
| Win Mailslot | No | No known usage in CTI-stats or MAEC. | 1/0 |
| Win Memory Page Region | No | No known usage in CTI-stats or MAEC. | 4/2 |
| Win Mutex | Yes | Used in several MAEC utilities, including the Cuckoo Sandbox MAEC output module, Anubis to MAEC, and ThreatExpert to MAEC. | 1/0 |
| Win Network Route Entry | No | No known usage in CTI-stats or MAEC. | 3/2 |
| Win Network Share | Yes | Used in the ThreatExpert to MAEC utility. | 3/1 |
| Win Pipe | Yes | Used in the Cuckoo Sandbox MAEC output module; no known use elsewhere. | 1/0 |
| Win Prefetch | No | No known usage in CTI-stats or MAEC. | 4/0 |
| Win Process | Yes | Used in several MAEC utilities, including the Cuckoo Sandbox MAEC output module, Anubis to MAEC, and ThreatExpert to MAEC. | 3/0 |
| Win Registry Key | Yes | Widely used, as reported in CTI-stats. | 6/2 |
| Win Semaphore | Maybe | No known usage in CTI-stats or MAEC. Requested for possible inclusion by a community member. | 1/0 |
| Win Service | Yes | Used in several MAEC utilities, including the Cuckoo Sandbox MAEC output module, Anubis to MAEC, and ThreatExpert to MAEC. | 5/3 |
| Win System | Yes | No known usage in CTI-stats or MAEC; however, likely to be included as part of the broader device/system refactoring. | 3/0 |
| Win System Restore | No | No known usage in CTI-stats or MAEC. | 3/1 |
| Win Task | No | No known usage in CTI-stats or MAEC. | 14/6 |
| Win Thread | Yes | Used in the Cuckoo Sandbox MAEC output module; no known use elsewhere. | 2/1 |
| Win User Account | No | No known usage in CTI-stats or MAEC. | 3/0 |
| Win Volume | No | No known usage in CTI-stats or MAEC. | 4/2 |
| Win Waitable Timer | No | No known usage in CTI-stats or MAEC. | 2/1 |
| X509 Certificate | Maybe | No known usage in CTI-stats or MAEC; however, it is supported in the X509 to CybOX utility. | 8/0 |

Totals

  • Included Objects: 41
  • Possibly Included Objects: 10
  • Not Included Objects: 37