I just wanted to share some info about our plans for the upcoming MAEC 3.0 release:
-We’re creating a new component (along with its own schema) that we’re tentatively calling the ‘MAEC Package.’ The MAEC Package is intended to allow for the characterization of multiple malware instances, the relationships between them, and any associated MAEC Bundles. This would provide a clean and logical way to characterize things like multi-partite malware, as well as malware that’s related for other reasons (e.g., clustered together, part of the same intrusion set, etc.). The MAEC Package also captures all of the analysis and other metadata for a malware instance; to this end, we’re also significantly refactoring the existing MAEC AnalysisType, so that it describes a malware instance and all of the analyses performed upon it inside of a single element, along with some other improvements.
The creation of the MAEC Package and these aforementioned changes are the primary reasons why we’re calling this upcoming release MAEC v3.0 and not MAEC 2.2.
-We’re slightly refactoring the existing MAEC Bundle by moving any associated metadata that belongs in the MAEC Package there, and we’re also adding a new way of explicitly characterizing the full process tree observed during malware execution. Thus, the Bundle will now serve solely as a way of encapsulating all of the MAEC Behavior, Action, Object, and Process Tree information for a single malware instance.
-To make development more transparent and to allow for everyone to more easily comment on our work, we’re planning on moving the schemas out to their own GitHub repository. I’ll announce this to the list when it’s up.
More information on the MAEC Package and MAEC Bundle changes can be found inside of our Handshake group. If anyone who doesn’t have access to Handshake would like it, please send me an email and I’ll send out an invite.