MAEC 4.1 Proposals - Round 2


MAEC 4.1 Proposals - Round 2

Kirillov, Ivan A.

All,

 

Below are a few more proposals for additions to MAEC for the upcoming 4.1 minor release. We would likewise greatly welcome your feedback, thoughts and comments on these. We plan on closing comments for these items in a little less than a week, on February 3rd, so that they can be incorporated into the upcoming MAEC 4.1 Release Candidate.

                                                                  

· Add Support for Capturing Malware Development Environment

· Add Support for Capturing Errors Generated During Sandboxing

· Expand MAEC Malware Subject Relationship Vocabulary

 

Regards,

Ivan Kirillov

MITRE

 


Re: MAEC 4.1 Proposals - Round 2

Terry MacDonald

Add Support for Capturing Malware Development Environment

  1. Does it make sense to add such a capability to MAEC?
    [Terry] - Yep.
  2. Do the defined types, their child properties, and their datatypes make sense? Should they be changed in any way?
    [Terry] - Should the name and version of the malware development tool be captured as well? All I can see is the type of tool, and a debugging file path.
    What is the debugging_file_path for? Is it the path that the malware writer used to debug their development instances?
  3. Do the values for the MalwareDevelopmentToolVocab and their descriptions make sense? Are there any other tools associated with malware development that we should capture in this vocabulary?
    [Terry] - None I can think of.

 Add Support for Capturing Errors Generated During Sandboxing

  1. Does it make sense to add such a capability to MAEC?
    [Terry] - Will this be useful if some of the errors are generated due to the configuration of the sandbox?
  2. Do the defined types, their child properties, and their datatypes make sense? Should they be changed in any way?
    [Terry] - There needs to be a way of recording the order that the exceptions were generated.

Expand MAEC Malware Subject Relationship Vocabulary

Nothing to add here...


Cheers

Terry MacDonald



On 29 January 2014 07:05, Kirillov, Ivan A. <[hidden email]> wrote:




RE: MAEC 4.1 Proposals - Round 2

Kirillov, Ivan A.

Hi Terry,

Add Support for Capturing Malware Development Environment

1. [Terry] - Should the name and version of the malware development tool be captured as well? All I can see is the type of tool, and a debugging file path.
What is the debugging_file_path for? Is it the path that the malware writer used to debug their development instances?

The Name and Version (and many other properties) can be captured via the ToolInformationType from the CybOX Common schema that is used in the Tools/Tool field.

 

Debugging_File_Path is intended to capture the path (including name) of any debugging files, such as PDBs, associated with the malware instance. These paths are sometimes embedded in the binary itself, and can be useful for attribution. I was a little hesitant to include a property for capturing “just” the debugging file path, but I’m not sure how useful capturing details of the files themselves would be, and they’re also rarely available in conjunction with the malware instance itself.

 

 Add Support for Capturing Errors Generated During Sandboxing

1. Does it make sense to add such a capability to MAEC?
[Terry] - Will this be useful if some of the errors are generated due to the configuration of the sandbox?

I think so – it could still be used to capture these errors, though one wouldn’t be able to state what caused the error, i.e. the configuration or something else. Would it be worthwhile to try and capture the reason for the error? Just wondering if it would be possible to create a structure to capture this fairly generically.

2. Do the defined types, their child properties, and their datatypes make sense? Should they be changed in any way?
[Terry] - There needs to be a way of recording the order that the exceptions were generated.

Good point! I think we can add some attribute for capturing the ordinality of the errors.

 

Regards,

Ivan Kirillov

MAEC Project

MITRE

 

From: Terry MacDonald [mailto:[hidden email]]
Sent: Wednesday, January 29, 2014 4:04 AM
To: Kirillov, Ivan A.
Cc: maec-discussion-list Malware Attribute Enumeration Discussion
Subject: Re: MAEC 4.1 Proposals - Round 2

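Ivan's answer above notes that debugging file paths (PDB paths) are sometimes embedded in the binary itself and are useful for attribution. As an added example, not part of this thread or of the MAEC project's code, the Python below scans a byte blob for CodeView "RSDS" debug records (the format Visual Studio uses: signature, 16-byte GUID, 4-byte age, NUL-terminated PDB path) and extracts the embedded path and the pieces an analyst would pivot on. The sample bytes are constructed for the demonstration, and the dictionary key `debugging_file_path` simply mirrors the proposal's wording; it is an assumption, not the actual MAEC 4.1 schema.

```python
import re
import struct
import uuid


def build_rsds_record(guid: uuid.UUID, age: int, pdb_path: str) -> bytes:
    """Build a CodeView RSDS record as a compiler would emit it into a PE debug directory."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + pdb_path.encode("utf-8") + b"\x00"


# Constructed sample blob standing in for a chunk of a PE file. It is NOT a real
# binary; it just wraps one RSDS record in filler bytes so the scanner has to
# locate it rather than assume an offset.
SAMPLE_BLOB = (
    b"\x00" * 32
    + b"MZ\x90\x00 filler that is not a debug record "
    + build_rsds_record(
        uuid.UUID("12345678-1234-5678-1234-567812345678"),
        3,
        r"C:\Users\devbox\src\sample\Release\sample.pdb",
    )
    + b"\x00" * 16
)


def find_rsds_records(data: bytes) -> list:
    """Return one dict per plausible RSDS record found anywhere in data.

    The signature alone is only four bytes, so accidental matches are
    filtered by requiring a printable, NUL-terminated path ending in .pdb.
    """
    results = []
    for match in re.finditer(b"RSDS", data):
        start = match.end()
        if start + 20 > len(data):  # not enough room for GUID + age
            continue
        guid = uuid.UUID(bytes_le=data[start:start + 16])
        age = struct.unpack("<I", data[start + 16:start + 20])[0]
        end = data.find(b"\x00", start + 20)
        if end == -1:
            continue
        try:
            path = data[start + 20:end].decode("utf-8")
        except UnicodeDecodeError:
            continue
        if not path.lower().endswith(".pdb") or not path.isprintable():
            continue
        results.append({"guid": str(guid), "age": age, "debugging_file_path": path})
    return results


def attribution_hints(pdb_path: str) -> dict:
    """Pull out the parts of a PDB path that analysts typically pivot on."""
    hints = {"filename": pdb_path.replace("\\", "/").rsplit("/", 1)[-1]}
    # A Windows profile directory in the path leaks the developer's user name.
    user = re.search(r"[\\/]Users[\\/]([^\\/]+)[\\/]", pdb_path, re.IGNORECASE)
    if user:
        hints["user_directory"] = user.group(1)
    return hints


if __name__ == "__main__":
    for record in find_rsds_records(SAMPLE_BLOB):
        print(record, attribution_hints(record["debugging_file_path"]))
```

Scanning for the signature rather than walking the PE debug directory is deliberate: packed or truncated samples often lose a valid directory but still carry the record, and the same routine works on memory dumps. The GUID and age are kept because together with the path they identify a specific build, which is what makes the field useful for linking instances.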