[MAEC] MAEC 5.0 DRAFT Release


[MAEC] MAEC 5.0 DRAFT Release

Kirillov, Ivan A.

All,

The MAEC team and I are pleased to announce the draft release of MAEC 5.0.

Attached are the two specifications (core and vocabularies), which are also accessible at the links below. In addition, we have developed a full set of JSON schemas that correspond with the specifications, and also a Cuckoo Sandbox 2.x reporting module that produces native MAEC 5.0 output. We welcome any feedback and comments, and we’re particularly interested in hearing about anything you feel is confusing or under-specified in the specification. The comment period is open from now until COB on September 29th, 2017.

Regards,

Ivan


Attachments: MAEC 5.0 Specification - Core.pdf (1M); MAEC 5.0 Specification - Vocabularies.pdf (658K)

Re: [MAEC] MAEC 5.0 DRAFT Release

이철호 (Cheolho Lee)

Hi, All.

I reviewed the MAEC 5.0 draft release (August 24, 2017).

My questions are as follows:
(1) How to contain MAEC 5.0 documents in the context of STIX 2.0.
    - Can anybody show me an example?
(2) How to use "indicator" of STIX against MAEC 5.0 documents.
    - Of course, I know STIX 2.3+ will have capability "action" matching in STIX patterning language.
      So, MAEC 5.0 is just a reference for a detailed analysis result... is this OK?

Cheers,

Cheolho Lee.
--------- Original Message ---------
From : "Kirillov, Ivan A." <[hidden email]>
To : <[hidden email]>
Received : August 29, 2017 (Tue) 01:26:24
Subject : [MAEC] MAEC 5.0 DRAFT Release



Re: [MAEC] MAEC 5.0 DRAFT Release

Kirillov, Ivan A.

Hi Cheolho,

Thanks for the feedback.

> (1) How to contain MAEC 5.0 documents in the context of STIX 2.0.

Currently, there is no direct relationship between MAEC 5.0 and STIX 2.0, and therefore no standard way to natively embed MAEC 5.0 documents in STIX 2.0. You could use a custom property for this purpose (e.g., by including a property called “x_maec_package” on the Malware SDO), but it would not be official.

> (2) How to use "indicator" of STIX against MAEC 5.0 documents.

Related to your first question, there’s no standard way to do this today. What you could do is extract the STIX 2.0 Observable Objects from a MAEC 5.0 Package (included in the “observable_objects” property and which may be used by MAEC Malware Actions) and then create patterns from these Objects.

> So, MAEC 5.0 is just a reference for a detailed analysis result.. is this ok?

Our goal with MAEC 5.0 is to have a comprehensive language that various types of malware analysis tools can natively output; this output can then be used for further analytics, correlation, etc. I do agree that we should think about the STIX 2.0 relationship; one potential avenue I can see here is to create a script that can take a MAEC 5.0 Package and then create some form of STIX 2.0 from it.

Regards,

Ivan

From: <[hidden email]> on behalf of 이철호 <[hidden email]>
Date: Monday, August 28, 2017 at 10:24 PM
To: Ivan Kirillov <[hidden email]>
Cc: maec-discussion-list Malware Attribute Enumeration Discussion <[hidden email]>
Subject: RE: [MAEC] MAEC 5.0 DRAFT Release
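The following is an added example written for this archive, not code from the MAEC team or from either poster. It implements the two workarounds Ivan's reply describes: wrapping a MAEC 5.0 Package in a STIX 2.0 Malware SDO through the non-standard custom property `x_maec_package`, and pulling the STIX 2.0 Cyber Observable Objects out of the Package's `observable_objects` property to build STIX 2.0 Indicator patterns. The sample Package is constructed; the `maec_objects` / `malware-action` / `output_object_refs` shape it uses is an assumption for illustration, and the indicator-to-observable back-reference `x_maec_observable_key` is a custom property invented here. Only the standard library is used, so it runs offline.

```python
"""Bridge a MAEC 5.0 Package to STIX 2.0 (added example, standard library only)."""
import json
import uuid

# Constructed MAEC 5.0 Package (sample data, not real sandbox output).
# "observable_objects" holds STIX 2.0 Cyber Observable Objects keyed by
# string id, as the reply describes; the "maec_objects" layout is assumed.
SAMPLE_PACKAGE = {
    "type": "package",
    "id": "package--6bf31b3d-4f3d-4e3a-9b1c-000000000001",
    "schema_version": "5.0",
    "observable_objects": {
        "0": {"type": "file", "name": "dropper.exe",
              "hashes": {"SHA-256": "ab" * 32}},
        "1": {"type": "domain-name", "value": "c2.example.invalid"},
        "2": {"type": "windows-registry-key",
              "key": "HKEY_CURRENT_USER\\Software\\Example\\Run"},
        "3": {"type": "process", "pid": 1234},   # nothing stable to match on
    },
    "maec_objects": [
        {"type": "malware-action",
         "id": "malware-action--6bf31b3d-4f3d-4e3a-9b1c-000000000002",
         "name": "connect to url",
         "output_object_refs": ["1"]},
    ],
}


def _esc(value):
    """Escape a STIX 2.0 pattern string literal (backslash and single quote)."""
    return str(value).replace("\\", "\\\\").replace("'", "\\'")


def observable_to_pattern(obj):
    """Return a STIX 2.0 comparison expression for one observable, or None
    when the object carries nothing stable enough to match on."""
    t = obj.get("type")
    if t == "file" and "SHA-256" in obj.get("hashes", {}):
        return "[file:hashes.'SHA-256' = '%s']" % _esc(obj["hashes"]["SHA-256"])
    if t == "domain-name" and "value" in obj:
        return "[domain-name:value = '%s']" % _esc(obj["value"])
    if t == "windows-registry-key" and "key" in obj:
        return "[windows-registry-key:key = '%s']" % _esc(obj["key"])
    return None


def build_indicators(package, timestamp="2017-08-29T01:26:24.000Z"):
    """Turn each patternable observable of a MAEC Package into a STIX 2.0
    Indicator SDO. Ids derive deterministically from the package id and the
    observable key, so re-running on the same Package yields the same ids."""
    indicators = []
    for key, obj in sorted(package["observable_objects"].items()):
        pattern = observable_to_pattern(obj)
        if pattern is None:
            continue
        ind_id = uuid.uuid5(uuid.NAMESPACE_URL, package["id"] + "#" + key)
        indicators.append({
            "type": "indicator",
            "id": "indicator--%s" % ind_id,
            "created": timestamp,
            "modified": timestamp,
            "labels": ["malicious-activity"],
            "pattern": pattern,
            "valid_from": timestamp,
            "x_maec_observable_key": key,   # custom back-reference, assumed
        })
    return indicators


def malware_sdo_with_package(package, name, timestamp="2017-08-29T01:26:24.000Z"):
    """Wrap the MAEC Package in a STIX 2.0 Malware SDO via the custom,
    non-standard property x_maec_package suggested in the reply."""
    mal_id = uuid.uuid5(uuid.NAMESPACE_URL, package["id"] + "#malware")
    return {
        "type": "malware",
        "id": "malware--%s" % mal_id,
        "created": timestamp,
        "modified": timestamp,
        "name": name,
        "labels": ["trojan"],
        "x_maec_package": package,
    }


def to_bundle(package, name):
    """Assemble a STIX 2.0 Bundle holding the Malware SDO and its Indicators."""
    objects = [malware_sdo_with_package(package, name)] + build_indicators(package)
    return {"type": "bundle", "id": "bundle--%s" % uuid.uuid4(),
            "spec_version": "2.0", "objects": objects}


if __name__ == "__main__":
    print(json.dumps(to_bundle(SAMPLE_PACKAGE, "sample dropper"), indent=2))
```

Observables without a reliable matching key (the process object here) are skipped rather than turned into weak patterns; extend `observable_to_pattern` per observable type to cover what a given sandbox actually emits. Consumers that validate strictly against STIX 2.0 will reject or ignore the `x_`-prefixed properties, which is exactly the "not official" caveat from the reply.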