MAEC v4.1 Release Schedule


MAEC v4.1 Release Schedule

Kirillov, Ivan A.

All,

We realized that we’ve been posting proposals and talking about the MAEC 4.1 release without ever publishing an actual release timeline. So, here are the major milestones:

  • Initial Draft: January 9 – this will incorporate all major changes and a vast majority of minor changes. It should let you see the overall picture of the new version, but there will almost certainly be minor changes between the draft and the release candidate as we finalize the schemas and do testing.
  • Release Candidate: January 30 – this will be equivalent to the final release unless any issues in it are identified. Its primary purpose is to allow yourselves and us to do some final testing to ensure that what gets published as the final release is as bug-free as possible.
  • Final Release: February 11 – this is the final, official release. If any issues are found in the release candidate they will be fixed, otherwise this will just be a re-release of the release candidate.

We plan on sending out proposals starting mid-December that describe the changes and additions for this minor release.

Regards,

Ivan Kirillov

MAEC Project Team


STIX/MAEC/Malware reports

Gary Warner
Ivan,

Is there a place where there might be an archive of "malware information" exchanged in STIX/MAEC format?  I've been using an XML format to describe malware found in email, and several folks are asking that we deliver that report in STIX format.  Not opposed, but looking for some "working archive" where someone might have at least several dozen such reports that we could look at.

Right now, indicators that we include are:

email subject
email sender_domain
(email body is available, we haven't been using it, but certainly could)

hostile URLs found in email
malware dropped from said URLs

email attachments
 - zip / name, size, md5
 - exe from zip / name, size, md5

=====
Then we do "secondary malware" - or "indicators of compromise".  These answer the question "if I get infected with the main malware (such as the recent Upatre droppers), what is my NEXT infection?"  For those secondary (and tertiary) malware, we record which exe "spawned" each, and then the size, hash (link to VirusTotal defs), and what IPs and network hosts the malware either drops from or interacts with.

If you have suggestions or pointers to a place where people "regularly deliver" such reports, I'd love to get some to review and learn from.

Thanks for any suggestions in either STIX or STIX/MAEC format.  I've seen the samples on the STIX/Mitre website, but need many many more.

----------------------------------------------------------

Gary Warner
Director of Research in Computer Forensics
The University of Alabama at Birmingham
Center for Information Assurance and Joint Forensics Research
205.422.2113
[hidden email]

-----------------------------------------------------------

----- Original Message -----
From: "Ivan A. Kirillov" <[hidden email]>
To: "maec-discussion-list Malware Attribute Enumeration Discussion" <[hidden email]>
Sent: Tuesday, December 3, 2013 10:16:30 AM
Subject: MAEC v4.1 Release Schedule

RE: STIX/MAEC/Malware reports

Kirillov, Ivan A.
Gary,

Unfortunately, there's no public repository of STIX or MAEC data available that we're aware of. However, this is something that's come up a few times in the past, especially for MAEC, so we're planning on standing up a small library of MAEC sample data (probably as a GitHub repository) in the near future.

It does sound like the IOC or "secondary malware" data that you referred to could be fully characterized with MAEC; if you can share some sample XML from your end, I'd be happy to help you map it to MAEC and STIX.

Regards,
Ivan Kirillov
MAEC Project
MITRE
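The indicator set Gary lists above (file name, size, MD5, which executable spawned which, and the hosts each sample talks to) mapped into a MAEC 4.1 package, as an added illustration; this is not code from the thread or from the MAEC project. It uses only the Python standard library. The input record is constructed; the element, attribute and namespace names follow MAEC Package 2.1 / Bundle 4.1 and CybOX 2.1 as the editor recalls them and the "dropped by" relationship term is assumed, so validate the output against the v4.1 schema bundle before relying on it. summarize() pulls the IOCs and the spawn chain back out of any package built this way, which is the consumer-side half of the exchange Gary describes.

```python
import xml.etree.ElementTree as ET

# Namespaces as used by MAEC 4.1 (Package 2.1, Bundle 4.1) and CybOX 2.1.
# Assumption: check these, and the element names below, against the v4.1 schemas.
NS = {
    "maecPackage": "http://maec.mitre.org/XMLSchema/maec-package-2",
    "maecBundle": "http://maec.mitre.org/XMLSchema/maec-bundle-4",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
    "AddrObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)


def q(prefix, name):
    """Clark-notation tag ({uri}name) for ElementTree."""
    return "{%s}%s" % (NS[prefix], name)


# Constructed input in the shape Gary's message lists: the dropper from the
# e-mail attachment and a secondary payload it spawned. Names, sizes, hashes
# and addresses are placeholders, not real indicators.
SAMPLE_REPORT = {
    "samples": [
        {"id": "s1", "name": "invoice.exe", "size": 61440,
         "md5": "0123456789abcdef0123456789abcdef",
         "spawned_by": None, "hosts": ["198.51.100.7"]},
        {"id": "s2", "name": "update.exe", "size": 204800,
         "md5": "fedcba9876543210fedcba9876543210",
         "spawned_by": "s1", "hosts": ["203.0.113.9", "198.51.100.7"]},
    ],
}


def add_file_properties(parent, sample):
    """name / size / md5 -> CybOX FileObjectType properties."""
    props = ET.SubElement(parent, q("cybox", "Properties"),
                          {q("xsi", "type"): "FileObj:FileObjectType"})
    ET.SubElement(props, q("FileObj", "File_Name")).text = sample["name"]
    ET.SubElement(props, q("FileObj", "Size_In_Bytes")).text = str(sample["size"])
    h = ET.SubElement(ET.SubElement(props, q("FileObj", "Hashes")),
                      q("cyboxCommon", "Hash"))
    ET.SubElement(h, q("cyboxCommon", "Type")).text = "MD5"
    ET.SubElement(h, q("cyboxCommon", "Simple_Hash_Value")).text = sample["md5"]


def build_package(report, prefix="example"):
    """One Malware_Subject per sample; contacted hosts go into a findings
    bundle and the "spawned by" link becomes a Malware_Subject relationship."""
    root = ET.Element(q("maecPackage", "MAEC_Package"),
                      {"id": prefix + ":package-1", "schema_version": "2.1"})
    subjects = ET.SubElement(root, q("maecPackage", "Malware_Subjects"))
    for s in report["samples"]:
        subj = ET.SubElement(subjects, q("maecPackage", "Malware_Subject"),
                             {"id": "%s:subject-%s" % (prefix, s["id"])})
        attrs = ET.SubElement(subj, q("maecPackage", "Malware_Instance_Object_Attributes"),
                              {"id": "%s:object-%s" % (prefix, s["id"])})
        add_file_properties(attrs, s)
        bundle = ET.SubElement(ET.SubElement(subj, q("maecPackage", "Findings_Bundles")),
                               q("maecPackage", "Bundle"),
                               {"id": "%s:bundle-%s" % (prefix, s["id"]),
                                "schema_version": "4.1", "defined_subject": "false",
                                "content_type": "dynamic analysis tool output"})
        objects = ET.SubElement(bundle, q("maecBundle", "Objects"))
        for n, host in enumerate(s["hosts"], 1):
            obj = ET.SubElement(objects, q("maecBundle", "Object"),
                                {"id": "%s:address-%s-%d" % (prefix, s["id"], n)})
            props = ET.SubElement(obj, q("cybox", "Properties"),
                                  {q("xsi", "type"): "AddrObj:AddressObjectType",
                                   "category": "ipv4-addr"})
            ET.SubElement(props, q("AddrObj", "Address_Value")).text = host
        if s["spawned_by"]:
            rel = ET.SubElement(ET.SubElement(subj, q("maecPackage", "Relationships")),
                                q("maecPackage", "Relationship"))
            # Assumption: "dropped by" as the MalwareSubjectRelationshipVocab term.
            ET.SubElement(rel, q("maecPackage", "Type")).text = "dropped by"
            ET.SubElement(rel, q("maecPackage", "Malware_Subject_Reference"),
                          {"malware_subject_idref": "%s:subject-%s" % (prefix, s["spawned_by"])})
    return root


def summarize(root):
    """Consumer side: pull the IOCs and the spawn chain back out of a package."""
    out = {"subjects": 0, "md5s": [], "spawned_by": {}, "hosts": set()}
    for subj in root.iter(q("maecPackage", "Malware_Subject")):
        out["subjects"] += 1
        for hv in subj.iter(q("cyboxCommon", "Simple_Hash_Value")):
            out["md5s"].append(hv.text)
        for addr in subj.iter(q("AddrObj", "Address_Value")):
            out["hosts"].add(addr.text)
        ref = subj.find(".//" + q("maecPackage", "Malware_Subject_Reference"))
        if ref is not None:
            out["spawned_by"][subj.get("id")] = ref.get("malware_subject_idref")
    out["hosts"] = sorted(out["hosts"])
    return out


def to_xml(report):
    """Serialize the package; feed this to an XML schema validator."""
    return ET.tostring(build_package(report), encoding="unicode")


if __name__ == "__main__":
    print(to_xml(SAMPLE_REPORT))
    print(summarize(build_package(SAMPLE_REPORT)))
```

The e-mail subject, sender domain and hostile URLs from Gary's list are deliberately left out: they describe the delivery vector rather than the malware itself, and in the STIX/MAEC split they belong in a STIX Indicator or Observable around the MAEC package rather than inside it.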

-----Original Message-----
From: Gary Warner [mailto:[hidden email]]
Sent: Tuesday, December 03, 2013 1:31 PM
To: Kirillov, Ivan A.
Cc: maec-discussion-list Malware Attribute Enumeration Discussion
Subject: STIX/MAEC/Malware reports


RE: MAEC v4.1 Release Schedule

Kirillov, Ivan A.

Just wanted to send a quick message to let everyone know that the Initial Draft of MAEC v4.1 is available, which incorporates several but not all significant revisions that we’re planning for this release:

http://maec.mitre.org/language/version4.1/

For this draft, just the offline-schema zip bundle (with examples) is available; this is intended to provide a snapshot of the current state of the MAEC v4.1 release, and is meant to be used for testing only. The changes in place in this draft are finalized from our end, but please let us know if you have any comments or find any issues.

Regards,

Ivan Kirillov

CybOX Project

MITRE

From: [hidden email] [mailto:[hidden email]] On Behalf Of Kirillov, Ivan A.
Sent: Tuesday, December 03, 2013 11:17 AM
To: maec-discussion-list Malware Attribute Enumeration Discussion
Subject: MAEC v4.1 Release Schedule

RE: MAEC v4.1 Release Schedule

Kirillov, Ivan A.

All,

Just wanted to let you know that we’re pushing back the date of the MAEC 4.1 release candidate a few days to February 4th. This will allow more time for feedback and comments on the MAEC proposals, and also allow us to incorporate all of the major changes we’re planning for this release. This will not affect the final release, which will still occur on February 11th.

Regards,

Ivan Kirillov

MAEC Project

MITRE

From: [hidden email] [mailto:[hidden email]] On Behalf Of Kirillov, Ivan A.
Sent: Friday, January 10, 2014 8:51 AM
To: maec-discussion-list Malware Attribute Enumeration Discussion
Subject: RE: MAEC v4.1 Release Schedule