
Proposal: Deprecate MAEC Candidate Indicators in Favor of STIX Indicators

Desiree Beck edited this page May 24, 2015 · 20 revisions

Status: Open
Comment Period Closes:
Affects Backwards Compatibility: Yes
Relevant Issues: https://github.com/MAECProject/schemas/issues/84

Background Information

There are currently two separate structures for Indicators: MAEC Candidate Indicators and STIX Indicators. Although they are intended to accomplish different goals, having two separate Indicator-related structures is redundant and potentially confusing for users of MAEC.

Proposal

Rather than defining MAEC Candidate Indicators, we propose populating STIX TTPs directly with information on Capabilities and Behaviors. Note that this will require modification to STIX TTPs so that they allow references to MAEC-derived malware data (e.g., Behaviors).

MAEC Collections could be used to group the Behaviors that are candidates for Indicators; the Collection entity_type enumeration would gain a "potential_indicator" value for this purpose.

Indicator patterns would be captured in STIX, not in MAEC.

| Field | Type | Multiplicity | Description |
|---|---|---|---|
| MAEC_Packages | MAECPackageListType | 0-1 | The MAEC_Packages field captures the set of one or more MAEC Packages contained in the Package document. |

Accordingly, the MAECPackageListType would have the following structure:

| Field | Type | Multiplicity | Description |
|---|---|---|---|
| MAEC_Package | PackageType | 0-N | The MAEC_Package field specifies a single MAEC Package. |

Example

```xml
<maecPackage:MAEC_Packages>
  <maecPackage:MAEC_Package id="maec-test-pkg-1" schema_version="5.0">
    <maecPackage:Objects>
    ...
    </maecPackage:Objects>
    <maecPackage:Malware_Subjects>
      ...
    </maecPackage:Malware_Subjects>
  </maecPackage:MAEC_Package>
  <maecPackage:MAEC_Package id="maec-test-pkg-2" schema_version="5.0">
    <maecPackage:Malware_Subjects>
      <maecPackage:Malware_Subject>
      ...
      </maecPackage:Malware_Subject>
    </maecPackage:Malware_Subjects>
  </maecPackage:MAEC_Package>
</maecPackage:MAEC_Packages>
```
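As an added example (not code from the MAEC project, and not part of the original proposal), the following Python shows how a consumer would walk the proposed MAECPackageListType: enumerate each MAEC_Package child of MAEC_Packages, pull its id and schema_version, and apply the structural rules the table implies (0-N packages, so an empty list is legal; every package must carry an id, and ids must be unique within the list). The namespace URI bound to the maecPackage prefix and the sample documents are constructed for this illustration; the real MAEC 5.0 namespace is not defined on this page. This is a structural check with the standard library, not XSD validation.

```python
"""Enumerate and sanity-check MAEC_Package entries in a MAECPackageListType.

Added example, not MAEC project code.  MAEC_PKG_NS is an assumed namespace
URI, not the real MAEC 5.0 namespace.
"""
import xml.etree.ElementTree as ET

# Hypothetical namespace for the maecPackage prefix (assumption).
MAEC_PKG_NS = "http://example.org/maec-package-5"
NS = {"maecPackage": MAEC_PKG_NS}

# Constructed sample mirroring the proposal's example, with the ellipses
# replaced by real (minimal) content so it parses.
SAMPLE = f"""<maecPackage:MAEC_Packages xmlns:maecPackage="{MAEC_PKG_NS}">
  <maecPackage:MAEC_Package id="maec-test-pkg-1" schema_version="5.0">
    <maecPackage:Objects/>
    <maecPackage:Malware_Subjects>
      <maecPackage:Malware_Subject/>
    </maecPackage:Malware_Subjects>
  </maecPackage:MAEC_Package>
  <maecPackage:MAEC_Package id="maec-test-pkg-2" schema_version="5.0">
    <maecPackage:Malware_Subjects>
      <maecPackage:Malware_Subject/>
      <maecPackage:Malware_Subject/>
    </maecPackage:Malware_Subjects>
  </maecPackage:MAEC_Package>
</maecPackage:MAEC_Packages>"""

# Constructed variants: 0-N allows an empty list; duplicate ids must be rejected.
EMPTY = f'<maecPackage:MAEC_Packages xmlns:maecPackage="{MAEC_PKG_NS}"/>'
DUPLICATE = SAMPLE.replace("maec-test-pkg-2", "maec-test-pkg-1")


def list_packages(xml_text):
    """Return one dict per MAEC_Package child of the MAEC_Packages root.

    MAEC data usually describes hostile samples and often arrives from
    untrusted parties; for such input use defusedxml.ElementTree.fromstring,
    which has the same signature, in place of ET.fromstring.
    """
    root = ET.fromstring(xml_text)
    expected_root = f"{{{MAEC_PKG_NS}}}MAEC_Packages"
    if root.tag != expected_root:
        raise ValueError(f"expected {expected_root} as document root, got {root.tag}")
    packages = []
    for pkg in root.findall("maecPackage:MAEC_Package", NS):
        subjects = pkg.findall(
            "maecPackage:Malware_Subjects/maecPackage:Malware_Subject", NS
        )
        packages.append(
            {
                "id": pkg.get("id"),
                "schema_version": pkg.get("schema_version"),
                "malware_subjects": len(subjects),
            }
        )
    return packages


def check_package_list(xml_text):
    """Return a list of problems; an empty list means the list is well formed.

    Rules applied: any number of packages (0-N) is allowed, each package
    needs a non-empty id and a schema_version, and ids must be unique.
    """
    problems = []
    seen_ids = set()
    for index, pkg in enumerate(list_packages(xml_text)):
        pkg_id = pkg["id"]
        if not pkg_id:
            problems.append(f"package #{index}: missing id")
        elif pkg_id in seen_ids:
            problems.append(f"package #{index}: duplicate id {pkg_id!r}")
        else:
            seen_ids.add(pkg_id)
        if not pkg["schema_version"]:
            problems.append(f"package #{index}: missing schema_version")
    return problems


if __name__ == "__main__":
    for name, doc in (("SAMPLE", SAMPLE), ("EMPTY", EMPTY), ("DUPLICATE", DUPLICATE)):
        print(name, [p["id"] for p in list_packages(doc)], check_package_list(doc))
```

Because the proposed multiplicity on MAEC_Package is 0-N, an empty MAEC_Packages element passes the check; whether an empty list should instead be disallowed is the kind of detail reviewers of the schema change would want to settle.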

Impact

This change will not be backward compatible and is one of several revisions planned in the new major version.

Requested Feedback

  1. Should MAEC Candidate Indicators be deprecated in favor of using STIX Indicators?
  2. Should potential Indicators be captured in MAEC Collections?
  3. Should an entity_type be specified with value "potential_indicator"?