
Proposal: Deprecate MAEC Candidate Indicators in Favor of STIX Indicators

Desiree Beck edited this page May 25, 2015 · 20 revisions

Status: Open
Comment Period Closes:
Affects Backwards Compatibility: Yes
Relevant Issues: https://github.com/MAECProject/schemas/issues/84

Background Information

There are currently two separate structures for Indicators: MAEC Candidate Indicators and STIX Indicators. Each is intended to accomplish a different goal: a MAEC Candidate Indicator references MAEC entities - Behaviors, Actions, and CybOX Objects - relevant to a particular malware instance, while a STIX Indicator is inherently a mapping between a specific set of observable conditions (the "observable pattern", composed of CybOX Objects and/or Events) and some sort of adversary modus operandi (the TTP). Although each construct serves its own purpose, having two separate Indicator-related structures is redundant and potentially confusing for users of both MAEC and STIX.

Related Proposals

This proposal is related to the following proposed change to the schema: https://github.com/MAECProject/schemas/wiki/Proposal:-Make-Collections-Top-Level-Entities

Proposal

Rather than defining MAEC Candidate Indicators, we propose populating STIX TTPs directly with information on Capabilities and Behaviors. Note that this will require modification to STIX TTPs so that they allow references to MAEC-derived malware data (i.e., Actions and Behaviors).

Indicator patterns would be captured in STIX, not in MAEC.

To allow MAEC users to tag data as potential indicators without needing a full Indicator structure, MAEC Collections could be used. The maecVocabs:CollectionEntityTypeEnum vocabulary, which defines the allowed values of the Collection entity_type field, would gain a "potential indicator" value.

Example

<Collection id="collection-1" entity_type="potential indicator">
  <Name>Example Potential Indicator Collection</Name> 
  <Entity_Reference entity_id="action-1"/>
  <Entity_Reference entity_id="action-2"/>
  <Entity_Reference entity_id="behavior-1"/>
</Collection>
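One consequence of tagging potential indicators through Collections rather than a dedicated structure is that the Collection only carries references: a consumer must resolve each Entity_Reference against the Actions and Behaviors in the same bundle, and a dangling entity_id silently makes the "indicator" incomplete. The following script is an added example, not MAEC project code, showing that resolution step. The bundle it parses is a constructed, namespace-free fragment in the shape of the example above (the real MAEC schemas are namespaced, so a production tool would pass the maecBundle/maecPackage namespaces to the ElementTree queries), and the COLLECTION_ENTITY_TYPES set is an assumed stand-in for the proposed enumeration, not the actual vocabulary.

```python
"""
Resolve the Entity_Reference ids of "potential indicator" Collections.

Added example, not MAEC project code. The XML below is a constructed,
namespace-free fragment modelled on the page's example; the actual MAEC
schemas are namespaced, so a real tool would pass the maecBundle /
maecPackage namespaces to the ElementTree queries.
"""
import xml.etree.ElementTree as ET

# Assumed stand-in for maecVocabs:CollectionEntityTypeEnum. The existing
# values are placeholders; "potential indicator" is the value this
# proposal adds.
COLLECTION_ENTITY_TYPES = {"action", "behavior", "object", "potential indicator"}

# Constructed sample bundle: two Actions, one Behavior and two Collections.
# collection-2 deliberately carries a dangling reference (behavior-99) so
# the check has something to flag.
SAMPLE_BUNDLE = """<Bundle id="bundle-1">
  <Actions>
    <Action id="action-1"><Name>create file</Name></Action>
    <Action id="action-2"><Name>create registry key</Name></Action>
  </Actions>
  <Behaviors>
    <Behavior id="behavior-1"><Description>Persist via Run key</Description></Behavior>
  </Behaviors>
  <Collections>
    <Collection id="collection-1" entity_type="potential indicator">
      <Name>Example Potential Indicator Collection</Name>
      <Entity_Reference entity_id="action-1"/>
      <Entity_Reference entity_id="action-2"/>
      <Entity_Reference entity_id="behavior-1"/>
    </Collection>
    <Collection id="collection-2" entity_type="potential indicator">
      <Name>Collection with a broken reference</Name>
      <Entity_Reference entity_id="action-1"/>
      <Entity_Reference entity_id="behavior-99"/>
    </Collection>
  </Collections>
</Bundle>
"""


def index_entities(root):
    """Map every Action/Behavior id in the bundle to its element."""
    index = {}
    for elem in root.iter():
        if elem.tag in ("Action", "Behavior") and "id" in elem.attrib:
            index[elem.attrib["id"]] = elem
    return index


def potential_indicator_collections(root):
    """Yield Collections tagged as potential indicators; reject unknown types."""
    for coll in root.iter("Collection"):
        etype = coll.get("entity_type")
        if etype not in COLLECTION_ENTITY_TYPES:
            raise ValueError(f"{coll.get('id')}: unknown entity_type {etype!r}")
        if etype == "potential indicator":
            yield coll


def resolve_collection(coll, index):
    """Return (resolved, dangling): resolved maps entity_id -> element tag."""
    resolved, dangling = {}, []
    for ref in coll.findall("Entity_Reference"):
        eid = ref.get("entity_id")
        if eid in index:
            resolved[eid] = index[eid].tag
        else:
            dangling.append(eid)
    return resolved, dangling


def check_bundle(xml_text):
    """Resolve every potential-indicator Collection in the bundle."""
    root = ET.fromstring(xml_text)
    index = index_entities(root)
    return {
        coll.get("id"): resolve_collection(coll, index)
        for coll in potential_indicator_collections(root)
    }


if __name__ == "__main__":
    for cid, (resolved, dangling) in check_bundle(SAMPLE_BUNDLE).items():
        status = "OK" if not dangling else "INCOMPLETE"
        print(f"{cid}: {status} resolved={resolved} dangling={dangling}")
```

A consumer mapping such a Collection onto a STIX Indicator or TTP would want to treat any dangling reference as a hard error, since the referenced Action or Behavior is precisely the content that gives the indicator meaning.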

Impact

This change will not be backward compatible and is one of several revisions planned in the new major version.

Requested Feedback

  1. Should MAEC Candidate Indicators be deprecated in favor of using STIX Indicators?
  2. Should potential Indicators be captured in MAEC Collections?
  3. Should an entity_type be specified with value "potential_indicator"?