Proposal: Rename ExploitType and Expand Fields
Status: CLOSED
Comment Period Closes: July 28th, 2015
Affects Backwards Compatibility: Yes
Relevant Issues: https://github.com/MAECProject/schemas/issues/27
The existing `ExploitType` in the MAEC Bundle data model is used to characterize any vulnerability that may be exploited by malware through a Behavior. Currently, it has minimal fields and does not align well with the STIX `VulnerabilityType` defined in the STIX Exploit Target data model.

We propose to rename `ExploitType` (as it is named in the MAEC v4.1 Bundle schema) to `VulnerabilityExploitType`.

In addition, we propose to expand the fields of `VulnerabilityExploitType` to more closely align with the fields of the STIX `VulnerabilityType` as defined in the STIX Exploit Target data model. However, in order to implement a more flexible approach, we will not exactly match the current fields of the STIX `VulnerabilityType`. Instead, the following fields would be defined:
Field | Type | Multiplicity | Description |
---|---|---|---|
is_known | xs:boolean | 0-1 | The is_known field specifies whether the vulnerability that the malware is exploiting has been previously identified. |
Title | xs:string | 0-1 | The Title field captures a title for the vulnerability exploit and reflects what the content producer thinks the vulnerability exploit as a whole should be called. |
Description | cyboxCommon:StructuredTextType | 0-1 | The Description field captures a textual description of the vulnerability exploit. Any length is permitted. Optional formatting is supported via the structuring_format property of StructuredTextType. |
Vulnerability_Reference | VulnerabilityReferenceType | 0-* | The Vulnerability_Reference field specifies the vulnerability targeted by the exploit by referencing well-known vulnerability schemes. |
Discovered_DateTime | xs:dateTime | 0-1 | The Discovered_DateTime field specifies the date and time at which the vulnerability exploit was discovered. |
Published_DateTime | xs:dateTime | 0-1 | The Published_DateTime field specifies the date and time at which information about the vulnerability was published. |
Targeted_Platforms | PlatformListType | 0-1 | The Targeted_Platforms field specifies the platform(s) targeted by the vulnerability exploit. |
The `VulnerabilityReferenceType` will be a new MAEC type defined with the following fields:

Field | Type | Multiplicity | Description |
---|---|---|---|
ID | xs:string | 0-1 | The ID field specifies the unique identifier for the reference to the vulnerability exploit. |
Source | xs:string | 0-1 | The Source field captures a textual description of the original source of the vulnerability exploit information. |
Reference | xs:anyURI | 0-1 | The Reference field specifies a reference for the vulnerability exploit information using a Uniform Resource Identifier (URI). |

An example instance using the proposed fields:
```xml
<Vulnerability_Exploit>
  <Title>Example Vulnerability Exploit</Title>
  <Vulnerability_Reference>
    <ID>CVE-2015-2239</ID>
    <Source>CVE</Source>
    <Reference>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2239</Reference>
  </Vulnerability_Reference>
  <Vulnerability_Reference>
    <ID>CWE-2014-45</ID>
    <Source>CWE</Source>
    <Reference>http://cwe.mitre.org/cgi-bin/cwename.cgi?name=CWE-2014-45</Reference>
  </Vulnerability_Reference>
</Vulnerability_Exploit>
```
This change will not be backward compatible and is one of several revisions planned for the new major version.
- Should `ExploitType` be renamed to `VulnerabilityExploitType`? Or, should it be named `VulnerabilityType`? (What is the purpose of the "Exploit" modifier?)
- Should `VulnerabilityExploitType` align as closely as possible with the STIX `VulnerabilityType`, or is it better to take a more flexible approach by defining a new MAEC `VulnerabilityReferenceType`?
- Should the multiplicity of the Vulnerability_Reference field be 0..* or should a `VulnerabilityReferenceListType` be defined?
- Although not captured in the STIX `VulnerabilityType`, should Impact (the effect and extent of the vulnerability) be captured as a field in the MAEC `VulnerabilityExploitType`?
- Is the generic use of the ID field in the `VulnerabilityReferenceType` to capture identifiers (such as CVE and OSVDB identifiers) preferable to defining separate fields of restricted string types that correspond to the format of each identifier? For example, a CVE ID would be explicitly defined as a restriction of type `String` such that it adheres to the regular expression `CVE-\d\d\d\d+\d+`.
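As an added illustration of the two field tables and the last open question (example code written for this page, not the MAEC project's own tooling), the following Python checks an instance document against the proposed fields and multiplicities and then enforces a per-Source identifier format, which is what a restricted string type would do at schema level. The CVE/CWE regular expressions and the sample document are assumptions constructed for the example; the proposal itself leaves ID as a free-form string.

```python
import re
from collections import Counter
import xml.etree.ElementTree as ET
# Constructed sample instance, mirroring the page's example document.
SAMPLE = """<Vulnerability_Exploit>
  <Title>Example Vulnerability Exploit</Title>
  <Vulnerability_Reference>
    <ID>CVE-2015-2239</ID>
    <Source>CVE</Source>
    <Reference>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2239</Reference>
  </Vulnerability_Reference>
  <Vulnerability_Reference>
    <ID>CWE-2014-45</ID>
    <Source>CWE</Source>
  </Vulnerability_Reference>
</Vulnerability_Exploit>"""
# Allowed child fields and their multiplicity (min, max; None = unbounded),
# taken from the two tables in the proposal.
EXPLOIT_FIELDS = {"is_known": (0, 1), "Title": (0, 1), "Description": (0, 1),
                  "Vulnerability_Reference": (0, None), "Discovered_DateTime": (0, 1),
                  "Published_DateTime": (0, 1), "Targeted_Platforms": (0, 1)}
REFERENCE_FIELDS = {"ID": (0, 1), "Source": (0, 1), "Reference": (0, 1)}
# Assumed per-Source identifier formats (MITRE's CVE/CWE syntax); the
# proposal itself does not restrict the ID field.
ID_PATTERNS = {"CVE": re.compile(r"^CVE-\d{4}-\d{4,}$"),
               "CWE": re.compile(r"^CWE-\d+$")}

def check_multiplicity(elem, spec):
    counts = Counter(child.tag for child in elem)
    errors = [f"{elem.tag}: unexpected field {t}" for t in counts if t not in spec]
    for tag, (lo, hi) in spec.items():
        n = counts.get(tag, 0)
        if n < lo or (hi is not None and n > hi):
            bound = "*" if hi is None else str(hi)
            errors.append(f"{elem.tag}: {tag} occurs {n} times, allowed {lo}..{bound}")
    return errors

def validate(xml_text):
    root = ET.fromstring(xml_text)
    errors = check_multiplicity(root, EXPLOIT_FIELDS)
    for ref in root.findall("Vulnerability_Reference"):
        errors += check_multiplicity(ref, REFERENCE_FIELDS)
        source, ident = ref.findtext("Source"), ref.findtext("ID")
        pattern = ID_PATTERNS.get(source)  # no pattern known: ID stays free-form
        if ident is not None and pattern and not pattern.match(ident):
            errors.append(f"{ref.tag}: ID {ident!r} does not match the {source} identifier format")
    return errors
```

Running `validate(SAMPLE)` accepts the structure but flags `CWE-2014-45`, which a free-form ID field would have let through silently.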