Comments on: Combat the APT by Sharing Indicators of Compromise https://blog.mandiant.com/archives/766?utm_source=rss&utm_medium=rss&utm_campaign=combat-apt-sharing-indicators-compromise The Ammunition You Need to Find Evil and Solve Crime Mon, 06 Feb 2012 23:03:19 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Doug Wilson https://blog.mandiant.com/archives/766/comment-page-1#comment-157 Doug Wilson Mon, 06 Feb 2012 23:03:19 +0000 http://blog.mandiant.com/?p=766#comment-157 It looks like some blog comments from a long time ago got stuck in the moderation queue. To address these questions: Where is the .xsd? The base IOC schema is here: http://schemas.mandiant.com/2010/ioc/ioc.xsd and the audit schemas are described at http://schemas.mandiant.com However, of more interest to those writing IOCs are the lists of Indicator Terms, which describe the specific things which we look for and use to populate the schema to build IOCs. Those and other resources for writing IOCS in (what is now) OpenIOC can be found at http://OpenIOC.org. How is this different than MAEC? The Malware Attribution Enumeration and Characterization (or MAEC) project from MITRE is focused on all facets of malware, including specific artifacts up to categorizing types of malware by functionality, family, etc. MAEC is used specifically to describe artifacts involving, surrounding, and originating from malware. OpenIOC can be used to describe malware, as artifacts of malware are almost definitely Indicators of Compromise. But compromises and intrusions cover a lot more ground than just malware -- if you were to look at only indications of malware in an enterprise, you would miss most of the footprint of even a semi-skilled attacker. IOCs allow you to describe a wide variety of indicators, including attacker activities, movement, and methodology, as well as specific forensic artifacts of malicous executables and exploits. OpenIOC is more alike to the newer MITRE offering, CybOX (for Cyber Observables) -- CybOX is an incredibly broad effort to be able to define all observables within an enterprise -- the CybOX team has chosen to include OpenIOC as a specific set of observables within their framework. While all of these tools have their uses, we still feel that in the specific arena of Incident Response or sharing Threat Intelligence artifacts, OpenIOC is the best choice for those subject areas. More information about OpenIOC is available at http://openioc.org The MAEC project homepage is at: http://maec.mitre.org/ The CybOX project homepage is at: http://cybox.mitre.org/ It looks like some blog comments from a long time ago got stuck in the moderation queue.

To address these questions:

Where is the .xsd?

The base IOC schema is here: http://schemas.mandiant.com/2010/ioc/ioc.xsd and the audit schemas are described at http://schemas.mandiant.com

However, of more interest to those writing IOCs are the lists of Indicator Terms, which describe the specific things which we look for and use to populate the schema to build IOCs. Those and other resources for writing IOCS in (what is now) OpenIOC can be found at http://OpenIOC.org.

How is this different than MAEC?

The Malware Attribution Enumeration and Characterization (or MAEC) project from MITRE is focused on all facets of malware, including specific artifacts up to categorizing types of malware by functionality, family, etc. MAEC is used specifically to describe artifacts involving, surrounding, and originating from malware.

OpenIOC can be used to describe malware, as artifacts of malware are almost definitely Indicators of Compromise. But compromises and intrusions cover a lot more ground than just malware — if you were to look at only indications of malware in an enterprise, you would miss most of the footprint of even a semi-skilled attacker. IOCs allow you to describe a wide variety of indicators, including attacker activities, movement, and methodology, as well as specific forensic artifacts of malicous executables and exploits.

OpenIOC is more alike to the newer MITRE offering, CybOX (for Cyber Observables) — CybOX is an incredibly broad effort to be able to define all observables within an enterprise — the CybOX team has chosen to include OpenIOC as a specific set of observables within their framework. While all of these tools have their uses, we still feel that in the specific arena of Incident Response or sharing Threat Intelligence artifacts, OpenIOC is the best choice for those subject areas.

More information about OpenIOC is available at http://openioc.org
The MAEC project homepage is at: http://maec.mitre.org/
The CybOX project homepage is at: http://cybox.mitre.org/

]]> By: jonbv https://blog.mandiant.com/archives/766/comment-page-1#comment-131 jonbv Thu, 18 Aug 2011 01:50:15 +0000 http://blog.mandiant.com/?p=766#comment-131 How is OpenIOC different from MITRE's Malware Attribution Enumeration and Charaterization project? (http://maec.mitre.org/) How is OpenIOC different from MITRE’s Malware Attribution Enumeration and Charaterization project? (http://maec.mitre.org/)

]]> By: Sean https://blog.mandiant.com/archives/766/comment-page-1#comment-107 Sean Mon, 03 Jan 2011 12:38:59 +0000 http://blog.mandiant.com/?p=766#comment-107 It doesn't look like the .xsd file is included in the newest release. Can it be made available? Thanks. It doesn’t look like the .xsd file is included in the newest release. Can it be made available? Thanks.

]]> By: mfrazier https://blog.mandiant.com/archives/766/comment-page-1#comment-64 mfrazier Tue, 06 Jul 2010 23:07:16 +0000 http://blog.mandiant.com/?p=766#comment-64 The schemas for OpenIOC are published as part of the free OpenIOC-compatible editor, IOCe. You can download it from this link: http://www.mandiant.com/products/free_software/ioce/ You'll find the XML Schema Definition (.xsd) files defining the schemas in the Schemas folder within the zip archive. If you have any questions or want to follow OpenIOC discussions on our forums, check out https://forums.mandiant.com/forum/open-ioc The schemas for OpenIOC are published as part of the free OpenIOC-compatible editor, IOCe. You can download it from this link:
http://www.mandiant.com/products/free_software/ioce/

You’ll find the XML Schema Definition (.xsd) files defining the schemas in the Schemas folder within the zip archive.

If you have any questions or want to follow OpenIOC discussions on our forums, check out https://forums.mandiant.com/forum/open-ioc

]]> By: Bob https://blog.mandiant.com/archives/766/comment-page-1#comment-63 Bob Tue, 06 Jul 2010 17:34:58 +0000 http://blog.mandiant.com/?p=766#comment-63 Did you guys ever publish the IOC XML schema anywhere? Did you guys ever publish the IOC XML schema anywhere?

]]>