
MAEC v5.0 in a Nutshell

Ivan Kirillov edited this page Aug 25, 2015 · 40 revisions

Given the current slate of (extensive) proposals around changes in MAEC 5.0, it may be difficult to grasp what the full proposed set of changes entails, especially in comparison to previous versions of MAEC. As such, this document is intended to provide an overview of these changes, based on their rationale for being included.

Rationale: Simplification & Reduction of Complexity

The vast majority of major, non-backwards-compatible changes in MAEC 5.0 revolve around simplifying the data model for both content producers and consumers. Highlighted below are the most critical changes in this regard.

MAEC Bundle & Container Deprecation

The MAEC Bundle is a separate MAEC output format for malware data that was largely an artifact of early versions of MAEC. With the addition of the MAEC Package and Malware Subject constructs, it has been rendered unnecessary. Similarly, the MAEC Container was added to support potential use cases around MAEC Package management, but has not been widely used. Thus, deprecating both the MAEC Bundle and MAEC Container allows us to simplify the data model (including removing unnecessary layers of abstraction) and focus on supporting only a single output format, the MAEC Package.

Top-level Relationships

Relationships in previous versions of MAEC were defined on their respective entity (e.g., a Malware Subject), making them awkward to construct and parse. MAEC 5.0 proposes to fix this by making one-to-one relationships distinct objects that can be defined at the top level of a MAEC document. This simplifies their construction and use, as both target and source IDs are captured in one place, and also makes them more flexible as it permits relating any identifiable MAEC entities with a single object (instead of needing a special relationship construct for each type of MAEC entity as before).

Making ALL Entities Top-level Objects

In previous versions of MAEC, entities such as CybOX Objects, MAEC Actions, and the like could be either defined inside or referenced from their respective elements. While this lent a great deal of flexibility, it also meant that content could be quite variable from producer to producer, making it more difficult to parse (and necessitating multiple code paths). With MAEC 5.0, we propose making ALL identifiable MAEC entities top-level objects; that is, they can be defined only at the top level of a MAEC document, and must be referenced everywhere else (e.g., from Malware Subjects). This serves to simplify content production as well as parsing, as it will guarantee a consistent form of MAEC content.

Accordingly, the following entities will be made top-level Objects:

  • CybOX Objects
  • Actions
  • Behaviors
  • Capabilities
  • Tools
  • Collections
  • Relationships

Generalized Collections

In the past, MAEC Collections have had separate implementations for each respective MAEC entity (e.g., Actions, Behaviors, etc.), making their implementation overly heavyweight and also inflexible due to their inability to support mixed collections of entities such as Actions and CybOX Objects. MAEC 5.0 proposes to resolve this by having a single Collection implementation that can group any arbitrary set of MAEC entities. This also permits the Collection to serve as a mechanism for specifying many-to-many relationships (i.e., among all entities in the Collection).

Simplified Actions

Malware Actions in previous versions of MAEC have been derived from their respective generalized implementation in CybOX. While this has ensured compatibility with CybOX in this regard, it also meant that MAEC had to carry and support CybOX-defined fields intended for a more general implementation of Actions than needed, increasing the complexity of Actions. Moreover, this dependency has meant that any necessary modifications to core Action properties would need to be done in CybOX first and then propagated to MAEC. Thus, MAEC 5.0 proposes a refactored, MAEC-defined implementation of Malware Actions to both simplify their representation and also make them more flexible for future updates in MAEC.

Rationale: New Feature Additions

The remaining changes in MAEC 5.0 concern the addition of new, useful features previously requested by the MAEC community or noted as candidates for inclusion by the MAEC team. Highlighted below are some of the most relevant new features that are proposed for inclusion.

Ability to Capture Malware Instance/Family Names

The ability to capture names (e.g., as reported by an AV tool) for a malware instance, including that of the malware family that it may belong to, can be a useful tool for the rapid identification and correlation of malware. Thus, we propose supporting this capture on the Malware Subject as one of the changes in MAEC 5.0.

Ability to Discretely Capture Static Malware Features

Previous versions of MAEC had a relatively roundabout way of capturing static malware features via the MAEC Bundle. With the deprecation of the MAEC Bundle in 5.0 and the associated layers it removes, we can now directly support the capture of static malware features (represented as one or more CybOX Objects) that are associated with a Malware Subject.

Ability to Capture AV Classifications for ANY CybOX Object

MAEC 3.x and 4.x supported the capture of AV classifications only on a Malware Subject, which meant that they could not be captured on other CybOX Objects defined in a MAEC document. Having the flexibility to capture an AV classification for any CybOX Object is useful for a number of applications, including the triage of files that may be suspicious but not known with any certainty to be malware (and thus Malware Subjects). Thus, we propose deprecating the existing AV classification implementation in favor of a CybOX Object-centered approach, via its respective Domain_Specific_Object_Attributes field.

Example

Illustrating the nature of these changes is best done through an example, so below we show what an existing MAEC Package looked like (as of MAEC 4.1), and the same MAEC Package incorporating the changes that we've proposed for MAEC 5.0.

Before - MAEC 4.1

<maecPackage:MAEC_Package id="example:package-1" schema_version="2.1">
 <maecPackage:Malware_Subjects>
  <maecPackage:Malware_Subject id="example:malware_subject-1">
   <maecPackage:Malware_Instance_Object_Attributes>
    <cybox:Properties xsi:type="WinExecFileObj:WindowsExecutableFileObjectType">
     <FileObj:File_Name>dg003_improve_8080_V132.exe</FileObj:File_Name>
     <FileObj:Size_In_Bytes>196608</FileObj:Size_In_Bytes>
     <FileObj:Hashes>
      <cyboxCommon:Hash>
       <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
       <cyboxCommon:Simple_Hash_Value>4EC0027BEF4D7E1786A04D021FA8A67F</cyboxCommon:Simple_Hash_Value>
      </cyboxCommon:Hash>
     </FileObj:Hashes>
    </cybox:Properties>
   </maecPackage:Malware_Instance_Object_Attributes>
   
   <maecPackage:Label xsi:type="maecVocabs:MalwareLabelVocab-1.0">dropper file</maecPackage:Label>
   
   <maecPackage:Relationships>
    <maecPackage:Relationship>
     <maecPackage:Type xsi:type="maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0">drops</maecPackage:Type>
     <maecPackage:Malware_Subject_Reference malware_subject_idref="example:malware_subject-2"/>
    </maecPackage:Relationship>
   </maecPackage:Relationships>
  </maecPackage:Malware_Subject>
  
  <maecPackage:Malware_Subject id="example:malware_subject-2">
   <maecPackage:Malware_Instance_Object_Attributes>
    <cybox:Properties xsi:type="WinExecFileObj:WindowsExecutableFileObjectType">
     <FileObj:File_Name>msvcr.dll</FileObj:File_Name>
    </cybox:Properties>
   </maecPackage:Malware_Instance_Object_Attributes>
   
   <maecPackage:Label xsi:type="maecVocabs:MalwareLabelVocab-1.0">downloader</maecPackage:Label>
   
   <maecPackage:Relationships>
    <maecPackage:Relationship>
     <maecPackage:Type xsi:type="maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0">dropped by</maecPackage:Type>
     <maecPackage:Malware_Subject_Reference malware_subject_idref="example:malware_subject-1"/>
    </maecPackage:Relationship>
    <maecPackage:Relationship>
     <maecPackage:Type xsi:type="maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0">downloads</maecPackage:Type>
     <maecPackage:Malware_Subject_Reference malware_subject_idref="example:malware_subject-3"/>
     <maecPackage:Malware_Subject_Reference malware_subject_idref="example:malware_subject-4"/>
     <maecPackage:Malware_Subject_Reference malware_subject_idref="example:malware_subject-5"/>
    </maecPackage:Relationship>
   </maecPackage:Relationships>
  </maecPackage:Malware_Subject>
  
  <maecPackage:Malware_Subject id="example:malware_subject-3">
   <maecPackage:Malware_Instance_Object_Attributes>
    <cybox:Properties xsi:type="WinExecFileObj:WindowsExecutableFileObjectType">
     <FileObj:File_Name>fvcwin32.exe</FileObj:File_Name>
    </cybox:Properties>
   </maecPackage:Malware_Instance_Object_Attributes>
   <maecPackage:Relationships>
    <maecPackage:Relationship>
     <maecPackage:Type xsi:type="maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0">downloaded by</maecPackage:Type>
     <maecPackage:Malware_Subject_Reference malware_subject_idref="example:malware_subject-2"/>
    </maecPackage:Relationship>
   </maecPackage:Relationships>
  </maecPackage:Malware_Subject>
  
  <maecPackage:Malware_Subject id="example:malware_subject-4">
   <maecPackage:Malware_Instance_Object_Attributes>
    <cybox:Properties xsi:type="WinExecFileObj:WindowsExecutableFileObjectType">
     <FileObj:File_Name>acvcwin32.exe</FileObj:File_Name>
    </cybox:Properties>
   </maecPackage:Malware_Instance_Object_Attributes>
   <maecPackage:Relationships>
    <maecPackage:Relationship>
     <maecPackage:Type xsi:type="maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0">downloaded by</maecPackage:Type>
     <maecPackage:Malware_Subject_Reference malware_subject_idref="example:malware_subject-2"/>
    </maecPackage:Relationship>
   </maecPackage:Relationships>
  </maecPackage:Malware_Subject>
  
  <maecPackage:Malware_Subject id="example:malware_subject-5">
   <maecPackage:Malware_Instance_Object_Attributes>
    <cybox:Properties xsi:type="WinExecFileObj:WindowsExecutableFileObjectType">
     <FileObj:File_Name>avcwin32.exe</FileObj:File_Name>
    </cybox:Properties>
   </maecPackage:Malware_Instance_Object_Attributes>
   <maecPackage:Relationships>
    <maecPackage:Relationship>
     <maecPackage:Type xsi:type="maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0">downloaded by</maecPackage:Type>
     <maecPackage:Malware_Subject_Reference malware_subject_idref="example:malware_subject-2"/>
    </maecPackage:Relationship>
   </maecPackage:Relationships>
  </maecPackage:Malware_Subject>
 </maecPackage:Malware_Subjects>
 
 <maecPackage:Grouping_Relationships>
  <maecPackage:Grouping_Relationship>
   <maecPackage:Type xsi:type="maecVocabs:GroupingRelationshipTypeVocab-1.0">observed together</maecPackage:Type>
  </maecPackage:Grouping_Relationship>
 </maecPackage:Grouping_Relationships>
</maecPackage:MAEC_Package>

After - MAEC 5.0

<maecPackage:MAEC_Package id="example:package-1" schema_version="5.0">
 <maecPackage:Objects>
  <cybox:Object id="example:object-1">
   <cybox:Properties xsi:type="WinExecFileObj:WindowsExecutableFileObjectType">
    <FileObj:File_Name>dg003_improve_8080_V132.exe</FileObj:File_Name>
    <FileObj:Size_In_Bytes>196608</FileObj:Size_In_Bytes>
    <FileObj:Hashes>
     <cyboxCommon:Hash>
      <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
      <cyboxCommon:Simple_Hash_Value>4EC0027BEF4D7E1786A04D021FA8A67F</cyboxCommon:Simple_Hash_Value>
     </cyboxCommon:Hash>
    </FileObj:Hashes>
   </cybox:Properties>
  </cybox:Object>
  <cybox:Object id="example:object-2">
   <cybox:Properties xsi:type="WinExecFileObj:WindowsExecutableFileObjectType">
    <FileObj:File_Name>msvcr.dll</FileObj:File_Name>
   </cybox:Properties>
  </cybox:Object>
  <cybox:Object id="example:object-3">
   <cybox:Properties xsi:type="WinExecFileObj:WindowsExecutableFileObjectType">
    <FileObj:File_Name>fvcwin32.exe</FileObj:File_Name>
   </cybox:Properties>
  </cybox:Object>
  <cybox:Object id="example:object-4">
   <cybox:Properties xsi:type="WinExecFileObj:WindowsExecutableFileObjectType">
    <FileObj:File_Name>acvcwin32.exe</FileObj:File_Name>
   </cybox:Properties>  
  </cybox:Object>
  <cybox:Object id="example:object-5">
   <cybox:Properties xsi:type="WinExecFileObj:WindowsExecutableFileObjectType">
    <FileObj:File_Name>avcwin32.exe</FileObj:File_Name>
   </cybox:Properties>
  </cybox:Object>
  <cybox:Object id="example:object-6">
   <cybox:Properties xsi:type="WinExecFileObj:WindowsExecutableFileObjectType">
    <FileObj:File_Name>system.dll</FileObj:File_Name>
    <FileObj:Full_Path>C:\WINDOWS\Debug\Data</FileObj:Full_Path>
   </cybox:Properties>
  </cybox:Object>
  <cybox:Object id="example:object-7">
   <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType">
    <WinRegistryKeyObj:Key>.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\{19127AD2-394B-70F5-C650-B97867BAA1F7}</WinRegistryKeyObj:Key>
    <WinRegistryKeyObj:Hive>HKEY_USERS</WinRegistryKeyObj:Hive>
   </cybox:Properties>
  </cybox:Object>
 </maecPackage:Objects>
 
 <maecPackage:Actions>
  <maecPackage:Action id="example:action-1" action_status="success">
   <maecCore:Name xsi:type="maecVocabs:FileActionNameVocab-1.1">create file</maecCore:Name>
   <maecCore:Associated_Object_Reference object_idref="example:object-6" association_type="output"/>
  </maecPackage:Action>
  <maecPackage:Action id="example:action-2" action_status="success">
   <maecCore:Name xsi:type="maecVocabs:RegistryActionNameVocab-1.0">create registry key</maecCore:Name>
   <maecCore:Associated_Object_Reference object_idref="example:object-7" association_type="output"/>
  </maecPackage:Action>
 </maecPackage:Actions>
 
 <maecPackage:Relationships>
  <maecPackage:Relationship id="example:relationship-1" source_idref="example:malware_subject-1" target_idref="example:malware_subject-2">
   <maecPackage:Type xsi:type="maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0">drops</maecPackage:Type>
  </maecPackage:Relationship>
  <maecPackage:Relationship id="example:relationship-2" source_idref="example:malware_subject-2" target_idref="example:malware_subject-3">
   <maecPackage:Type xsi:type="maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0">downloads</maecPackage:Type>
  </maecPackage:Relationship>
  <maecPackage:Relationship id="example:relationship-3" source_idref="example:malware_subject-2" target_idref="example:malware_subject-4">
   <maecPackage:Type xsi:type="maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0">downloads</maecPackage:Type>
  </maecPackage:Relationship>
  <maecPackage:Relationship id="example:relationship-4" source_idref="example:malware_subject-2" target_idref="example:malware_subject-5">
   <maecPackage:Type xsi:type="maecVocabs:MalwareSubjectRelationshipTypeVocab-1.0">downloads</maecPackage:Type>
  </maecPackage:Relationship>
 </maecPackage:Relationships>
 
 <maecPackage:Collections>
  <maecPackage:Collection id="example:collection-1" maec_entity_type="malware subjects" association_type="observed together">
   <maecPackage:Malware_Subject_Reference malware_subject_idref="example:malware_subject-1"/>
   <maecPackage:Malware_Subject_Reference malware_subject_idref="example:malware_subject-2"/>
   <maecPackage:Malware_Subject_Reference malware_subject_idref="example:malware_subject-3"/>
   <maecPackage:Malware_Subject_Reference malware_subject_idref="example:malware_subject-4"/>
   <maecPackage:Malware_Subject_Reference malware_subject_idref="example:malware_subject-5"/>
  </maecPackage:Collection>
 </maecPackage:Collections>
 
 <maecPackage:Malware_Subjects>
  <maecPackage:Malware_Subject id="example:malware_subject-1">
   <maecPackage:Instance_Properties object_idref="example:object-1"/>
   <maecPackage:Label xsi:type="maecVocabs:MalwareLabelVocab-1.0">dropper file</maecPackage:Label>
  </maecPackage:Malware_Subject>
  
  <maecPackage:Malware_Subject id="example:malware_subject-2">
   <maecPackage:Instance_Properties object_idref="example:object-2"/>
   <maecPackage:Label xsi:type="maecVocabs:MalwareLabelVocab-1.0">downloader</maecPackage:Label>
  </maecPackage:Malware_Subject>
  
  <maecPackage:Malware_Subject id="example:malware_subject-3">
   <maecPackage:Instance_Properties object_idref="example:object-3"/>
   <maecPackage:Actions>
    <maecPackage:Action_Reference action_idref="example:action-1"/>
   </maecPackage:Actions>
  </maecPackage:Malware_Subject>
  
  <maecPackage:Malware_Subject id="example:malware_subject-4">
   <maecPackage:Instance_Properties object_idref="example:object-4"/>
   <maecPackage:Actions>
    <maecPackage:Action_Reference action_idref="example:action-2"/>
   </maecPackage:Actions>
  </maecPackage:Malware_Subject>
  
  <maecPackage:Malware_Subject id="example:malware_subject-5">
   <maecPackage:Instance_Properties object_idref="example:object-5"/>
  </maecPackage:Malware_Subject>
 </maecPackage:Malware_Subjects>
</maecPackage:MAEC_Package>
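As an added example (not MAEC project code), a small Python checker over a constructed package shaped like the 5.0 output above: because every identifiable entity now lives once at the top level, a single id index resolves every `*_idref` in the document, dangling references are caught on one code path, and a Collection expands into the pairwise many-to-many relationships described earlier. Namespace URIs and the simplified element names are placeholders modelled on the example, not the official MAEC/CybOX schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the 5.0 "After" package. Namespace URIs are
# placeholders, not the official MAEC/CybOX ones; two idrefs are deliberately dangling.
P = "urn:example:maec-package"
SAMPLE = f"""<p:MAEC_Package xmlns:p="{P}" xmlns:c="urn:example:cybox" id="example:package-1">
 <p:Objects><c:Object id="example:object-1"/><c:Object id="example:object-2"/><c:Object id="example:object-6"/></p:Objects>
 <p:Actions><p:Action id="example:action-1"><p:Associated_Object_Reference object_idref="example:object-6"/></p:Action></p:Actions>
 <p:Relationships>
  <p:Relationship id="example:relationship-1" source_idref="example:malware_subject-1" target_idref="example:malware_subject-2"/>
  <p:Relationship id="example:relationship-2" source_idref="example:malware_subject-2" target_idref="example:malware_subject-9"/>
 </p:Relationships>
 <p:Collections>
  <p:Collection id="example:collection-1" association_type="observed together">
   <p:Malware_Subject_Reference malware_subject_idref="example:malware_subject-1"/>
   <p:Malware_Subject_Reference malware_subject_idref="example:malware_subject-2"/>
   <p:Malware_Subject_Reference malware_subject_idref="example:malware_subject-3"/>
  </p:Collection>
 </p:Collections>
 <p:Malware_Subjects>
  <p:Malware_Subject id="example:malware_subject-1"><p:Instance_Properties object_idref="example:object-1"/></p:Malware_Subject>
  <p:Malware_Subject id="example:malware_subject-2"><p:Instance_Properties object_idref="example:object-2"/></p:Malware_Subject>
  <p:Malware_Subject id="example:malware_subject-3"><p:Instance_Properties object_idref="example:object-3"/>
   <p:Actions><p:Action_Reference action_idref="example:action-1"/></p:Actions></p:Malware_Subject>
 </p:Malware_Subjects>
</p:MAEC_Package>"""

def load_package(xml_text):
    """Parse a package document and return its root element."""
    return ET.fromstring(xml_text)

def index_entities(root):
    """id -> element for the whole package; in 5.0 each entity is declared once, at the top level."""
    return {el.get("id"): el for el in root.iter() if el.get("id") is not None}

def dangling_references(root):
    """(attribute, idref) pairs that resolve to no declared id. Every *_idref attribute
    (object_, action_, source_, target_, malware_subject_) is checked by the same code path."""
    ids = index_entities(root)
    return [(attr, ref) for el in root.iter() for attr, ref in el.attrib.items()
            if attr.endswith("_idref") and ref not in ids]

def relationship_edges(root):
    """Directed (source, target) edges from the top-level Relationship objects."""
    return [(r.get("source_idref"), r.get("target_idref"))
            for r in root.iter(f"{{{P}}}Relationship")]

def collection_pairs(root, collection_id):
    """Expand a Collection into the unordered member pairs it implies (its many-to-many relationship)."""
    members = [m.get("malware_subject_idref") for m in index_entities(root)[collection_id]]
    return [(a, b) for i, a in enumerate(members) for b in members[i + 1:]]
```

Running `dangling_references` over the sample reports the two unresolved idrefs (`example:malware_subject-9` and `example:object-3`), which in the 4.1 nested form would have needed a separate check per relationship type.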
