
Proposal: Deprecate MAEC Bundle (as a concept and output format)

Ivan Kirillov edited this page May 18, 2015 · 40 revisions

Status: Open
Comment Period Closes:
Affects Backwards Compatibility: Yes
Relevant Issues: https://github.com/MAECProject/schemas/issues/104

Background Information

The MAEC Bundle was the original MAEC output format, and still exists as of v4.1 as a container for purely analysis-derived results relating to the analysis of a malware instance. However, given that the MAEC Package is used almost exclusively today as the de-facto container for MAEC data, it's probably worth considering deprecating the MAEC Bundle as a separate output format. This would simplify the MAEC Bundle by removing certain fields intended for use only when the Bundle was used by itself, and also generally simplify the usage of MAEC by having only a single supported output format.

Accordingly, the second aspect of this proposal is to likewise deprecate the concept of the MAEC Bundle (i.e. as a "Findings_Bundle" on a Malware Subject). Based on comments we've received and our own consensus, we feel that the concept of the Bundle may be an unnecessary layer of abstraction on top of the analysis-derived data that a Bundle contains. Instead, for the sake of simplicity and ease-of-use, it would be useful to promote the data currently contained in a Bundle directly to the Malware Subject level.

Note that these changes do not mean that the core MAEC datatypes (e.g., the MalwareActionType and CapabilityType) currently defined in the MAEC Bundle would be deprecated; rather, it simply means that the Bundle would no longer exist as a concept and corresponding MAEC output format.

Related Proposals

This proposal is related to the following proposed change to the schema: https://github.com/MAECProject/schemas/wiki/Proposal:-Deprecate-MAEC-Container

Proposal

There are two key components to this proposal: the deprecation of the MAEC Bundle as an output format, and the deprecation of the concept of the MAEC Bundle.

MAEC Bundle as Output Format

Because there is no strong use case for the MAEC Bundle as a separate output format, we propose simplifying MAEC by deprecating the MAEC Bundle (we've also proposed that the MAEC Container be similarly deprecated) as an output format. As a result, the MAEC Package would be the only MAEC output format available.

This deprecation would simply involve removing the MAEC_Bundle top-level element from the MAEC Bundle schema.

Concept of the MAEC Bundle

The deprecation of the concept of the MAEC Bundle is more involved and revolves around a number of changes to both the MAEC Package and MAEC Bundle schemas.

The changes to the MAEC Bundle schema would be the following:

  1. The MAEC Bundle schema would be renamed to "MAEC Core" and accordingly its filename would be changed to "maec_core_schema.xsd".
  2. The namespace used by the MAEC Core schema would become http://maec.mitre.org/XMLSchema/maec-core-1.
  3. The version number used by the MAEC Core would become 1.0, since this would be the first release of this schema.
  4. All Bundle-related types in the schema would be deprecated, including the following: BundleType, BundleReferenceType, BundleContentTypeEnum.

The changes to the MAEC Package schema would be the following:

  1. The FindingsBundleListType would be deprecated.
  2. The corresponding changes would be made to the AnalysisType:
    1. The Findings_Bundle_Reference field would be replaced with an Entity_Reference field of EntityReferenceType (defined below). This will permit the Analysis to more granularly reference the MAEC entities (e.g., Objects, Actions, etc.) that it discovered, via their IDs.
  3. The corresponding changes would be made to the MalwareSubjectType:
    1. The Findings_Bundles field will be deprecated. Instead, the entities previously captured in Bundles (e.g., Actions) will be directly attached to the MalwareSubjectType, as described below.
    2. A new field, Capabilities, of type maecCore:CapabilityListType (equivalent to the existing maecPackage:CapabilityListType), will be added. This field permits the capture of the Capabilities associated with the Malware Subject more directly, at its root-level.
    3. A new field, Behaviors, of type maecCore:BehaviorListType (equivalent to the existing maecPackage:BehaviorListType), will be added. This field permits the capture of Behaviors associated with the Malware Subject more directly, at its root-level.
    4. A new field, Actions, of type maecCore:ActionListType (equivalent to the existing maecPackage:ActionListType), will be added. This field permits the capture of Actions associated with the Malware Subject more directly, at its root-level.
    5. A new field, Process_Trees, of new type maecCore:ProcessTreeListType, will be added. This field permits the capture of the Process Trees associated with the Malware Subject more directly, at its root-level.
    6. A new field, Static_Features, of new type maecCore:ObjectReferenceListType, will be added. This field permits the capture of the static features associated with the Malware Subject more directly, at its root-level.

New Fields (MAEC Package)

The new fields on the AnalysisType would be the following:

| Field | Type | Multiplicity | Description |
|---|---|---|---|
| Entity_References | EntityReferenceListType | 0-1 | The Entity_References field specifies a reference to one or more existing MAEC entities in the document that represent the findings of the Analysis. |

The new fields on the MalwareSubjectType would be the following:

| Field | Type | Multiplicity | Description |
|---|---|---|---|
| Capabilities | maecCore:CapabilityListType | 0-1 | The Capabilities field captures a list of Capabilities possessed by the Malware Subject. |
| Behaviors | maecCore:BehaviorListType | 0-1 | The Behaviors field captures a list of Behaviors exhibited by the Malware Subject. |
| Actions | maecCore:ActionListType | 0-1 | The Actions field captures a list of Actions observed during one or more executions of the Malware Subject. |
| Process_Trees | maecCore:ProcessTreeListType | 0-1 | The Process_Trees field captures a list of Process Trees observed during one or more executions of the Malware Subject. |
| Static_Features | maecCore:ObjectReferenceListType | 0-1 | The Static_Features field captures one or more Static Features associated with the Malware Subject. |

New Types (MAEC Core)

Accordingly, the new types in the MAEC Core schema (formerly MAEC Bundle schema) would be:

ProcessTreeListType

| Field | Type | Multiplicity | Description |
|---|---|---|---|
| Process_Tree | maecCore:ProcessTreeType | 0-1 | The Process_Tree field specifies a single process tree of execution, as recorded during an execution of the Malware Subject. |

New Types (MAEC Package)

EntityReferenceListType

| Field | Type | Multiplicity | Description |
|---|---|---|---|
| Entity_Reference | EntityReferenceType | 1-N | The Entity_Reference field specifies a reference to an existing MAEC entity in the document, via its ID. |

EntityReferenceType

| Field | Type | Multiplicity | Description |
|---|---|---|---|
| entity_idref | xs:anyURI | 1-1 | The required entity_idref field provides a reference to an existing entity in the MAEC document, via its ID. For example, if an Action has an ID value of "action-1", setting the entity_idref field to this value would serve as a reference to this Action. |

Example

Before

The following represents an example of a typical Malware Subject with an Analysis and Findings Bundle before this set of proposed changes (i.e., as of MAEC v4.1).

<maecPackage:Malware_Subject id="maec-test-sub-1">
  <maecPackage:Malware_Instance_Object_Attributes id="maec-tst-obj-1">
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:File_Name>qwerty.exe</FileObj:File_Name>
    </cybox:Properties>
  </maecPackage:Malware_Instance_Object_Attributes>
    
  <maecPackage:Analysis id="maec-tst-ana-1" method="static" type="in-depth">
    <maecPackage:Findings_Bundle_Reference bundle_idref="maec-tst-bnd-1"/>
  </maecPackage:Analysis>

  <maecPackage:Findings_Bundles>
    <maecPackage:Bundle id="maec-tst-bnd-1" defined_subject="false" schema_version="4.1">
      <maecBundle:Capabilities>
        <maecBundle:Capability id="maec-tst-cpb-1" name="persistence"/>
      </maecBundle:Capabilities>

      <maecBundle:Behaviors>
        <maecBundle:Behavior id="maec-tst-bhv-1">
          <maecBundle:Description>System Reboot Persistence via Registry Startup</maecBundle:Description>
          <maecBundle:Action_Composition>
            <maecBundle:Action_Reference action_id="maec-tst-act-1"/>
          </maecBundle:Action_Composition>
        </maecBundle:Behavior>
      </maecBundle:Behaviors>

      <maecBundle:Actions>
        <maecBundle:Action id="maec-tst-act-1">
          <cybox:Name xsi:type="maecVocabs:RegistryActionNameVocab-1.0">create registry key value</cybox:Name>
          <cybox:Associated_Objects>
            <cybox:Associated_Object id="maec-tst-obj-2">
              <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType">
                <WinRegistryKeyObj:Key>SOFTWARE\Microsoft\Windows\CurrentVersion\Run</WinRegistryKeyObj:Key>
                <WinRegistryKeyObj:Hive>HKEY_LOCAL_MACHINE</WinRegistryKeyObj:Hive>
                <WinRegistryKeyObj:Values>
                  <WinRegistryKeyObj:Value>
                    <WinRegistryKeyObj:Name>MSInfo</WinRegistryKeyObj:Name>
                    <WinRegistryKeyObj:Data>%Windir%\AVBgle.exe</WinRegistryKeyObj:Data>
                  </WinRegistryKeyObj:Value>
                </WinRegistryKeyObj:Values>
              </cybox:Properties>
            </cybox:Associated_Object>
          </cybox:Associated_Objects>
        </maecBundle:Action>
      </maecBundle:Actions>
    </maecPackage:Bundle>
  </maecPackage:Findings_Bundles>
</maecPackage:Malware_Subject>

After

The following represents an example of the same Malware Subject as above, assuming that this set of proposed changes is incorporated (i.e., as of MAEC v5.0).

<maecPackage:Malware_Subject id="maec-test-sub-1">
  <maecPackage:Malware_Instance_Object_Attributes id="maec-tst-obj-1">
    <cybox:Properties xsi:type="FileObj:FileObjectType">
      <FileObj:File_Name>qwerty.exe</FileObj:File_Name>
    </cybox:Properties>
  </maecPackage:Malware_Instance_Object_Attributes>

  <maecPackage:Analysis id="maec-tst-ana-1" method="static" type="in-depth">
    <maecPackage:Entity_References>
      <maecPackage:Entity_Reference entity_idref="maec-tst-cpb-1"/>
      <maecPackage:Entity_Reference entity_idref="maec-tst-bhv-1"/>
      <maecPackage:Entity_Reference entity_idref="maec-tst-act-1"/>  
    </maecPackage:Entity_References>
  </maecPackage:Analysis>

  <maecCore:Capabilities>
    <maecCore:Capability id="maec-tst-cpb-1" name="persistence"/>
  </maecCore:Capabilities>

  <maecCore:Behaviors>
    <maecCore:Behavior id="maec-tst-bhv-1">
      <maecCore:Description>System Reboot Persistence via Registry Startup</maecCore:Description>
      <maecCore:Action_Composition>
        <maecCore:Action_Reference action_id="maec-tst-act-1"/>
      </maecCore:Action_Composition>
    </maecCore:Behavior>
  </maecCore:Behaviors>

  <maecCore:Actions>
    <maecCore:Action id="maec-tst-act-1">
      <cybox:Name xsi:type="maecVocabs:RegistryActionNameVocab-1.0">create registry key value</cybox:Name>
      <cybox:Associated_Objects>
        <cybox:Associated_Object id="maec-tst-obj-2">
          <cybox:Properties xsi:type="WinRegistryKeyObj:WindowsRegistryKeyObjectType">
            <WinRegistryKeyObj:Key>SOFTWARE\Microsoft\Windows\CurrentVersion\Run</WinRegistryKeyObj:Key>
            <WinRegistryKeyObj:Hive>HKEY_LOCAL_MACHINE</WinRegistryKeyObj:Hive>
            <WinRegistryKeyObj:Values>
              <WinRegistryKeyObj:Value>
                <WinRegistryKeyObj:Name>MSInfo</WinRegistryKeyObj:Name>
                <WinRegistryKeyObj:Data>%Windir%\AVBgle.exe</WinRegistryKeyObj:Data>
              </WinRegistryKeyObj:Value>
            </WinRegistryKeyObj:Values>
          </cybox:Properties>
        </cybox:Associated_Object>
      </cybox:Associated_Objects>
    </maecCore:Action>
  </maecCore:Actions>
</maecPackage:Malware_Subject>
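As an added example (not part of this proposal or of the MAEC project's own code), the following Python script applies the two transformations illustrated by the Before and After examples to a MAEC 4.1 Malware_Subject: it promotes the Bundle's Capabilities, Behaviors and Actions to the Malware Subject root in the maec-core-1 namespace, replaces the Analysis's Findings_Bundle_Reference with one Entity_Reference per promoted entity, and then checks that every entity_idref resolves to an id in the document, the integrity check that the xs:anyURI type of EntityReferenceType cannot provide on its own. The maec-package-2 and maec-bundle-4 namespace URIs are assumed to be the MAEC 4.1 ones (they are not stated on this page); the function names, the trimmed sample input (built from the Before example above) and the restriction to the three Bundle children shown on this page are this example's own choices.

```python
import xml.etree.ElementTree as ET

# maec-core-1 is the namespace the proposal gives; the package and bundle URIs are
# assumed to be the MAEC 4.1 ones (not stated on the page).
NS = {
    "maecPackage": "http://maec.mitre.org/XMLSchema/maec-package-2",
    "maecBundle": "http://maec.mitre.org/XMLSchema/maec-bundle-4",
    "maecCore": "http://maec.mitre.org/XMLSchema/maec-core-1",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Bundle children this script promotes to the Malware Subject root; any other
# child (e.g. a 4.1 Process_Tree) has no mapping here and is refused, not dropped.
PROMOTED = ("Capabilities", "Behaviors", "Actions")

def q(prefix, local):
    """Clark-notation tag for prefix:local."""
    return "{%s}%s" % (NS[prefix], local)

def _retag_bundle_to_core(elem):
    """Move elem and every descendant from the maecBundle to the maecCore namespace."""
    old, new = "{%s}" % NS["maecBundle"], "{%s}" % NS["maecCore"]
    for node in elem.iter():
        if node.tag.startswith(old):
            node.tag = new + node.tag[len(old):]

def migrate_subject(subject):
    """Rewrite a maecPackage:Malware_Subject in place (4.1 -> proposed 5.0 layout).
    Returns {bundle_id: [ids of the entities promoted out of that Bundle]}."""
    promoted = {}
    findings = subject.find(q("maecPackage", "Findings_Bundles"))
    if findings is not None:
        for bundle in findings.findall(q("maecPackage", "Bundle")):
            ids = []
            for child in list(bundle):
                local = child.tag.rsplit("}", 1)[-1]
                if local not in PROMOTED:
                    raise ValueError("no v5.0 mapping for Bundle child %s" % local)
                bundle.remove(child)
                _retag_bundle_to_core(child)
                ids.extend(e.get("id") for e in child if e.get("id"))
                subject.append(child)  # Capabilities/Behaviors/Actions now sit at the root
            promoted[bundle.get("id")] = ids
        subject.remove(findings)
    # Each Findings_Bundle_Reference becomes one Entity_Reference per promoted entity.
    for analysis in subject.findall(q("maecPackage", "Analysis")):
        for ref in analysis.findall(q("maecPackage", "Findings_Bundle_Reference")):
            refs = ET.SubElement(analysis, q("maecPackage", "Entity_References"))
            for entity_id in promoted.get(ref.get("bundle_idref"), []):
                ET.SubElement(refs, q("maecPackage", "Entity_Reference"), entity_idref=entity_id)
            analysis.remove(ref)
    return promoted

def dangling_entity_references(subject):
    """entity_idref values that resolve to no id in the document (xs:anyURI gives no schema check)."""
    if isinstance(subject, str):
        subject = ET.fromstring(subject)
    known = {e.get("id") for e in subject.iter() if e.get("id")}
    return [r.get("entity_idref") for r in subject.iter(q("maecPackage", "Entity_Reference"))
            if r.get("entity_idref") not in known]

def migrate_text(xml_text):
    """Migrate a serialized 4.1 subject and report what changed (plain data plus the new XML)."""
    subject = ET.fromstring(xml_text)
    promoted = migrate_subject(subject)
    core = "{%s}" % NS["maecCore"]
    return {
        "promoted": promoted,
        "core_children": [c.tag[len(core):] for c in subject if c.tag.startswith(core)],
        "bundles_left": len(subject.findall(q("maecPackage", "Findings_Bundles"))),
        "entity_refs": {a.get("id"): [r.get("entity_idref") for r in a.iter(q("maecPackage", "Entity_Reference"))]
                        for a in subject.findall(q("maecPackage", "Analysis"))},
        "dangling": dangling_entity_references(subject),
        "xml": ET.tostring(subject, encoding="unicode"),
    }

# Constructed input: the page's "Before" example trimmed to the parts that move.
SAMPLE_V41 = """<maecPackage:Malware_Subject id="maec-test-sub-1"
    xmlns:maecPackage="http://maec.mitre.org/XMLSchema/maec-package-2"
    xmlns:maecBundle="http://maec.mitre.org/XMLSchema/maec-bundle-4">
  <maecPackage:Analysis id="maec-tst-ana-1" method="static" type="in-depth">
    <maecPackage:Findings_Bundle_Reference bundle_idref="maec-tst-bnd-1"/>
  </maecPackage:Analysis>
  <maecPackage:Findings_Bundles>
    <maecPackage:Bundle id="maec-tst-bnd-1" defined_subject="false" schema_version="4.1">
      <maecBundle:Capabilities>
        <maecBundle:Capability id="maec-tst-cpb-1" name="persistence"/>
      </maecBundle:Capabilities>
      <maecBundle:Behaviors>
        <maecBundle:Behavior id="maec-tst-bhv-1">
          <maecBundle:Action_Composition>
            <maecBundle:Action_Reference action_id="maec-tst-act-1"/>
          </maecBundle:Action_Composition>
        </maecBundle:Behavior>
      </maecBundle:Behaviors>
      <maecBundle:Actions>
        <maecBundle:Action id="maec-tst-act-1"/>
      </maecBundle:Actions>
    </maecPackage:Bundle>
  </maecPackage:Findings_Bundles>
</maecPackage:Malware_Subject>"""

if __name__ == "__main__":
    print(migrate_text(SAMPLE_V41)["xml"])
```

Running it prints a Malware_Subject shaped like the After example above (Entity_References on the Analysis, then maecCore:Capabilities, maecCore:Behaviors and maecCore:Actions at the root). Bundle children this page does not map make migrate_subject raise rather than silently drop analysis data, and dangling_entity_references is the check to run on any hand-edited v5.0 document, since nothing in the schema stops an entity_idref from pointing at an id that does not exist.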

Impact

This change will not be backward compatible and is one of several revisions planned in the new major version.

Requested Feedback

  1. Does it make sense to deprecate the MAEC Bundle as an output format? Are there any use cases that we're missing that would require the use of the Bundle?
  2. Does it make sense to deprecate the concept of the MAEC Bundle, and accordingly rename it to "MAEC Core"?
  3. Do the corresponding schema changes make sense?
