MAECProject / schemas

MAEC Schemas and Schema Development

Add Ability to Capture Malware Subject Evolution #98

Open ikiril01 opened 9 years ago

ikiril01 commented 9 years ago

We should add the ability to more explicitly capture how a Malware Subject evolves over time. This can include some things that we currently express implicitly (e.g., changes in AV classifications over time), but there are likely components that would need to be made more explicit. For instance, a bot receiving a new configuration file and downloading a new payload is not something that we can currently capture. One possibility of achieving this is through timestamped relationships.

ikiril01 commented 9 years ago

Perhaps having timestamped relationships in combination with the ability to capture field data in the MalwareSubjectType is enough:

<Relationship type="downloads" timestamp="2015-03-16T09:30:10.5" source="malware_subject_1" target="malware_subject_2"/>

ikiril01 commented 9 years ago

This is primarily with regards to the evolution of malware Capabilities and Behaviors. In this regard, perhaps we should consider adding timestamps to these constructs:

<Capability id="capability-1" name="persistence" timestamp="2015-03-16T09:30:10.5"/>
<Behavior id="behavior-1" name="detect debugging" timestamp="2015-04-03T08:25:33.4"/>

Another possibility is to capture this implicitly through Analyses (something we already support):

<Analysis id="analysis-1" start_datetime="2015-04-03T08:25:33.4">
    <Entity_Reference entity_id="behavior-1"/>
</Analysis>
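As an added example (not part of the issue thread or the MAEC project code), the following Python script shows what a consumer would do with the two mechanisms proposed above: it reads the explicit `timestamp` attributes on `Relationship`, `Capability` and `Behavior` elements, falls back to an `Analysis` element's `start_datetime` for entities that carry no timestamp of their own, and returns the Malware Subject's evolution as a time-ordered list. The sample document, the element nesting under `Malware_Subject`, and the `timestamp` attribute itself are assumptions taken from the proposal in this issue, not from a released MAEC schema. A separate check reports `Entity_Reference` elements that point at an id not present in the document, since a timeline built from dangling references would silently lose events.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample document. The timestamp attribute on Relationship,
# Capability and Behavior is the one proposed in this issue, not part of a
# released MAEC schema; the nesting under Malware_Subject is assumed too.
# analysis-3 deliberately references an id that does not exist.
SAMPLE_XML = """\
<Malware_Subjects>
  <Malware_Subject id="malware_subject_1">
    <Capability id="capability-1" name="persistence" timestamp="2015-03-16T09:30:10.5"/>
    <Behavior id="behavior-1" name="detect debugging" timestamp="2015-04-03T08:25:33.4"/>
    <Behavior id="behavior-2" name="contact c2"/>
    <Relationship type="downloads" timestamp="2015-03-16T09:30:10.5"
                  source="malware_subject_1" target="malware_subject_2"/>
    <Analysis id="analysis-1" start_datetime="2015-04-03T08:25:33.4">
      <Entity_Reference entity_id="behavior-1"/>
    </Analysis>
    <Analysis id="analysis-2" start_datetime="2015-05-01T12:00:00">
      <Entity_Reference entity_id="behavior-2"/>
    </Analysis>
    <Analysis id="analysis-3" start_datetime="2015-05-02T12:00:00">
      <Entity_Reference entity_id="behavior-9"/>
    </Analysis>
  </Malware_Subject>
  <Malware_Subject id="malware_subject_2"/>
</Malware_Subjects>
"""


def parse_ts(value):
    """Parse the ISO-style timestamps used in the proposal. The fractional
    second is optional and may have between one and six digits."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f", "%Y-%m-%dT%H:%M:%S"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value!r}")


def _subject(root, subject_id):
    for subj in root.iter("Malware_Subject"):
        if subj.get("id") == subject_id:
            return subj
    raise KeyError(subject_id)


def build_timeline(xml_text, subject_id):
    """Return the subject's evolution as a sorted list of tuples
    (timestamp, source, kind, id_or_type, detail).

    source is "explicit" when the element carries its own timestamp and
    "analysis" when the time comes from the Analysis that observed it."""
    subject = _subject(ET.fromstring(xml_text), subject_id)
    events = []
    explicit_ids = set()
    for el in subject:
        ts = el.get("timestamp")
        if el.tag in ("Capability", "Behavior") and ts:
            explicit_ids.add(el.get("id"))
            events.append((parse_ts(ts), "explicit", el.tag.lower(),
                           el.get("id"), el.get("name")))
        elif el.tag == "Relationship" and ts:
            events.append((parse_ts(ts), "explicit", "relationship",
                           el.get("type"), el.get("target")))

    # Implicit path: an Analysis dates every entity it references that has
    # no timestamp of its own. An explicit timestamp always wins.
    by_id = {el.get("id"): el for el in subject if el.get("id")}
    for analysis in subject.iter("Analysis"):
        start = analysis.get("start_datetime")
        if not start:
            continue
        for ref in analysis.iter("Entity_Reference"):
            eid = ref.get("entity_id")
            target = by_id.get(eid)
            if eid in explicit_ids or target is None:
                continue
            events.append((parse_ts(start), "analysis", target.tag.lower(),
                           eid, target.get("name")))
    events.sort(key=lambda e: e[0])  # stable: ties keep document order
    return events


def dangling_references(xml_text):
    """List (analysis_id, entity_id) pairs whose entity_id resolves to no
    element id anywhere in the document."""
    root = ET.fromstring(xml_text)
    known = {el.get("id") for el in root.iter() if el.get("id")}
    return [(a.get("id"), r.get("entity_id"))
            for a in root.iter("Analysis")
            for r in a.iter("Entity_Reference")
            if r.get("entity_id") not in known]


if __name__ == "__main__":
    for ts, source, kind, ident, detail in build_timeline(SAMPLE_XML, "malware_subject_1"):
        print(f"{ts.isoformat()}  {source:8}  {kind:12}  {ident}  {detail}")
    print("dangling:", dangling_references(SAMPLE_XML))
```

The two events at 2015-03-16 (the capability and the download relationship) share a timestamp, and the stable sort keeps them in document order; a schema that adopts timestamped relationships would still need to say whether equal timestamps imply any ordering.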