Ability to view, easily export samples of malware

securitiz commented 8 months ago

Use case

A common question is "what samples of do we have?" - this enables threat hunting, and proper tracking of malware samples.

The proper way to create a relationship between a sample and the Malware object is: Malware object-> sample -> File object. This creates a nested relationship

While I understand that STIX differentiates between nested and regular relationships, to the user this is confusing (I reference this here)

In this case, the issue becomes that when creating a sample relationship, the file object isn't easily accessible or exportable in the Malware object's Knowledge view. It's not listed as an observable of the Malware. It's referenced in the Overview under "Nested Objects" - this list can't be exported. In my view, this should be moved to the Knowledge page.

Current Workaround

Don't use "sample" relationships, and use the more generic "related to" relationship

Proposed Solution

Slowly get rid of the distinction in the UX between nested and regular relationships

In the more immediate term - ensure that Files that have a "sample" relationship to a Malware show up in the Malware's list of Observables (found in the Malware's Knowledge page)

Additional Information

Shows that we have a sample of the Cactus malware. It's in the Nested Objects under Overview - the file can't be exported from this view

Shows that despite the fact that we have a sample, the Knowledge view shows no observables. The same is true for "Related entities". There is no way to easily view and export a list of all samples of a malware object

If the feature request is approved, would you be willing to submit a PR?

Yes / No (Help can be provided if you need assistance submitting a PR)

nino-filigran commented 8 months ago

@securitiz just to make sure we're thinking in the correct way here:

what's your exact use case here? If I understand, you need to find these relations in an easier way to perform threat hunting, and for this you need to be able export these relations. Am I correct, or do I miss a point?
therefore, based on your use case, is the only missing functionality the export?
When exporting them, how would you use them (importing in another software...)?

securitiz commented 8 months ago

Use case:

We need to identify IOCs associated with a particular kind of malware, say Cobalt Strike. There are many reasons we may want this: proactive hunting, internal research, blog posts, etc. So yes - we want to be able to export the IOCs.

Missing functionality:

The export functionality for nested relations would be the simplest fix.
^^However, this would require analysts to export from two different places if they desire to get all IOCs for a type of Malware: 1) Overview -> Nested Objects, 2) Knowledge -> Observables

Export use case:

We import into other software (EDR, etc)
We also have a use case to share malware-specific IOCs with third parties

nino-filigran commented 8 months ago

Thanks for all the details, this is really helpful. There's definitively something missing here, we'll update the ticket when we'll work on this.

OpenCTI-Platform / opencti