
Proposal: Make Actions, Behaviors, and Capabilities Top Level Entities

Ivan Kirillov edited this page Sep 30, 2015 · 7 revisions

Status: CLOSED
Comment Period Closes: September 24th, 2015
Affects Backwards Compatibility: Yes

Background Information

Currently, MAEC allows Actions, Behaviors, and Capabilities to be used in two distinct ways in a MAEC document: they can be defined inline, or they can be used to reference another entity (of the same type) via the idref field. While this offers a great deal of flexibility for producers of MAEC content, it also leads to inconsistencies by resulting in both inlined and referenced entities. Therefore, to simplify how entities are captured and represented in MAEC, we propose making Actions, Behaviors, and Capabilities top-level entities - that is, they would only be allowed to be defined in a single location and would have to be referenced for all other uses.

Note that as indicated in the Related Proposals section below, we previously proposed that Collections, Relationships, Objects, and Tools also be top-level entities in MAEC 5.0.

Related Proposals

This proposal is related to the following proposed changes to the schema:

Proposal

The core of this proposal revolves around using top-level entity lists in the MAEC Package to define Actions, Behaviors, and Capabilities and then replacing all other uses of Actions, Behaviors, and Capabilities with references to the top-level entities. This will enable more efficient re-use of MAEC entities (e.g., if two or more Malware Subjects have the same Capability, the Capability can be defined once and referenced by both Malware Subjects). Making these entities top-level will also:

  • Allow the arbitrary characterization and sharing of Actions, Behaviors, and Capabilities without having to associate them with a Malware Subject.
  • Eliminate any confusion as to when these entities should be defined inline or referenced.
  • Make it easier to extract and manipulate these entities because they will all be in one location.

We recognize that making Actions, Behaviors, and Capabilities top-level entities may make creating content more difficult for consumers because these entities will initially have to be referenced and later will need to be de-referenced; however, these potential issues can be handled effectively in an API.


This change will require three new fields in the PackageType of the MAEC Package schema:

Field        | Type                        | Multiplicity | Description
Actions      | maecCore:ActionListType     | 0-1          | The Actions field captures a set of one or more Actions relevant to the Package content.
Behaviors    | maecCore:BehaviorListType   | 0-1          | The Behaviors field captures a set of one or more Behaviors relevant to the Package content.
Capabilities | maecCore:CapabilityListType | 0-1          | The Capabilities field captures a set of one or more Capabilities relevant to the Package content.

As outlined in the MAEC Bundle Deprecation proposal, the MAEC Bundle will be renamed to "MAEC Core" and will include the following name changes:

  • maecBundle:ActionListType will be renamed maecCore:ActionListType
  • maecBundle:BehaviorListType will be renamed maecCore:BehaviorListType
  • maecBundle:CapabilityListType will be renamed maecCore:CapabilityListType

Example

This example assumes that all related proposals will be implemented.

<MAEC_Package>
  <!-- Objects are already top-level (see Related Proposals); each is defined once here. -->
  <Objects>
    <Object id="maec-tst-obj-1">
      <Properties type="FileObjectType">
        <File_Name>qwerty.exe</File_Name>
      </Properties>
    </Object>
    <Object id="maec-tst-obj-2">
      <Properties type="RegistryKeyObjectType">
        <Key>SOFTWARE\Microsoft\Windows\CurrentVersion\Run</Key>
        <Hive>HKEY_LOCAL_MACHINE</Hive>
        <Values>
          <Value>
            <Name>MSInfo</Name>
            <Data>%Windir%\AVBgle.exe</Data>
          </Value>
        </Values>
      </Properties>
    </Object>
  </Objects>

  <!-- New top-level entity lists: the only place a Capability, Behavior or Action may be defined. -->
  <Capabilities>
    <Capability id="maec-tst-cpb-1">
      <Name xsi:type="maecVocabs:CapabilityNameVocab-1.0">persistence</Name>
    </Capability>
  </Capabilities>

  <Behaviors>
    <Behavior id="maec-tst-bhv-1">
      <Name xsi:type="maecVocabs:BehaviorNameVocab-1.0">persist after system reboot</Name>
      <Action_Reference action_idref="maec-tst-act-1"/>
    </Behavior>
  </Behaviors>

  <Actions>
    <Action id="maec-tst-act-1" name="create registry key value">
      <Associated_Object_Reference object_idref="maec-tst-obj-2"/>
    </Action>
  </Actions>

  <!-- The Malware Subject only references the top-level entities; nothing is defined inline. -->
  <Malware_Subjects>
    <Malware_Subject id="maec-test-sub-1">
      <Instance_Object object_idref="maec-tst-obj-1"/>

      <Analysis id="maec-tst-ana-1" method="static" type="in-depth">
        <Discovered_Entities>
          <Capability_Reference capability_idref="maec-tst-cpb-1"/>
          <Behavior_Reference behavior_idref="maec-tst-bhv-1"/>
          <Action_Reference action_idref="maec-tst-act-1"/>
        </Discovered_Entities>
      </Analysis>

      <Capabilities>
        <Capability_Reference capability_idref="maec-tst-cpb-1"/>
      </Capabilities>

      <Behaviors>
        <Behavior_Reference behavior_idref="maec-tst-bhv-1"/>
      </Behaviors>

      <Actions>
        <Action_Reference action_idref="maec-tst-act-1"/>
      </Actions>
    </Malware_Subject>
  </Malware_Subjects>
</MAEC_Package>
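The proposal notes that consumers will have to de-reference top-level entities and that an API can handle this. The following added example (not part of the proposal or the MAEC project's own code) shows the two checks such an API needs for a package shaped like the one above: indexing the top-level lists, flagging idrefs that point at entities the package never defines, and walking a Malware_Subject's Behavior references down to Action names. The package text, the element and attribute names beyond those in the example, and the deliberately dangling reference are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the proposal's example (not MAEC project data): entities
# live only in the top-level lists, the Malware_Subject holds references, and Behavior
# maec-tst-bhv-2 deliberately points at an Action the package never defines.
SAMPLE_PACKAGE = """<MAEC_Package>
  <Capabilities><Capability id="maec-tst-cpb-1"><Name>persistence</Name></Capability></Capabilities>
  <Behaviors>
    <Behavior id="maec-tst-bhv-1"><Action_Reference action_idref="maec-tst-act-1"/></Behavior>
    <Behavior id="maec-tst-bhv-2"><Action_Reference action_idref="maec-tst-act-99"/></Behavior>
  </Behaviors>
  <Actions><Action id="maec-tst-act-1" name="create registry key value"/></Actions>
  <Malware_Subjects>
    <Malware_Subject id="maec-tst-sub-1">
      <Capabilities><Capability_Reference capability_idref="maec-tst-cpb-1"/></Capabilities>
      <Behaviors>
        <Behavior_Reference behavior_idref="maec-tst-bhv-1"/>
        <Behavior_Reference behavior_idref="maec-tst-bhv-2"/>
      </Behaviors>
    </Malware_Subject>
  </Malware_Subjects>
</MAEC_Package>"""

# Reference element -> attribute carrying the idref of its top-level target.
IDREF_ATTRS = {"Action_Reference": "action_idref",
               "Behavior_Reference": "behavior_idref",
               "Capability_Reference": "capability_idref"}

def index_top_level(root):
    """Map each id in the package-level Actions/Behaviors/Capabilities lists to its element."""
    return {e.get("id"): e
            for path in ("Actions/Action", "Behaviors/Behavior", "Capabilities/Capability")
            for e in root.findall(path)}

def dangling_references(xml_text):
    """Return (reference tag, idref) for every reference whose target is not defined."""
    root = ET.fromstring(xml_text)
    index = index_top_level(root)
    return [(tag, ref.get(attr)) for tag, attr in IDREF_ATTRS.items()
            for ref in root.iter(tag) if ref.get(attr) not in index]

def resolve_subject_actions(xml_text, subject_id):
    """De-reference a Malware_Subject's Behaviors to Action names, skipping dangling links."""
    root = ET.fromstring(xml_text)
    index = index_top_level(root)
    subject = root.find(f".//Malware_Subject[@id='{subject_id}']")
    behaviors = [index.get(b.get("behavior_idref")) for b in subject.iter("Behavior_Reference")]
    actions = [index.get(a.get("action_idref")) for b in behaviors if b is not None
               for a in b.iter("Action_Reference")]
    return [a.get("name") for a in actions if a is not None]
```

Running dangling_references on SAMPLE_PACKAGE reports only the constructed maec-tst-act-99 reference, while resolve_subject_actions yields the single defined Action name.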

Impact

This change will not be backward compatible and is one of several revisions planned for the new major version.

Requested Feedback

  1. Should Actions, Behaviors, and Capabilities be captured as top-level entities?