Proposal: Expand Tool Type Vocabulary, Update Annotations
Status: CLOSED
Comment Period Closes: 12/09/2013
Affects Backwards Compatibility: NO
Relevant Issue: https://github.com/CybOXProject/schemas/issues/158
The tool type vocabulary is the default vocabulary used for the Tool_Type field of MeasureSourceType and allows for the identification of the general type of a tool that was used to "measure" (collect) information about an observable. Note that it is NOT currently used for ToolInformationType/Type.
In CybOX 2.0.1, this vocabulary contains the following items:
| Item | Description |
|---|---|
| NIDS | The NIDS value specifies the Network Intrusion Detection System tool. |
| NIPS | The NIPS value specifies the Network Intrusion Protection System tool. |
| HIDS | The HIDS value specifies the Host-based Intrusion Detection System tool. |
| HIPS | The HIPS value specifies the Host-based Intrusion Protection System tool. |
| Firewall | The Firewall value specifies a cyber observation made using a firewall. |
| Router | The Router value specifies a cyber observation made using a router. |
| Proxy | The Proxy value specifies a cyber observation made using a network proxy. |
| Gateway | The Gateway value specifies a cyber observation made using a network gateway. |
| SNMP/MIBs | The SNMP/MIBs value specifies a cyber observation made using the Simple Network Management Protocol or via the Management Information Bases. |
| A/V | The A/V value specifies a cyber observation made using Anti-Virus tools and/or software. |
| DBMS Monitor | The DBMS value specifies a cyber observation made using a Database Management System monitor. |
| Vulnerability Scanner | The Vulnerability Scanner value specifies a cyber observation made using a vulnerability scanner. |
| Configuration Scanner | The Configuration Scanner value specifies a cyber observation made using a configuration scanner. |
| Asset Scanner | The Asset Scanner value specifies a cyber observation made using an asset scanner. |
| SIM | The SIM value specifies a cyber observation made using Security Information Management tools. |
| SEM | The SEM value specifies a cyber observation made using Security Event Management tools. |
For the ToolTypeEnum in the CybOX controlled vocabularies, we should consider expanding that set to cover additional entities required by the community. Specific suggestions have been:
| Item | Description |
|---|---|
| Digital Forensics | The Digital Forensics value specifies a digital forensics tool. |
| Static Malware Analysis | The Static Malware Analysis value specifies a static malware Analysis tool. |
| Dynamic Malware Analysis | The Dynamic Malware Analysis value specifies a dynamic malware Analysis tool. |
| System Configuration Management Tool | The System Configuration Management value specifies a system configuration management tool. |
| Network Configuration Management Tool | The Network Configuration Management value specifies a network configuration management tool. |
| Packet Capture and Analysis | The Network Configuration Management value specifies a packet capture and analysis tool. |
| Network Flow Capture and Analysis | The Network Configuration Management value specifies a network flow capture and analysis tool. |
| Intelligence Service Platform | The Network Configuration Management value specifies an intelligence service platform tool. |
Additionally, the team has noted that some of the vocabulary descriptions contain references to the context of this vocabulary used for measuring Cyber Observation sources. While this is currently the only place where this is the default vocabulary, the vocabulary is more generic than that and may be used in other places in the future. Therefore, we propose changing these descriptions to remove references to "a cyber observation made using". As an example, the description for "Firewall" will change from "The Firewall value specifies a cyber observation made using a firewall." to "The Firewall value specifies a firewall tool."
The process for this expansion will be the standard for changing a vocabulary:
- Create a new vocabulary,
ToolTypeVocab-1.1, as a clone ofToolTypeVocab-1.0 - Add the new values to the vocabulary
- Update the default vocabulary for the
MeasureSourceType/Tool_Typefield to the newToolTypeVocab-1.1.
There is no expected compatibility impact. Producers will have the option to use values in the new vocabulary and consumers can choose to use the new vocabulary or not as before.
- Do all of the items being suggested for inclusion make sense? Are the descriptions and names accurate?
- Should we add any other values beyond the ones already suggested?
- Should we update the descriptions for existing items to remove references to "cyber observations"?
- Should we update any other descriptions or values in the existing (2.0.1) vocabulary?