Add Ability to Capture Dependencies/Data Files

[ikiril01]

We should add the ability to characterize files (e.g., configuration) that a malware instance may be dependent on, along with any other data files that may be created or used by a Malware Subject. It's currently possible to capture the latter as separate Malware Subjects, but there's no way to explicitly refer to the "nature" of the files.

[ikiril01]

We should also include the ability to capture the encoding or encryption used on these files.

[ikiril01]

This could potentially be accomplished with first-class relationships, as described in #74.

<Relationship source_id="malware-subject-1" target_id="object-1">
    <Type>has dependency</Type>
</Relationship>
<Relationship source_id="malware-subject-1" target_id="object-1">
    <Type>has data file</Type>
</Relationship>

[ikiril01]

Should we care about capturing the "type" of the Object with regards to dependencies, e.g. configuration file, etc.? One of the cleanest ways of doing so is to capture this using the Description field, though this means that we won't be able to use a standardized vocabulary for doing so (though maybe this isn't a big deal if we document a list of "suggested" descriptions). E.g.,

<Relationship source_id="malware-subject-1" target_id="object-1">
  <Type>has dependency</Type>
</Relationship>

<Object id="object-1">
  <Description>configuration file</Description>
  <Properties xsi:type="FileObj:FileObjectType">
     <File_Name>qwerty.dat</File_Name>
  </Properties>
</Object>

[dzbeck]

I think it would be useful to capture the fact that object-1 is a config file for malware-subject-1, but I think that information should be associated with the relationship, not with the Object itself. There may be Objects which are related to two different entities in different ways. what about further specifying dependency types? so in addition to a general "has dependency" type there could be a "has configuration file" type?

[ikiril01]

@dzbeck I think that makes good sense - after all, a configuration file (or any other associated file) may or may not be a dependency. In the case that is a dependency, would we then want to use two relationships to specify this?

E.g.,

<Relationship source_id="malware-subject-1" target_id="object-1">
  <Type>has dependency</Type>
</Relationship>

<Relationship source_id="malware-subject-1" target_id="object-1">
  <Type>has configuration file</Type>
</Relationship>

[dzbeck]

How about making a list of types in a Relationship? So it would look like:

<Relationship source_id="malware-subject-1" target_id="object-1">
  <Types>
    <Type>has dependency</Type>
    <Type>has configuration file</Type>
  </Types>
</Relationship>