Re: [cti-comment] Using Indicators vs. SCOs

["JG @ OASIS" <jg@ctin.us>]

Yuval:

Thanks for your question on using SDOs versus SCOs.

Here is one way to think about it. SCOs are the most atomic data 
elements that are observed and shared. They represent a very specific 
observed element. In contrast, SDOs have been designed to help the 
analyst or modeller add context to what was observed. In my view the 
Indicator SDO is central to the data model because that is where the 
Patterning Language is embedded (as required properties). This is one 
of the key innovations of STIX2.1 and it is key to its value as a robust 
data model for sharing machine readable threat intelligence (MRTI) that 
can also be read by human analysts.

With that being said, I have seen a lot of implementations that default 
to using the Indicator SDO as almost a catch-all SDO where the embedded 
Pattern contains a single IPv4 or a hash value but does not have a 
comparison expression. In that implementation it does not use all of 
the functionality of the patterning language. Similarly, to default to 
using the Indicator SDO as a catch-all data element does not use STIX2.1 
to its fullest extent to be truly expressive. The more context we can 
add to the modeling of the event or observed activity, the more valuable 
the shared or modeled information is to the trust community.

So, to get to your specific example, I would prefer to see you use the 
Infrastructure SDO that has relationships to your IPv4 SCOs and your 
Malware SDO. You could also form a relationship to an Indicator SDO 
that could provide even more context (with the Pattern), depending on 
what has been observed.

Do you have access to the STIX2.1 Best Practices Document? That might 
also help you think through how you want to express your data. Here is 
a link to the PDF of the Committee Note.

https://docs.oasis-open.org/cti/stix-bp/v1.0.0/stix-bp-v1.0.0.pdf

I hope this helps!!


***************************
R. Jane Ginn, MSIA, MRP
Secretary, TAC TC
OASIS
jg@ctin.us
+1(928)399-0509
***************************

On 4/4/2023 9:36 AM, Yuval Intrater wrote:
> Hi,
>
> I have a question regarding the functionality of Indicator objects.
> I am not sure in which cases I should use SCO objects and in which 
> cases I should use Indicator objects.
>
> For example, I used the example of Infrastructure object from STIX 2.1 
> documentation (infrastructure.json). In this case, two ipv4 objects 
> and a malware object are related to the infrastructure object.
>
> Can I express the same relationship using an Indicator object? For 
> example, I created two indicator objects that contain ipv4 addresses 
> as their patterning properties (indicator1.json). I created a 
> relationship between these objects to the malware object. Does this 
> relationship represent the same concept as the relationships in 
> infrastructure.json?
>
> Are there any other rules to help me understand when I should use 
> Indicator objects and when should I use SCO objects?
>
> Thank you in advance,
>
>
> This publicly archived list offers a means to provide input to the
> OASIS Cyber Threat Intelligence (CTI) Technical Committee.
>
> In order to verify user consent to the Feedback License terms and
> to minimize spam in the list archive, subscription is required
> before posting.
>
> Subscribe: cti-comment-subscribe@lists.oasis-open.org
> Unsubscribe: cti-comment-unsubscribe@lists.oasis-open.org
> List help: cti-comment-help@lists.oasis-open.org
> List archive: http://lists.oasis-open.org/archives/cti-comment/
> Feedback License: http://www.oasis-open.org/who/ipr/feedback_license.pdf
> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> Committee: https://www.oasis-open.org/committees/cti/
> Join OASIS: http://www.oasis-open.org/join/