cti-cybox message
Subject: Re: [cti-cybox] CybOX Core Review


The reason you need both containers is so that you can build relationships inside the data itself.

As an example, you see an email message followed by a data exfiltration. These would be two instances of ObservedData, each with Cybox inside. However, inside the email ObservedData, you may want to have multiple objects, perhaps the Email Message and an Archive Object and a File object, with relations between them. These are not STIX relationship objects, they are Cybox relationships - relationships within the actual instance of observed data, not relationships between individual occurrences of observed data. Cybox relationships are only valid within a given instance of cybox data (i.e. the Cybox container). They have no context outside that because they are simple facts.

The reason object IDs are not UUIDs is because they have no context outside the container so therefore they don't have to be universally unique. They are simple string IDs, so UUID can be used if one wants, but one is not mandated to do so - the thought was that this may make it easier for implementers to re-use their own internal IDs for these objects in many situations.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown
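To make the two positions above concrete (Jason's point that CybOX relationships and object IDs only have meaning inside one container, and Terry's question about ID collisions if objects are used without a container), here is an added illustration that is not part of the original thread or of any CybOX/STIX specification. The field names (`objects`, `relationships`, `source_ref`, `target_ref`, `relationship_type`), the object types and the placeholder IDs are constructed for the example; `dangling_refs` checks that every relationship in a container resolves to an object key in that same container, and the two `flatten_*` helpers show what happens to the local IDs when the container boundary is dropped.

```python
"""Constructed illustration of container-scoped CybOX object IDs.

Field names and sample values are assumptions for this example, not the
draft CybOX core specification discussed in the thread.
"""
from typing import Dict, Iterable, List, Tuple

# Constructed sample 1: the email ObservedData, three CybOX objects with
# relationships between them.  Object keys are plain local strings.
EMAIL_OBSERVATION = {
    "id": "observed-data--email-1",          # placeholder container id
    "objects": {
        "0": {"type": "email-message", "subject": "Invoice"},
        "1": {"type": "archive-file", "name": "invoice.zip"},
        "2": {"type": "file", "name": "invoice.exe"},
    },
    # CybOX relationships: meaningful only inside this container.
    "relationships": [
        {"source_ref": "0", "target_ref": "1", "relationship_type": "has-attachment"},
        {"source_ref": "1", "target_ref": "2", "relationship_type": "contains"},
    ],
}

# Constructed sample 2: the later exfiltration ObservedData.  It reuses the
# local keys "0" and "1" because they are scoped to this container only.
EXFIL_OBSERVATION = {
    "id": "observed-data--exfil-1",          # placeholder container id
    "objects": {
        "0": {"type": "network-traffic", "dst_port": 443},
        "1": {"type": "file", "name": "customers.csv"},
    },
    "relationships": [
        {"source_ref": "0", "target_ref": "1", "relationship_type": "transfers"},
    ],
}


def dangling_refs(container: dict) -> List[str]:
    """Return every relationship ref that does not resolve to an object key
    in the same container.  An empty list means the container is
    self-consistent; any cross-container reference shows up here."""
    keys = set(container["objects"])
    return [
        ref
        for rel in container.get("relationships", [])
        for ref in (rel["source_ref"], rel["target_ref"])
        if ref not in keys
    ]


def flatten_naively(containers: Iterable[dict]) -> Tuple[Dict[str, dict], List[str]]:
    """Drop the container boundary and pool objects under their local ids.

    Returns the pooled objects and the list of ids that collided, which is
    the failure mode of using the objects without their container."""
    pooled: Dict[str, dict] = {}
    collisions: List[str] = []
    for container in containers:
        for key, obj in container["objects"].items():
            if key in pooled:
                collisions.append(key)
            pooled[key] = obj          # silently overwrites the earlier object
    return pooled, collisions


def flatten_namespaced(containers: Iterable[dict]) -> Dict[str, dict]:
    """Pool objects while keeping them distinct by prefixing each local id
    with its container id, i.e. re-introducing the context the container
    provided."""
    pooled: Dict[str, dict] = {}
    for container in containers:
        for key, obj in container["objects"].items():
            pooled[f'{container["id"]}/{key}'] = obj
    return pooled


if __name__ == "__main__":
    for observation in (EMAIL_OBSERVATION, EXFIL_OBSERVATION):
        print(observation["id"], "dangling refs:", dangling_refs(observation))
    _, collided = flatten_naively([EMAIL_OBSERVATION, EXFIL_OBSERVATION])
    print("collisions when containers are dropped:", collided)
    print("namespaced keys:", sorted(flatten_namespaced([EMAIL_OBSERVATION, EXFIL_OBSERVATION])))
```

Running it shows both containers resolving cleanly on their own, the local keys "0" and "1" colliding as soon as the two containers are pooled without qualification, and no collision once each key is qualified by its container id. Whether an implementation prefers that qualification or mandates UUIDs per object is exactly the trade-off the thread is discussing; the check in `dangling_refs` is the same either way.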



From: Terry MacDonald <terry.macdonald@cosive.com>
To: "Ivan A. Kirillov" <ikirillov@mitre.org>
Cc: cti-cybox@lists.oasis-open.org
Date: 07/14/2016 05:54 PM
Subject: Re: [cti-cybox] CybOX Core Review
Sent by: <cti-cybox@lists.oasis-open.org>
Hi Ivan,

I have a few questions about the CybOX core document.

- I understand the idea of the CybOX container for housing multiple CybOX objects together, but how will this work with the STIX ObservedData (observation) object? For example, will the ObservedData object contain a list of 3 objects, or will it contain a CybOX container that contains a dictionary of 3 objects? That seems to be another level of nesting that isn't necessarily needed.
- Can CybOX objects be used directly without a CybOX container? If they have simple incrementing integer IDs, then there will be a collision.
- Why are the objects a dictionary and not a list? As far as I can tell the object dictionary labels are just used as a local identifier, and this was just added to make relationships work. Making each object have an explicit uuid id, and changing the object dictionary to a list makes more sense to me. Plus I like having things explicitly stated.
- If the objects have an explicit uuid-based id, then that opens up the possibility of cross-package relationships.

I understand that this object ID topic may have been thrashed to death in the past, but it does seem to create more nesting than seems to be needed.

Cheers

Terry MacDonald
Cosive

On 14/07/2016 07:50, "Kirillov, Ivan A." <ikirillov@mitre.org> wrote: