Re: [cti-stix] Proposal - Top Level Relationship Object

["Jason Keirstead" <Jason.Keirstead@ca.ibm.com>]

Part of the problem IMO (and I've called this out many times over the months) is because there is no declared standard for the ID... there are some suggested practices, but that is all. If we want ID to be the source of name-space, that should be required, not a suggested practice. I think it is very odd that STIX never specifies the required format for IDs. There are a lot of assumptions made about IDs that are not codified (to illustrate how vague it is, I believe it isn't even actually required in the specification that IDs be unique inside a single document.) If the ID is assumed to be a QName, then that should be absolutely enforced in STIX and any document without that format be rejected. You can't write code around STIX to make decisions based on ID, when an ID can be any string.

RE use of QName itself.. this doesn't really solve my query because it is not sufficiently accurate. For example, if I make an assertion with ID "ibm:relationship-79090715-8d6a-46b7-943b-c0bb9e063788" - that does not actually tell anyone who at IBM made that assertion, which is quite important IMO as that document may float around inside IBM for a few days with many contributors before making it out to an ISAO, who thinks that my own assertion is invalid while others from IBM are not, and may want to reach out for more information on why the assertion was made... without a way to track who made what assertion, it is very hard to refer to them.

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


Aharon Chernin ---2015/07/30 10:53:59 AM---I am starting to not be a fan of using the ID Namespace for identifying producer. Based on my experi

From: Aharon Chernin <achernin@soltra.com>
To: "Wunder, John A." <jwunder@mitre.org>, "Thompson, Dean" <Dean.Thompson@anz.com>, "'Jordan, Bret'" <bret.jordan@bluecoat.com>
Cc: "'Patrick Maroney'" <Pmaroney@Specere.org>, "'Terry MacDonald'" <terry.macdonald@threatloop.com>, Jason Keirstead/CanEast/IBM@IBMCA, "'cti-stix@lists.oasis-open.org'" <cti-stix@lists.oasis-open.org>, "'Chris O'Brien'" <cobrien@cert.gov.uk>, "'JG on CTI-TC'" <jg@ctin.us>, "Baker, Jon" <bakerj@mitre.org>
Date: 2015/07/30 10:53 AM
Subject: Re: [cti-stix] Proposal - Top Level Relationship Object

---

I am starting to not be a fan of using the ID Namespace for identifying producer. Based on my experience with community usage of STIX today, most organizations are using a shortname in the namespace and using their full properly stated name "pretty print name" in producer fields.  

Aharon Chernin
CTO
SOLTRA | An FS-ISAC & DTCC Company
18301 Bermuda green Dr
Tampa, fl 33647
813.470.2173 | achernin@soltra.com
www.soltra.com

---

From: Wunder, John A. <jwunder@mitre.org>
Sent: Thursday, July 30, 2015 9:14 AM
To: Aharon Chernin; Thompson, Dean; 'Jordan, Bret'
Cc: 'Patrick Maroney'; 'Terry MacDonald'; 'Jason Keirstead'; 'cti-stix@lists.oasis-open.org'; 'Chris O'Brien'; 'JG on CTI-TC'; Baker, Jon
Subject: Re: [cti-stix] Proposal - Top Level Relationship Object 
 
Yeah I completely agree, object-level markings are the way to go. I had mocked this up as something like:

marking_ids: ["us-cert:TLP-GREEN", "mitre.org:marking-1234"]

TLP would be some hardcoded marking IDs, no reason to redefine TLP:GREEN in every document. For things like copyright statements you could have a top-level marking object that defines the markings and reference by ID in the objects.

This would not allow field-level markings. If you really need to do that you would publish multiple versions of the object, each with different data and different markings. That approach would work for multiple languages as well without requiring all description and title fields to be multiples.

To address information source again (Jason's question), my opinion is that information source is contained in the ID and in the mechanism by which you get the document. TAXII can tell you who *actually* sent you the document, the ID namespace tells you who created it (assuming you trust the person that actually sent it to you).

John

From: Aharon Chernin
Date: Thursday, July 30, 2015 at 8:42 AM
To: "Wunder, John A.", "Thompson, Dean", "'Jordan, Bret'"
Cc: Patrick Maroney, 'Terry MacDonald', 'Jason Keirstead', "'cti-stix@lists.oasis-open.org'", 'Chris O'Brien', 'JG on CTI-TC', Jon Baker
Subject: Re: [cti-stix] Proposal - Top Level Relationship Object

I really like how this object is shaping up. I am going to throw another wrench in

I would like us to move towards object level markings vs document level markings. One of the ways we can prepare for this is to ensure that all high level objects have the ability to be marked. How does the group feel about adding marking to the relationship object?

Aharon Chernin
CTO
SOLTRA | An FS-ISAC & DTCC Company
18301 Bermuda green Dr
Tampa, fl 33647
813.470.2173 | achernin@soltra.com
www.soltra.com

---

From: Wunder, John A. <jwunder@mitre.org>
Sent: Thursday, July 30, 2015 8:04 AM
To: Thompson, Dean; 'Jordan, Bret'
Cc: 'Patrick Maroney'; 'Terry MacDonald'; 'Jason Keirstead'; 'cti-stix@lists.oasis-open.org'; 'Chris O'Brien'; 'JG on CTI-TC'; Baker, Jon; Aharon Chernin
Subject: Re: [cti-stix] Proposal - Top Level Relationship Object 
 
Thanks Bret, good points. Updated and removed the redundancy of both occurrence and optional/required statements.

ID [1]: The ID of the relationship
Version [1]: The version of the relationship; a simple number to be used with the ID for version control (instead of timestamp)
Type [1]: The “type” of relationship being expressed. (Not sure of how this works yet)
Descriptions [0..N]: Words about the relationship.
Source_ID [1] : The ID of one or more source entities in the relationship as a URI (not QName)
Target_IDs [1..N]: The ID of one or more targets in the relationship as a URI (not QName)
Start_Time [1]: A timestamp in UTC stating when the relationship between the objects started, or the text 'unknown'.
End_Time [1]: A timestamp in UTC stating when the relationship between the objects ended, or the text 'ongoing', or the text 'unknown'.
Reliability/Confidence [1]: A measure of confidence in the relationship using the Information Reliability scale.
Timestamp [1]: A timestamp in UTC stating when the relationship object was created.

Also I apparently missed that Description is multiple elements. Is the intent behind that multiple languages? Multiple markings? Multiple paragraphs? If we do that, does that mean description needs to be something other than a plain array of strings?

Keep in mind that STIX 1.2 is complicated for a reason. If we try to do everything that STIX 1.2 does we will end up with something just as complicated. Sometimes a simple 90% solution is better than a very complicated 99.9% solution. (If you can't tell, I would prefer to allow a single string description.)

John

From: "Thompson, Dean"
Date: Thursday, July 30, 2015 at 3:33 AM
To: "'Jordan, Bret'", "Wunder, John A."
Cc: Patrick Maroney, 'Terry MacDonald', 'Jason Keirstead', "'cti-stix@lists.oasis-open.org'", 'Chris O'Brien', 'JG on CTI-TC', Jon Baker, 'Aharon Chernin'
Subject: RE: [cti-stix] Proposal - Top Level Relationship Object

 
Hi,
 
Whilst I agree that Start_Time should be made compulsory (although there could be reasons when you don’t know the exact start date), I am not sure that you can make End_Time [1] rather than [0..1].  There are times when you might not know the End_Time (for example a web site is still redirecting Angler malware), a security event of incident may be on-going.
 
If we force End_Time to be compulsory, then that will either force producers to put in some fairy land End_Date, or for them to stamp the time that a STIX document was produced as the End_Time of the incident/indicator or relationship.  This will cause issues later on or those that implement these repositories of data as well as consumers using the data because they may expire or dis-regard valid data primarily on the basis of the current time being greater than End_Time.
 
Regards,
 
Dean
 
 
From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Jordan, Bret
Sent: Thursday, 30 July 2015 1:59 PM
To: Wunder, John A.
Cc: Patrick Maroney; Terry MacDonald; Jason Keirstead; cti-stix@lists.oasis-open.org; Chris O'Brien; JG on CTI-TC; Baker, Jon; Aharon Chernin
Subject: Re: [cti-stix] Proposal - Top Level Relationship Object
 
Timestamp is required so we need to change the value from [0..1] to just [1].  We should probably do the same for Start_Time and End_Time.  I would also suggest that we maintain plurality rules so things that can have multiple we should make them plural.  Target_IDs and Descriptions 
 
Thanks,
 
Bret
 
 
 
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."