> What you don’t necessarily see is that idref is also allowed per the STIX schema, allowing an object that looks like this: <Indicator id=”1234” idref=”5678”/> and
that doesn’t really make sense.
I agree, this stinks and doesn't make sense.
> As I understand it, the idea is not to preclude an object with an ID from referencing other objects (e.g., an indicator referencing observable(s)). That would
still be valid.
Thats' not how I read it.
Aharon Chernin
CTO
SOLTRA
| An FS-ISAC & DTCC Company
18301 Bermuda green Dr
Tampa, fl 33647
813.470.2173 | achernin@soltra.com
From: Davidson II, Mark S <mdavidson@mitre.org>
Sent: Thursday, August 20, 2015 2:00 PM
To: Jonathan Bush (DTCC); 'Jordan, Bret'; Wunder, John A.
Cc: Aharon Chernin; cti-stix@lists.oasis-open.org
Subject: RE: [cti-stix] STIX 2.0 - Sightings object
In STIX today, you see things like: <Indicator id=”1234”/>
What you don’t necessarily see is that idref is also allowed per the STIX schema, allowing an object that looks like this: <Indicator id=”1234” idref=”5678”/> and that doesn’t really
make sense.
I think the underlying thought is that you want an id OR an idref, and that having both on the same object doesn’t make sense.
As I understand it, the idea is not to preclude an object with an ID from referencing other objects (e.g., an indicator referencing observable(s)). That would still be valid.
Did the STIX community think about changing the id/idref thing at some time in the past? I feel like we did, but my memory is a bit hazy.
Thank you.
-Mark
From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org]
On Behalf Of Bush, Jonathan
Sent: Thursday, August 20, 2015 1:36 PM
To: 'Jordan, Bret' <bret.jordan@bluecoat.com>; Wunder, John A. <jwunder@mitre.org>
Cc: Aharon Chernin <achernin@soltra.com>; Davidson II, Mark S <mdavidson@mitre.org>; cti-stix@lists.oasis-open.org
Subject: RE: [cti-stix] STIX 2.0 - Sightings object
Bret – Can you explain this a little?
Going from a database design perspective, wouldn’t you have objects that have primary keys and also foreign keys that relate it to other objects? What am I missing?
And my hope is that in in STIX 2.0 we can get rid of the idea of having both ID and IDREF in the same object. It is either one or the other. It is either a container of data, thus having an ID. Or it is an object like Report that just contains IDREFs.
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
As a place to start, how about in the current STIX model anything that extends from Related___Type is a relationship object, anything with a normal @idref is not?
Sighting wasn’t top-level before so we get to make it up.
We need to make sure it's very clear where the relationship object starts and ends. If I am not forced to use the relationship object for a sighting relationship, then I go back to supporting
an atomic sighting object.
Aharon
Sent using OWA for iPhone
Are you actually forced to use the relationship object to have sighting work there? I see that as a separate use case from relationships, and in cases like this we can still have the target_id
field directly there without the need for a new object. Same thing for an indicator pattern, for example.
While those are references between top-level constructs they seem different than the normal type of relationships we’ve been discussing.
BTW: Any thoughts on setting up a slack channel for STIX dev discussions? Sometimes I think that would be more conducive to these questions than e-mail.
Bret, I almost always prefer atomic objects.
If we do both a relationship object and a Sightings atomic object together, it just seems... well weird.... (not very scientific I know)
Example Sightings Object -
Producer: Who made the sighting
Target_ID: Replaced by Relationship Object
Now I am going to be forced to use the relationship object to make the Sighting work. I am also going to be forced to make a potentially large number of new Sighting Objects (since there is a timestamp). Also,
a sighting by itself, without the looking into the Relationship object is kind of useless.
We can eliminate this extra complexity by eliminating the atomic Sightings object and replacing it with a relationship type.
Just debating <OutlookEmoji-😊.png>
SOLTRA |
An FS-ISAC & DTCC Company
One thing to keep in mind is that we want the objects as small and simple as possible. Some times to make them more broad you have to add a lot of extra fields. This should be avoided. We want them to be as
atomic as possible. Also, if they are separate then they can grow and evolve independently.
This is one of the many things I do not like about how STIX and CybOX is done today. The excessive use of object oriented reuse makes it nearly impossible to fix or change certain things as that would have adverse
effects on other areas that can not take those changes.
Object reuse is not always a good thing.
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
The conversation seemed (to me) to settle on the idea that there were three concepts that are related in some way:
1. Relationships –
A link between objects (e.g., this TTP is related to that Indicator)
2. Assertions – The
+1/-1 concept
3. Sightings – “I saw
that, too!”
It seems that the structures are similar across the three concepts (e.g., id, from, to, assertion, source/confidence/rationale) and that the larger open question is whether humans
are benefitted by these things being variations of the same concept or three different concepts (or something else).
I personally think there is a single set of common properties that can do Relationships, Assertions, and Sightings, and that it looks roughly like what Aharon posted. However, there
was a counter-point that this combining of concepts makes it more difficult to understand.
I’ll leave the group with these questions:
1. Is there a single
set of properties that makes sense for Relationships, Assertions, and Sightings?
2. If there is a single
set of properties, does it make sense to combine them, as Aharon has mentioned?
3. What clarifying
questions, if any, do you have that will help you answer #1 or #2?
a. Note that this might
be the most important of the three questions!
This should be "sightings object rethought". While coming up with a proposal, I spotted a different way of thinking about Sightings. In my opinion, the most important thing is determining which STIX object is being
sighted. However, there is some other bits of information that is useful: sightings producer and date/time of sighting.
Now take a look at the recent relationship object discussions:
Relationship Object Discussion:
ID [1]: The ID of the relationship, a simple random GUID
Marking[1]: The ID of the marking object that you should reference
Version [1]: The version of the relationship; a simple number to be used with the ID for version control
Type [1]: The “type” of relationship being expressed. (Not sure of how this works yet)
Description [1]: A single simple and short description
Source [1] : The ID of one or more source entities in the relationship as a URI (not QName)
Targets [1..N]: The ID of one or more targets in the relationship as a URI (not QName)
Start [1]: A timestamp in UTC stating when the relationship between the objects started, or the text 'unknown'.
End [1]: A timestamp in UTC stating when the relationship between the objects ended, or the text 'ongoing', or the text 'unknown'.
Reliability/Confidence [1]: A measure of confidence in the relationship using the Information Reliability scale.
Producer [1]: A simple producer object like what John calls out
Timestamp [1]: A timestamp in UTC stating when the relationship object was
created.
Could a sighting be a type of Relationship?
Relationship Object Discussion:
Marking[1]: TLP Green
Version [1]: 1
Type [1]: Sighting
Description [1]: Soltra Edge reported Sighting
Source [1] : Soltra
Targets [1..N]: soltra:indicator-<GUID>
Start [1]:
End [1]:
Reliability/Confidence [1]:
Producer [1]: Soltra
Timestamp [1]: <timestamp>
Or is there more meta data we need to collect regarding sightings that a sighting deserves it's own object?
SOLTRA |
An FS-ISAC & DTCC Company
DTCC DISCLAIMER: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify us immediately and delete the email
and any attachments from your system. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.
|