Subject: Re: Need for Investigation/Tag object?
Yes, this is vital and one of the key use cases we have identified for TAXII 2.0. We need a way for researchers intra-org and inter-org to communicate what they are seeing and what they "think" before they actually "know". This is done today via email and IM, but it would be nice if STIX and TAXII could support this so APPs could be written to do it.

Thanks,

Bret

Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

On Oct 27, 2015, at 13:03, Terry MacDonald <terry@soltra.com> wrote:

Hi All,

Sarah’s email below reminded me of some thoughts that have been bubbling around for a while.

I think there is a need for us to support describing and sharing Threat intelligence while it is still under investigation. Historically STIX has been used by Organizations who are generally sharing information about attacks after they have finished. It seems to me that we are rapidly moving towards an automated future where Organizations are sharing information about attacks while they are happening. This change is a subtle one, but one that has implications for STIX.

At present we have no way for an Organization to temporarily ‘group’ different STIX objects together. When one is conducting an investigation into a series of suspicious events prompted by your Organization’s monitoring processes, we often want to tag/relate these events together, without actually creating an official ‘Incident’ (as we’re not sure anything has actually happened yet). The Incident object is where one would put the information when it is confirmed there is a problem, but I believe we at least need a way of ‘tagging’ and ‘grouping’ potentially related items together.

Does anyone else see the need for something like this?

Cheers

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA | An FS-ISAC and DTCC Company
+61 (407) 203 206 | terry@soltra.com

From: Sarah Kelley [mailto:Sarah.Kelley@cisecurity.org]
Sent: Tuesday, 27 October 2015 10:18 PM
To: Unknown Unknown <athiasjerome@gmail.com>; Jordan, Bret <bret.jordan@bluecoat.com>
Cc: Terry MacDonald <terry@soltra.com>; Baker, Jon <bakerj@mitre.org>; Jonathan Bush (DTCC) <jbush@dtcc.com>; Cory Casanave <cory-c@modeldriven.com>; cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Conceptual model for sighting

I am a huge proponent of letting (almost) anything link to anything. In fact, limiting what can have an association/link/relationship with what is my current biggest frustration with Stix (we use workarounds to get around this limitation).

I would add the possible use cases:

My org observed 3 instances of this threat actor hitting our network
My org observed 12 instances of the Poison Ivy TTP on our network

Or even (though weaker):

My org was hit by this particular campaign 27 times

Sarah Kelley
Senior CERT Analyst
Center for Internet Security (CIS)
Integrated Intelligence Center (IIC)
Multi-State Information Sharing and Analysis Center (MS-ISAC)
1-866-787-4722 (7×24 SOC)
Email: cert@cisecurity.org
Follow us @CISecurity
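The two needs raised in this thread, an investigation-time "tag/group" that stops short of asserting an Incident and a counted "my org observed N instances of this TTP" sighting, are what STIX 2.1 later addressed with the Grouping (context "suspicious-activity") and Sighting objects. The following is an added example written for this page, not code from the thread or from the OASIS project; it builds those objects as plain dicts and checks that every reference in a grouping or sighting resolves inside the bundle, since a dangling ref silently loses exactly the linkage the thread is asking for. All ids and the sample bundle are constructed.

```python
import uuid
from datetime import datetime, timezone

def _stix_id(stix_type):
    # STIX 2.1 ids are "<type>--<uuid4>"; generated fresh here, not real data.
    return f"{stix_type}--{uuid.uuid4()}"

def _common(stix_type, **props):
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"type": stix_type, "spec_version": "2.1", "id": _stix_id(stix_type),
            "created": ts, "modified": ts, **props}

def make_investigation_grouping(name, object_refs):
    # context 'suspicious-activity' says "we think", not "we know": the items
    # are tagged together without asserting an Incident.
    return _common("grouping", name=name, context="suspicious-activity",
                   object_refs=list(object_refs))

def make_sighting(sighting_of_ref, count, where_sighted_refs=()):
    # "My org observed <count> instances of <sighting_of_ref>".
    if not 0 <= count <= 999999999:  # bounds STIX 2.1 places on Sighting.count
        raise ValueError("count out of range")
    return _common("sighting", count=count, sighting_of_ref=sighting_of_ref,
                   where_sighted_refs=list(where_sighted_refs))

def dangling_refs(bundle):
    # Refs in groupings/sightings that resolve to nothing in the bundle; a
    # consumer should flag these rather than silently drop the link.
    known = {o["id"] for o in bundle["objects"]}
    missing = []
    for o in bundle["objects"]:
        if o["type"] == "grouping":
            refs = o["object_refs"]
        elif o["type"] == "sighting":
            refs = [o["sighting_of_ref"], *o.get("where_sighted_refs", [])]
        else:
            continue
        missing.extend(r for r in refs if r not in known)
    return missing

def build_sample_bundle():
    # Constructed sample: an org sights the Poison Ivy TTP 12 times and groups
    # the sighting with the TTP while the investigation is still open.
    org = _common("identity", name="My Org", identity_class="organization")
    ttp = _common("attack-pattern", name="Poison Ivy")
    sighting = make_sighting(ttp["id"], 12, [org["id"]])
    grouping = make_investigation_grouping("Poison Ivy activity under review",
                                           [ttp["id"], sighting["id"]])
    return {"type": "bundle", "id": _stix_id("bundle"),
            "objects": [org, ttp, sighting, grouping]}
```

Once the analysts confirm the activity, the same object_refs can be carried over into an Incident or Report; until then the grouping records only that the items are suspected to belong together.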