Re: [cti-cybox] Revoke Cybox Observable

[Jerome Athias <athiasjerome@gmail.com>]

Ok, something that could be improved (if needed) is the versioning of objects vs recreation of objects.

I see potential improvements possible, but don't want to put too much on the table now (unless you allow me to do so) until we have proper consensus on the top priorities.

On Wednesday, 11 November 2015, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:

Something I am not understanding from this trail. This problem all originates from this process:

"In our instance of Soltra Edge, we have (on many occasions) had to ‘edit’ an observable. Currently this involves editing the indicator, deleting the
link to the current Cybox observable, and creating a new observable. This leaves lots of orphaned observables in our database that we really need to
have the ability to purge."

Why can one not simply edit the original observable, preserving links, and not orphaning anything?

If we can't update/edit/append/delete an observable and have that cascade to all linked indicators ... then there is little point to having this linkage vs simply embedding signatures directly in the indicator.

Is the reason you can't do this a problem in STIX/Cybox? Or is this a tool issue (does Edge not let you edit an observable? I am not sure, have never tried)

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


Aharon Chernin ---11/10/2015 07:35:51 PM---Sarah, We are throwing around a number of ideas of regarding cleaning up orphaned observables. Our n

From: Aharon Chernin <achernin@soltra.com>
To: Sarah Kelley <Sarah.Kelley@cisecurity.org>, "Jordan, Bret" <bret.jordan@bluecoat.com>, Ivan Kirillov <ikirillov@mitre.org>
Cc: Unknown Unknown <athiasjerome@gmail.com>, Ali Khan <akhan@soltra.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Date: 11/10/2015 07:35 PM
Subject: Re: [cti-stix] Re: [cti-cybox] [cti-stix] Re: [cti-cybox] Revoke Cybox Observable
Sent by: <cti-stix@lists.oasis-open.org>

---

Sarah,

We are throwing around a number of ideas of regarding cleaning up orphaned observables. Our next major release should include a STIX compliant solution.


Aharon


--
Aharon Chernin
CTO
SOLTRA | An FS-ISAC & DTCC Company
18301 Bermuda green Dr
Tampa, fl 33647
813.470.2173 | achernin@soltra.com
www.soltra.com


From: <cti-stix@lists.oasis-open.org> on behalf of Sarah Kelley <Sarah.Kelley@cisecurity.org>
Date: Tuesday, November 10, 2015 at 1:21 PM
To: "Jordan, Bret" <bret.jordan@bluecoat.com>, Ivan Kirillov <ikirillov@mitre.org>
Cc: Unknown Unknown <athiasjerome@gmail.com>, Ali Khan <akhan@soltra.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: [cti-stix] Re: [cti-cybox] [cti-stix] Re: [cti-cybox] Revoke Cybox Observable

At this point, we’re currently just trying to clean up our own database. I’m sure there is a much wider issue involved, but our current context is that we have the same observable in our system five different times (which is obviously unnecessary). The only things that changed were things like TLP, or “Hey, I fat-fingered something!” I understand the concern about "what does it mean to revoke a fact", but what if it’s just wrong? You type 1.1.1.1, and you really meant 2.2.2.2? The first is not correct, but currently is lingering in the system, even after unlinking it from the indicator.

Sarah Kelley
Senior CERT Analyst
Center for Internet Security (CIS)
Integrated Intelligence Center (IIC)
Multi-State Information Sharing and Analysis Center (MS-ISAC)
1-866-787-4722 (7×24 SOC)
Email: cert@cisecurity.org
www.cisecurity.org
Follow us @CISecurity


From: "Jordan, Bret" <bret.jordan@bluecoat.com>
Date: Tuesday, November 10, 2015 at 1:16 PM
To: Ivan Kirillov <ikirillov@mitre.org>
Cc: Sarah Kelley <sarah.kelley@cisecurity.org>, Unknown Unknown <athiasjerome@gmail.com>, Ali Khan <akhan@soltra.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] [cti-stix] Re: [cti-cybox] Revoke Cybox Observable

We have talked about this a lot in the past, in regards to STIX, and I now view this as an implementation or process related issue. The reason for that is you can not guarantee that the other end of the link will honor your request. Maybe in "like" systems, meaning all systems built by EclecticIQ or Soltra, you would have some level of success.

But when you span across products there is no guarantee that they have implemented it in their code, nor that the administrator will allow it. Requests like that may go in to a bucket for human review.


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

On Nov 10, 2015, at 11:09, Kirillov, Ivan A. <ikirillov@mitre.org> wrote:

Thanks for the context, Sarah - very helpful.

To me, this comes down to being a language versus process question - that is, is Observable revocation something that should be addressed as part of the CybOX language, or should it be considered more as part of the processes in which CybOX is used? I’m leaning towards the latter, for the reason that the notion of revocation around Observables is something that doesn’t seem to fit as part of the data model around them. This is because, at their core, Observables represent some cyber “fact”, and what it does it mean to revoke a “fact”? At least with Indicators, you can argue that the Indicator may no longer be valid, or that its pattern is incorrect. With Observables, I think the semantics of revocation are not as clear and may not really make sense.

At least in your case, it seems like we may need to consider defining some sort of garbage collection process, where Observables (and any other id-able CybOX/STIX entities) that were referenced and/or embedded in another entity and then no longer referenced be pruned from the datastore.

Regards,
Ivan



On 11/10/15, 12:31 PM, "cti-cybox@lists.oasis-open.org on behalf of Sarah Kelley" <cti-cybox@lists.oasis-open.org on behalf of Sarah.Kelley@cisecurity.org> wrote:

Just to give a little context around this question, this came up in a
conversation between Ali (well, several Soltra people) and myself today.

In our instance of Soltra Edge, we have (on many occasions) had to ‘edit’
an observable. Currently this involves editing the indicator, deleting the
link to the current Cybox observable, and creating a new observable. This
leaves lots of orphaned observables in our database that we really need to
have the ability to purge. The understanding we have is that currently
Cybox doesn’t support any sort of revoke/purge like Stix does.



Sarah Kelley
Senior CERT Analyst
Center for Internet Security (CIS)
Integrated Intelligence Center (IIC)
Multi-State Information Sharing and Analysis Center (MS-ISAC)
1-866-787-4722 (7×24 SOC)
Email: cert@cisecurity.org
www.cisecurity.org
Follow us @CISecurity






On 11/10/15, 11:06 AM, "cti-stix@lists.oasis-open.org on behalf of
Kirillov, Ivan A." <cti-stix@lists.oasis-open.org on behalf of
ikirillov@mitre.org> wrote:

Great question Ali; unfortunately I don’t have much insight into this
topic. Moving this to the STIX list - I think revocation is more specific
to STIX (though it clearly touches upon CybOX as well).

Regards,
Ivan




On 11/10/15, 11:00 AM, "cti-cybox@lists.oasis-open.org on behalf of
Jerome Athias" <cti-cybox@lists.oasis-open.org on behalf of
athiasjerome@gmail.com> wrote:

Potential review of this
https://stixproject.github.io/data-model/1.2/indicator/ValidTimeType/
Suggestions welcome

2015-11-10 18:48 GMT+03:00 Ali Khan <akhan@soltra.com>:
What is the cybox committees discussion so far for future versions to
support ability to revoke and remove completely a cybox observable
that was
created and then shared but now there is a need to remove it.





Thank You



Ali Khan
Lead Analyst

SOLTRA | An FS-ISAC & DTCC Company

Tampa, fl 33647

813.470.2197 | akhan@soltra.com





---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail. Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php


...

This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.

. . .

---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail. Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .