[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: cti-stats update

Hi All,

Thanks to Trey’s amazing work we now have some real ‘based-on-fact’ statistics to better understand which CybOX Objects are used, and which STIX top-level Objects are used. This is going to be a huge help for us in determining where things may be too difficult or too incorrect to use. But it also made me think that we are possibly under-using this awesome tool. So I would like to propose that we add in some functionality to help us learn about how people are using STIX objects before we get to them as part of the STIX v2.0 roadmap.

I know that Trey is quite busy at the moment, and there really should be a community contribution to this, so I’m looking for people who are good at Python to help Trey add some more statistic-gathering ability. But what to gather? That’s where we need your help! Do you have any ideas on statistics that would be useful to gather now to aid us in the future? If so, speak up now! The reason that we are trying to gather as many ideas as possible is that it is understandably difficult to get permission in a lot of threat sharing communities to run this tool over their data. We would like to minimize the number of times that we have to do so.

To help kick off the ideas, I’ve used the top 10 items from Sean’s STIX v2.0 roadmap, and mapped them to their related STIX Objects. This will hopefully provide us with more useful data:

#1 Sightings (Indicator Marking Obj)
#2 MarkingStructure (and TLPMarking, TOUMarking, SimpleMarking)
#3, #5 Extend the STIX Object counts to also track how many have IDs
#6 Track how often the various relationships are used, i.e. Campaign to Threat_Actor, Indicator to TTP
#8 Track how often the controlled vocabs are used. Track how often custom strings are used.
#9 Track how many times Composite_Indicator_Expression, Observable Composition, Related Objects or the ##comma## separated list form of CybOX Objects are used

So…

1. Does anyone else have some ideas of what we could track?
2. Does anyone else have mad Python skillz and want to help Trey out?

Please note:

· We are not looking for statistically accurate numbers or percentages. We are looking for orders of magnitude and for overall indications of usage.
· We need to realize that the data alone does not show the full story. The data returned may show that objects are not used, but they won’t tell us why they aren’t used. We may need to request more information from end users and implementers to properly understand the issues they are experiencing.

Cheers

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA | An FS-ISAC and DTCC Company
+61 (407) 203 206 | terry@soltra.com
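The counts proposed in the message above (top-level objects with and without IDs, relationships between objects, controlled vocabularies versus custom strings, CybOX object types, and composition/##comma## list usage) can be gathered with a single pass over a STIX 1.x package. The script below is an added illustration written for this page; it is not the cti-stats tool and not Trey's code. The STIX/CybOX namespace URIs are the standard STIX 1.x ones; the sample package, the `example:` IDs, and the VOCAB_FIELDS list are constructed assumptions for the demonstration.

```python
"""Usage-statistics pass over a STIX 1.x package (illustrative, not cti-stats)."""
import re
from collections import Counter
from xml.etree import ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
STIX_NS = "http://stix.mitre.org/stix-1"
STIX_COMMON_NS = "http://stix.mitre.org/common-1"
CYBOX_NS = "http://cybox.mitre.org/cybox-2"
# Top-level STIX 1.x constructs we report on (#3/#5 in the message).
TOP_LEVEL = {"Indicator", "TTP", "Campaign", "Threat_Actor", "Incident",
             "Exploit_Target", "Course_Of_Action", "Observable"}
# Fields expected to carry a controlled-vocabulary value (assumption for this
# example; a real pass would enumerate every vocab-bearing field).
VOCAB_FIELDS = {"Type", "Motivation", "Intended_Effect", "Status", "Sophistication"}
COMPOSITION = {"Composite_Indicator_Expression", "Observable_Composition", "Related_Objects"}

# Constructed sample package: two Indicators (one without an id, one using a
# custom Type string), one TTP, one idref relationship, one ##comma## list.
SAMPLE_PACKAGE = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:stixCommon="http://stix.mitre.org/common-1"
  xmlns:indicator="http://stix.mitre.org/Indicator-2"
  xmlns:ttp="http://stix.mitre.org/TTP-1"
  xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  id="example:Package-1" version="1.2">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">IP Watchlist</indicator:Type>
      <indicator:Observable id="example:observable-1">
        <cybox:Object id="example:object-1">
          <cybox:Properties xsi:type="AddressObj:AddressObjectType">
            <AddressObj:Address_Value>10.0.0.1##comma##10.0.0.2</AddressObj:Address_Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
      <indicator:Indicated_TTP><stixCommon:TTP idref="example:ttp-1"/></indicator:Indicated_TTP>
    </stix:Indicator>
    <stix:Indicator xsi:type="indicator:IndicatorType">
      <indicator:Type>Custom type string</indicator:Type>
    </stix:Indicator>
  </stix:Indicators>
  <stix:TTPs>
    <stix:TTP id="example:ttp-1" xsi:type="ttp:TTPType"><ttp:Title>Constructed TTP</ttp:Title></stix:TTP>
  </stix:TTPs>
</stix:STIX_Package>"""


def local(tag):
    """Strip the {namespace} prefix ElementTree puts on a tag."""
    return tag.rsplit("}", 1)[-1]


def in_ns(el, ns):
    return el.tag.startswith("{%s}" % ns)


def is_top_level(el):
    return (in_ns(el, STIX_NS) or in_ns(el, CYBOX_NS)) and local(el.tag) in TOP_LEVEL


def nearest_top_level(el, parents):
    """Walk up to the enclosing top-level object (or the package itself)."""
    while el in parents:
        el = parents[el]
        if is_top_level(el):
            return local(el.tag)
    return "Package"


def analyse(xml_text):
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    stats = {k: Counter() for k in ("top_level", "with_id", "relationships",
                                    "controlled_vocab", "custom_strings",
                                    "cybox_objects", "composition")}
    for el in root.iter():
        name = local(el.tag)
        if is_top_level(el):                       # #3/#5: object counts and IDs
            stats["top_level"][name] += 1
            if el.get("id"):
                stats["with_id"][name] += 1
        if in_ns(el, STIX_COMMON_NS) and name in TOP_LEVEL:   # #6: relationships
            kind = "idref" if el.get("idref") else "embedded"
            stats["relationships"]["%s -> %s (%s)" % (nearest_top_level(el, parents), name, kind)] += 1
        xsi = el.get(XSI_TYPE, "")
        if re.search(r"Vocab-\d", xsi):            # #8: controlled vocab vs custom string
            stats["controlled_vocab"][xsi.split(":")[-1]] += 1
        elif name in VOCAB_FIELDS and (el.text or "").strip():
            stats["custom_strings"][name] += 1
        if in_ns(el, CYBOX_NS) and name == "Properties":       # CybOX object types
            stats["cybox_objects"][xsi.split(":")[-1] or "untyped"] += 1
        if name in COMPOSITION:                    # #9: composition forms
            stats["composition"][name] += 1
        if el.text and "##comma##" in el.text:
            stats["composition"]["##comma## list"] += 1
    return stats


if __name__ == "__main__":
    for section, counter in analyse(SAMPLE_PACKAGE).items():
        print(section, dict(counter))
```

Counts are deliberately coarse (per-object tallies, no percentages), matching the note that orders of magnitude and overall usage indications are what is wanted; the output also shows why the data alone cannot explain usage, since an Indicator with a custom Type string is counted but the reason for avoiding the vocabulary is not recoverable from the package.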