Subject: Re: [cti-stix] Question on Sightings Proposal and Cybox Observations
The problem is, you can't do #1 with sightings and observations as proposed - as I can't use a pattern in a sighting without an attached indicator or observation, and observation can't contain a pattern (as proposed).
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
Aharon Chernin ---04/05/2016 11:02:05 AM---1) Not a fan of using confidence for #1. Wouldn’t you be saying that you have a low confidence that
From: Aharon Chernin <achernin@soltra.com>
To: "Wunder, John A." <jwunder@mitre.org>, Jason Keirstead/CanEast/IBM@IBMCA, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Date: 04/05/2016 11:02 AM
Subject: Re: [cti-stix] Question on Sightings Proposal and Cybox Observations
Sent by: <cti-stix@lists.oasis-open.org>
I have a cross-cutting STIX and Cybox question, and answering it on Slack seems too difficult (bouncing between too many channels).
I have been reading through the STIX Sightings proposal and also the Cybox Observation proposal. I am not sure either of them takes into account composite, behavioral use cases for sightings and observations... but maybe I am simply misunderstanding.
Can someone explain how the below use cases can be done using the existing proposals? The main part I see the existing proposals falling down on is 1-3. I can't figure out how to communicate an observation of behavior that is not an already existing indicator.
-
1) My SOC needs to be able to tell my threat intelligence group “we are seeing X followed by Y followed by Z, this looks strange”
2) My threat intelligence group needs to be able to ask my ISAO “we are seeing X followed by Y followed by Z, are you seeing anything like this”
3) Org 2 tells Org 1 via the ISAO “yes we are seeing that pattern as well, let's create an indicator for this pattern to publish to ISAO”
4) A generalized indicator pattern is created and Org 1 and Org 2 both “+1” the pattern
5) Org 3 (and many other orgs) “+1” the pattern as well
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
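Added example, not part of the thread and not the STIX/CybOX proposal schemas: a toy model of the three object kinds the discussion turns on (an Observation holding concrete events with no pattern, an Indicator carrying a "followed by" pattern, and a Sighting that must reference one of them), run through use cases 1 and 3-5 above. The object names, the `Repository` class, the tuple-based "X followed by Y followed by Z" pattern encoding and the per-org event sequences are all constructed here for illustration; they are not proposal field names. It shows the point Jason raises in his reply: before an indicator exists, a sighting cannot be hung off the pattern itself, only off an observation of the concrete events, and once the generalized indicator is published each org's "+1" becomes a sighting that references it.

```python
"""Toy indicator / observation / sighting model (hypothetical, not the STIX proposal)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    """Concrete things one org saw; carries no pattern, as the proposal describes."""
    id: str
    events: tuple  # ordered event labels actually observed


@dataclass(frozen=True)
class Indicator:
    """A shareable pattern, encoded here as an ordered tuple of event labels."""
    id: str
    pattern: tuple


@dataclass(frozen=True)
class Sighting:
    """One org's "+1"; must reference an existing Indicator or Observation."""
    org: str
    sighting_of: str


class Repository:
    """Minimal store enforcing the reference rule from the thread."""

    def __init__(self):
        self.indicators = {}
        self.observations = {}
        self.sightings = []

    def add_indicator(self, ind):
        self.indicators[ind.id] = ind

    def add_observation(self, obs):
        self.observations[obs.id] = obs

    def sight(self, org, ref):
        # A sighting of a bare pattern id fails: nothing exists to reference yet.
        if ref not in self.indicators and ref not in self.observations:
            raise ValueError(f"sighting must reference an existing indicator or observation: {ref}")
        s = Sighting(org, ref)
        self.sightings.append(s)
        return s

    def sighting_counts(self):
        """Tally of "+1"s per referenced object id."""
        return Counter(s.sighting_of for s in self.sightings)


def matches_followed_by(pattern, events):
    """True if every step of pattern occurs in events in order (gaps allowed)."""
    it = iter(events)
    return all(any(e == step for e in it) for step in pattern)


def run_use_cases():
    """Walk use cases 1 and 3-5 with constructed telemetry; returns the sighting tally."""
    repo = Repository()

    # Use case 1: Org 1's SOC sees X, then Y, then Z amid other events (constructed).
    org1_events = ("login", "X", "noise", "Y", "Z")
    obs = Observation("observation--org1", org1_events)
    repo.add_observation(obs)
    # Only the concrete observation can be sighted at this point, not the pattern.
    repo.sight("org1", obs.id)

    # Use cases 3-4: after orgs agree, a generalized indicator carrying the pattern is published.
    ind = Indicator("indicator--xyz", ("X", "Y", "Z"))
    repo.add_indicator(ind)

    # Use cases 4-5: each org evaluates its own telemetry (constructed) and "+1"s on a match.
    telemetry = {
        "org1": org1_events,
        "org2": ("X", "Y", "W", "Z"),   # matches: order preserved, gap allowed
        "org3": ("X", "Z", "Y"),        # no match: Z precedes Y
    }
    for org, events in telemetry.items():
        if matches_followed_by(ind.pattern, events):
            repo.sight(org, ind.id)
    return repo.sighting_counts()


if __name__ == "__main__":
    print(run_use_cases())
```

Running it tallies one sighting of the observation (use case 1) and two sightings of the indicator (Org 1 and Org 2; Org 3's sequence does not match), and an attempt to sight `"pattern--xyz"` before any indicator carries it raises `ValueError`, which is the gap the thread is discussing.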