

Subject: Re: [cti-stix] Supporting translations in STIX


For those two use cases - I would translate the *observation* and its title/description - not the Cybox itself.

It's totally unclear to me how one would "translate" a cybox pattern. Consider the pattern might be a regular expression looking for certain words in certain locations, or specific text blobs in an email. If you "translate" that blob, the pattern is invalid because the campaign is not using your translation in its emails.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: Allan Thomson <athomson@lookingglasscyber.com>
To: John-Mark Gurney <jmg@newcontext.com>
Cc: "Back, Greg" <gback@mitre.org>, "Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 06/29/2016 12:13 AM
Subject: Re: [cti-stix] Supporting translations in STIX
Sent by: <cti-stix@lists.oasis-open.org>





If a threat actor is communicating in non-English over an IRC channel and those communications were captured and the threat intelligence organization that captured it wants to share what they said in English translation, would that not be communicated via cybox data?

What if an email is written in non-English and sent as a phishing email to targets, the threat intel organization wants to translate to another language so that their team can understand what the content says for context awareness?

I understand the perspective that CyBox is primarily intended to represent facts in the packets being communicated so for the two use cases above, how would the translated information be provided in STIX/CyBox?

I’m not against doing something a different way if it makes sense, but saying that this is not a valid use case or can’t be supported isn’t really ideal.

allan

On 6/28/16, 2:38 PM, "John-Mark Gurney" <jmg@newcontext.com> wrote:

Allan Thomson wrote this message on Fri, Jun 24, 2016 at 16:00 +0000:
> The sighting points to an indicator that identifies the pattern, which may be in english. But the sighting also points to the observation of the captured information which is in non-english.

We should restrict using language for fields that are human generated
and human consumed.  CybOX data, though it may be in a specific language,
cannot be translated w/o changing the meaning of it.  If a file name
is in Japanese in an Observation (CybOX data), translating that would
change the meaning of the Observation, and not be helpful...  Labeling
that it's Japanese also does not provide any advantage (that I can think
of).

> On 6/24/16, 8:53 AM, "Back, Greg" <gback@mitre.org> wrote:
>
> Are there specific sub-components where we would potentially want to support a different language from the parent TLO (for now, given that we can always add it later)?

--
John-Mark


