Subject: Re: [cti-stix] SDO Overview


Hi,

A few notes on it (and #1 I could be wrong, as I still have not reviewed all of the spec; #2 I'm not saying/arguing for changes for now).

- One would note the similarities between Malware and Tool (Malware being a Tool, and both of them being Software).

- One would note the similarities between Threat Actor and Victim Target (which is fine). And so interestingly could envision a decomposition with a common model into Organisation/Person Group/Person.

- Regarding Source. From the previous STIX version, Information_Source is either an Identity (Person/Organisation) or a Tool.
((maybe a "is_tool" concept needed there))
As a use case scenario: CTI data could be exchanged M2M without human interaction. And/or knowing that 'this piece of information' is coming from Tool X would be useful if I (as an Organisation or Threat Analyst) have a high level of confidence/trust in this tool (or, at the opposite, know that this beta Tool Y is not so reliable yet).

- The common properties/attributes identified in grey are interesting from an implementation point of view (if interested, see the CREATIONOBJECT and CHANGERECORD objects in XORCISM)

Thanks again
Best regards



2016-07-13 5:23 GMT+03:00 Jerome Athias <athiasjerome@gmail.com>:
Useful. Thanks for that!


On Wednesday, 13 July 2016, Jordan, Bret <bret.jordan@bluecoat.com> wrote:
All,

I made a diagram to help you visualize all of the SDOs and the fields / properties of each one.  I have also included a red letter R if the field is required.  

You can find the most current version always on my github site, here: 







Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 