Yeah I agree Terry, it’s probably worth talking about a “derived-from” relationship on the call Tuesday. Seems like that would be a pretty straightforward way of representing that information.
John
From:
<cti-stix@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@cosive.com>
Date: Sunday, July 24, 2016 at 3:25 PM
To: Joep Gommers <joep@eclecticiq.com>
Cc: Jerome Athias <athiasjerome@gmail.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Re: STIX 2.0-CORE Draft 1 8.4. Versioning Question
Hi Joep/Jerome,
Both these topics have been discussed, but consensus was unable to be reached in order to meet the tight MVP timetable.
The important thing to note is that it's always up to reach consumer to determine what threat intel they are comfortable accepting as the 'truth'. A bank has different levels of risk and trust to a military organization, which is different again to a school.
Future features like the Opinion object suggested earlier this year would enable people to agree with or disagree with someone else's STIX object. In that way if someone produces fake counter Intel, then that object can be 'voted down'. Consumers would be
able to crowdsource the communities opinion on that threat intel, and over time would learn which threat intel providers get the most positive opinions.
Additionally, we have talked about authenticating the identity of content creators and require that all threat intel they produce is cryptographically signed. This would allow for consumers to effectively learn which information sources are trusted, and
trust their data more than new content producers.
For versioning, there was discussion of a derived-from relationship that one could use to indicate that your threat intel is based on someone else's work (and point to exactly the piece of intel you used). This would allow for the situation's that Joep described,
but this isn't currently in this draft of STIX. (Though this one seems like we could actually add it quite simply...)
Cheers
Terry MacDonald
Cosive
On 24/07/2016 8:03 PM, "Joep Gommers" <joep@eclecticiq.com> wrote:
I’d be interested in exploring a solution whereby we don’t break the conceptual understanding that In STIX, you convey your insights (analysis, reporting, artifacts) - making
only you or people on your behalf responsible for updates. Here too, we must solve the gateway A->gateway B,C (who both reversion in your namespace)->gateway D who received two different new versions. Merging?
However, perhaps we could allow for something that says that when you reversion an entity from namespace X you can not reversion from namespace Y, but you could make some sort
of similar reference “is associated with”, “is our understanding of”, “….”. Or perhaps literally reversion but simply within your namespace – so that one can see this was “overwritten” by a new org/namespace.
I do understand that and agree for the majority of cases.
To give a -special case- often coming as a concern/question about CTI:
What would happen if an adversary introduces fake/disinformation/counter-CTI?
Yes, one could use Confidence/Opinion/Judgment
But I'm looking for an answer to this, imho, valid concern.
Best regards
On Sunday, 24 July 2016, Joep Gommers <joep@eclecticiq.com> wrote:
For what its worth I’d be interested in this discussion because;
- it makes completely sense that only you can reversion your own intelligence, or people from your namespace, considering your conveying your analysis and insights - not to mention conflicts
of merging etc
- its among the most requested features from our customer/prospect base who view it more as a knowledge base then a collection of our people’s analysis fused with their own (namespace)
On 7/23/16, 6:12 AM, "cti-stix@lists.oasis-open.org on behalf of Jerome Athias" <cti-stix@lists.oasis-open.org on behalf of athiasjerome@gmail.com> wrote:
>Hi,
>
>Reviewing the current draft, I would have this question regarding Versioning:
>(The Only Stupid Question is the One You Don't Ask)
>
>"Only the object creator is permitted to create new versions of a STIX
>Object. Producers other than the object creator MUST NOT create new
>versions of that object."
>vs "Derived Object"
>
>Question: If I want to derive (duplicate/enhance - create a "new
>version" of) one STIX Object (object creator=Org A), as-is, is there a
>mechanism for me (Org B) to reference the ID of the initial Object?
>
>
>
>PS:
>"As with issuing a new version, only the object creator is permitted
>to revoke a STIX object."
>Note: this could have to be reevaluated, investigated further in the future.
>
>---------------------------------------------------------------------
>To unsubscribe from this mail list, you must leave the OASIS TC that
>generates this mail. Follow this link to all your TCs in OASIS at:
>https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>
|