Subject: Re: [cti-stix] TA Social Media Account
I agree with the observation and suggestion regarding Source/Identity
(concepts/objects hierarchy - abstraction - abstracted class).
Pushing it further, in an automated M2M scenario, for example, the Source of
an Indicator could be a Tool (i.e. an IDS) - you could want to link Indicator
with Tool with a 'created_by' relationship to represent the source of the
object.
Basically, that's why I've been using "Asset" to abstract "Identity and Tool".

On Fri, Jul 29, 2016 at 11:09 PM, Terry MacDonald <terry.macdonald@cosive.com> wrote:
> It seems to me that we could rename the Source object to a more generic
> Identity object, and we would gain the ability to track identities, and use
> relationships to associate these identities with different parts of STIX.
>
> - you could link threat actor with identity with a 'persona_of' relationship
>   to represent a fake identity the threat actor uses
> - you could link threat actor with identity with an 'identity_of'
>   relationship to represent the real identity of the threat actor
> - you could link object creator directly with identity to represent the
>   source of the object.
> - you could link tool creator with identity with a 'created_by' relationship
>   to represent the real identity of the tool creator (malware would link to
>   threat actor)
> - you could link victimtarget with identity with an 'identity_of'
>   relationship to represent the real identity of the victimtarget (if we are
>   talking specific victims)
>
> An Identity object seems more flexible to me than a Source object, which
> appears to be an identity object restricted to just representing who created
> something.
>
> Cheers
> Terry MacDonald
> Cosive
>
>
> On 30/07/2016 6:40 AM, "Jordan, Bret" <bret.jordan@bluecoat.com> wrote:
>>
>> Just to be clear, just because we are finishing up STIX 2.0 and working
>> through its final phases, that does not preclude the community from starting
>> to work on STIX 2.1 items.
>>
>>
>> Thanks,
>>
>> Bret
>>
>>
>>
>> Bret Jordan CISSP
>> Director of Security Architecture and Standards | Office of the CTO
>> Blue Coat Systems
>> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
>> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that
>> can not be unscrambled is an egg."
>>
>> On Jul 29, 2016, at 10:40, Casey, Timothy P <timothy.p.casey@intel.com>
>> wrote:
>>
>> Agreed these are different. It appears there are two ways to interpret
>> it, suggesting possibly two data points:
>> - Validation as to whether a particular profile is legit or fake
>> - Any external information about that profile
>>
>>
>> From: Jerome Athias [mailto:athiasjerome@gmail.com]
>> Sent: Thursday, July 28, 2016 10:51 AM
>> To: Casey, Timothy P <timothy.p.casey@intel.com>
>> Cc: cti-stix@lists.oasis-open.org; Wunder, John A. <jwunder@mitre.org>;
>> Joep Gommers <joep@eclecticiq.com>
>> Subject: Re: [cti-stix] Re: TA Social Media Account
>>
>> Well, as for sure we could have various use cases/scenarios (those could be
>> discussed one by one), I will give you one, for maybe, restricting the scope
>> of my initial question.
>>
>> I (my profile/one instance of my digital identity) receive an
>> invitation/connection request from another profile.
>> Doing some research (analysis) I identify, with high confidence, that
>> it is a fake profile. (and that there is a certain intent/motive behind it)
>>
>> How do I share that?
>>
>> PS: note that this would be, imho, a different use case than the examples
>> you provided
>>
>>
>> On Thu, Jul 28, 2016 at 8:25 PM, Casey, Timothy P
>> <timothy.p.casey@intel.com> wrote:
>>
>> If analysis is the objective, should the reference field be limited to
>> just a LI account, or even just to social media? What if things like vendor
>> TA blogs, legal dossiers, government reports, etc. are also available?
>>
>> From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org]
>> On Behalf Of Wunder, John A.
>> Sent: Thursday, July 28, 2016 5:34 AM
>> To: Jerome Athias <athiasjerome@gmail.com>; Joep Gommers
>> <joep@eclecticiq.com>
>> Cc: Jason Keirstead <Jason.Keirstead@ca.ibm.com>;
>> cti-stix@lists.oasis-open.org
>> Subject: Re: [cti-stix] Re: TA Social Media Account
>>
>> Yeah I agree, there's an important difference between something as an
>> indicator and that same thing as part of an analysis. It applies here, but
>> also to malicious infrastructure, malware hashes/attributes, and many other
>> places.
>>
>> FWIW, that exact topic (the difference between an Indicator and a
>> TTP/analysis) came up pretty consistently when talking about STIX 1.2 so
>> anything we can do in 2.0 to make it more clear is very important.
>>
>> (I'm not arguing that we do anything to add this now, I agree w/ what
>> Jerome said below that we should tackle it for 2.1+)
>>
>> John
>>
>> From: <cti-stix@lists.oasis-open.org> on behalf of Jerome Athias
>> <athiasjerome@gmail.com>
>> Date: Thursday, July 28, 2016 at 5:17 AM
>> To: Joep Gommers <joep@eclecticiq.com>
>> Cc: Jason Keirstead <Jason.Keirstead@ca.ibm.com>,
>> "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
>> Subject: [cti-stix] Re: TA Social Media Account
>>
>> Yep I concur
>>
>> On Thursday, 28 July 2016, Joep Gommers <joep@eclecticiq.com> wrote:
>>
>> There are indeed two different scenarios;
>>
>> - the linkedin account, when observed actively, is an indication of some
>>   intelligence (ttps, actors, campaigns, bla)
>> - the linkedin account is part of the analysis narrative of an actor, a
>>   description of his (potential) identity.
>>
>> The first case would be an indicator, the second case would be part of
>> some sort of identity construct. They can exist in parallel.
>>
>> J-
>>
>>
>>
>> From: <cti-stix@lists.oasis-open.org> on behalf of Jerome Athias
>> <athiasjerome@gmail.com>
>> Date: Thursday, July 28, 2016 at 7:53 AM
>> To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
>> Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
>> Subject: Re: [cti-stix] TA Social Media Account
>>
>> Hi,
>>
>> thanks for the answer.
>> Probably something for 2.1:
>> Could we want/need a -Profile Object- that would be some sort of (Digital)
>> Identity? (bad or good)
>> (that could effectively be linked to a User_Account of a -Service- (other
>> object needed?))
>>
>> Best regards
>>
>>
>> On Tue, Jul 26, 2016 at 3:44 PM, Jason Keirstead
>> <Jason.Keirstead@ca.ibm.com> wrote:
>>
>> You would make an indicator object that had a pattern that matched the
>> LinkedIn account, and use an "indicates" relationship from the indicator to
>> the Threat Actor (this indicator indicates a presence of this Threat Actor).
>>
>> There is no specific "LinkedIn account" object in CybOX. I would use the
>> user-account-object.
>>
>> -
>> Jason Keirstead
>> STSM, Product Architect, Security Intelligence, IBM Security Systems
>> www.ibm.com/security | www.securityintelligence.com
>>
>> Without data, all you are is just another person with an opinion - Unknown
>>
>>
>> Jerome Athias ---07/26/2016 03:33:13 AM---Hi, This would
>> need some work with the Message Objects in the future, but for
>>
>> From: Jerome Athias <athiasjerome@gmail.com>
>> To: cti-stix@lists.oasis-open.org
>> Date: 07/26/2016 03:33 AM
>> Subject: [cti-stix] TA Social Media Account
>> Sent by: <cti-stix@lists.oasis-open.org>
>>
>>
>> Hi,
>> This would need some work with the Message Objects in the future, but for
>> now, quick question to the mentor(s):
>> Would we have a quick & clean way to add a, for example, LinkedIn account
>> to the Threat Actor object?
>>
>>
>
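The two modelling choices the thread keeps coming back to (the account as an Indicator that 'indicates' the Threat Actor, versus the account as an Identity that is a persona of the actor) side by side as STIX 2.x JSON, plus a small referential check over the relationships. This is an added example, not code from the thread or from any STIX project; all ids, names, timestamps and the account pattern are constructed, and 'persona_of', 'identity_of' and 'created_by' are the relationship names proposed in the thread, treated here as custom relationship types (an assumption), while 'indicates' is the standard one Jason mentions.

```python
import uuid

TS = "2016-07-28T10:51:00.000Z"  # constructed timestamp for created/modified

# (source type, target type) pairs accepted for each relationship type.
# 'indicates' is STIX-defined; the others are the thread's proposals (assumption).
ALLOWED = {
    "indicates": {("indicator", "threat-actor")},
    "persona_of": {("identity", "threat-actor")},
    "identity_of": {("identity", "threat-actor")},
    "created_by": {("tool", "identity"), ("malware", "threat-actor")},
}

def sdo(obj_type, **props):
    """Minimal STIX 2 object with a fresh '<type>--<uuid4>' id."""
    return {"type": obj_type, "id": f"{obj_type}--{uuid.uuid4()}",
            "created": TS, "modified": TS, **props}

def rel(rel_type, src, dst):
    return sdo("relationship", relationship_type=rel_type,
               source_ref=src["id"], target_ref=dst["id"])

def build_bundle():
    """Both scenarios from the thread in one bundle (constructed sample values)."""
    actor = sdo("threat-actor", name="Sample Actor", labels=["spy"])
    # Scenario 1: the account is observable evidence -> Indicator pattern.
    ind = sdo("indicator", labels=["malicious-activity"], valid_from=TS,
              pattern="[user-account:account_type = 'linkedin' AND "
                      "user-account:account_login = 'sample.persona']")
    # Scenario 2: the account is part of the actor analysis -> persona Identity.
    persona = sdo("identity", name="sample.persona", identity_class="individual")
    objs = [actor, ind, persona,
            rel("indicates", ind, actor), rel("persona_of", persona, actor)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "spec_version": "2.0", "objects": objs}

def check_relationships(bundle):
    """Problems found: dangling refs or type pairs not allowed for the rel type."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    problems = []
    for r in (o for o in bundle["objects"] if o["type"] == "relationship"):
        src, dst = by_id.get(r["source_ref"]), by_id.get(r["target_ref"])
        if src is None or dst is None:
            problems.append(f"{r['id']}: dangling reference")
        elif (src["type"], dst["type"]) not in ALLOWED.get(r["relationship_type"], set()):
            problems.append(f"{r['id']}: {src['type']} -{r['relationship_type']}-> {dst['type']}")
    return problems

def personas_of(bundle, actor_id):
    """Names of identities linked to the actor via 'persona_of'."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    return sorted(by_id[r["source_ref"]]["name"] for r in bundle["objects"]
                  if r["type"] == "relationship" and r["target_ref"] == actor_id
                  and r["relationship_type"] == "persona_of")
```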