cti-stix message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [cti-stix] TA Social Media Account


I agree with the observation and suggestion regarding Source/Identity
(concepts/objects hierarchy - abstraction - abstracted class).

Pushing it further, in an automated M2M scenario, for example,
the Source of an Indicator could be a Tool (i.e. an IDS)
- you could want to link Indicator with Tool with a 'created_by'
relationship to represent the source of the object

Basically, that's why I've been using "Asset" to abstract "Identity and Tool".





On Fri, Jul 29, 2016 at 11:09 PM, Terry MacDonald
<terry.macdonald@cosive.com> wrote:
> It seems to me that we could rename the Source object to a more generic
> Identity object, and we would gain the ability to track identities, and use
> relationships to associate these identities with different parts of STIX.
>
> - you could link threat actor with identity with a 'persona_of' relationship
> to represent a fake identity the threat actor uses
> - you could link threat actor with identity with an 'identity_of'
> relationship to represent the real identity of the threat actor
> - you could link object creator directly with identity to represent the
> source of the object.
> - you could link tool creator with identity with a 'created_by' relationship
> to represent the real identity of the tool creator (malware would link to
> threat actor)
> - you could link victim target with identity with an 'identity_of'
> relationship to represent the real identity of the victim target (if we are
> talking specific victims)
>
> An Identity object seems more flexible to me than a Source object, which
> appears to be an identity object restricted to just representing who created
> something.
>
> Cheers
> Terry MacDonald
> Cosive
>
>
> On 30/07/2016 6:40 AM, "Jordan, Bret" <bret.jordan@bluecoat.com> wrote:
>>
>> Just to be clear, just because we are finishing up STIX 2.0 and working
>> through its final phases, that does not preclude the community from starting
>> to work on STIX 2.1 items.
>>
>>
>> Thanks,
>>
>> Bret
>>
>>
>>
>> Bret Jordan CISSP
>> Director of Security Architecture and Standards | Office of the CTO
>> Blue Coat Systems
>> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that
>> can not be unscrambled is an egg."
>>
>> On Jul 29, 2016, at 10:40, Casey, Timothy P <timothy.p.casey@intel.com>
>> wrote:
>>
>> Agreed these are different.  It appears there are two ways to interpret
>> it, suggesting possibly two data points:
>> - Validation as to whether a particular profile is legit or fake
>> - Any external information about that profile
>>
>>
>> From: Jerome Athias [mailto:athiasjerome@gmail.com]
>> Sent: Thursday, July 28, 2016 10:51 AM
>> To: Casey, Timothy P <timothy.p.casey@intel.com>
>> Cc: cti-stix@lists.oasis-open.org; Wunder, John A. <jwunder@mitre.org>;
>> Joep Gommers <joep@eclecticiq.com>
>> Subject: Re: [cti-stix] Re: TA Social Media Account
>>
>> Well, as for sure we could have various use cases/scenario (those could be
>> discussed one by one), I will give you one, for maybe, restricting the scope
>> of my initial question.
>>
>> I (my profile/one instance of my digital identity) receive an
>> invitation/connection request from another profile.
>> Doing some research (analysis), I identify, with high confidence, that
>> it is a fake profile (and that there is a certain intent/motive behind it).
>>
>> How do I share that?
>>
>> PS: note that this would be, imho, a different use case than the examples
>> you provided.
>>
>>
>>
>>
>>
>> On Thu, Jul 28, 2016 at 8:25 PM, Casey, Timothy P
>> <timothy.p.casey@intel.com> wrote:
>>
>> If analysis is the objective, should the reference field be limited to
>> just a LI account, or even just to social media?  What if things like vendor
>> TA blogs, legal dossiers, government reports, etc. are also available?
>>
>> From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org]
>> On Behalf Of Wunder, John A.
>> Sent: Thursday, July 28, 2016 5:34 AM
>> To: Jerome Athias <athiasjerome@gmail.com>; Joep Gommers
>> <joep@eclecticiq.com>
>> Cc: Jason Keirstead <Jason.Keirstead@ca.ibm.com>;
>> cti-stix@lists.oasis-open.org
>> Subject: Re: [cti-stix] Re: TA Social Media Account
>>
>> Yeah I agree, there’s an important difference between something as an
>> indicator and that same thing as part of an analysis. It applies here, but
>> also to malicious infrastructure, malware hashes/attributes, and many other
>> places.
>>
>> FWIW, that exact topic (the difference between an Indicator and a
>> TTP/analysis) came up pretty consistently when talking about STIX 1.2 so
>> anything we can do in 2.0 to make it more clear is very important.
>>
>> (I’m not arguing that we do anything to add this now, I agree w/ what
>> Jerome said below that we should tackle it for 2.1+)
>>
>> John
>>
>> From: <cti-stix@lists.oasis-open.org> on behalf of Jerome Athias
>> <athiasjerome@gmail.com>
>> Date: Thursday, July 28, 2016 at 5:17 AM
>> To: Joep Gommers <joep@eclecticiq.com>
>> Cc: Jason Keirstead <Jason.Keirstead@ca.ibm.com>,
>> "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
>> Subject: [cti-stix] Re: TA Social Media Account
>>
>> Yep I concur
>>
>> On Thursday, 28 July 2016, Joep Gommers <joep@eclecticiq.com> wrote:
>>
>> There are indeed two different scenarios:
>>
>> - the LinkedIn account, when observed actively, is an indication of some
>> intelligence (TTPs, actors, campaigns, bla)
>> - the LinkedIn account is part of the analysis narrative of an actor, a
>> description of his (potential) identity.
>>
>> The first case would be an indicator, the second case would be part of
>> some sort of identity construct. They can exist in parallel.
>>
>> J-
>>
>>
>>
>> From: <cti-stix@lists.oasis-open.org> on behalf of Jerome Athias
>> <athiasjerome@gmail.com>
>> Date: Thursday, July 28, 2016 at 7:53 AM
>> To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
>> Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
>> Subject: Re: [cti-stix] TA Social Media Account
>>
>> Hi,
>>
>> thanks for the answer.
>> Probably something for 2.1:
>> Could we want/need a -Profile Object- that would be some sort of (Digital)
>> Identity? (bad or good)
>> (that could effectively be linked to a User_Account of a -Service- (other
>> object needed?))
>>
>> Best regards
>>
>>
>> On Tue, Jul 26, 2016 at 3:44 PM, Jason Keirstead
>> <Jason.Keirstead@ca.ibm.com> wrote:
>>
>> You would make an indicator object that had a pattern that matched the
>> LinkedIn account, and use an "indicates" relationship from the indicator to
>> the Threat Actor (this indicator indicates a presence of this Threat Actor).
>>
>> There is no specific "LinkedIn account" object in CybOX. I would use the
>> user-account object.
>>
>> -
>> Jason Keirstead
>> STSM, Product Architect, Security Intelligence, IBM Security Systems
>> www.ibm.com/security | www.securityintelligence.com
>>
>> Without data, all you are is just another person with an opinion - Unknown
>>
>>
>> Jerome Athias ---07/26/2016 03:33:13 AM---Hi, This would
>> need some work with the Message Objects in the future, but for
>>
>> From: Jerome Athias <athiasjerome@gmail.com>
>> To: cti-stix@lists.oasis-open.org
>> Date: 07/26/2016 03:33 AM
>> Subject: [cti-stix] TA Social Media Account
>> Sent by: <cti-stix@lists.oasis-open.org>
>>
>> ________________________________
>>
>>
>>
>>
>> Hi,
>> This would need some work with the Message Objects in the future, but for
>> now, quick question to the mentor(s):
>> Would we have a quick & clean way to add a, for example, LinkedIn account
>> to the Threat Actor object?
>>
>>
>

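The two modelling options discussed in the thread, as an added example that is not from any of the posters: Jason Keirstead's Indicator-with-pattern plus an "indicates" relationship to the Threat Actor, and Joep Gommers' second scenario realised with Terry MacDonald's proposed Identity object and 'persona_of' relationship. The objects are STIX 2.0-style JSON dicts constructed here; 'persona_of' is the proposal from the thread, not a standard relationship type, the account names are made up, and the pattern matcher is a deliberate simplification that only handles AND-joined equality comparisons on a single user-account object.

```python
"""Tie a social-media account to a Threat Actor two ways (constructed example)."""
import re
import uuid


def stix_id(obj_type):
    return f"{obj_type}--{uuid.uuid4()}"


ACTOR = {"type": "threat-actor", "id": stix_id("threat-actor"), "name": "EXAMPLE-ACTOR"}

# Scenario 1: the account, observed actively, is an Indicator. The pattern targets the
# user-account object (no LinkedIn-specific object exists), linked with 'indicates'.
INDICATOR = {
    "type": "indicator", "id": stix_id("indicator"), "labels": ["malicious-activity"],
    "pattern": "[user-account:account_type = 'linkedin' AND "
               "user-account:account_login = 'fake-recruiter-01']",
}
# Scenario 2: the account is part of the analysis narrative, a fake persona Identity
# of the actor ('persona_of' is the thread's proposal, assumed here, not standard STIX).
PERSONA = {"type": "identity", "id": stix_id("identity"),
           "identity_class": "individual", "name": "fake-recruiter-01 (LinkedIn)"}

BUNDLE = {"type": "bundle", "objects": [ACTOR, INDICATOR, PERSONA,
    {"type": "relationship", "id": stix_id("relationship"), "relationship_type": "indicates",
     "source_ref": INDICATOR["id"], "target_ref": ACTOR["id"]},
    {"type": "relationship", "id": stix_id("relationship"), "relationship_type": "persona_of",
     "source_ref": PERSONA["id"], "target_ref": ACTOR["id"]},
]}

_COMPARISON = re.compile(r"user-account:(\w+)\s*=\s*'([^']*)'")


def pattern_terms(pattern):
    """Simplified: property -> value for AND-joined equality terms on user-account only."""
    if " OR " in pattern or "FOLLOWEDBY" in pattern:
        raise NotImplementedError("only single-object AND-joined equality patterns")
    return dict(_COMPARISON.findall(pattern))


def actors_indicated_by(bundle, observed):
    """Names of Threat Actors whose Indicators match an observed user-account dict."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    hits = []
    for rel in bundle["objects"]:
        if rel["type"] != "relationship" or rel["relationship_type"] != "indicates":
            continue
        terms = pattern_terms(by_id[rel["source_ref"]]["pattern"])
        if terms and all(observed.get(k) == v for k, v in terms.items()):
            hits.append(by_id[rel["target_ref"]]["name"])
    return hits


def personas_of(bundle, actor_id):
    """Names of Identity objects recorded as fake personas of the given actor."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    return [by_id[r["source_ref"]]["name"] for r in bundle["objects"]
            if r["type"] == "relationship" and r["relationship_type"] == "persona_of"
            and r["target_ref"] == actor_id]
```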
