[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-stix] Relationship Timestamp Properties: proposed description for the 2 timestamp parameters
I liked the originally proposed wording. The original wording is clear and concise, which is a strong plus for me. The proposed rewording is a little more difficult for me to understand. Thank you. -Mark From: <cti-stix@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com> Sean – I have issues with the words ‘asserted are true’ and how ‘time window’ is described.
The terms “Asserted are true” implies that its purely an analyst making that ‘assertion’. For the same reasons that you have concerns about ‘exist/determined/occurred’ I would say I have the flip concerns on the words asserted. I have tried
to propose terms that might be acceptable to both parties. I suggest we can better potentially achieve consensus with a higher bandwidth conversation on a TC call. I don’t want to fill up people’s inboxes with a lot of emails debating as it seems like the suggested text won’t come together over email after all. Have a good holiday weekend. regards Allan Thomson,
CTO,
Lookingglass Cyber Solutions This electronic message transmission contains information from LookingGlass Cyber Solutions, Inc. which may be attorney-client privileged, proprietary and/or confidential. The information
in this message is intended only for use by the individual(s) to whom it is addressed. If you believe that you have received this message in error, please contact the sender, delete this message, and be aware that any review, use, disclosure, copying or distribution
of the contents contained within is strictly prohibited From: Sean Barnum <sean.barnum@FireEye.com> I think the term “established” has many of the same issues as “determined” and “occurred” in the original definitions. The primary concern is that they are open to misinterpretation that these timestamps are conveying details of the process used to develop the intelligence rather than the intelligence itself. This is my core concern with first/last_seen
as well. “Established” also has the same concern I described about “occurred” in that they are implying that the time frame of a relationship being true is an action rather than a state of being and further that it is past tense. The other key concern I think we need to consider is recognition that specifying a time window for an asserted relationship is an assertion that the relationship held/holds true during that time window. It is not in any way an assertion
that the relationship does NOT hold true outside that time window. I believe it is dangerous to make assumptions that such a converse is implied. If Org A sees ThreatActor X using Malware Y against them from Jan-Mar, they can make a relationship assertion that ThreatActor X uses Malware Y with a time window of Jan-Mar. This would not be an assertion that ThreatActor X never used
Malware Y before Jan or after Mar. They may have no evidence of either such assertion. What they do have evidence for is the positive assertion Jan-Mar. They may just not have discovered its use against them outside that window or that it is being used against
other orgs outside that window. For these reasons, terminology like “exists” or even more so “ceases to exist” make me very nervous. Bottom line is that I do not believe “established” or “exist” are appropriate here for the reasons outlined above. I am interested to know what you think was clunky about the suggestions. To me the consistent use (thoughout) of commonly used terms for such time ranges (earliest, latest, lower bound, upper bound) is less clunky than using different terms in the two definitions. Obviously, determination of “clunky” is subjective to each person. ;-) Sean Barnum Principal Architect FireEye M: 703.473.8262 E: sean.barnum@fireeye.com From: Allan Thomson <athomson@lookingglasscyber.com> Sorry that last sentence was copy/paste error. Review this one:
Allan Thomson,
CTO,
Lookingglass Cyber Solutions This electronic message transmission contains information from LookingGlass Cyber Solutions, Inc. which may be attorney-client privileged, proprietary and/or confidential. The information
in this message is intended only for use by the individual(s) to whom it is addressed. If you believe that you have received this message in error, please contact the sender, delete this message, and be aware that any review, use, disclosure, copying or distribution
of the contents contained within is strictly prohibited From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com> Sean – I don’t love the time window sentences that you changed. I get the concept of time windows and what you are trying to convey but I think the suggestion is clunky and we can improve it. Here’s another update to hopefully address the concerns:
Allan Thomson,
CTO,
Lookingglass Cyber Solutions This electronic message transmission contains information from LookingGlass Cyber Solutions, Inc. which may be attorney-client privileged, proprietary and/or confidential. The information
in this message is intended only for use by the individual(s) to whom it is addressed. If you believe that you have received this message in error, please contact the sender, delete this message, and be aware that any review, use, disclosure, copying or distribution
of the contents contained within is strictly prohibited From: Sean Barnum <sean.barnum@FireEye.com> I have a few issues with the way they are defined here. I believe that some people reading “the first time that the relationship between the objects was determined to have occurred” will interpret it to mean what was determined to be the initial time that the relationship is true while others
might read it as the time that a determination of the beginning of the time window occurred. These are significantly different things. It is even more unclear in “the last time that this relationship between the objects was determined to connect those 2 objects”. I would also take issue with the use of “the first time” and “the last time” in the definitions as they imply discrete time events when in reality these fields on a relationship represent the bounds of a continuous time region. I would suggest that more continuous terminology be used such as “earliest time” and “latest time”. I believe the term “occurred” is also somewhat troublesome. First it implies that a relationship is something that happens (as in an action) rather than an assertion on a state of being. I would assert Relationship objects are the former
and not the latter. Second, it implies that it is past tense which while the common case is certainly not always the case. The second sentence of the Field #1 definition looks fine. I think the third sentence of the Field #1 definition could be better worded. I think what an absence of a starting time stamp for the window really says is that there is no beginning bound to the window. If you specify an end time but
no start time then you are saying any time before the end time. If you specify a start time and no end time then you are saying any time from the start time onward. The second sentence of the Field #2 definition has an issue in its use of “no longer exist”. This wording implies that the producer is making an explicit assertion that the relationship will not be true after the end time. I would suggest
that in common practice these sorts of time windows on relationships are intended to convey that the relationship will be true at least until the end time. There is typically not enough evidence to make a hard assertion that it does not hold true after a given
time as proving a negative is very difficult. The third sentence of the Field #2 definition is good. I am sure that it sounds like I am being very picky. I am just concerned that ambiguity in these definitions is very likely to lead to confusion and inconsistent use. One of my main concerns here, as I have said before, is that we avoid any confusion that the timestamps might convey when an observation occurred or when a decision occurred on the beginning of the time window rather than the window itself. This might seem like splitting hairs but based on the active debates over first/last_seen, I think that this is a valid concern. As the comments above show, I am also concerned with making it very clear what we mean when using these fields to bound the time window associated with the assertion of a Relationship. So, to avoid being the guy who complains but offers no alternatives, here would be my suggested improvements:
I believe this more clearly and accurately conveys the meaning of these fields and uses consistent terminology and structure across the sentences and across the two field definitions which should help reduce potential confusion. Sean Barnum Principal Architect FireEye M: 703.473.8262 E: sean.barnum@fireeye.com From: <cti-stix@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com> Hi – I had taken an action item to propose the descriptions for 2 relationship timestamp properties. Please review below and suggest changes or acknowledge that these descriptions would be acceptable. To avoid folks focusing on the name of the property I’ve chosen to just call them Relationship Timestamp Field #1 and #2.
Regards Allan This email and any attachments thereto may contain private, confidential, and/or privileged material for the sole use of the intended recipient. Any review, copying, or distribution of this email (or any attachments thereto) by others is
strictly prohibited. If you are not the intended recipient, please contact the sender immediately and permanently delete the original and any copies of this email and any attachments thereto.
This email and any attachments thereto may contain private, confidential, and/or privileged material for the sole use of the intended recipient. Any review, copying, or distribution of this email (or any attachments thereto) by others is
strictly prohibited. If you are not the intended recipient, please contact the sender immediately and permanently delete the original and any copies of this email and any attachments thereto.
|
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]