Subject: Re: [cti] Add last_seen to campaign and intrusion set


Hi Sarah – Some points in response to your comments.

 

1) It’s an optional field, so if a producer of intel does not see a need to include the information then it can be ignored/not included in the object.

2) Campaigns/intrusion-sets are ‘likely’ generated after intelligence teams have done some level of analysis, and that will necessarily mean that it’s not tied to a full machine-to-machine workflow without human analysts choosing when to say an update is ready to be shared with others within the community they’re sharing with.

3) There is no requirement on producers to maintain last_seen up-to-dateness/liveness, or any other field, based on what they understand to be the current picture of a campaign/intrusion-set, etc. If a producer did not want to implement maintaining this field for accuracy/liveness then they don’t have to do that. Nothing in the STIX spec requires this across any other object either.

4) Basing analysis on data that is always going to be based on the most relevant information you have at the time. There are many cases where information will be known to one party but not another. STIX does not solve this problem.

5) Object versioning supports the ability to version an object with updated last_seen information if they choose to maintain that field and then share it with their communities.

 

Allan

 

From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of Sarah Kelley <Sarah.Kelley@cisecurity.org>
Date: Thursday, November 17, 2016 at 12:03 PM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Add last_seen to campaign and intrusion set

 

I’m mostly ambivalent about adding last_seen.

 

I can see why it would be good to have; for instance, if the last time you saw an intrusion set was 3 years ago, you can possibly assume they’ve moved on. However, my concern would be how you would keep that field up to date. Would it be automatically updated via a sighting? Or would an analyst manually adjust it? Both? Because I can see why an analyst would want to be able to adjust that field, but what happens if they forget? Then it’s suddenly inaccurate, and if you’re basing any analysis on that field it’s now wrong.

 

 

 

Sarah Kelley

Senior Cyber Threat Analyst

Center for Internet Security (CIS)

Integrated Intelligence Center (IIC)

Multi-State Information Sharing and Analysis Center (MS-ISAC)

1-866-787-4722 (7×24 SOC)

Email: cert@cisecurity.org

www.cisecurity.org

Follow us @CISecurity

 

From: <cti@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
Date: Tuesday, November 15, 2016 at 6:05 PM
To: "Wunder, John A." <jwunder@mitre.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Add last_seen to campaign and intrusion set

 

John – thanks for sending this email.

 

I agree with the proposal to add last_seen and also agree with the definition that last_seen is just the last time this entity was seen.

 

It does not implicitly or explicitly say that the entity is ‘over’ or ‘stopped operating’.

 

allan

 

From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "Wunder, John" <jwunder@mitre.org>
Date: Tuesday, November 15, 2016 at 9:35 AM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] Add last_seen to campaign and intrusion set

 

All,

 

One of the suggestions we discussed on the call today was the idea of adding a field “last_seen” to the campaign and intrusion set objects. Those objects currently have a “first_seen” field, which describes the first time activity related to them was observed…the suggestion is of course that you should be able to also describe the last time you saw activity related to that campaign/intrusion set.

 

One important concern is that we want to make sure the implication is NOT that having a “last_seen” field means the campaign is “over”. The producer would be saying “here’s the last time I saw X”, not “here’s the last time I saw X and I don’t expect to see it again”.

 

Are there any objections to this, or other considerations that we should think about when defining it? Adding a field this late in the game needs to be done carefully and we want to make sure we don’t add something we shouldn’t. Gary and Sarah, you two in particular have mentioned planned usage of campaign and intrusion set. Do you see any concerns with adding this field? And, I guess, do you see the value in adding it…would it be useful to have?

 

If we did add “last_seen”, we would also add “last_seen_precision” to capture the precision of the last_seen field per our rules about timestamps.

 

Thanks,

John

 

Campaign: https://docs.google.com/document/d/1S5XhY6F5OT599b0OuHtUf8IBzFvNY8RysFHIj93DgsY/edit#heading=h.pcpvfz4ik6d6

Intrusion Set: https://docs.google.com/document/d/1S5XhY6F5OT599b0OuHtUf8IBzFvNY8RysFHIj93DgsY/edit#heading=h.5ol9xlbbnrdn
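The mechanics the thread relies on, as an added illustration that is not part of the mailing-list discussion and not STIX project code: a campaign object carrying the optional last_seen field John proposes, a new version of it published the way Allan's point 5 describes (same id, later `modified`), the consumer rule for picking the current version, and a consumer-side staleness view that treats last_seen as "last time this producer saw it", not "campaign over". The object id, names, timestamps and the `last_seen_precision` value are constructed sample data; `last_seen_precision` is included only because the thread proposes it alongside last_seen.

```python
"""Added example: optional last_seen on a STIX 2 campaign and object versioning.
All sample values below are constructed; they do not come from any real feed."""
from datetime import datetime, timezone


def _parse(ts):
    """Parse a STIX-style UTC timestamp such as 2016-11-01T09:00:00.000Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def validate_seen_window(obj):
    """True when last_seen, if present, is not earlier than first_seen.
    last_seen is optional: an object that omits it is still valid."""
    if "last_seen" not in obj or "first_seen" not in obj:
        return True
    return _parse(obj["last_seen"]) >= _parse(obj["first_seen"])


def new_version(obj, modified, **changes):
    """Produce a new version of a STIX object: same id, updated fields, and a
    `modified` timestamp strictly later than the version it replaces."""
    if _parse(modified) <= _parse(obj["modified"]):
        raise ValueError("modified must be later than the previous version")
    version = dict(obj)
    version.update(changes)
    version["modified"] = modified
    if not validate_seen_window(version):
        raise ValueError("last_seen is earlier than first_seen")
    return version


def latest_version(versions):
    """Consumer rule for one object id: the version with the greatest `modified`
    is the current one, regardless of the order in which versions arrived."""
    if len({v["id"] for v in versions}) != 1:
        raise ValueError("versions must share one id")
    return max(versions, key=lambda v: _parse(v["modified"]))


def days_since_last_seen(obj, now):
    """Consumer-side staleness view. None when the producer did not include
    last_seen; otherwise whole days since the last reported observation. A
    large value means 'not observed recently by this producer', nothing more."""
    if "last_seen" not in obj:
        return None
    return (now - _parse(obj["last_seen"])).days


# Constructed first version: first_seen only, as the objects have today.
CAMPAIGN_V1 = {
    "type": "campaign",
    "id": "campaign--00000000-0000-4000-8000-000000000001",  # constructed id
    "created": "2016-11-01T09:00:00.000Z",
    "modified": "2016-11-01T09:00:00.000Z",
    "name": "Example campaign (constructed)",
    "first_seen": "2016-10-20T00:00:00.000Z",
}

# Constructed second version: the producer chose to add last_seen and
# shares it as a new version of the same object.
CAMPAIGN_V2 = new_version(
    CAMPAIGN_V1,
    "2016-11-17T12:00:00.000Z",
    last_seen="2016-11-16T18:30:00.000Z",
    last_seen_precision="hour",  # precision field as proposed in the thread
)

if __name__ == "__main__":
    current = latest_version([CAMPAIGN_V2, CAMPAIGN_V1])
    print(current["modified"], current.get("last_seen"))
    print(days_since_last_seen(current, _parse("2016-12-01T00:00:00.000Z")))
```

The point of `days_since_last_seen` returning `None` rather than zero for the first version is Allan's point 1: absence of the field is a producer choice and carries no information, so a consumer that turns "missing" into "seen today" or "never seen" would be inventing data.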
