Bret & All:
One of the problems I'm running into as I delve into data on a TIP is wrapping the IOCs in some sort of context; that is, if the original Producer of the data did not add the background information that is associated with the IOCs. As an analyst trying to work my way up the pyramid of pain by reverse engineering the malware, analyzing the (probably spoofed) geolocation information, looking for clues in the linkages within the malicious infrastructure, etc... I am often in the dark unless I have that richer context.
Granted, this is only one of the Use Cases; the one where human analysts are looking at the data. But in this instance, I find that contextual information is very helpful. Furthermore, I am working within the context of several ISAOs and ISACs where the level of adoption and sharing-maturity varies all across the board. It is my sense that the human impediments to the adoption of a "sharing" paradigm are the more difficult problem in this vision of a CTI community. Therefore, there will be a period whereby the transition from human analyst Use Cases to a pure MRTI ecosystem will be long and painful. This will be the case throughout the period when vendors are tooling up and products are rolling out. Even after that, there will be a lag between the vision of those of us here and market adoption. This will be due, in part, to the need to build out the workforce for CTI.
As such, I think we need to think of the Opinion and Intel Note objects as very important and SEPARATE objects that should be added as soon as possible to the STIX data model. It may be that, in the future, as the entire ecosystem transitions from Use Cases where human analysts are working the data to MRTI Use Cases, we can even deprecate one or the other object. But, at this time, I strongly support the camp that is calling for two separate objects for Opinion and Intel Note.

Option #2 is my choice.
Jane Ginn
CTIN
*****************************************************
Against 2 objects
- Jason Keirstead - IBM
- Bret Jordan - Symantec
- Rich Shok - US Bank
- Nicholas Hayden - Anomali
- Pat Maroney - Wapack Labs
- Stefan Hagen

In the Middle
- Allan Thompson - Looking Class
- Dave Cridland - Survive

For 2 objects
- John Wunder - MITRE
- Sarah Kelley - CIS
- Nathan Reller - JH APL
- Terry MacDonald

If you have not spoken up, please do so.
Bret
After a lot of conversation on intel note and opinion, we've narrowed down a lot of the questions on these two objects but have one big one remaining. Specifically, with both intel note and opinion existing as separate objects a few people (notably Jason and Bret) have noted that there may be overlap and in fact the objects should be merged into one. The thinking is that giving an opinion is essentially the same as giving extra analysis about something (or is at least handled the same way most of the time) and having two separate objects will be confusing for people. So, here's how I would outline the questions:
1. Should opinion and intel note remain separate objects?
   a. Merging them would provide a single object to provide a simple opinion on a scale (agree/disagree), an opinion on a scale with a text explanation (agree and here's why), and added analysis w/ no opinion scale (here's extra info about this object).
   b. Separating them would distinguish providing an opinion (agree/disagree) from providing extra analysis.
2. If we go with option b and we have two separate objects, should opinion have an optional description field?
   a. Having a description on opinion keeps all information about the opinion in a single object.
   b. Not having a description on opinion would mean that opinions are just the agree/disagree statements. People would use the intel note object to capture their explanation and therefore all text commentary would be provided by intel note.
It seems like the key thing people are wrestling with is whether there's a distinction between giving extra analysis or context to something and giving an opinion about something. I.e., when people are doing shared analysis, is it important to distinguish me providing an opinion on your object (agree/disagree/neutral) from me adding extra context (human-readable notes) to your data?
So, combining those questions, we have three options:
1. Opinion and intel note are separate objects, and opinion has a description. To have a text explanation of an opinion, you would use the description field on the opinion object.
2. Opinion and intel note are separate objects, and opinion does not have a description. To have a text explanation of an opinion, you would use an intel note and link it to the opinion.
3. Opinion and intel note are merged (likely calling it intel note, since not all of them would be opinions) and you would use that object to describe opinions, opinions w/ descriptions, and added analysis.
People can reply with their reasoning and pros/cons, but I'm particularly interested in hearing from people who have not chimed in yet. What is your preferred option? Any thoughts on the reasoning?
FYI, here are the latest working versions of intel note and opinion, in Google Docs. These are roughly option #1, based on the recent working call and a poll in Slack.
- Intel note: https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.74spnst8naxc
- Opinion: https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.haeazu2sh3sq
My own opinion (sorry, I know this pun is getting old) is that giving an opinion is distinct from adding analyst notes or extra context and therefore I prefer #1. My second choice would be #2, because I think #3 results in an ambiguous object that does too many things and can have completely orthogonal sets of fields, which to me is an indication that it really should be two objects.
Thanks,
John
--
Jane Ginn, MSIA, MRP
CTI-TC Co-Secretary
Cyber Threat Intelligence Network, Inc.
jg@ctin.us