This appears to be a reasonable suggestion, however, a close analysis of the definition of the SDOs shows that the Indicator, as the fundamental element of
intelligence, focuses more on providing information to objectively describe or indicate a specific “Intrusion Set”, not a Vulnerability.
Dr Edilson Arenas, Ph.D.
Discipline Leader – Networks and Information Security | School of Engineering and Technology, Higher Education Division
CQUniversity Australia, Level 3, 120 Spencer Street, Melbourne 3000
P +61 3 9616 0570 (x50570) | E e.arenas@cqu.edu.au
P
Please consider the environment before printing this message.
From: cti-comment@lists.oasis-open.org [mailto:cti-comment@lists.oasis-open.org]
On Behalf Of Mckay, Terrance L
Sent: Wednesday, 29 March 2017 7:41 AM
To: cti-comment@lists.oasis-open.org
Subject: [cti-comment] STIX 2.0 Relationship Comment
Upon review of the STIX 2.0 standard I have found what appears to be a missing relationship between the Indicator and Vulnerability objects. It would seem prudent that an "Indicator" object would be able to "indicate" a "Vulnerability".
However the draft standard does not list this as a defined type of relationship. I believe this is an important relationship for the standard, as being able to publish proactive indicators that indicate a vulnerability would be very beneficial to detect and
remediate a vulnerability before it is exploited by an adversary.
Thanks for your consideration in adding this to the standard.
Terrance McKay
Critical Infrastructure Analyst
Idaho National Laboratory
Email:
Terrance.McKay@inl.gov