Subject: Re: [cti-cybox] CybOX Objects/Relationships


A reason I’d hesitate is, like internationalization, for such a major topic I’d be worried about designing ourselves into a corner and precluding us from doing something in 3.1+ based on decisions we make for 3.0. Switching from embedding to using relationships would be a major change and so, for example on the network connection object, it would be hard to not make the decision now.

From: <cti-cybox@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Saturday, April 9, 2016 at 10:55 PM
To: Terry MacDonald <terry.macdonald@cosive.com>
Cc: "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>, "Jordan, Bret" <bret.jordan@bluecoat.com>, John-Mark Gurney <jmg@newcontext.com>, Ivan Kirillov <ikirillov@mitre.org>
Subject: Re: [cti-cybox] CybOX Objects/Relationships

"We had no standard way of sharing the fact we had received bad emails that contained a zip that contained a malicious PDF."

What I am saying is, is there actual evidence that simply sharing this as 3 observations is not "good enough" for MVP? Why does it matter at the end of the day, for matching purposes, if these are linked together? In most scenarios it wouldn't matter... I'll normally be looking for the malware, not the email it was sent in (which would be constantly morphing).

Yes, we can concoct scenarios where it would matter... but are they likely to be used, and thus required for MVP? Consider, STIX 1.X has no such relations.

Sent from IBM Verse


Terry MacDonald --- Re: [cti-cybox] CybOX Objects/Relationships ---

From: "Terry MacDonald" <terry.macdonald@cosive.com>
To: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
Cc: cti-cybox@lists.oasis-open.org, "Jordan, Bret" <bret.jordan@bluecoat.com>, "John-Mark Gurney" <jmg@newcontext.com>, "Ivan A. Kirillov" <ikirillov@mitre.org>
Date: Sat, Apr 9, 2016 7:01 PM
Subject: Re: [cti-cybox] CybOX Objects/Relationships


Hi all,

On 10/04/2016 03:47, "Jason Keirstead" <Jason.Keirstead@ca.ibm.com> wrote:
>
> - It is yet to be seen if this would ever actually be used by analysts. If people need it, they will come asking for it... until people ask for it we shouldn't be cooking up potential scenarios IMO.
>

Have we actually even asked the community if my suggestion was a valid scenario? We need to give the cif-users list a chance to comment on this. I think it's probably time for us to try to put together a list of specific use cases (without implementation details in them) so that we can agree on the scenarios that we will focus on in MVP.

Regarding needing it, we needed it at my previous security incident handler role in NZ (before STIX). We had no standard way of sharing the fact we had received bad emails that contained a zip that contained a malicious PDF. Or any format for allowed things to be stored inside it, for that matter. This is useful for sharing the details of any malware distribution run. I see these discussions today on groups I'm part of... In fact there was even a series of these messages sent last week on one Australian sharing group I belong to. With STIX and CybOX we have an opportunity to provide incident handlers and analysts with basic building blocks that they can use to put together the bits they need to build the story they want to tell. I really feel that the ability to relate the multiple components of something they observed is something that is important.

Cheers
Terry MacDonald