[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-stix] Proposal - Top Level Relationship Object
Good points (and the Rumsfeld reference is very fitting :) ). I’m definitely in agreement that an unknown assertion is the same as one with no backing.
So it seems like what we’re getting to here is:
That seems workable to me.
Regards,
Ivan
From: Jason Keirstead
Date: Wednesday, July 29, 2015 at 4:09 PM To: Ivan Kirillov Cc: Aharon Chernin, Jon Baker, Bret Jordan, Chris O'Brien, "cti-stix@lists.oasis-open.org", JG on CTI-TC, John Wunder Subject: Re: [cti-stix] Proposal - Top Level Relationship Object What is the difference between having an unknown assertion and an assertion with no backing... isn't it the same thing? Zero confidence to me implies that one has some backing data supporting the confidence assertion (or lack thereof), which is different from it being unknown. However, I can’t really fathom why you’d ever want to express a negative assertion such as zero confidence. Also, while we’re on this topic, I’m not a big fan of “unknown”, “other”, and similar catch-alls. IMO, if something like the confidence level in a relationship is unknown, it should simply not be included. Regards, Ivan From: <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead Date: Wednesday, July 29, 2015 at 3:25 PM To: John Wunder Cc: Aharon Chernin, Jon Baker, Bret Jordan, Chris O'Brien, "cti-stix@lists.oasis-open.org", JG on CTI-TC Subject: Re: [cti-stix] Proposal - Top Level Relationship Object Well... 0 would be exactly what it says... zero confidence, aka "no confidence".
I don't know, what does a confidence of 0 mean? To me the statement that the confidence is unknown is quite different from the statement that the confidence very low. From: <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead Date: Wednesday, July 29, 2015 at 3:19 PM To: "Wunder, John A." Cc: "Jordan, Bret", Aharon Chernin, Jon Baker, JG on CTI-TC, Chris O'Brien, "cti-stix@lists.oasis-open.org" Subject: Re: [cti-stix] Proposal - Top Level Relationship Object What is the difference between having confidence be optional or "unknown" and assigning a value of 0?
I agree with you on reducing optionality but to me these "unknown" values are just hiding optionality rather than eliminating it. If anything it seems like having the field not present vs. a special "unknown" value is more obvious and explicit because it makes it clear that it's a special case. Otherwise you're going to have a lot of "if val == 'unknown'" code paths, and hardcoded strings with special meanings are bad. John From: "Jordan, Bret" Date: Wednesday, July 29, 2015 at 1:55 PM To: Aharon Chernin Cc: Jon Baker, "Wunder, John A.", JG on CTI-TC, Chris O'Brien, "cti-stix@lists.oasis-open.org" Subject: Re: [cti-stix] Proposal - Top Level Relationship Object It has to be that way... Confidence has to be required, even if the the value is "unknown". We need to reduce the optionality and make code decision trees easier. Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards | Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
Have you considered the case where an analyst wants to simply say that this collection of objects seems to be related? Wouldn't this just be a low confidence relationship? Aharon Chernin CTO SOLTRA | An FS-ISAC & DTCC Company 18301 Bermuda green Dr Tampa, fl 33647 813.470.2173 | achernin@soltra.com www.soltra.com From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Baker, Jon <bakerj@mitre.org> Sent: Wednesday, July 29, 2015 8:37 AM To: Wunder, John A.; Jordan, Bret Cc: JG on CTI-TC; Chris O'Brien; cti-stix@lists.oasis-open.org Subject: RE: [cti-stix] Proposal - Top Level Relationship Object John, Have you considered the case where an analyst wants to simply say that this collection of objects seems to be related? Imagine a case where you think that a bunch of things (incidents/observables/etc) are related, but you have not yet done the in depth analysis to understand the nature of their relationship. I had this sort of generic grouping of things in mind for a top level relationship object. In this case, I don’t think you could always have a From and To IDREF. You might just have a collection of IDREFs. Jon ============================================ Jonathan O. Baker J83D - Cyber Security Partnerships, Sharing, and Automation The MITRE Corporation Email: bakerj@mitre.org From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Wunder, John A. Sent: Tuesday, July 28, 2015 4:15 PM To: Jordan, Bret <bret.jordan@bluecoat.com> Cc: JG on CTI-TC <jg@ctin.us>; Chris O'Brien <COBrien@cert.gov.uk>; cti-stix@lists.oasis-open.org Subject: Re: [cti-stix] Proposal - Top Level Relationship Object Sure...personally I would do this, which is almost identical to what we do now (other than being at the top level rather than within an object): Relationship ID (for the relationship) [required] From IDREF [required] To IDREF [required] Relationship Qualifier [required] Confidence [optional] I'm undecided on whether information source information belongs in the STIX data model at all. By virtue of being in the data model it means someone is asserting it so it's impossible to verify. Digital signatures or something else out of the data model (relying on TAXII, etc.) seem like a better approach to me. But I don't have strong opinions on this and if we do include information source in the data model I would add that here. John From: "Jordan, Bret" Date: Tuesday, July 28, 2015 at 4:05 PM To: "Wunder, John A." Cc: JG on CTI-TC, Chris O'Brien, "cti-stix@lists.oasis-open.org" Subject: Re: [cti-stix] Proposal - Top Level Relationship Object Great... Now we are discussing it... Please spell out what that would look like. Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards | Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
No directionality or description/qualifier? It seems like you want to be able to say *what* a relationship is describing and also which direction it goes in. I.e. TTP malware "is variant of" other TTP malware vs. TTP malware "is same as" other TTP malware given a different name by a different vendor From: <cti-stix@lists.oasis-open.org> on behalf of "Jordan, Bret" Date: Tuesday, July 28, 2015 at 3:41 PM To: JG on CTI-TC Cc: Chris O'Brien, "cti-stix@lists.oasis-open.org" Subject: Re: [cti-stix] Proposal - Top Level Relationship Object I see the relationship object being pretty simple and straight forward: Relationship IDREF (1-n) Source Confidence Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards | Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
Chris: You are not going insane...we are all dealing with these same issues. Some of the more recent discussions (after you made this post) with respect to 'Sightings' seem to make a lot of sense to me...that is, to push the Sighting functionality further down in the data model...That is, down to the CybOX level... And I think we need to think about the Relationship object with respect to 'Communities of Interest'... For example, a malware research Community of Interest that is using Indicator, Observable, TTP and ExploitTarget may seek to express Relationships in a way that shows the Static and Behavioral characteristics of the malware (deep in the data model and at a very refined level of granularity) ...Whereas an Incident Response Community of Interest that is using Indicator, Incident and CourseOfAction may need the Relationship object defined in a separate way.... that is, one that is more tied to "actionable intelligence" which may then tie into ExploitTarget, ThreatActor, and Campaign...which then becomes of interest to a law enforcement Community of Interest. Of course... handling this may take us back into the debate on Profiles... Jane Ginn CTIN On 7/27/2015 3:44 AM, Chris O'Brien wrote:
I'd perhaps throw in to the discussion that it may not need to be a standalone object in its own right - we're currently experimenting with using the existing stix architecture relationships (with a little extra meta data) to achieve the desired effect, but it gets messy quickly and direct references to the relationships are by-way-of the object that they sit on (then you ask...which end of the relationship is the 'master' for that relationship, or must they both be updated when a change is made...what happens if one of them isn't in your namespace, etc, etc). Jimmy-rigging solutions to those issues feels feasible, but messy, prescriptive and makes anyone with a coding background have a little cry to themselves. It's something we're having to think about here at the moment - just wanted to mention that it's still possible and would be less impactful to existing deployments. Cheers, cob PS: If anyone else is looking in to this sort of heuristic / predictive / minority report-esque implementation, it'd be good to hear from you. If only to confirm that I'm not going completely insane. -----Original Message----- From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Jordan, Bret Sent: 24 July 2015 22:57 To: cti-stix@lists.oasis-open.org Subject: [cti-stix] Proposal - Top Level Relationship Object I would like to see a top level relationship object that just contains references to the times that are related. This needs its own ID so people can reference it and disagree with it or sight it or enrich it with other data. Bret Sent from my Commodore 64 --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php -- Jane Ginn, MSIA, MRP Cyber Threat Intelligence Network, Inc. jg@ctin.us --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php [attachment "graycol.gif" deleted by Jason Keirstead/CanEast/IBM] [attachment "graycol.gif" deleted by Jason Keirstead/CanEast/IBM] |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]