Subject: Re: [cti-stix] STIX 2.0 - Sightings object
John, just working through this with you. I don't have a super strong opinion here.
> 1. I’ve noticed that a lot of these exchanges also include a sightings count. For example, it’ll say that org. X saw the indicator 35 times. Is that something we need to support?
After a lot of thought over the year, I have started to dislike sightings counts. Every tool has a different definition of what a sighting is or how they are counted. It's so different that I believe sightings will likely be a qualitative measurement that happens to include a number. Does this have a lot of sightings versus a small number of sightings? If sightings are so qualitative, then let's have systems just send a single sighting 1 time or a sighting 1,000 times. We can do this without a count field.
> 2. A lot of times people will want to sight an indicator (or even an observable) and include more details about what exactly was seen. For example, the indicator might be for an IP address but the sighting producer wants to include the actual network connection. So, given that, also consider that you might have sighting as a relationship between a full CybOX observable and the indicator that it matched (with the information source on the observable being who did the sighting) rather than a relationship between the producer and the indicator.
You could sight any object using the relationships. While it may not be as powerful as you define here, I think it is easier to implement. I am ok with reducing complexity at the cost of flexibility.
> 3. Do you sight indicators or observables (the age old question). Or, both? Can you sight a piece of malware even without an indicator?
If we leveraged the relationship object, you could sight any type of STIX object.
Aharon Chernin
CTO SOLTRA
An FS-ISAC & DTCC Company
18301 Bermuda Green Dr
Tampa, FL 33647
From: Wunder, John A. <jwunder@mitre.org>
Sent: Thursday, August 20, 2015 9:21 AM
To: Aharon Chernin
Cc: cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] STIX 2.0 - Sightings object

It’s funny you say that because I’ve had this same exact thought. I do think this is a good way to think about it.
A few complexities / things to think about
1. I’ve noticed that a lot of these exchanges also include a sightings count. For example, it’ll say that org. X saw the indicator 35 times. Is that something we need to support?
2. A lot of times people will want to sight an indicator (or even an observable) and include more details about what exactly was seen. For example, the indicator might be for an IP address but the sighting producer wants to include the actual network connection. So, given that, also consider that you might have sighting as a relationship between a full CybOX observable and the indicator that it matched (with the information source on the observable being who did the sighting) rather than a relationship between the producer and the indicator.
3. Do you sight indicators or observables (the age old question). Or, both? Can you sight a piece of malware even without an indicator?
John
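The proposal discussed above (one relationship per sighting, no count field, any STIX object as the sighted target, and an optional pointer to what was actually observed) can be sketched in code. The following is an added example written for this page; it is not code from the thread, from OASIS, or from the STIX 2.0 specification. The JSON shape, the relationship type "sighted", the "observed_ref" property, and all identifiers and sample data are constructed assumptions for illustration only. The consumer-side summary shows that a per-producer count can be derived by aggregating distinct sighting relationships, so a replayed message does not inflate the number.

```python
"""Constructed example: sightings modeled as relationship objects.

Assumptions (not the STIX 2.0 spec): a hypothetical relationship_type
"sighted" whose source_ref is the producer that saw something and whose
target_ref is any STIX object (indicator, malware, ...). An optional
hypothetical "observed_ref" points at the observable that actually
matched, so the producer can say what it saw without a count field.
"""
import json
import uuid
from collections import defaultdict

# Constructed identifiers for the sample data.
ORG_X = "identity--11111111-1111-4111-8111-111111111111"
ORG_Y = "identity--22222222-2222-4222-8222-222222222222"
IND_IP = "indicator--33333333-3333-4333-8333-333333333333"
MAL_Z = "malware--44444444-4444-4444-8444-444444444444"
OBS_CONN = "observed-data--55555555-5555-4555-8555-555555555555"


def make_sighting(producer_ref, sighted_ref, created, observed_ref=None, sighting_id=None):
    """Build one sighting as a relationship from producer to sighted object."""
    rel = {
        "type": "relationship",
        "id": sighting_id or "relationship--" + str(uuid.uuid4()),
        "relationship_type": "sighted",  # hypothetical relationship type
        "source_ref": producer_ref,      # who did the sighting
        "target_ref": sighted_ref,       # what was sighted (any STIX object)
        "created": created,
    }
    if observed_ref:
        # Hypothetical property: the full observable that matched the indicator.
        rel["observed_ref"] = observed_ref
    return rel


def summarize_sightings(objects):
    """Return {sighted_ref: {producer_ref: count}} derived from the objects.

    Each relationship id is counted once, so a message that is replayed or
    received over two channels does not inflate the derived count.
    """
    seen_ids = set()
    counts = defaultdict(lambda: defaultdict(int))
    for obj in objects:
        if obj.get("type") != "relationship" or obj.get("relationship_type") != "sighted":
            continue
        if obj["id"] in seen_ids:
            continue
        seen_ids.add(obj["id"])
        counts[obj["target_ref"]][obj["source_ref"]] += 1
    return {target: dict(by_producer) for target, by_producer in counts.items()}


def build_sample_bundle():
    """Constructed sample: three sightings of an IP indicator by Org X
    (one of them replayed), one by Org Y with the matching connection
    attached, and one sighting of a malware object with no indicator."""
    first = make_sighting(ORG_X, IND_IP, "2015-08-20T09:00:00Z",
                          sighting_id="relationship--aaaaaaaa-0000-4000-8000-000000000001")
    objects = [
        first,
        make_sighting(ORG_X, IND_IP, "2015-08-20T09:05:00Z",
                      sighting_id="relationship--aaaaaaaa-0000-4000-8000-000000000002"),
        make_sighting(ORG_X, IND_IP, "2015-08-20T09:10:00Z",
                      sighting_id="relationship--aaaaaaaa-0000-4000-8000-000000000003"),
        json.loads(json.dumps(first)),  # replay of the first message
        make_sighting(ORG_Y, IND_IP, "2015-08-20T10:00:00Z", observed_ref=OBS_CONN,
                      sighting_id="relationship--bbbbbbbb-0000-4000-8000-000000000001"),
        make_sighting(ORG_Y, MAL_Z, "2015-08-20T10:30:00Z",
                      sighting_id="relationship--bbbbbbbb-0000-4000-8000-000000000002"),
    ]
    return objects


if __name__ == "__main__":
    print(json.dumps(summarize_sightings(build_sample_bundle()), indent=2))
```

The consumer decides what a "count" means (distinct relationship ids per producer here); the producer never has to agree with other tools on how to count, which is the concern raised about a count field.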