Re: [cti-stix] STIX 2.0 - Sightings object

[Aharon Chernin <achernin@soltra.com>]

John, just working through this with you. I don't have a super strong opinion here.

> 1. I’ve noticed that a lot of these exchanges also include a sightings count. For example, it’ll say that org. X saw the indicator 35 times. Is that something we need to support?

After a lot of thought over the year, I have started to dislike sightings counts. Every tool has a different definition of what a sighting is or how they are counted. It's so different that I believe sightings will likely be a qualitative measurement that happens to include a number. Does this have a lot of sightings versus a small number of sightings.  If sightings are so qualitative, then let's have systems just send a single sightings 1 time or a sighting 1,000 times. We can do this without a count field.

> 2. A lot of times people will want to sight an indicator (or even an observable) and include more details about what exactly was seen. For example, the indicator might be for an IP address but the sighting producer wants to include the actual network connection. So, given that, also consider that you might have sighting as a relationship between a full CybOX observable and the indicator that it matched (with the information source on the observable being who did the sighting) rather than a relationship between the producer and the indicator.

You could sight any object using the relationships. While it may not be as powerful as you define here, I think it is easier to implement. I am ok with reducing complexity at the cost of flexibility.

> 3. Do you sight indicators or observables (the age old question). Or, both? Can you sight a piece of malware even without an indicator?

If we leveraged the relationship object, you could sight any type of STIX object. 

Aharon Chernin
CTO

SOLTRA | An FS-ISAC & DTCC Company

18301 Bermuda green Dr

Tampa, fl 33647

813.470.2173 | achernin@soltra.com

www.soltra.com

---

From: Wunder, John A. <jwunder@mitre.org>
Sent: Thursday, August 20, 2015 9:21 AM
To: Aharon Chernin
Cc: cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] STIX 2.0 - Sightings object

 

It’s funny you say that because I’ve had this same exact thought. I do think this is a good way to think about it.

A few complexities / things to think about

1. I’ve noticed that a lot of these exchanges also include a sightings count. For example, it’ll say that org. X saw the indicator 35 times. Is that something we need to support?

2. A lot of times people will want to sight an indicator (or even an observable) and include more details about what exactly was seen. For example, the indicator might be for an IP address but the sighting producer wants to include the actual network connection. So, given that, also consider that you might have sighting as a relationship between a full CybOX observable and the indicator that it matched (with the information source on the observable being who did the sighting) rather than a relationship between the producer and the indicator.

3. Do you sight indicators or observables (the age old question). Or, both? Can you sight a piece of malware even without an indicator?

John

On Aug 20, 2015, at 8:24 AM, Aharon Chernin <achernin@soltra.com> wrote:

This should be "sightings object rethought". While coming up with a proposal, I spotted a different way of thinking about Sightings. In my opinion, the most important thing is determining which STIX object is being sighted. However, there is some other bits of information that is useful: sightings producer and date/time of sighting.

Now take a look at the recent relationship object discussions:

Relationship Object Discussion:

ID [1]: The ID of the relationship, a simple random GUID

Marking[1]:  The ID of the marking object that you should reference 
Version [1]: The version of the relationship; a simple number to be used with the ID for version control 
Type [1]: The “type” of relationship being expressed.  (Not sure of how this works yet)
Description [1]: A single simple and short description
Source [1] : The ID of one or more source entities in the relationship as a URI (not QName)
Targets [1..N]: The ID of one or more targets in the relationship as a URI (not QName)
Start [1]: A timestamp in UTC stating when the relationship between the objects started, or the text 'unknown'.
End [1]: A timestamp in UTC stating when the relationship between the objects ended, or the text 'ongoing', or the text 'unknown'.
Reliability/Confidence [1]: A measure of confidence in the relationship using the Information Reliability scale.
Producer [1]:  A simple producer object like what John calls out

Timestamp [1]: A timestamp in UTC stating when the relationship object was created.

Idea:

Could a sighting be a type of Relationship? 

Relationship Object Discussion:

ID [1]: <GUID>

Marking[1]:  TLP Green
Version [1]: 1
Type [1]: Sighting
Description [1]: Soltra Edge reported Sighting
Source [1] : Soltra
Targets [1..N]: soltra:indicator-<GUID>
Start [1]:
End [1]:
Reliability/Confidence [1]:
Producer [1]:  Soltra

Timestamp [1]: <timestamp>

Or is there more meta data we need to collect regarding sightings that a sighting deserves it's own object?

Aharon Chernin
CTO

SOLTRA | An FS-ISAC & DTCC Company

18301 Bermuda green Dr

Tampa, fl 33647

813.470.2173 | achernin@soltra.com

www.soltra.com