OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti-stix message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [cti-stix] Targeting in STIX 2.0

I would agree with this.

I think breaking out Victim to its own construct partially but not completely addresses this.
I think that potentially also breaking out Identity to its own construct would even further address this issue and many others.
With Identity broken out, you could define the identity of a party one time and under differing circumstances reference them as a victim, a source, a threat actor, etc.

A lot of these issues and optimal solutions become WAY more clear when we start to model them semantically rather than just structurally/schematically.


From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of Patrick Maroney <Pmaroney@Specere.org>
Date: Monday, September 21, 2015 at 2:05 PM
To: Aharon Chernin <achernin@soltra.com>, John Wunder <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Targeting in STIX 2.0

Target = Victim (or "Intermediary" who is both Victim and Attacker in a "MITM"/Supply Chain Attack TTP).  Plenty of legacy verbiage on why some of us argue that "Target" is a critical missing element/TLO in CTI (most recently when discussing CTI Charter).

We can currently describe who's holding the spear, the attributes of the spear, and the "point" where the "pointy part" is headed/entered...but not the "pointee".

From: <cti-stix@lists.oasis-open.org> on behalf of "Chernin, Aharon"
Date: Monday, September 21, 2015 at 1:56 PM
To: "Wunder, John A.", "cti-stix@lists.oasis-open.org"
Subject: Re: [cti-stix] Targeting in STIX 2.0

For example, a cyber intelligence feed that provides attack target URLS: TTP -> Victim Targeting -> Observable -> URL

Which of my URLs are being attacked?


From: <cti-stix@lists.oasis-open.org> on behalf of "Wunder, John A."
Date: Monday, September 21, 2015 at 1:14 PM
To: "cti-stix@lists.oasis-open.org"
Subject: Re: [cti-stix] Targeting in STIX 2.0

What do you mean by targeting? Can you give a couple examples of how that would make the content smaller/better?

Sorry, just having trouble picturing this.


On Sep 21, 2015, at 12:57 PM, Aharon Chernin <achernin@soltra.com> wrote:

Hate to change the subject. Also, I hate thinking about new high level objects. Not every type of data should be high level object worthy, or else we risk STIX 2.0 having 30 of them and becoming more complex.

I was looking at some proper STIX 1.0 last week. The documents were well formed, but at the same time they were MASSIVE and had tens of thousands of relationships. I wanted to provide some feedback to the author on how to reduce the complexity of the document while preserving the context that the document contained. That’s when it hit me. If targeting wasn’t included within the TTP object, the documents would have been dramatically smaller and easier to digest.

Keep in mind that if we found a good home for targeting, we could use targeting in other concepts (like fraud for example).

  1. Do you agree that we should have open discussion regarding the removal of targeting from TTP in 2.x?
  2. If so, where would it go? A new top level object *sigh*? Or maybe in another existing object?

Aharon Chernin
18301 Bermuda green Dr
Tampa, fl 33647
813.470.2173 | achernin@soltra.com

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]