OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti-stix message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [cti-stix] Targeting in STIX 2.0

abstraction of this, following the semantic way, and interoperability
in mind, and research for existing standardization effort, could lead
you to something like the Asset Identification

2015-09-21 21:15 GMT+03:00 Barnum, Sean D. <sbarnum@mitre.org>:
> I would agree with this.
> I think breaking out Victim to its own construct partially but not
> completely addresses this.
> I think that potentially also breaking out Identity to its own construct
> would even further address this issue and many others.
> With Identity broken out, you could define the identity of a party one time
> and under differing circumstances reference them as a victim, a source, a
> threat actor, etc.
> A lot of these issues and optimal solutions become WAY more clear when we
> start to model them semantically rather than just
> structurally/schematically.
> sean
> From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on
> behalf of Patrick Maroney <Pmaroney@Specere.org>
> Date: Monday, September 21, 2015 at 2:05 PM
> To: Aharon Chernin <achernin@soltra.com>, John Wunder <jwunder@mitre.org>,
> "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
> Subject: Re: [cti-stix] Targeting in STIX 2.0
> Target = Victim (or "Intermediary" who is both Victim and Attacker in a
> "MITM"/Supply Chain Attack TTP).  Plenty of legacy verbiage on why some of
> us argue that "Target" is a critical missing element/TLO in CTI (most
> recently when discussing CTI Charter).
> We can currently describe who's holding the spear, the attributes of the
> spear, and the "point" where the "pointy part" is headed/entered...but not
> the "pointee".
> From: <cti-stix@lists.oasis-open.org> on behalf of "Chernin, Aharon"
> Date: Monday, September 21, 2015 at 1:56 PM
> To: "Wunder, John A.", "cti-stix@lists.oasis-open.org"
> Subject: Re: [cti-stix] Targeting in STIX 2.0
> For example, a cyber intelligence feed that provides attack target URLS: TTP
> -> Victim Targeting -> Observable -> URL
> Which of my URLs are being attacked?
> Aharon
> From: <cti-stix@lists.oasis-open.org> on behalf of "Wunder, John A."
> Date: Monday, September 21, 2015 at 1:14 PM
> To: "cti-stix@lists.oasis-open.org"
> Subject: Re: [cti-stix] Targeting in STIX 2.0
> What do you mean by targeting? Can you give a couple examples of how that
> would make the content smaller/better?
> Sorry, just having trouble picturing this.
> John
> On Sep 21, 2015, at 12:57 PM, Aharon Chernin <achernin@soltra.com> wrote:
> Hate to change the subject. Also, I hate thinking about new high level
> objects. Not every type of data should be high level object worthy, or else
> we risk STIX 2.0 having 30 of them and becoming more complex.
> I was looking at some proper STIX 1.0 last week. The documents were well
> formed, but at the same time they were MASSIVE and had tens of thousands of
> relationships. I wanted to provide some feedback to the author on how to
> reduce the complexity of the document while preserving the context that the
> document contained. That’s when it hit me. If targeting wasn’t included
> within the TTP object, the documents would have been dramatically smaller
> and easier to digest.
> Keep in mind that if we found a good home for targeting, we could use
> targeting in other concepts (like fraud for example).
> Questions:
> Do you agree that we should have open discussion regarding the removal of
> targeting from TTP in 2.x?
> If so, where would it go? A new top level object *sigh*? Or maybe in another
> existing object?
> --
> Aharon Chernin
> SOLTRA | An FS-ISAC & DTCC Company
> 18301 Bermuda green Dr
> Tampa, fl 33647
> 813.470.2173 | achernin@soltra.com
> www.soltra.com

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]