Subject: Re: [cti-stix] Re: [cti-users] Indicator Type / Vocabulary Implementation Questions
Just to throw one kink into this conversation.
From our perspective (we use the Soltra Edge implementation of Stix, and have close to 25,000 things in it), the ONLY indicator types we have used to date are Malicious Email, IP Watchlist, Domain Watchlist, File Hash Watchlist, and URL Watchlist.
It almost sounds like we have a completely different understanding of how the “Indicator Type” is supposed to be used. We’ve been using it to categorize the type of data we’ve been feeding it for our network sensors.
Sarah Kelley
Senior CERT Analyst
Center for Internet Security (CIS)
Integrated Intelligence Center (IIC)
Multi-State Information Sharing and Analysis Center (MS-ISAC)
1-866-787-4722 (7×24 SOC)
Email: cert@cisecurity.org
www.cisecurity.org
Follow us @CISecurity
From: <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Saturday, October 24, 2015 at 5:04 AM
To: John-Mark Gurney <jmg@newcontext.com>
Cc: "Barnum, Sean D." <sbarnum@mitre.org>, "Grobauer, Bernd" <Bernd.Grobauer@siemens.com>, "Wunder, John A." <jwunder@mitre.org>, "Cliff.Palmer@gd-ms.com" <Cliff.Palmer@gd-ms.com>, "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Re: [cti-users] Indicator Type / Vocabulary Implementation Questions

I like the direction this is going

    Malicious
    Watchlist
    C2
    Anonymization
    Exfiltration

This was my internal list so far - thoughts?
Malicious Activity
Command and Control *
Anonymization
Data Exfiltration
Lateral Movement
Privilege Escalation
Reconnaissance
Host/Process Compromise
Watchlist
Quantified Risk
Policy Violation **

* I prefer descriptive names other than acronyms like "C2"; it makes it easier for translation purposes.
** Not sure about this one... it's kind of straying outside the CTI realm, although I do see a great value / need for it in the vocabulary.

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown

From: John-Mark Gurney <jmg@newcontext.com>
To: "Barnum, Sean D." <sbarnum@mitre.org>
Cc: "Grobauer, Bernd" <Bernd.Grobauer@siemens.com>, "Wunder, John A." <jwunder@mitre.org>, Jason Keirstead/CanEast/IBM@IBMCA, "Cliff.Palmer@gd-ms.com" <Cliff.Palmer@gd-ms.com>, "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>, cti-stix@lists.oasis-open.org
Date: 2015/10/23 03:57 PM
Subject: [cti-stix] Re: [cti-users] Indicator Type / Vocabulary Implementation Questions
Sent by: <cti-stix@lists.oasis-open.org>

I have created an issue for this as when I was reviewing the vocab list, it did not cover our use case. The issue I created: https://github.com/STIXProject/specifications/issues/35

I believe that this will help people use the Vocab better, and may reduce the need for custom vocabs. Please comment on this issue to provide feedback. Thanks.

I have included the text of the issue here for reference:

There is a discussion on cti-users and cti-stix about improving the IndicatorTypeVocab. I believe that having a vocab is a useful thing. But I believe the existing vocab needs to be improved.

First off, type information, like e-mail, ip, file hash, domain, etc. should be removed. You should/must be able to get this information from the Observable that is part of the Indicator. For one, there is no vocab to describe a malicious observable, say network packet, stream, or other activity. Though if the e-mail type is removed from Malicious E-mail, and it just became Malicious (Observable), then we would have something.

Removing type information would reduce the IndicatorTypeVocab down to:

    Compromised
    Malicious
    Watchlist
    C2
    Anonymization
    Exfiltration

The first three are interesting. Compromised means that this Observable indicates that you ARE compromised. Malicious means that you WILL be compromised by this Observable, and Watchlist means that you MAY get compromised by this Observable.

Arguably, C2 should fall under Compromised, but as it probably requires further investigation to figure out the original compromised host, I'm fine leaving this as its own separate type.

On Fri, Oct 23, 2015 at 7:19 AM, Barnum, Sean D. <sbarnum@mitre.org> wrote:
...
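The split John-Mark proposes (intent in Indicator Type, data type recovered from the Observable) and Sarah's use of Indicator Type to route data to sensors can both be shown in a few lines. The following is an added example, not code from the thread, from Soltra Edge or from the STIX project: the indicator records are constructed plain dicts loosely modelled on STIX 1.x Indicator / CybOX Observable objects (the `xsi_type` strings approximate CybOX object type names and are an assumption, as is the legacy-to-intent mapping table), and the helper names are hypothetical.

```python
"""Derive the observable data type from the Observable and keep the
Indicator Type for intent only.  Added example; not from the thread or STIX.

Records are constructed dicts, not the real STIX/CybOX schema (assumption)."""

# Reduced, intent-only vocabulary from John-Mark's proposal.
INTENT_VOCAB = {"Compromised", "Malicious", "Watchlist",
                "C2", "Anonymization", "Exfiltration"}

# Legacy IndicatorTypeVocab values named in the thread, mapped to intent.
# Assumption: every "<data> Watchlist" collapses to Watchlist and
# "Malicious E-mail" to Malicious; the three intent terms carry over.
LEGACY_TO_INTENT = {
    "Malicious E-mail": "Malicious",
    "IP Watchlist": "Watchlist",
    "Domain Watchlist": "Watchlist",
    "File Hash Watchlist": "Watchlist",
    "URL Watchlist": "Watchlist",
    "C2": "C2",
    "Anonymization": "Anonymization",
    "Exfiltration": "Exfiltration",
}


def observable_data_type(observable):
    """Return the data type (email, ipv4, domain, url, file_hash, ...) from the
    Observable's object, so it need not be encoded in Indicator Type.
    xsi_type values approximate CybOX 2.x object type names (assumption)."""
    obj = observable["object"]
    xsi_type = obj["xsi_type"]
    if xsi_type == "EmailMessageObjectType":
        return "email"
    if xsi_type == "AddressObjectType":
        category = obj.get("category", "")
        if category == "ipv4-addr":
            return "ipv4"
        if category == "ipv6-addr":
            return "ipv6"
        return "address"
    if xsi_type == "DomainNameObjectType":
        return "domain"
    if xsi_type == "URIObjectType":
        return "url"
    if xsi_type == "FileObjectType" and obj.get("hashes"):
        return "file_hash"
    if xsi_type == "NetworkConnectionObjectType":
        return "network_connection"
    raise ValueError("unhandled observable type: %s" % xsi_type)


def intent_of(indicator_type):
    """Accept either a reduced-vocab term or a legacy term; reject the rest."""
    if indicator_type in INTENT_VOCAB:
        return indicator_type
    if indicator_type in LEGACY_TO_INTENT:
        return LEGACY_TO_INTENT[indicator_type]
    raise ValueError("unknown indicator type: %r" % (indicator_type,))


def reclassify(indicator):
    """Return (intent, data_type) for one indicator record."""
    return (intent_of(indicator["indicator_type"]),
            observable_data_type(indicator["observable"]))


def sensor_feeds(indicators):
    """Group indicator ids by observable data type: the IP list, domain list,
    hash list a sensor wants, without the data type living in Indicator Type."""
    feeds = {}
    for ind in indicators:
        _, data_type = reclassify(ind)
        feeds.setdefault(data_type, []).append(ind["id"])
    return feeds


# Constructed sample indicators (not real intelligence).
SAMPLE_INDICATORS = [
    {"id": "ind-1", "indicator_type": "IP Watchlist",
     "observable": {"object": {"xsi_type": "AddressObjectType",
                               "category": "ipv4-addr", "value": "192.0.2.10"}}},
    {"id": "ind-2", "indicator_type": "Malicious E-mail",
     "observable": {"object": {"xsi_type": "EmailMessageObjectType",
                               "subject": "Invoice attached"}}},
    {"id": "ind-3", "indicator_type": "File Hash Watchlist",
     "observable": {"object": {"xsi_type": "FileObjectType",
                               "hashes": {"MD5": "d41d8cd98f00b204e9800998ecf8427e"}}}},
    {"id": "ind-4", "indicator_type": "C2",
     "observable": {"object": {"xsi_type": "DomainNameObjectType",
                               "value": "c2.example.net"}}},
    # No legacy "<data> Watchlist" term fits a network connection; with the
    # split it is simply Malicious intent plus a network_connection observable.
    {"id": "ind-5", "indicator_type": "Malicious",
     "observable": {"object": {"xsi_type": "NetworkConnectionObjectType",
                               "dst_port": 4444}}},
]

if __name__ == "__main__":
    for ind in SAMPLE_INDICATORS:
        print(ind["id"], reclassify(ind))
    print(sensor_feeds(SAMPLE_INDICATORS))
```

Running it prints one (intent, data_type) pair per record and then the per-data-type feeds; the `ind-5` record is the case John-Mark raises, an observable the legacy vocabulary has no term for that the split handles without a custom vocab.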