cti-stix message

Subject: Re: [cti-stix] RE: STIX Sightings


I agree that a Sighting should just be a positive, “I saw this”. I’d love to keep the complexity down here for our initial pass. I believe that implementing a negative sighting is probably going to be orders of magnitude more work than a positive sighting for a tool vendor. A positive Sighting can be sent as a TAXII client operation due to the limited number of them that will be generated (i.e. not infinite) and the fact that no question is being asked. However, if we have to ask someone “Have you seen this?”, we will likely require the tool vendor to implement a TAXII server to send these negatives.

TLDR
Positive Sightings = STIX w/TAXII Client operation
Negative Sightings = STIX w/TAXII Server 

What if we implement RFIs using TAXII 2 query instead? We could send a TAXII query request asking if a particular observable has been seen.

Aharon

From: <cti-stix@lists.oasis-open.org> on behalf of "Davidson II, Mark S" <mdavidson@mitre.org>
Date: Thursday, October 29, 2015 at 7:50 AM
To: Joep Gommers <joep@eclecticiq.com>, "Jonathan Bush (DTCC)" <jbush@dtcc.com>, 'Patrick Maroney' <Pmaroney@Specere.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: RE: [cti-stix] RE: STIX Sightings

The Request/Response case and the negative sighting case seem to be slightly different to me. For the request/response case, you have a request and a specific response to that request. Some form of “empty” response in that context could be sufficient for the “negative sighting” (vs. adding a field to the data model).


In terms of a sighting that was not requested (e.g., event-based exchanges, like a sensor that sends sightings as they are seen), I don’t see how a negative sighting would be useful, since there is an infinite number of things that e.g., a sensor hasn’t seen at any given point in time.


Based on the above, I see how the ability to say “I haven’t seen that” makes sense, but I’m not sold that it needs to be accomplished with a field in the sighting object.


Thank you.

-Mark


From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Joep Gommers
Sent: Thursday, October 29, 2015 9:32 AM
To: Bush, Jonathan <jbush@dtcc.com>; 'Patrick Maroney' <Pmaroney@Specere.org>; cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] RE: STIX Sightings


+1 on what Patrick and Jonathan said


From: "Bush, Jonathan" <jbush@dtcc.com>
Date: Thursday, October 29, 2015 at 2:30 PM
To: 'Patrick Maroney' <Pmaroney@Specere.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, Joep Gommers <joep@eclecticiq.com>
Subject: RE: [cti-stix] RE: STIX Sightings


So from an implementation perspective (the part I was more alluding to conversation on), we would need a “positive/negative” indicator as a mandatory field, no? Any other implementation implications?


From: Patrick Maroney [mailto:Pmaroney@Specere.org]
Sent: Thursday, October 29, 2015 9:29 AM
To: cti-stix@lists.oasis-open.org; Bush, Jonathan; 'Joep Gommers'
Subject: Re: [cti-stix] RE: STIX Sightings


Source: RFI: Have you seen this?

Recipient: No.

...Or more nuanced:

Recipient: No, I looked over this period of time using this method and have this level of certainty that we've not had anything matching this pattern.

Patrick Maroney
President
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org





On Thu, Oct 29, 2015 at 6:23 AM -0700, "Bush, Jonathan" <jbush@dtcc.com> wrote:

A “negative sighting”?  Mind = Blown!


Can you talk about that some more? 


From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Joep Gommers
Sent: Thursday, October 29, 2015 5:39 AM
To: cti-stix@lists.oasis-open.org
Subject: [cti-stix] STIX Sightings


Dear list,


My view on sightings:


Threat Intelligence is in part about moving unknown unknowns to known unknowns, e.g. discovering new “threats” (ignoring for just a second the analytical construct of it). Part is moving these known unknowns to known knowns, by understanding the problem well enough to meet stakeholders’ information needs in whatever spectrum of deterrence, defeat or prevention they are working. For example: the SOC (deter) requires indicator and warning information, the IR teams (defeat) require ad-hoc intelligence support and/or executives/commanders need strategic intelligence reports (prevention).


The emerging threat intelligence or threat management function in the large enterprise and government institution revolves around Threat Management. In effect some variation of the above process with the additional strategic question: are we “managing” / “in control” of the threats we identified? This is done in part by validating if your constituency is informed, affected and if – or to what extent – they have deterrence, defeat or preventive measures in place.


Sightings play a part in this process, by ensuring a Threat Management capability can validate if – based on current information position – the constituency is potentially affected or not. Further analysis will determine if incident management is required to really judge if the organization is affected or not and to what extent it is managed. For me this implies a couple of things for STIX Sightings:

- Sightings should be either positive (I’ve seen a potential indication of a threat) or negative (I haven’t seen an indication).

- Sightings are either produced by machines or by humans.

- In the interplay between man and machine, it is not a given that the machine is aware of every detail that can potentially be sighted (e.g. a specific observable). Sometimes the interpretation of an analyst is required to determine this. For example, a STIX indicator with nothing more than a rough description could be enough for a human analyst to interpret and sight it. Similarly, if a hypothesis is described in a report object, without any further technical indication or observable information, it should allow for human interpretation and potential sighting.

- In conclusion: sightings should be thought of as MUCH wider than observables and indicators. Surely into TTP, Exploit Targets, Incidents, Reports, etc. In part because you can’t ASSUME that the full context is available to be sighted.

- Estimative language or estimative judgement is an important construct to consider in the world of Sightings, Relationships and the future of STIX. Human judgement allows for estimative judgement and machines allow for probability based on pattern interpretation of STIX intelligence.


Lastly, at EclecticIQ we’ve actually implemented a Sightings Object alongside the world of STIX objects that behaves in much of the way I describe above – with success. 


I’ll try and find time in the next two weeks to share more real-world lessons learned to inform STIX 2.0. 


Best regards,

Joep



DTCC DISCLAIMER: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify us immediately and delete the email and any attachments from your system. The recipient should check this email and any attachments for the presence of viruses.  The company accepts no liability for any damage caused by any virus transmitted by this email.


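The thread weighs two ways of expressing "I have not seen this": an explicit negative Sighting carrying polarity, search period, method and confidence (Joep's and Patrick's messages), versus a request/response exchange in which an empty answer is the negative and event-driven sensors only ever push positives (Mark's and Aharon's messages). The following is an added illustration written for this archive page; it is not code from the thread, from EclecticIQ's implementation, or from any STIX or TAXII specification. All field names (`polarity`, `producer`, `search_window`, `method`, `confidence`), the indicator ids and the observed timestamps are constructed placeholders, and the STIX 2.x Sighting object defines different fields.

```python
"""Added example: the two "not seen" designs debated on the cti-stix list.

Nothing here implements the STIX or TAXII specifications; field names and
ids are hypothetical placeholders chosen to mirror the discussion.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class Sighting:
    sighting_of: str                     # id of the thing that was (not) sighted
    polarity: str                        # "positive" or "negative" (Joep's proposal)
    producer: str                        # "machine" or "human" (Joep's second point)
    observed_at: Optional[datetime] = None
    # Fields for Patrick's "more nuanced" negative answer:
    search_window: Optional[Tuple[datetime, datetime]] = None  # period searched
    method: Optional[str] = None                                # how it was searched
    confidence: Optional[int] = None                            # estimative judgement, 0-100


# Constructed sample of what a local sensor has actually observed, keyed by a
# placeholder indicator id. These are not real STIX identifiers.
OBSERVED: Dict[str, datetime] = {
    "indicator--example-0001": datetime(2015, 10, 28, 13, 5, tzinfo=timezone.utc),
    "indicator--example-0002": datetime(2015, 10, 29, 8, 0, tzinfo=timezone.utc),
}


def push_sightings(observed: Dict[str, datetime] = OBSERVED) -> List[Sighting]:
    """Event-driven case (Aharon's TAXII-client push, Mark's sensor example):
    the sensor emits only positive sightings, because the set of things it
    has NOT seen is unbounded and no question was asked."""
    return [
        Sighting(sighting_of=ind, polarity="positive", producer="machine", observed_at=ts)
        for ind, ts in observed.items()
    ]


def answer_rfi_empty(indicator_id: str,
                     observed: Dict[str, datetime] = OBSERVED) -> List[Sighting]:
    """Request/response design from Mark's message: "have you seen this?" is
    answered with the matching positive sightings, and an empty list IS the
    negative answer. No polarity field is needed in the data model."""
    if indicator_id in observed:
        return [Sighting(indicator_id, "positive", "machine", observed_at=observed[indicator_id])]
    return []


def answer_rfi_negative(indicator_id: str,
                        window: Tuple[datetime, datetime],
                        method: str,
                        confidence: int,
                        observed: Dict[str, datetime] = OBSERVED) -> Sighting:
    """Request/response design from Joep's and Patrick's messages: an explicit
    negative Sighting that records what period was searched, by what method,
    and how certain the analyst is. The positive branch carries none of that
    context, since a hit speaks for itself."""
    if indicator_id in observed:
        return Sighting(indicator_id, "positive", "machine", observed_at=observed[indicator_id])
    return Sighting(indicator_id, "negative", "human",
                    search_window=window, method=method, confidence=confidence)


if __name__ == "__main__":
    window = (datetime(2015, 9, 29, tzinfo=timezone.utc),
              datetime(2015, 10, 29, tzinfo=timezone.utc))
    for s in push_sightings():
        print("pushed:", s)
    print("empty-response RFI:", answer_rfi_empty("indicator--example-9999"))
    print("negative-sighting RFI:",
          answer_rfi_negative("indicator--example-9999", window, "proxy log search", 80))
```

The two RFI functions answer the same question over the same constructed store; the difference is only whether the "no" is an empty payload or a first-class object that can carry the search window, method and confidence that a consumer might want to weigh.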


