cti-stix message

Subject: Re: [cti-stix] Top-level Sighting Object from last meeting


Can someone go through the workflow for using these assertion-type sightings? It is far from clear to me how these are planned to be used.

- The only way negative assertions work in practice is if we are now saying that when one consumes an object, they should reply with either a positive or negative assertion.
- Going down the track that *every indicator* should be responded to with a sighting, either positive or negative.
- Now you have another problem, for how long do you report these "negative assertions"? Forever? Indicators do not have a life-span attribute.

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: Joep Gommers <joep@eclecticiq.com>
To: "Jordan, Bret" <bret.jordan@bluecoat.com>, Jason Keirstead/CanEast/IBM@IBMCA, "Sean D. Barnum" <sbarnum@mitre.org>, "Cory Casanave" <cory-c@modeldriven.com>, "Thompson, Dean" <Dean.Thompson@anz.com>, Terry MacDonald <terry@soltra.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 2015/10/29 10:57 AM
Subject: Re: [cti-stix] Top-level Sighting Object from last meeting
Sent by: <cti-stix@lists.oasis-open.org>





I’m not sure about the semantics. Other than in our threat model (STIX) we need to be able to make statements around

I [machine or human] [certainly|almost certainly|probably|evenly|probably not|have not] [have observed|have not observed] [something on my abstraction level] when evaluating against [information source]

E.g.

I machine have certainly observed 213.197.30.28 on network X, firewall B
I human have probably observed TTP X on host Y, AV scanner X
I machine have probably observed indicator X (e.g. 80% match) on SIEM B, model Y, logevents XYS
I machine have not observed file.exe on SIEM C, logs until 2015-01-01
I human have almost certainly observed report Y while watching raw network packets in ASCII

Not sure (also not natively my language, my apologies) about it being sightings/assertions/etc.

J-

From: "Jordan, Bret" <bret.jordan@bluecoat.com>
Date: Thursday, October 29, 2015 at 2:49 PM
To: Joep Gommers <joep@eclecticiq.com>
Cc: Jason Keirstead <Jason.Keirstead@ca.ibm.com>, "Sean D. Barnum" <sbarnum@mitre.org>, Cory Casanave <cory-c@modeldriven.com>, "Thompson, Dean" <Dean.Thompson@anz.com>, Terry MacDonald <terry@soltra.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Top-level Sighting Object from last meeting

Joep,

Would these be assertions or actual sightings?


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."





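The statement grammar in Joep's message ("I [machine or human] [confidence] [have observed|have not observed] [something] when evaluating against [information source]") and Jason's question about how long a negative assertion stays valid can both be made concrete in code. The block below is an added illustration written for this archive page; it is not STIX, not a CTI TC proposal, and not code from any participant. The field names, the numeric anchors for the confidence words, and the `evaluated_until` bound on negative assertions are assumptions made here; the sample sightings are constructed from the five example sentences in the message.

```python
"""Structured form of the sighting statements discussed in the thread.

Grammar modelled (from the message):
  I [machine|human] [certainly|almost certainly|probably|evenly|probably not]
  [have observed|have not observed] [something] when evaluating against [source]

Added illustration only; field names, confidence scores and the
``evaluated_until`` coverage bound are assumptions, not STIX.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, Iterable, Optional


class Confidence(Enum):
    CERTAINLY = "certainly"
    ALMOST_CERTAINLY = "almost certainly"
    PROBABLY = "probably"
    EVENLY = "evenly"
    PROBABLY_NOT = "probably not"


# Assumed numeric anchors for the confidence words (illustrative values).
CONFIDENCE_SCORE: Dict[Confidence, float] = {
    Confidence.CERTAINLY: 1.0,
    Confidence.ALMOST_CERTAINLY: 0.9,
    Confidence.PROBABLY: 0.75,
    Confidence.EVENLY: 0.5,
    Confidence.PROBABLY_NOT: 0.25,
}


@dataclass(frozen=True)
class Sighting:
    producer: str                  # "machine" or "human"
    confidence: Confidence
    observed: bool                 # False is a negative assertion
    subject: str                   # indicator, TTP, file, report, ...
    source: str                    # information source evaluated against
    evaluated_until: Optional[date] = None  # end of the data window searched

    def __post_init__(self) -> None:
        if self.producer not in ("machine", "human"):
            raise ValueError("producer must be 'machine' or 'human'")
        # A negative assertion only covers the data that was actually
        # evaluated, so it must say up to when that data runs (assumption).
        if not self.observed and self.evaluated_until is None:
            raise ValueError("negative assertion needs evaluated_until")

    def statement(self) -> str:
        """Render the sighting in the sentence form used in the message."""
        if self.observed:
            verb = f"have {self.confidence.value} observed"
        elif self.confidence is Confidence.CERTAINLY:
            verb = "have not observed"
        else:
            verb = f"have {self.confidence.value} not observed"
        text = f"I {self.producer} {verb} {self.subject} on {self.source}"
        if self.evaluated_until is not None:
            text += f", logs until {self.evaluated_until.isoformat()}"
        return text


def consolidate(subject: str, sightings: Iterable[Sighting]) -> dict:
    """Reduce all sightings of one subject to a positive score and a
    negative coverage bound.

    Positive sightings keep the strongest confidence; negative assertions
    keep the latest data-window end they cover, so the consumer learns up
    to which date the absence claim holds without an indicator lifespan.
    """
    best_positive: Optional[float] = None
    negative_until: Optional[date] = None
    for s in sightings:
        if s.subject != subject:
            continue
        if s.observed:
            score = CONFIDENCE_SCORE[s.confidence]
            best_positive = score if best_positive is None else max(best_positive, score)
        elif negative_until is None or s.evaluated_until > negative_until:
            negative_until = s.evaluated_until
    return {"subject": subject,
            "positive_score": best_positive,
            "negative_until": negative_until}


# Constructed sample, one entry per example sentence in the message.
SAMPLE = [
    Sighting("machine", Confidence.CERTAINLY, True, "213.197.30.28", "network X, firewall B"),
    Sighting("human", Confidence.PROBABLY, True, "TTP X", "host Y, AV scanner X"),
    Sighting("machine", Confidence.PROBABLY, True, "indicator X", "SIEM B, model Y, logevents XYS"),
    Sighting("machine", Confidence.CERTAINLY, False, "file.exe", "SIEM C", date(2015, 1, 1)),
    Sighting("human", Confidence.ALMOST_CERTAINLY, True, "report Y", "raw network packets in ASCII"),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s.statement())
    print(consolidate("file.exe", SAMPLE))
```

Making `evaluated_until` mandatory on negative assertions is the design choice worth noting: a "have not observed" claim is then scoped to the data that was searched rather than to the indicator, so the producer reports it once per evaluation window and never has to decide for how long it remains true.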