Do you think tools will be doing correlation based on ID or doing correlation based on the contents of an observable?
As an example, imagine you have a sighting for an e-mail:
- Subject: PLS OPEN ME KTHXBYE
- Attachment: (some hash)
Then you have this other sighting:
- Subject: PLS OPEN ME KTHXBYE
- Attachment: (some other hash)
Then this one:
- Subject: PLS OPEN ME KTHXBYE
Which of those should match? I feel like we’re talking about this as if sightings are either the same or different when in reality there will mostly likely be degrees of similarity (0-100). So my conclusion is that IDs, even generated based on
the content, are probably not all that useful for matching sightings.
That said, that doesn’t mean sightings shouldn’t have IDs. If I autogen IDs for sightings then you can delete them, revoke them, ask for more info about them, etc. Maybe not everyone will do or support that (a firewall generating millions of sightings
won’t persist the ID, but the threat intel tool working human-to-human sightings might) but by having an ID we can at least support it.
John
Really good points Jason.... It is amazing how things like this bubble up as you start writing code. I can now see how the ID and IDREF elements will break down rapidly and fall apart in to little pieces all over the floor. Maybe the ID and IDREF thing needs
to happen in a WorkBench tool that is listening on a TAXII channel.... ???
We just need to figure out how devices can emit things they see in STIX format based on a rule or policy.
Thanks,
Bret
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
So here is my question.
"Firewall sees something bad.. The firewall generates an observable and emits that on to a TAXII 2.0 channel.
"
How is that firewall going to generate and persist that observable ID to be re-referenced by the "light bulb sighting"? Because if he sees the same "something bad" 1 minute, hour, or day later, he should be sending the same observable ID - otherwise, the sightings
numbers would all be reset every time he sees it.
IE - the problem I describe extends beyond sightings, it also extends to observables and even indicators. Most producers of this information won't have the ways and means to build a giant database (of ie. all of the IP addresses they have ever seen) so that
they know they will re-use the same ID if they want to re-emit an observable. As such if they want an ID that can be re-referenceable, they will have to generate an ID based on the current data, since the current data is all they have to go on.
-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security |
www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
<graycol.gif>"Jordan, Bret" ---2015/10/30 12:36:36 PM---Thanks for catching this Jason. For sightings I am not sure why you would do an ID... Let me expla
From: "Jordan, Bret" <bret.jordan@bluecoat.com>
To: Jason Keirstead/CanEast/IBM@IBMCA
Cc: Terry MacDonald <terry@soltra.com>, Mark Davidson <mdavidson@mitre.org>, "Sean D. Barnum"
<sbarnum@mitre.org>, Jerome Athias <athiasjerome@gmail.com>, "Taylor, Marlon" <Marlon.Taylor@hq.dhs.gov>,
"Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 2015/10/30 12:36 PM
Subject: Re: [cti-stix] Proposal to establish Sightings (#306) and Relationships (#291) as our official issue topics under active consideration for STIX v2.0
Sent by: <cti-stix@lists.oasis-open.org>
Thanks for catching this Jason. For sightings I am not sure why you would do an ID... Let me explain how I see the workflow going....
Firewall sees something bad.. The firewall generates an observable and emits that on to a TAXII 2.0 channel. All of the end point devices (clients, phones, printers, ip enabled light bulbs) can see that indicator and respond with a sighting
if the so desire.
The sighting will have an IDREF or similar back to the objects it is referencing. Now the original client or a message handler running on the TAXII server (if the TAXII server is a broker + query repo) could pick up and aggregate all
of the sightings coming back for that original observable and either store it or do something with it. In the TAXII server case (broker + repo) it might store the data in a database or bubble it up to an analyst for review before sending it out a different
channel group.
Thanks,
Bret
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
On Oct 30, 2015, at 06:30, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:
I know historically I have been pushing for an RFC-Compliant UUID as mandatory component of this - now i am going to backtrack on my previous argument :)
I actually think that having a UUID be mandatory is not workable, and here is why: For many (most?) products looking to produce observable and sightings, there is no system-wide "ID" in their product that could be used to represent something like an observable.
Similarly, STIX producers like embedded devices and endpoints, do not have the resources or processing capacity to start storing these relationships. As such, said producers have two options for generating sightings:
a) Have a randomly-generated UUID (which is of no use to anyone in the end because it will remove all traceability and create rampant data duplication)
b) Have an algorithmically derived ID based on the data (IE, any time I issue an observable for Equals 1.2.3.4, the same ID will be derived)
(b) Is really the only workable ID mechanism for most products.
I have recently started to run into this in practice in my own product work, so I know it is a real problem that is going to hit a lot of people if we start mandating IDs and UUIDs.
Here is an assertion - why is ID even a mandatory field for a sighting? I am not sure why it is useful. If a STIX repository needs an ID for an internal record, it can generate its own in any way it wants. I am not sure why a producer needs to specify an ID.
-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security |
www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
<graycol.gif>Terry MacDonald ---2015/10/29 06:51:35 PM---Mark, That should change with the top-level relationship object. It will be quite possible to send j
From: Terry MacDonald <terry@soltra.com>
To: "Davidson II, Mark S" <mdavidson@mitre.org>, "Jordan, Bret" <bret.jordan@bluecoat.com>,
"Barnum, Sean D." <sbarnum@mitre.org>
Cc: Jerome Athias <athiasjerome@gmail.com>, "Taylor, Marlon" <Marlon.Taylor@hq.dhs.gov>,
"Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org"
<cti-stix@lists.oasis-open.org>
Date: 2015/10/29 06:51 PM
Subject: RE: [cti-stix] Proposal to establish Sightings (#306) and Relationships (#291) as our official issue topics under active consideration for STIX v2.0
Sent by: <cti-stix@lists.oasis-open.org>
Mark,
That should change with the top-level relationship object. It will be quite possible to send just a relationship object in a package. This will mean that the consumer will need the ability to contact the original producer of the reference STIX data object to
ask if they are allowed the full object rather than just the reference to it. Having the ability to find the TAXII server from just the STIX object ID is critical to allow this to happen.
This functionality also allows more secretive providers to ‘hide’ their data, such that consumers can understand that relationships exist, but that only a small subset of approved consumers will have access to the actual STIX object data. It gives the ability
to hide stuff.
Cheers
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA | An FS-ISAC and DTCC Company
+61 (407) 203 206 | terry@soltra.com
From: Davidson II, Mark S [mailto:mdavidson@mitre.org]
Sent: Friday, 30 October 2015 5:05 AM
To: Jordan, Bret <bret.jordan@bluecoat.com>;
Barnum, Sean D. <sbarnum@mitre.org>
Cc: Jerome Athias <athiasjerome@gmail.com>;
Terry MacDonald <terry@soltra.com>; Taylor, Marlon <Marlon.Taylor@hq.dhs.gov>;
Wunder, John A. <jwunder@mitre.org>;
cti-stix@lists.oasis-open.org
Subject: RE: [cti-stix] Proposal to establish Sightings (#306) and Relationships (#291) as our official issue topics under active consideration for STIX v2.0
If want the ability to dereference arbitrary STIX IDs (for use in accessing some kind of repository, let’s say), then I think requiring a rule whereby STIX IDs can be turned into a URL could be a good requirement (Note: URLs as IDs would satisfy this requirement).
While there is a concept for idref today, I personally haven’t seen an implementation that dereferences STIX IDs outside of the document containing the idref.
Thank you.
-Mark
PS, a notional example: <stix:Indicator idref=”https://example.org/stix121/indicators/123”/>
[attachment "signature.asc" deleted by Jason Keirstead/CanEast/IBM]
|