OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cti-stix message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [cti-stix] Proposal to establish Sightings (#306) and Relationships (#291) as our official issue topics under active consideration for STIX v2.0


Do you think tools will be doing correlation based on ID or doing correlation based on the contents of an observable?

As an example, imagine you have a sighting for an e-mail:

- Subject: PLS OPEN ME KTHXBYE
- From: defnotaspammer@example.com
- Attachment: (some hash)

Then you have this other sighting:

- Subject: PLS OPEN ME KTHXBYE
- Attachment: (some other hash)

Then this one:

- Subject: PLS OPEN ME KTHXBYE

Which of those should match? I feel like we’re talking about this as if sightings are either the same or different when in reality there will mostly likely be degrees of similarity (0-100). So my conclusion is that IDs, even generated based on the content, are probably not all that useful for matching sightings.

That said, that doesn’t mean sightings shouldn’t have IDs. If I autogen IDs for sightings then you can delete them, revoke them, ask for more info about them, etc. Maybe not everyone will do or support that (a firewall generating millions of sightings won’t persist the ID, but the threat intel tool working human-to-human sightings might) but by having an ID we can at least support it.

John

On Oct 30, 2015, at 1:24 PM, Jordan, Bret <bret.jordan@BLUECOAT.COM> wrote:

Really good points Jason....  It is amazing how things like this bubble up as you start writing code.  I can now see how the ID and IDREF elements will break down rapidly and fall apart in to little pieces all over the floor.  Maybe the ID and IDREF thing needs to happen in a WorkBench tool that is listening on a TAXII channel.... ???  

We just need to figure out how devices can emit things they see in STIX format based on a rule or policy.  


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Oct 30, 2015, at 10:51, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:

So here is my question.

    "Firewall sees something bad.. The firewall generates an observable and emits that on to a TAXII 2.0 channel. "

How is that firewall going to generate and persist that observable ID to be re-referenced by the "light bulb sighting"? Because if he sees the same "something bad" 1 minute, hour, or day later, he should be sending the same observable ID - otherwise, the sightings numbers would all be reset every time he sees it.

IE - the problem I describe extends beyond sightings, it also extends to observables and even indicators. Most producers of this information won't have the ways and means to build a giant database (of ie. all of the IP addresses they have ever seen) so that they know they will re-use the same ID if they want to re-emit an observable. As such if they want an ID that can be re-referenceable, they will have to generate an ID based on the current data, since the current data is all they have to go on.

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


<graycol.gif>"Jordan, Bret" ---2015/10/30 12:36:36 PM---Thanks for catching this Jason. For sightings I am not sure why you would do an ID... Let me expla

From: "Jordan, Bret" <bret.jordan@bluecoat.com>
To: Jason Keirstead/CanEast/IBM@IBMCA
Cc: Terry MacDonald <terry@soltra.com>, Mark Davidson <mdavidson@mitre.org>, "Sean D. Barnum" <sbarnum@mitre.org>, Jerome Athias <athiasjerome@gmail.com>, "Taylor, Marlon" <Marlon.Taylor@hq.dhs.gov>, "Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 2015/10/30 12:36 PM
Subject: Re: [cti-stix] Proposal to establish Sightings (#306) and Relationships (#291) as our official issue topics under active consideration for STIX v2.0
Sent by: <cti-stix@lists.oasis-open.org>




Thanks for catching this Jason. For sightings I am not sure why you would do an ID... Let me explain how I see the workflow going....


Firewall sees something bad.. The firewall generates an observable and emits that on to a TAXII 2.0 channel. All of the end point devices (clients, phones, printers, ip enabled light bulbs) can see that indicator and respond with a sighting if the so desire.

The sighting will have an IDREF or similar back to the objects it is referencing. Now the original client or a message handler running on the TAXII server (if the TAXII server is a broker + query repo) could pick up and aggregate all of the sightings coming back for that original observable and either store it or do something with it. In the TAXII server case (broker + repo) it might store the data in a database or bubble it up to an analyst for review before sending it out a different channel group.



Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
      On Oct 30, 2015, at 06:30, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:

      I know historically I have been pushing for an RFC-Compliant UUID as mandatory component of this - now i am going to backtrack on my previous argument :)

      I actually think that having a UUID be mandatory is not workable, and here is why: For many (most?) products looking to produce observable and sightings, there is no system-wide "ID" in their product that could be used to represent something like an observable. Similarly, STIX producers like embedded devices and endpoints, do not have the resources or processing capacity to start storing these relationships. As such, said producers have two options for generating sightings:


          a) Have a randomly-generated UUID (which is of no use to anyone in the end because it will remove all traceability and create rampant data duplication)

          b) Have an algorithmically derived ID based on the data (IE, any time I issue an observable for Equals 1.2.3.4, the same ID will be derived)

      (b) Is really the only workable ID mechanism for most products.

      I have recently started to run into this in practice in my own product work, so I know it is a real problem that is going to hit a lot of people if we start mandating IDs and UUIDs.

      Here is an assertion - why is ID even a mandatory field for a sighting? I am not sure why it is useful. If a STIX repository needs an ID for an internal record, it can generate its own in any way it wants. I am not sure why a producer needs to specify an ID.

      -
      Jason Keirstead
      Product Architect, Security Intelligence, IBM Security Systems

      www.ibm.com/security | www.securityintelligence.com

      Without data, all you are is just another person with an opinion - Unknown


      <graycol.gif>
      Terry MacDonald ---2015/10/29 06:51:35 PM---Mark, That should change with the top-level relationship object. It will be quite possible to send j

      From:
      Terry MacDonald <terry@soltra.com>
      To:
      "Davidson II, Mark S" <mdavidson@mitre.org>, "Jordan, Bret" <bret.jordan@bluecoat.com>, "Barnum, Sean D." <sbarnum@mitre.org>
      Cc:
      Jerome Athias <athiasjerome@gmail.com>, "Taylor, Marlon" <Marlon.Taylor@hq.dhs.gov>, "Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
      Date:
      2015/10/29 06:51 PM
      Subject:
      RE: [cti-stix] Proposal to establish Sightings (#306) and Relationships (#291) as our official issue topics under active consideration for STIX v2.0
      Sent by:
      <cti-stix@lists.oasis-open.org>




      Mark,


      That should change with the top-level relationship object. It will be quite possible to send just a relationship object in a package. This will mean that the consumer will need the ability to contact the original producer of the reference STIX data object to ask if they are allowed the full object rather than just the reference to it. Having the ability to find the TAXII server from just the STIX object ID is critical to allow this to happen.


      This functionality also allows more secretive providers to ‘hide’ their data, such that consumers can understand that relationships exist, but that only a small subset of approved consumers will have access to the actual STIX object data. It gives the ability to hide stuff.


      Cheers


      Terry MacDonald

      Senior STIX Subject Matter Expert

      SOLTRA
      | An FS-ISAC and DTCC Company
      +61 (407) 203 206 |
      terry@soltra.com


      From:
      Davidson II, Mark S [mailto:mdavidson@mitre.org]
      Sent:
      Friday, 30 October 2015 5:05 AM
      To:
      Jordan, Bret <bret.jordan@bluecoat.com>; Barnum, Sean D. <sbarnum@mitre.org>
      Cc:
      Jerome Athias <athiasjerome@gmail.com>; Terry MacDonald <terry@soltra.com>; Taylor, Marlon <Marlon.Taylor@hq.dhs.gov>; Wunder, John A. <jwunder@mitre.org>; cti-stix@lists.oasis-open.org
      Subject:
      RE: [cti-stix] Proposal to establish Sightings (#306) and Relationships (#291) as our official issue topics under active consideration for STIX v2.0

      If want the ability to dereference arbitrary STIX IDs (for use in accessing some kind of repository, let’s say), then I think requiring a rule whereby STIX IDs can be turned into a URL could be a good requirement (Note: URLs as IDs would satisfy this requirement). While there is a concept for idref today, I personally haven’t seen an implementation that dereferences STIX IDs outside of the document containing the idref.


      Thank you.
      -Mark


      PS, a notional example: <stix:Indicator idref=”
      https://example.org/stix121/indicators/123”/>
[attachment "signature.asc" deleted by Jason Keirstead/CanEast/IBM]






[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]