cti-stix message
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [List Home]
Subject: Re: [cti-stix] Proposal to establish Sightings (#306) and Relationships (#291) as our official issue topics under active consideration for STIX v2.0
- From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- To: "Kirillov, Ivan A." <ikirillov@mitre.org>
- Date: Fri, 30 Oct 2015 13:36:42 -0400
In fact, this is what I am writing in my own STIX 1.x code as we speak, since it is really the only way for me to proceed :
However, the way I am doing it is very implementation specific and probably would be seen as "hackish", its certainly not a general-purpose observable hashing function.
-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
"Kirillov, Ivan A." ---2015/10/30 02:28:06 PM---Just jumping in here, but it sounds to me like this is calling out for some kind of Observable hashi
From: "Kirillov, Ivan A." <ikirillov@mitre.org>
To: Jason Keirstead/CanEast/IBM@IBMCA, "Jordan, Bret" <bret.jordan@bluecoat.com>
Cc: Terry MacDonald <terry@soltra.com>, "Davidson II, Mark S" <mdavidson@mitre.org>, "Barnum, Sean D." <sbarnum@mitre.org>, Jerome Athias <athiasjerome@gmail.com>, "Taylor, Marlon" <Marlon.Taylor@hq.dhs.gov>, "Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 2015/10/30 02:28 PM
Subject: Re: [cti-stix] Proposal to establish Sightings (#306) and Relationships (#291) as our official issue topics under active consideration for STIX v2.0
Just jumping in here, but it sounds to me like this is calling out for some kind of Observable hashing function. If we can algorithmically ensure some unique output for a particular Observable input, that can effectively be used in place of an Observable ID and referenced in sightings and elsewhere.
Regards,
Ivan
From: <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead
Date: Friday, October 30, 2015 at 12:51 PM
To: Bret Jordan
Cc: Terry MacDonald, Mark Davidson, Sean Barnum, Jerome Athias, Marlon Taylor, John Wunder, "cti-stix@lists.oasis-open.org"
Subject: Re: [cti-stix] Proposal to establish Sightings (#306) and Relationships (#291) as our official issue topics under active consideration for STIX v2.0
So here is my question.
"Firewall sees something bad.. The firewall generates an observable and emits that on to a TAXII 2.0 channel. "
How is that firewall going to generate and persist that observable ID to be re-referenced by the "light bulb sighting"? Because if he sees the same "something bad" 1 minute, hour, or day later, he should be sending the same observable ID - otherwise, the sightings numbers would all be reset every time he sees it.
IE - the problem I describe extends beyond sightings, it also extends to observables and even indicators. Most producers of this information won't have the ways and means to build a giant database (of ie. all of the IP addresses they have ever seen) so that they know they will re-use the same ID if they want to re-emit an observable. As such if they want an ID that can be re-referenceable, they will have to generate an ID based on the current data, since the current data is all they have to go on.
-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
"Jordan, Bret" ---2015/10/30 12:36:36 PM---Thanks for catching this Jason. For sightings I am not sure why you would do an ID... Let me expla
From: "Jordan, Bret" <bret.jordan@bluecoat.com>
To: Jason Keirstead/CanEast/IBM@IBMCA
Cc: Terry MacDonald <terry@soltra.com>, Mark Davidson <mdavidson@mitre.org>, "Sean D. Barnum" <sbarnum@mitre.org>, Jerome Athias <athiasjerome@gmail.com>, "Taylor, Marlon" <Marlon.Taylor@hq.dhs.gov>, "Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 2015/10/30 12:36 PM
Subject: Re: [cti-stix] Proposal to establish Sightings (#306) and Relationships (#291) as our official issue topics under active consideration for STIX v2.0
Sent by: <cti-stix@lists.oasis-open.org>
Thanks for catching this Jason. For sightings I am not sure why you would do an ID... Let me explain how I see the workflow going....
Firewall sees something bad.. The firewall generates an observable and emits that on to a TAXII 2.0 channel. All of the end point devices (clients, phones, printers, ip enabled light bulbs) can see that indicator and respond with a sighting if the so desire.
The sighting will have an IDREF or similar back to the objects it is referencing. Now the original client or a message handler running on the TAXII server (if the TAXII server is a broker + query repo) could pick up and aggregate all of the sightings coming back for that original observable and either store it or do something with it. In the TAXII server case (broker + repo) it might store the data in a database or bubble it up to an analyst for review before sending it out a different channel group.
Thanks,
Bret
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." On Oct 30, 2015, at 06:30, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:I know historically I have been pushing for an RFC-Compliant UUID as mandatory component of this - now i am going to backtrack on my previous argument :)
I actually think that having a UUID be mandatory is not workable, and here is why: For many (most?) products looking to produce observable and sightings, there is no system-wide "ID" in their product that could be used to represent something like an observable. Similarly, STIX producers like embedded devices and endpoints, do not have the resources or processing capacity to start storing these relationships. As such, said producers have two options for generating sightings:
a) Have a randomly-generated UUID (which is of no use to anyone in the end because it will remove all traceability and create rampant data duplication)
b) Have an algorithmically derived ID based on the data (IE, any time I issue an observable for Equals 1.2.3.4, the same ID will be derived)
(b) Is really the only workable ID mechanism for most products.
I have recently started to run into this in practice in my own product work, so I know it is a real problem that is going to hit a lot of people if we start mandating IDs and UUIDs.
Here is an assertion - why is ID even a mandatory field for a sighting? I am not sure why it is useful. If a STIX repository needs an ID for an internal record, it can generate its own in any way it wants. I am not sure why a producer needs to specify an ID.
-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
<graycol.gif>Terry MacDonald ---2015/10/29 06:51:35 PM---Mark, That should change with the top-level relationship object. It will be quite possible to send j
From: Terry MacDonald <terry@soltra.com>
To: "Davidson II, Mark S" <mdavidson@mitre.org>, "Jordan, Bret" <bret.jordan@bluecoat.com>, "Barnum, Sean D." <sbarnum@mitre.org>
Cc: Jerome Athias <athiasjerome@gmail.com>, "Taylor, Marlon" <Marlon.Taylor@hq.dhs.gov>, "Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 2015/10/29 06:51 PM
Subject: RE: [cti-stix] Proposal to establish Sightings (#306) and Relationships (#291) as our official issue topics under active consideration for STIX v2.0
Sent by: <cti-stix@lists.oasis-open.org>
Mark,
That should change with the top-level relationship object. It will be quite possible to send just a relationship object in a package. This will mean that the consumer will need the ability to contact the original producer of the reference STIX data object to ask if they are allowed the full object rather than just the reference to it. Having the ability to find the TAXII server from just the STIX object ID is critical to allow this to happen.
This functionality also allows more secretive providers to ‘hide’ their data, such that consumers can understand that relationships exist, but that only a small subset of approved consumers will have access to the actual STIX object data. It gives the ability to hide stuff.
Cheers
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA | An FS-ISAC and DTCC Company
+61 (407) 203 206 | terry@soltra.com
From: Davidson II, Mark S [mailto:mdavidson@mitre.org]
Sent: Friday, 30 October 2015 5:05 AM
To: Jordan, Bret <bret.jordan@bluecoat.com>; Barnum, Sean D. <sbarnum@mitre.org>
Cc: Jerome Athias <athiasjerome@gmail.com>; Terry MacDonald <terry@soltra.com>; Taylor, Marlon <Marlon.Taylor@hq.dhs.gov>; Wunder, John A. <jwunder@mitre.org>; cti-stix@lists.oasis-open.org
Subject: RE: [cti-stix] Proposal to establish Sightings (#306) and Relationships (#291) as our official issue topics under active consideration for STIX v2.0
If want the ability to dereference arbitrary STIX IDs (for use in accessing some kind of repository, let’s say), then I think requiring a rule whereby STIX IDs can be turned into a URL could be a good requirement (Note: URLs as IDs would satisfy this requirement). While there is a concept for idref today, I personally haven’t seen an implementation that dereferences STIX IDs outside of the document containing the idref.
Thank you.
-Mark
PS, a notional example: <stix:Indicator idref=”https://example.org/stix121/indicators/123”/>
[attachment "signature.asc" deleted by Jason Keirstead/CanEast/IBM]
[attachment "graycol.gif" deleted by Jason Keirstead/CanEast/IBM]
[Date Prev]
| [Thread Prev]
| [Thread Next]
| [Date Next]
--
[Date Index]
| [Thread Index]
| [List Home]