[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-stix] Proposal to establish Sightings (#306) and Relationships (#291) as our official issue topics under active consideration for STIX v2.0
Lets run the FW use case to the ground, since most everyone should understand it... FW 1 see a series of weaponized PDFs come down. Say it sees the same Weaponized PDF 2,000 times over a period of 3 days. A large phishing attack with a lot of click happy users. 1) Now it is highly unlikely with the current model that the FW will remember and use the same ID value (UUID) for each Indicator+Observable+MAEC data blob it issues for this Weaponized PDF. In fact, it will probably have 2,000 different UUID IDs for the same Indicator. 2) Now when you compound this by 60,000 client in the network issuing Sightings, this becomes to blow up quickly. Maybe... Just maybe.... The FW could take the JSON Indicator that it is going to issue and hash the data blob and use that hash as the ID. Then at least each FW that is running the same code and is seeing basically the same thing with the same amount of data-enrichment, will issue the same ID value. We will have a totally different problem in TAXII Land in the Query REST API. Because you will probably want to do something like: /t2/query/indicator/file_name/FreeFood.pdf or /t2/query/indicator/file_hash/<some file hash of the PDF> Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards | Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
|
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]