Subject: RE: [cti-stix] Top-level Sighting Object from last meeting


Is this a STIX level problem, or an implementation level one?

Each consumer of threat intelligence is different. It has different risk profiles, different customers, different business models, different cultures and countries. Is it up to the consumer/recipient to determine how long they think the Indicator will be useful? They are the best ones to understand how that Indicator will be used in their environment. They understand the amount of memory they have in their external router, so they know the maximum size the ACL can be. The producer doesn't know that. They know how many email addresses their mail filter can handle. The producer doesn't know that.

But - the producer might know that URLs used by Nuclear last 10 days, so a 5 day half-life would describe it well. Or that the mutex of a piece of malware is ' gangrenb' and that won't change until the next Cutwail malware variant, which is generally within 30 days. This could be beneficial to be documented and distributed in some way.

Maybe it's worth adding to Indicators in STIX v2, but allowing the implementations to overwrite it if needed?

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA | An FS-ISAC and DTCC Company
+61 (407) 203 206 | terry@soltra.com

-----Original Message-----
From: Trey Darley 
Sent: Friday, 30 October 2015 8:15 PM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: Joep Gommers <joep@eclecticiq.com>; Jordan, Bret <bret.jordan@bluecoat.com>; Sean D. Barnum <sbarnum@mitre.org>; Cory Casanave <cory-c@modeldriven.com>; Thompson, Dean <Dean.Thompson@anz.com>; Terry MacDonald <terry@soltra.com>; cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Top-level Sighting Object from last meeting

On 29.10.2015 11:48:16, Jason Keirstead wrote:
> - Now you have another problem, for how long do you report these 
> "negative assertions"? Forever? Indicators do not have a life-span 
> attribute.
> 

Indicators *should* have some type of lifespan attribute. This is one of the things I really like in OpenTPX. Cf. `score_24hr_decay_i`, page 16 in the OpenTPX Introduction [0]. Should be its own thread, but let's take inspiration from OpenTPX and add a decay mechanism to Indicators and (arguably) Observables.

[0]: https://www.opentpx.org/docs/openTPX-introduction.pdf

--
Cheers,
Trey
--
Trey Darley
Senior Security Engineer
4DAA 0A88 34BC 27C9 FD2B  A97E D3C6 5C74 0FB7 E430
Soltra | An FS-ISAC & DTCC Company
www.soltra.com
--
"Every networking problem always takes longer to solve than it seems like it should." --RFC 1925

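As an added illustration, not code from either poster, from STIX or from OpenTPX, here is a small Python model of the half-life decay discussed above: a producer-suggested `half_life_days` attribute on an indicator (an assumed name), a consumer-side override of that half-life, and a capacity-bounded prune of the kind a consumer with a fixed ACL size would run. All indicator values are constructed.

```python
import math
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Indicator:
    """Constructed STIX-like indicator with a producer-suggested half-life.
    `half_life_days` is a hypothetical attribute; None means 'never decays'."""
    id: str
    value: str
    score: float              # producer's initial score, 0..100
    produced_day: int         # day of publication on a constructed day counter
    half_life_days: Optional[float] = None


def _effective_half_life(ind: Indicator, consumer_half_life: Optional[float]) -> Optional[float]:
    # The consumer may override the producer's suggestion (Terry's point);
    # otherwise the producer's value, if any, is used.
    return consumer_half_life if consumer_half_life is not None else ind.half_life_days


def decayed_score(ind: Indicator, today: int, consumer_half_life: Optional[float] = None) -> float:
    """Exponential decay: score * 0.5 ** (age / half_life)."""
    half_life = _effective_half_life(ind, consumer_half_life)
    if half_life is None:
        return ind.score
    age = max(0, today - ind.produced_day)
    return ind.score * 0.5 ** (age / half_life)


def days_until_expiry(ind: Indicator, threshold: float, consumer_half_life: Optional[float] = None) -> Optional[float]:
    """Days after publication until the score falls to `threshold` (None if it never decays)."""
    half_life = _effective_half_life(ind, consumer_half_life)
    if half_life is None:
        return None
    if ind.score <= threshold:
        return 0.0
    return half_life * math.log2(ind.score / threshold)


def select_active(indicators: List[Indicator], today: int, threshold: float, capacity: int,
                  consumer_half_life: Optional[float] = None) -> List[Indicator]:
    """Consumer-side prune: keep the highest decayed scores at or above `threshold`,
    limited to `capacity` entries (e.g. the router's ACL size)."""
    scored = [(decayed_score(i, today, consumer_half_life), i) for i in indicators]
    live = [(s, i) for s, i in scored if s >= threshold]
    live.sort(key=lambda pair: pair[0], reverse=True)
    return [i for _, i in live[:capacity]]
```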
