cti-stix message

Subject: RE: [cti-stix] Top-level Sighting Object from last meeting

From: Terry MacDonald <terry@soltra.com>
To: Trey Darley <trey@soltra.com>, Jerome Athias <athiasjerome@gmail.com>
Date: Fri, 30 Oct 2015 20:58:18 +0000

I think both are good. 

There will be times that you want a specific time period to be defined for an Indicator (e.g. Domain Generation Algorithms for malware) so that people only look for them when they need to. It would allow some people to generate lists of DGA created Domains that other can use to see if they have any infections of that particular malware family on their network. And being able to create that an d disseminate that a few days earlier would really help if there is a large volume to be sent out.

And, there are other things that would be great to just have slowly decay and expire (like dropper URLs) over time. 

Can we have both please? :) 

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA | An FS-ISAC and DTCC Company
+61 (407) 203 206 | terry@soltra.com 

-----Original Message-----
From: Trey Darley 
Sent: Friday, 30 October 2015 9:05 PM
To: Jerome Athias <athiasjerome@gmail.com>
Cc: Jason Keirstead <Jason.Keirstead@ca.ibm.com>; Joep Gommers <joep@eclecticiq.com>; Jordan, Bret <bret.jordan@bluecoat.com>; Sean D. Barnum <sbarnum@mitre.org>; Cory Casanave <cory-c@modeldriven.com>; Thompson, Dean <Dean.Thompson@anz.com>; Terry MacDonald <terry@soltra.com>; cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Top-level Sighting Object from last meeting

On 30.10.2015 12:29:31, Jerome Athias wrote:
> For the record
> 
> https://stixproject.github.io/data-model/1.2/indicator/IndicatorType/
> Valid_Time_Position 0..n ValidTimeType Specifies the time window for 
> which this Indicator is valid.
> 
> was introduced for some use cases related.
> 

Good point, Jerome, I totally forgot about the Valid_Time_Position property. (Actually, I'm not sure I've ever seen it used in the
field!)

That said, I prefer the OpenTPX approach of allowing indicators to age gradually rather than the current STIX approach of binary start/stop times. It seems to me ultimately more useful to be able to say, "This indicator is still valid but it is *less* valid than it was 10 days ago" than to say, "This indicator is valid between now and next Wednesday."

--
Cheers,
Trey
--
Trey Darley
Senior Security Engineer
4DAA 0A88 34BC 27C9 FD2B  A97E D3C6 5C74 0FB7 E430 Soltra | An FS-ISAC & DTCC Company www.soltra.com
--
"It is more complicated than you think." --RFC 1925

References:
- Re: [cti-stix] Top-level Sighting Object from last meeting
  - From: "Jordan, Bret" <bret.jordan@bluecoat.com>
- Re: [cti-stix] Top-level Sighting Object from last meeting
  - From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- Re: [cti-stix] Top-level Sighting Object from last meeting
  - From: Joep Gommers <joep@eclecticiq.com>
- Re: [cti-stix] Top-level Sighting Object from last meeting
  - From: "Jordan, Bret" <bret.jordan@bluecoat.com>
- Re: [cti-stix] Top-level Sighting Object from last meeting
  - From: Joep Gommers <joep@eclecticiq.com>
- Re: [cti-stix] Top-level Sighting Object from last meeting
  - From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- Re: [cti-stix] Top-level Sighting Object from last meeting
  - From: Trey Darley <trey@soltra.com>
- Re: [cti-stix] Top-level Sighting Object from last meeting
  - From: Jerome Athias <athiasjerome@gmail.com>
- Re: [cti-stix] Top-level Sighting Object from last meeting
  - From: Trey Darley <trey@soltra.com>