Jane, (and perhaps Jyoti),

you be able to describe the use case a little more? I’m thinking along the lines of what’s been started on the STIX use cases wiki – nominally including a description and a main success scenario. That would help me understand who takes which actions when and in what order, which in turn would help me form an opinion about how well proposed solutions meet the use case.

the data model level, this sounds like a possible use of a top level relationship object. Just throwing something against the wall here (I’m not a cyber analyst and I don’t play one on TV), but could this use case be accomplished by relating multiple objects to a campaign with a low
On Behalf Of Jane Ginn - email@example.com
Sent: Thursday, October 29, 2015 4:53 PM
To: firstname.lastname@example.org; Sarah.Kelley@cisecurity.org;
Jerome Athias <email@example.com>; Bret Jordan
Subject: Re: [cti-stix] Need for Investigation/Tag
Terry & All:

This is an actual Use Case that I've seen operationally in one of the ISAOs I participate in. It is not theoretical... and the real-time nature of this helps the non-targeted members of the ISAO to take proactive actions in response to what is known (shared) about the Threat Actor, the IoCs, and the TTPs. Offensive countermeasures in action.

I could see this Use Case evolving into a very important one for driving adoption of threat intel platforms... especially if the CybOX objects are extracted, used in other tools for enrichment, then reconstructed as STIX again. This latter permutation aligns with the Use Case Jyoti introduced in the CybOX Subcommittee call today.

Jane Ginn, MSIA, MRP
Cyber Threat Intelligence Network, Inc.
-------- Original Message --------
From: Terry MacDonald <firstname.lastname@example.org>
Sent: Tuesday, October 27, 2015 01:03 PM
To: Sarah Kelley <Sarah.Kelley@cisecurity.org>, Unknown
Subject: [cti-stix] Need for Investigation/Tag object?
CC: "Baker, Jon" <email@example.com>, "Jonathan Bush (DTCC)" <firstname.lastname@example.org>, Cory
email below reminded me of some thoughts that have been bubbling around for a while.

think there is a need for us to support describing and sharing Threat intelligence while it is still under investigation. Historically STIX has been used by Organizations who are generally sharing information about attacks after they have finished. It seems to me that we are rapidly moving towards an automated future where Organizations are sharing information about attacks while they are happening. This change is a subtle one, but one that has implications for STIX.

present we have no way for Organizations to temporarily ‘group’ different STIX objects together. When one is conducting an investigation into a series of suspicious events prompted by your Organization’s monitoring processes, we often want to tag/relate these events together, without actually creating an official ‘Incident’ (as we’re not sure anything has actually happened yet). The Incident object is where one would put the information when it is confirmed there is a problem, but I believe we at least need a way of ‘tagging’ and ‘grouping’ potentially related items together.

anyone else see the need for something like this?

STIX Subject Matter Expert
An FS-ISAC and DTCC Company
(407) 203 206 |
am a huge proponent of letting (almost) anything link to anything. In fact, limiting what can have an association/link/relationship with what is my current biggest frustration with Stix (we use workarounds to get around this limitation).

would add the possible use cases:

org observed 3 instances of this threat actor hitting
org observed 12 instances of the Poison Ivy TTP on our
org was hit by this particular campaign 27 times

for Internet Security (CIS)
Intelligence Center (IIC)
Information Sharing and Analysis Center (MS-ISAC)
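The temporary "tag/group" Terry asks for and the per-organization counts Sarah lists, as an added example that is not part of this thread and not any participant's code, expressed with the objects later versions of the standard define for exactly this: a STIX 2.1 Grouping with context `suspicious-activity` to collect items still under investigation without asserting an Incident, and STIX 2.1 Sighting relationships whose `count` carries "3 instances of this threat actor", "12 instances of Poison Ivy", "27 hits from this campaign". Every id, name, timestamp and address in the block is constructed, and the helpers `build_bundle`, `unresolved_refs`, `sighting_counts` and `promote_grouping` are this example's own, not a library API.

```python
"""Added example (not from the thread): an investigation modelled as a STIX 2.1
Grouping, plus per-organization Sighting counts. Every id, name, timestamp and
address below is constructed for illustration."""
import json

TS = "2015-10-29T16:53:00.000Z"  # constructed timestamp, matching the thread's date
UUID = "0a9b8c7d-0000-4000-8000-0000000000"  # constructed UUID prefix; 2-digit suffix varies


def sdo(kind, n, **props):
    """Build a minimal STIX 2.1 object with the common properties filled in."""
    obj = {"type": kind, "spec_version": "2.1", "id": f"{kind}--{UUID}{n:02d}",
           "created": TS, "modified": TS}
    obj.update(props)
    return obj


def sighting(n, sighted, seen_by, count):
    """A Sighting SRO: 'seen_by saw sighted count times' (STIX 2.1 count property)."""
    return sdo("sighting", n, sighting_of_ref=sighted["id"],
               where_sighted_refs=[seen_by["id"]], count=count)


def build_bundle():
    """Suspicious items grouped without asserting an Incident, plus the three
    sighting counts from the thread (3 actor hits, 12 Poison Ivy, 27 campaign)."""
    org = sdo("identity", 1, name="Example ISAO member (constructed)",
              identity_class="organization")
    actor = sdo("threat-actor", 2, name="Constructed actor",
                threat_actor_types=["unknown"])
    ivy = sdo("malware", 3, name="Poison Ivy", is_family=True,
              malware_types=["remote-access-trojan"])
    camp = sdo("campaign", 4, name="Constructed campaign")
    ind = sdo("indicator", 5, name="Address seen in monitoring (constructed)",
              pattern="[ipv4-addr:value = '198.51.100.23']",  # RFC 5737 doc range
              pattern_type="stix", valid_from=TS)
    # The temporary 'tag': a Grouping with context suspicious-activity holds the
    # items still under investigation; no Incident or Report is claimed yet.
    grp = sdo("grouping", 6, name="Investigation (constructed)",
              context="suspicious-activity",
              object_refs=[ind["id"], actor["id"], ivy["id"]])
    objs = [org, actor, ivy, camp, ind, grp,
            sighting(7, actor, org, 3), sighting(8, ivy, org, 12),
            sighting(9, camp, org, 27)]
    return {"type": "bundle", "id": f"bundle--{UUID}00", "objects": objs}


def unresolved_refs(bundle):
    """Every *_ref / *_refs value that points outside the bundle. A packet that
    references objects the recipient never received is the defect to catch
    before sharing an in-progress investigation."""
    ids = {o["id"] for o in bundle["objects"]}
    missing = []
    for obj in bundle["objects"]:
        for key, val in obj.items():
            refs = val if key.endswith("_refs") else [val] if key.endswith("_ref") else []
            missing.extend(r for r in refs if r not in ids)
    return missing


def sighting_counts(bundle):
    """Sum Sighting counts per sighted object name, e.g. {'Poison Ivy': 12}."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    totals = {}
    for o in bundle["objects"]:
        if o["type"] == "sighting":
            name = by_id[o["sighting_of_ref"]]["name"]
            totals[name] = totals.get(name, 0) + o.get("count", 1)
    return totals


def promote_grouping(bundle, grouping_id, published):
    """Once the suspicion is confirmed, re-issue the Grouping's members as a
    Report (the finished-product object) and keep the Grouping as provenance."""
    grp = next(o for o in bundle["objects"] if o["id"] == grouping_id)
    report = sdo("report", 10, name=grp["name"], report_types=["threat-report"],
                 published=published,
                 object_refs=grp["object_refs"] + [grp["id"]])
    bundle["objects"].append(report)
    return report


if __name__ == "__main__":
    b = build_bundle()
    print("unresolved:", unresolved_refs(b))
    print("sightings:", sighting_counts(b))
    promote_grouping(b, f"grouping--{UUID}06", TS)
    print(json.dumps(b, indent=2))
```

The Grouping is deliberately the only object that ties the indicator, actor and malware together, so a recipient can see "these are related to an open investigation" without any claim that an incident occurred; `unresolved_refs` is the pre-share check that every reference in such a packet resolves, since an investigation bundle shared in real time is the case most likely to cite objects the other party does not yet hold.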