
cti-stix message


Subject: Some thoughts on Sightings and conversations to date (Part #3): what should sightings be asserted against?

The third sightings sub-topic I wanted to comment on is the question of whether sightings should be asserted only against Indicators or also against other constructs.
I think there has been a range of comments on this one, including opinions ranging from sightings of anything, to sightings of observable instances, to sightings of just indicators.
Again, putting on my expert hat rather than my co-chair hat, I wanted to offer some thoughts on this, including some clarifying comments on the intended semantics and structure of the current STIX model, of which I have intimate knowledge.
  • I would agree with the few folks who posted espousing the opinion that sightings should only be for Indicators.
    • I think a good deal of this comes down to the intended semantics of the model (partially described in my previous post) and the nature of the information domain that the model intends to support. The model strives to clearly delineate key relevant concepts such as Threat Actors (who), TTP (how), incidents (what, where, when), Indicators (clues of evidence to look for), etc. I believe this delineation, the semantics of each concept and the semantics of the relationships between them are all very important to support effective threat information analysis and sharing.
    • The key here is that an assertion that something has been “sighted” is basically a statement that some particular observable characteristics have been seen. The part of the model that characterizes particular observable characteristics that might be seen and what that means is Indicator. 
      • Other constructs (TTPs, TAs, etc.) may be associated with particular observable characteristics that may indicate their presence, but a “sighting” is not of them directly but rather of observable characteristics that lead you to believe that it is that other thing (TTP, TA, etc.) that you have seen. The TTPs or TAs were not observed; evidence of their presence or identity was what was actually observed.
      • We should also remember that the confidence in assertions that particular observable characteristics identify specific TTPs or TAs is almost never 100%. That is why the STIX model provides Confidence constructs for Indicators and for any other assertion of relationship. Different observable characteristics may be associated with the same TTP or TA with differing levels of confidence. Because of this, it is more appropriate that assertions of sightings are made against the observable patterns (indicators) they actually match rather than skipping right past all the important context (including confidence) and asserting a direct sighting against the higher-order construct.
      • If you have the higher-order construct (TTP, TA, etc.), along with Indicators associating observable characteristics with it and sighting reports on those indicators, your graph includes clear paths between the sighting and the higher-order construct, but it also maintains the integrity and pivotability of all the context in between.
    • This is not to say that it is not of use to make assertions that things like TTPs or TAs have been “seen” but for these situations, I believe it would be more appropriate to assert the derived “sighting” as an analytic assertion (currently being referred to in list threads as investigation/tagging) rather than as a hard sighting.
  • Aharon gave the following example to argue that sightings should be against Observable instances rather than against Indicators: "You have 100 indicators with the same observable. Your IDS fires off an alert for that observable. Which of the 100 indicators would you sight?"
    • In my opinion this example actually argues strongly FOR sightings being against Indicators rather than just a restatement of observable instances.
    • If the indicators all define the same observable pattern then what is the difference between them? 
      • I would propose that in the real world different indicators within the set of 100 would be defining different contexts for observation of the pattern (e.g. one asserting it indicates the presence of certain malware, another associating it with infrastructure used by a particular actor, another combining it with other observables to indicate something with higher confidence, etc.). Different parties may all be telling you to look for something “bad” but they may have differing contexts and level of knowledge about why it is “bad”.
      • If all you are saying is that an observable instance was seen without associating it to the relevant Indicators then you are losing all of this context. 
      • If you see an observable instance that matches the observable pattern defined in 100 indicators then you “sight” all of them. 
      • The consumer of this sighting (whether internal or extra-org) can then utilize the various contexts (within the indicators) that the sightings convey.
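The following example is added here as an illustration and is not part of the message above, of the STIX specification, or of any STIX library. It models the scenario the thread discusses in plain Python: several indicators from different producers share the same observable pattern but each carries different context (what it is said to indicate, at what confidence), an alert comes in, a sighting is recorded against every indicator whose pattern the alert matches, and the context can then be derived by walking sighting, indicator, higher-order construct. One indicator combines the shared observable with a second one and only fires when both are present. All identifiers, producers, addresses, ports and confidence values are constructed for illustration, and the flat `field: value` pattern form and `indicator--`/`ttp--` id style are simplifications, not STIX syntax.

```python
# Added example (not from the post, the STIX specification or any STIX library).
# Toy model of "sight every Indicator whose observable pattern the observed
# instance matches", showing why the per-indicator context survives.
# All ids, producers, addresses and confidence values are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

Value = Union[str, int]


@dataclass(frozen=True)
class Indicator:
    id: str
    # Observable pattern: every listed field must be present and equal (AND).
    pattern: Dict[str, Value]
    # What the producer asserts the pattern indicates, with their confidence.
    indicates: Tuple[Tuple[str, str], ...]
    producer: str


@dataclass
class Sighting:
    indicator_id: str
    observed: Dict[str, Value]  # the observable instance that triggered it


CONFIDENCE_RANK = {"Low": 1, "Medium": 2, "High": 3}

# Four indicators from different parties. Three share the same IP, but each
# wraps it in different context; the third only matches when an additional
# observable (the destination port) is also present, and asserts higher
# confidence because of that extra evidence. (Constructed data; RFC 5737 IP.)
INDICATORS: List[Indicator] = [
    Indicator("indicator--a", {"ipv4-addr:value": "198.51.100.7"},
              (("malware--m1", "Medium"),), "vendor-A"),
    Indicator("indicator--b", {"ipv4-addr:value": "198.51.100.7"},
              (("threat-actor--t1", "Low"),), "isac-B"),
    Indicator("indicator--c", {"ipv4-addr:value": "198.51.100.7",
                               "network-traffic:dst_port": 4444},
              (("ttp--c2-beacon", "High"), ("malware--m1", "High")), "internal"),
    Indicator("indicator--d", {"domain-name:value": "c2.example.net"},
              (("malware--m2", "High"),), "vendor-A"),
]

# Constructed IDS alerts, flattened to the same field names the patterns use.
ALERT_WITH_PORT: Dict[str, Value] = {"ipv4-addr:value": "198.51.100.7",
                                     "network-traffic:dst_port": 4444,
                                     "network-traffic:src_ref": "10.0.0.12"}
ALERT_IP_ONLY: Dict[str, Value] = {"ipv4-addr:value": "198.51.100.7",
                                   "network-traffic:dst_port": 443}


def matches(pattern: Dict[str, Value], instance: Dict[str, Value]) -> bool:
    """An instance matches when every field of the pattern is present and equal."""
    return all(instance.get(k) == v for k, v in pattern.items())


def sight(instance: Dict[str, Value], indicators: List[Indicator]) -> List[Sighting]:
    """Record a sighting against every indicator the instance matches (order kept)."""
    return [Sighting(ind.id, dict(instance))
            for ind in indicators if matches(ind.pattern, instance)]


def derive_context(sightings: List[Sighting],
                   indicators: List[Indicator]) -> Dict[str, str]:
    """Walk sighting -> indicator -> higher-order construct, keeping the strongest
    confidence any sighted indicator asserts for each construct. This is the
    derived, analytic assertion the post distinguishes from a hard sighting."""
    by_id = {ind.id: ind for ind in indicators}
    best: Dict[str, str] = {}
    for s in sightings:
        for target, conf in by_id[s.indicator_id].indicates:
            if CONFIDENCE_RANK[conf] > CONFIDENCE_RANK.get(best.get(target, ""), 0):
                best[target] = conf
    return best


def sight_observable_only(instance: Dict[str, Value]) -> Dict[str, object]:
    """The alternative: record only that the observable was seen. Nothing here
    links to any indicator, producer, TTP, actor or confidence value."""
    return {"observed": dict(instance), "context": {}}


if __name__ == "__main__":
    for alert in (ALERT_WITH_PORT, ALERT_IP_ONLY):
        hits = sight(alert, INDICATORS)
        print([h.indicator_id for h in hits], derive_context(hits, INDICATORS))
```

With the alert that includes the port, indicators a, b and c are all sighted and the derived context carries the C2-beacon TTP at High and malware m1 upgraded to High; with the IP-only alert, only a and b are sighted and m1 stays at Medium with no TTP assertion. Recording the sighting against the bare observable yields no context at all.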
