I would think the same way your code “RelatedIndicatorType” now. You make a class for the relationship and property methods for the ends. Perhaps the difference
is that other relationship objects can reference such a relationship so you can “make statements about the statements”.
My code tends to be generic and model driven so I don’t want to confuse you. I could hack some code if you like, but the STIX python library is probably close.
From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org]
On Behalf Of John Anderson
Sent: Wednesday, November 11, 2015 1:25 PM
To: Cory Casanave; Jordan, Bret
Cc: Jerome Athias; Sarah Kelley; Ivan Kirillov; Ali Khan; cti-stix@lists.oasis-open.org; cti-cybox@lists.oasis-open.org
Subject: [cti-stix] Re: Stements & relations (was [cti-stix] [cti-cybox] Revoke Cybox Observable)
+1 for the code samples. But UML tends to make us think very abstractly. How would you want to use this in code? (Python, Java, whatever is fine.) I'd offer to hack it
myself, but I'm really not following here.
JSA
From:
cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Cory Casanave <cory-c@modeldriven.com>
Sent: Wednesday, November 11, 2015 1:20 PM
To: Jordan, Bret
Cc: Jerome Athias; Sarah Kelley; Ivan Kirillov; Ali Khan;
cti-stix@lists.oasis-open.org;
cti-cybox@lists.oasis-open.org
Subject: [cti-stix] RE: Stements & relations (was [cti-stix] [cti-cybox] Revoke Cybox Observable)
Here is some “conceptual” UML:
This is shown as a UML “Association Class” in the threat conceptual model. So for example “Membership” associates an actor with an organization. It is
a subclass of “Situation” which (among other things) provides for statements about the time this membership is valid. You can also have metadata about the membership situation, such as confidence and source.
In STIX we see this all the time in “Related_XXX”:
If we were to have a consistent rule I would then always map a UML association to a STIX relationship type, but my preference would be to only have one
intermediate and just have multiple instances for lists.
From: Jordan, Bret [mailto:bret.jordan@bluecoat.com]
Sent: Wednesday, November 11, 2015 12:53 PM
To: Cory Casanave
Cc: Jerome Athias; Sarah Kelley; Ivan Kirillov; Ali Khan;
cti-stix@lists.oasis-open.org;
cti-cybox@lists.oasis-open.org
Subject: Re: Stements & relations (was [cti-stix] [cti-cybox] Revoke Cybox Observable)
Can you give me some code-ish examples or UML-ish examples to help me better understand and follow your ideas? They sounds great, I just want to make sure I fully understand what they mean.
Thanks,
Bret
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
On Nov 11, 2015, at 10:13, Cory Casanave <cory-c@modeldriven.com> wrote:
Re: I kind of view all of this as people making assertions about something.
Yup!!
One thing this would bring up is consistency in relationships. In some cases STIX relations are not reified (made “real” with their own class/statement) – they are just properties, in other cases there is one class and in others 2 classes – a “set” (has a plural name) and a “relation” (has a “reference” name). I have seen reified relations in a lot of models, STIX is the first time I have seen it “doubled up” like this, I’m not sure that is needed. So the question is when should relations/statements be reified and should there be one or 2 “intermediates”?
· Never reify relations, this information goes somewhere else (so have to say where that is).
· Always reify relations, this is the basis for trust and versioning
· Sometimes reify relations – ok, so what are the rules for when?
· When is there a reified “set” and a reified “ref”?
I find “simple” means consistent. I would go for always reifying relations, but getting rid of the 2-steps. You can put all the metadata you want on each “statement”. I would think calling this a “statement” would also be a good idea as it makes the intent clear. Statements can then have a validity date range, source, confidence, etc. Of course, these are also statements.
-Cory
From: Jordan, Bret [mailto:bret.jordan@bluecoat.com]
Sent: Wednesday, November 11, 2015 11:37 AM
To: Cory Casanave
Cc: Jerome Athias; Sarah Kelley; Ivan Kirillov; Ali Khan; cti-stix@lists.oasis-open.org; cti-cybox@lists.oasis-open.org
Subject: Re: [cti-stix] [cti-cybox] Revoke Cybox Observable
I kind of view all of this as people making assertions about something. Those assertions can be good, bad, valid, invalid, only for a defined time frame etc. Further, people can make assertions about your assertions. You say this threat actor is using this TTP to run this campaign and attack these users types at these companies by doing XYZ.. Someone may come along and challenge part of that assertions and say it is not XYZ but rather ABC and DEF..
From hearing everyones complaints about versioning, I think that is something we should try and fix in the next 7 days. Lets identify the things that should be easy wins to figure out, and lets tackle them one at a time and fix them.
Thanks,
Bret
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
On Nov 11, 2015, at 06:44, Cory Casanave <cory-c@modeldriven.com> wrote:
I would like to strongly “+1” the idea of using the relationships as a basis for versioning. Deleting data is so 20th century!
If you consider each instance of these relationships a “statement” (or fact) stated by some party at some time, it will always be true that this party said what they said when they said it. In this area of threats, such “historical” statements can be very important even if they are no longer considered “true” by some party (i.e. some statements that made the U.S. go to war in Iraq ). As these statements (relationship instances) are already first-class things they can have a timeframe and confidence. We can say “that statement is invalid” or “That set of statements is not longer true”. If some implementation wants to interpret that as a “delete”, that would be fine but others may want a record of such statements (U.S. national archives likes to do such things).
Most of the infrastructure is already in place to do this, relationships have identity. Adding “second order” statements about them such as “superseded by” or “end date” provides for a very robust distributed knowledge base, which is what we are fundamentally trying to support.
-Cory
From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Jerome Athias
Sent: Tuesday, November 10, 2015 9:08 PM
To: Sarah Kelley
Cc: Jordan, Bret; Ivan Kirillov; Ali Khan; cti-stix@lists.oasis-open.org; cti-cybox@lists.oasis-open.org
Subject: [cti-stix] Re: [cti-cybox] Revoke Cybox Observable
While implementation dependent, imho, the top construct Relationship (remember top of our todo list) will help.
Would be 'easy' to implement a purge procedure of all observables that don't have a Relationship created more than x month/week ago
(Similar to logs or backups/archives management/roll process)
Should we finalize the Relationship?
On Tuesday, 10 November 2015, Sarah Kelley <Sarah.Kelley@cisecurity.org> wrote:At this point, we’re currently just trying to clean up our own database. I’m sure there is a much wider issue involved, but our current context is that we have the same observable in our system five different times (which is obviously unnecessary). The only things that changed were things like TLP, or “Hey, I fat-fingered something!” I understand the concern about "what does it mean to revoke a fact", but what if it’s just wrong? You type 1.1.1.1, and you really meant 2.2.2.2? The first is not correct, but currently is lingering in the system, even after unlinking it from the indicator.
Sarah Kelley
Senior CERT Analyst
Center for Internet Security (CIS)
Integrated Intelligence Center (IIC)
Multi-State Information Sharing and Analysis Center (MS-ISAC)
1-866-787-4722 (7×24 SOC)
Email: cert@cisecurity.org
Follow us @CISecurity
From: "Jordan, Bret" <bret.jordan@bluecoat.com>
Date: Tuesday, November 10, 2015 at 1:16 PM
To: Ivan Kirillov <ikirillov@mitre.org>
Cc: Sarah Kelley <sarah.kelley@cisecurity.org>, Unknown Unknown <athiasjerome@gmail.com>, Ali Khan <akhan@soltra.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] [cti-stix] Re: [cti-cybox] Revoke Cybox Observable
We have talked about this a lot in the past, in regards to STIX, and I now view this as an implementation or process related issue. The reason for that is you can not guarantee that the other end of the link will honor your request. Maybe in "like" systems, meaning all systems built by EclecticIQ or Soltra, you would have some level of success.
But when you span across products there is no guarantee that they have implemented it in their code, nor that the administrator will allow it. Requests like that may go in to a bucket for human review.
Thanks,
Bret
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
On Nov 10, 2015, at 11:09, Kirillov, Ivan A. <ikirillov@mitre.org> wrote:
Thanks for the context, Sarah - very helpful.
To me, this comes down to being a language versus process question - that is, is Observable revocation something that should be addressed as part of the CybOX language, or should it be considered more as part of the processes in which CybOX is used? I’m leaning towards the latter, for the reason that the notion of revocation around Observables is something that doesn’t seem to fit as part of the data model around them. This is because, at their core, Observables represent some cyber “fact”, and what it does it mean to revoke a “fact”? At least with Indicators, you can argue that the Indicator may no longer be valid, or that its pattern is incorrect. With Observables, I think the semantics of revocation are not as clear and may not really make sense.
At least in your case, it seems like we may need to consider defining some sort of garbage collection process, where Observables (and any other id-able CybOX/STIX entities) that were referenced and/or embedded in another entity and then no longer referenced be pruned from the datastore.
Regards,
Ivan
On 11/10/15, 12:31 PM, "cti-cybox@lists.oasis-open.org on behalf of Sarah Kelley" <cti-cybox@lists.oasis-open.org on behalf of Sarah.Kelley@cisecurity.org> wrote:
Just to give a little context around this question, this came up in a
conversation between Ali (well, several Soltra people) and myself today.
In our instance of Soltra Edge, we have (on many occasions) had to ‘edit’
an observable. Currently this involves editing the indicator, deleting the
link to the current Cybox observable, and creating a new observable. This
leaves lots of orphaned observables in our database that we really need to
have the ability to purge. The understanding we have is that currently
Cybox doesn’t support any sort of revoke/purge like Stix does.
Sarah Kelley
Senior CERT Analyst
Center for Internet Security (CIS)
Integrated Intelligence Center (IIC)
Multi-State Information Sharing and Analysis Center (MS-ISAC)
1-866-787-4722 (7×24 SOC)
Email: cert@cisecurity.org
www.cisecurity.org
Follow us @CISecurity
On 11/10/15, 11:06 AM, "cti-stix@lists.oasis-open.org on behalf of
Kirillov, Ivan A." <cti-stix@lists.oasis-open.org on behalf of
ikirillov@mitre.org> wrote:
Great question Ali; unfortunately I don’t have much insight into this
topic. Moving this to the STIX list - I think revocation is more specific
to STIX (though it clearly touches upon CybOX as well).
Regards,
Ivan
On 11/10/15, 11:00 AM, "cti-cybox@lists.oasis-open.org on behalf of
Jerome Athias" <cti-cybox@lists.oasis-open.org on behalf of
athiasjerome@gmail.com> wrote:
Potential review of this
https://stixproject.github.io/data-model/1.2/indicator/ValidTimeType/
Suggestions welcome
2015-11-10 18:48 GMT+03:00 Ali Khan <akhan@soltra.com>:
What is the cybox committees discussion so far for future versions to
support ability to revoke and remove completely a cybox observable
that was
created and then shared but now there is a need to remove it.
Thank You
Ali Khan
Lead Analyst
SOLTRA | An FS-ISAC & DTCC Company
Tampa, fl 33647
813.470.2197 | akhan@soltra.com
---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail. Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
...
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .
---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail. Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . .