I too want to know this... As the more I have thought about it, the more I am coming to the idea that the precision field is just theoretical. It does not have an effect in the actual work flow. If it does, please give some concrete real world work flow examples of how this is going to help.
Thanks,
Bret Bret Jordan CISSPDirector of Security Architecture and Standards | Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
HI Patrick - please see my earlier email around this topic, specifically the part around end-to-end workflow scenarios...
""Well, were reporting this incident now as required by Law, but we are only certain at this point that the activity occurred as far back as yesterday. "
So lets assume for a moment that in the above use case the timestamp said "2015-11-24 00:00:00.000000" and did not indicate any type of "precision" indicating "+/- 24 hours"... why do I as the consumer of that information care.. how does that affect my consumption of that threat report? How can I make more effective use of that information in my system if I have that precision indicator? I am not going to do low-level temporal analysis on this type of indicator, so it doesn't matter from that perspective. What is the workflow where it does matter?
- Jason Keirstead Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
<graycol.gif>Patrick Maroney ---11/24/2015 04:17:59 PM---[+1] on use of syslog RFC and for support for Precision (in the literal sense). [+~] on being able t
From: Patrick Maroney <Pmaroney@Specere.org> To: Terry MacDonald <terry@soltra.com>, "Barnum, Sean D." <sbarnum@mitre.org>, "Jordan, Bret" <bret.jordan@bluecoat.com>, "Wunder, John A." <jwunder@mitre.org> Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> Date: 11/24/2015 04:17 PM Subject: Re: [cti-stix] STIX timestamps and ISO 8601:2000 Sent by: <cti-stix@lists.oasis-open.org>
[+1] on use of syslog RFC and for support for Precision (in the literal sense).[+~] on being able to drive to consensus on this highly critical aspect "our thing" (even though we broke our priority list sequence)But to Sean's point we do as a practical matter deal with "Uncertainty" (AKA "Precision") in Timestamps. There are a dozen use cases I can cite, but think I can simply use the "Well, were reporting this incident now as required by Law, but we are only certain at this point that the activity occurred as far back as yesterday. So we can clearly agree that there should be one and only one way of specifying temporal "values" (whether fixed, relative, or intervals). But his "one way of doing things" means we still need a way to convey "uncertainty" where we need to communicate same.Dose that makes sense?Patrick MaroneyPresidentIntegrated Networking Technologies, Inc.Office: (856)983-0001Cell: (609)841-5104From: <cti-stix@lists.oasis-open.org> on behalf of Terry MacDonald <terry@soltra.com> Date: Tuesday, November 24, 2015 at 2:37 PM To: Sean Barnum <sbarnum@mitre.org>, Bret Jordan <bret.jordan@bluecoat.com>, John Wunder <jwunder@mitre.org> Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> Subject: RE: [cti-stix] STIX timestamps and ISO 8601:2000I am fine with Trey’s proposal too. Specifically I support all 5 items on Bret’s email. I agree we do not have consensus on #5. A few extra comments though, brought up by a review of the extra restrictions the Syslog RFC (6.2.3 TIMESTAMP) places on implementations. Is this an acceptable full list for the timestamp? (shamelessly borrowed bits from the syslog rfc). The TIMESTAMP field is a formalized timestamp derived from [RFC3339]. Whereas [RFC3339] makes allowances for multiple syntaxes, this document imposes further restrictions. The TIMESTAMP value MUST follow these additional restrictions: 1. An RFC3339 timestamp format MUST be used. 2. All timestamps MUST be in UTC 3. A timezone offset MUST NOT be used. All times MUST be recorded in UTC time. 4. Usage of the "T" and "Z" characters are REQUIRED. 5. The "T" and "Z" characters in this syntax MUST be upper case. 6. The producer SHOULD include as much precision as its clock accuracy and performance permit. 7. Timestamps can have any level of sub-second precision that they support and a simple regex should be used in code to determine the precision Examples: nanoseconds = '2015-11-24T09:42:54.003259294Z' microseconds = '2015-11-24T09:42:54.003259Z' milliseconds = '2015-11-24T09:42:54.003Z' Note: The additional precision field is still up for debate as we currently do not have consensus. What say everybody? Cheers Terry MacDonaldSenior STIX Subject Matter ExpertSOLTRA | An FS-ISAC and DTCC Company+61 (407) 203 206 | terry@soltra.com From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Barnum, Sean D. Sent: Wednesday, 25 November 2015 5:34 AM To: Jordan, Bret <bret.jordan@bluecoat.com>; Wunder, John A. <jwunder@mitre.org> Cc: cti-stix@lists.oasis-open.org Subject: Re: [cti-stix] STIX timestamps and ISO 8601:2000 I am fine with #1-4I disagree with #5.Again, I will assert there IS a need for an explicit precision field. I have tried to explain the context a couple of time but apparently still have not done a good enough job.Unfortunately, I do not have the cycles today to attempt to explain the scenarios for precision on this topic in any further detail.Hopefully I will have a chance to do so tomorrow. I just wanted to make it clear for now that we do not have consensus on #5. Sean From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of "Jordan, Bret" <bret.jordan@bluecoat.com> Date: Tuesday, November 24, 2015 at 1:24 PM To: John Wunder <jwunder@mitre.org> Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> Subject: Re: [cti-stix] STIX timestamps and ISO 8601:2000 So I think we are finally getting somewhere..... Before we claim that we agree, let me paraphrase and summarize just to make sure: 1) A timestamp format of yyyy-mm-dd-Thh:mm:ssZ MUST be usedExamples:2015-11-23T13:35:12Z (for 1:35:12 in UTC format) 2) All timestamps MUST be in UTC a UI will change them as needed for an analyst 3) A timezone offset will NOT be used, all times will be recorded in UTC 4) Timestamps can have any level of sub-second precision that they support and a simple regex should be used in code to determine the precisionExamples:nanoseconds = '2015-11-24T09:42:54.003259294Z' microseconds = '2015-11-24T09:42:54.003259Z' milliseconds = '2015-11-24T09:42:54.003Z'etc. 5) There will be no extra precision field Open questionsA) If the time of day is not known should it be:i) zeroed outExamples:'2015-11-24T11:00:00Z' (known only to the 11th hour)'2015-11-24T00:00:00Z (known only to the day)ii) not included, just like the sub-second (if we do this, is this a violation of RFC3339)Examples:'2015-11-24T11Z' (known only to the 11th hour)'2015-11-24TZ (known only to the day)Thanks, Bret Bret Jordan CISSPDirector of Security Architecture and Standards | Office of the CTOBlue Coat SystemsPGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." On Nov 24, 2015, at 06:24, Wunder, John A. <jwunder@mitre.org> wrote: I have a slight preference for Trey’s approach but would also be fine with Terry’s.
I prefer Trey’s because IMO support for a standard as-is is better than redefining the standard. RFC3339 allows for accuracy to any arbitrary (second) value and therefore the vast majority of date/time libraries will be able to support that. His approach allows us to use the standard as-is. In fact, the requirement for millisecond precision may make things more difficult for those who just want to use RFC3339 processing libraries because they have to get those libraries to produce *our* version of RFC 3339 rather than anything compatible with the standard.
I don’t think it will allow accuracy to the day unless we move back to ISO 8601 with all the other openness that it brings. But, I tend to agree with Terry that it will matter very little in almost every circumstance so we shouldn’t worry about it.
John
On Nov 24, 2015, at 5:28 AM, Trey Darley <trey@soltra.com> wrote:
On 24.11.2015 02:36:50, Terry MacDonald wrote:
I think that we have to put this whole discussion in perspective. Most organizations have difficulty in discovering they have a breach within days and weeks, not within a second. So going with B) iii) and having the precision within 1 second realistically is good enough in my opinion. It is far more likely that all the clocks on the network are not synchronized, and all the tools are reporting different and unrelated times and that they are way more than a second out of alignment with each other. The zeroed out millisecond timestamp doesn’t impact us much when we have real-world problems such as that.
I agree with Terry however...
On 23.11.2015 20:51:09, Wunder, John A. wrote:
This is not to say that we need a precision field, just that if we do it should be explicit rather than implicit.
...I also agree with John. On the one hand, I can't count the number of times I've seen investigations get thrown under the bus due to clock-sync issues. On the other hand, recent history has shown that historical assumptions made about datetime can come back to bite us with a vengeance.
So I think we should just use the standard explicitly. The producer can use the level of precision they support and intend to communicate, the consumer can easily recognize the level of precision coming from the producer, and handle it appropriately. Doing this in the manner illustrated below imposes less burden on the consumer than handling an optional 'precision' field while accomplishing the same goal.
<snip> #!/usr/bin/env python
import re
nanoseconds = '2015-11-24T09:42:54.003259294Z' microseconds = '2015-11-24T09:42:54.003259Z' milliseconds = '2015-11-24T09:42:54.003Z' seconds = '2015-11-24T09:42:54Z' minutes = '2015-11-24T09:42Z' # You get the idea...
timestamps = [nanoseconds, microseconds, milliseconds, seconds, minutes]
nano_re = re.compile(r'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{9}Z') micro_re = re.compile(r'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{6}Z') milli_re = re.compile(r'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d{3}Z') sec_re = re.compile(r'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z') min_re = re.compile(r'\d{4}-\d{2}-\d{2}T\d{2}:\d{2}Z')
for ts in timestamps: if nano_re.match(ts): print('Found nanosecond time...') elif micro_re.match(ts): print('Found microsecond time...') elif milli_re.match(ts): print('Found millisecond time...') elif sec_re.match(ts): print('Found second time...') elif min_re.match(ts): print('Found minute time...') </snip
There! Entirely explicit, uses RFC 3339 as intended, and there's one clear way of doing things without resorting to optional fields.
-- Cheers, Trey -- Trey Darley Senior Security Engineer 4DAA 0A88 34BC 27C9 FD2B A97E D3C6 5C74 0FB7 E430 Soltra | An FS-ISAC & DTCC Company www.soltra.com -- "It is always something." --RFC 1925
|