[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-stix] Object ID format
| The way I see it, all objects except Relationships, will have a valid information source object that can be used to figure out who the ID came from, if the producers will ALLOW you to know where it came from. In the idea of Relationships, as has been previously discussed, you may not know and may not be able to go back directly to the producer of the indicator or malware and get more context. That may also be by design. Think about groups that sell threat intel. They may sell to Bank 1. And Bank 1 may make a relationship object that points to something they bought. That does not mean you have a contract to go back to the threat provider and get more data. You may need to ask Bank 1 for more context and they may have to say. Sorry, can not help you. But for those that have a contract and get the threat feed, they will be able to put the pieces of the puzzle together. I believe the real debate is about the relationship object and how people can go about gaining context about an indicator that they do not have in their database. Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards | Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." |
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]