
Subject: Re: [cti-stix] Question on Sightings Proposal and Cybox Observations

What do you think about using a low-confidence indicator for #1 and #2?

I also noticed that there’s a lot of workflow stuff in those use cases…implicit request from SOC to TI cell to do something, explicit request for sightings, explicit request to create an indicator, explicit +1 of indicator patterns (not necessarily a sighting I assume?). A lot of that stuff is definitely not covered now.

From: <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Monday, April 4, 2016 at 4:11 PM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: [cti-stix] Question on Sightings Proposal and Cybox Observations

I have a cross-cutting STIX and Cybox question, and answering it on Slack seems too difficult (bouncing between too many channels).

I have been reading through the STIX Sightings proposal and also the Cybox Observation proposal. I am not sure either of them take into account composite, behavioral use cases for sightings and observations... but maybe I am simply misunderstanding.

Can someone explain how the below use cases can be done using the existing proposals? The main part I see the existing proposals falling down on is 1-3. I can't figure out how to communicate an observation of behavior that is not an already existing indicator.


1) My SOC needs to be able to tell my threat intelligence group “we are seeing X followed by Y followed by Z, this looks strange”

2) My threat intelligence group needs to be able to ask my ISAO “we are seeing X followed by Y followed by Z, are you seeing anything like this”

3) Org 2 tells Org 1 via the ISAO “yes we are seeing that pattern as well, let's create an indicator for this pattern to publish to ISAO”

4) A generalized indicator pattern is created and Org 1 and Org 2 both “+1” the pattern

5) Org 3 (and many other orgs) “+1” the pattern as well

Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown
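As an added example that is not part of the thread: the reply's suggestion of a low-confidence indicator for use cases 1 and 2, with the per-org "+1"s of use cases 4 and 5 expressed as Sighting objects, written out in STIX 2.1 JSON. STIX 2.1 is the finalized successor of the 2016 proposals discussed here, so its object and field names (`confidence`, `sighting_of_ref`, `where_sighted_refs`, the `FOLLOWEDBY` / `WITHIN` pattern operators) may not match what was on the table at the time. The three organisation identities, the X/Y/Z observables, the 600-second window, the confidence value of 15 and the two-org corroboration threshold are all constructed for this example; only the standard library is used.

```python
"""Model the thread's use cases 1-5 as STIX 2.1 objects (added example, not from the thread)."""
import json
import uuid
from datetime import datetime, timezone

# Constructed identity ids standing in for the organisations named in the thread.
ORGS = {name: f"identity--{uuid.uuid4()}" for name in ("Org 1", "Org 2", "Org 3")}


def _now() -> str:
    # STIX timestamps: RFC 3339, UTC, millisecond precision, trailing 'Z'.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def _literal(value):
    # Integers are written bare; strings are single-quoted with backslash escapes,
    # as STIX patterning requires.
    if isinstance(value, int):
        return str(value)
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def sequence_pattern(steps, within_seconds):
    """'X followed by Y followed by Z' as comparison expressions joined by FOLLOWEDBY
    and bounded by a WITHIN qualifier."""
    exprs = [f"[{path} = {_literal(val)}]" for path, val in steps]
    return " FOLLOWEDBY ".join(exprs) + f" WITHIN {within_seconds} SECONDS"


def make_indicator(created_by, steps, within_seconds, confidence):
    """A low-confidence indicator is the reply's proposal for use cases 1 and 2."""
    if not 0 <= confidence <= 100:
        raise ValueError("STIX confidence is an integer from 0 to 100")
    ts = _now()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created_by_ref": created_by,
        "created": ts,
        "modified": ts,
        "indicator_types": ["anomalous-activity"],
        "pattern": sequence_pattern(steps, within_seconds),
        "pattern_type": "stix",
        "valid_from": ts,
        "confidence": confidence,
    }


def make_sighting(indicator_id, sighted_by, count=1):
    """One Sighting relationship object is an org's '+1' (use cases 4 and 5)."""
    ts = _now()
    return {
        "type": "sighting",
        "spec_version": "2.1",
        "id": f"sighting--{uuid.uuid4()}",
        "created_by_ref": sighted_by,
        "created": ts,
        "modified": ts,
        "sighting_of_ref": indicator_id,
        "where_sighted_refs": [sighted_by],
        "count": count,
    }


def tally_sightings(objects):
    """Map each sighted indicator id to the distinct sighting orgs and the summed count."""
    tally = {}
    for obj in objects:
        if obj["type"] != "sighting":
            continue
        entry = tally.setdefault(obj["sighting_of_ref"], {"orgs": set(), "count": 0})
        entry["orgs"].update(obj["where_sighted_refs"])
        entry["count"] += obj.get("count", 1)
    return tally


def corroborated(objects, min_orgs):
    """Indicator ids sighted by at least min_orgs distinct orgs (an assumed review threshold)."""
    tally = tally_sightings(objects)
    return sorted(ind for ind, t in tally.items() if len(t["orgs"]) >= min_orgs)


def build_thread_example():
    """Use cases 1-5: Org 1 publishes the low-confidence sequence indicator, then
    Org 1, Org 2 and Org 3 each sight it. Observables X, Y, Z are constructed stand-ins."""
    steps = [
        ("email-message:subject", "Invoice attached"),   # X
        ("process:name", "powershell.exe"),              # Y
        ("network-traffic:dst_port", 4444),              # Z
    ]
    indicator = make_indicator(ORGS["Org 1"], steps, within_seconds=600, confidence=15)
    sightings = [
        make_sighting(indicator["id"], ORGS["Org 1"], count=4),
        make_sighting(indicator["id"], ORGS["Org 2"], count=2),
        make_sighting(indicator["id"], ORGS["Org 3"], count=1),
    ]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [indicator, *sightings]}


if __name__ == "__main__":
    bundle = build_thread_example()
    print(json.dumps(bundle, indent=2))
    print("corroborated by 2+ orgs:", corroborated(bundle["objects"], 2))
```

The `corroborated` helper is the defender-side view of use cases 4 and 5: the indicator starts out low-confidence, and the number of distinct organisations that have filed a Sighting against it is what a TI cell would look at before raising `confidence` on a revised version of the object. The request/response workflow the reply notes as uncovered (SOC asking the TI cell, TI cell asking the ISAO) is deliberately not modelled, since neither proposal in the thread describes objects for it.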
