[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-cybox] Re: [cti-stix] Question on Sightings Proposal and Cybox Observations
|From:||"Wunder, John A." <email@example.com>|
|To:||"Jason Keirstead" <Jason.Keirstead@ca.ibm.com>, firstname.lastname@example.org, email@example.com|
|Date:||Mon, Apr 4, 2016 5:54 PM|
|Subject:||[cti-cybox] Re: [cti-stix] Question on Sightings Proposal and Cybox Observations|
I have a cross-cutting STIX and Cybox question, and answering it on Slack seems too difficult (bouncing between too many channels).
I have been reading through the STIX Sightings proposal and also the Cybox Observation proposal. I am not sure either of them take into account composite, behavioral use cases for sightings and observations.... but maybe I am simply misunderstanding.
Can someone explain how the below use cases can be done using the existing proposals? The main part I see the existing proposals falling down on are 1-3. I can't figure out how to communicate an observation of behavior, that is not an already existing indicator.
1) My SOC needs to be able to tell my threat intelligence group “we are seeing X followed by Y followed by Z, this looks strange”
2) My threat intelligence group needs to be able to ask my ISAO “we are seeing X followed by Y followed by Z, are you seeing anything like this”
3) Org 2 tells Org 1 via the ISAO “yes we are seeing that pattern as well, lets create an indicator for this pattern to publish to ISAO
4) A generalized indicator pattern is created and Org 1 and Org 2 both “+1” the pattern
5) Org 3 (and many other orgs) “+1” the pattern as well
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown