Subject: Re: [cti-cybox] Re: [cti-stix] Question on Sightings Proposal and Cybox Observations


It seems weird to me, like a shoehorn. Would I give it 0 confidence?

And, it's not even accurate because at that stage you don't even know what the correct indicator pattern is.

Sent from IBM Verse


Wunder, John A. --- [cti-cybox] Re: [cti-stix] Question on Sightings Proposal and Cybox Observations ---

From: "Wunder, John A." <jwunder@mitre.org>
To: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>, cti-stix@lists.oasis-open.org, cti-cybox@lists.oasis-open.org
Date: Mon, Apr 4, 2016 5:54 PM
Subject: [cti-cybox] Re: [cti-stix] Question on Sightings Proposal and Cybox Observations


What do you think about using a low-confidence indicator for #1 and #2?

I also noticed that there’s a lot of workflow stuff in those use cases…implicit request from SOC to TI cell to do something, explicit request for sightings, explicit request to create an indicator, explicit +1 of indicator patterns (not necessarily a sighting I assume?). A lot of that stuff is definitely not covered now.

From: <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Monday, April 4, 2016 at 4:11 PM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: [cti-stix] Question on Sightings Proposal and Cybox Observations

I have a cross-cutting STIX and Cybox question, and answering it on Slack seems too difficult (bouncing between too many channels).

I have been reading through the STIX Sightings proposal and also the Cybox Observation proposal. I am not sure either of them take into account composite, behavioral use cases for sightings and observations.... but maybe I am simply misunderstanding.

Can someone explain how the below use cases can be done using the existing proposals? The main part I see the existing proposals falling down on are 1-3. I can't figure out how to communicate an observation of behavior, that is not an already existing indicator.

-

1) My SOC needs to be able to tell my threat intelligence group “we are seeing X followed by Y followed by Z, this looks strange”

2) My threat intelligence group needs to be able to ask my ISAO “we are seeing X followed by Y followed by Z, are you seeing anything like this”

3) Org 2 tells Org 1 via the ISAO “yes we are seeing that pattern as well, let's create an indicator for this pattern to publish to the ISAO”

4) A generalized indicator pattern is created and Org 1 and Org 2 both “+1” the pattern

5) Org 3 (and many other orgs) “+1” the pattern as well

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown
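Added example, not part of this thread or of the 2016 proposals it discusses: one way to carry the five use cases above in the object model STIX 2.1 eventually adopted (Observed Data for the raw “X followed by Y followed by Z” report in use cases 1 and 2, an Indicator whose pattern uses FOLLOWEDBY for the generalized pattern in use case 3, and a Sighting for each org's “+1” in use cases 4 and 5). The field names are the STIX 2.1 ones; the sample events, the 600-second window, the org name and the confidence value are assumptions chosen for illustration. It builds plain JSON dicts and approximates FOLLOWEDBY with an ordered scan, so it runs without the stix2 library.

```python
import json
import uuid
from datetime import datetime, timedelta, timezone

WINDOW_SECONDS = 600  # assumed correlation window for the whole X->Y->Z sequence


def stix_id(obj_type):
    return f"{obj_type}--{uuid.uuid4()}"


def ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%S.000Z")


# Constructed sample telemetry (hypothetical SOC events), already time-ordered.
T0 = datetime(2016, 4, 4, 16, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"t": T0, "type": "process", "name": "mshta.exe"},
    {"t": T0 + timedelta(seconds=12), "type": "network-traffic", "protocols": ["tcp"], "dst_port": 4444},
    {"t": T0 + timedelta(seconds=40), "type": "file", "name": "a.dll"},
]

# X, Y, Z as (SCO type, property, value): the behaviour the SOC wants to report.
STEPS = [
    ("process", "name", "mshta.exe"),
    ("network-traffic", "dst_port", 4444),
    ("file", "name", "a.dll"),
]


def match_sequence(events, steps, window):
    """Return the matched events if every step occurs, in order, within `window`
    seconds of the first; otherwise None. Approximates STIX FOLLOWEDBY: each step
    must match an event later than the one matched by the previous step."""
    matched, i = [], 0
    for e in sorted(events, key=lambda ev: ev["t"]):
        if i < len(steps):
            typ, key, val = steps[i]
            if e["type"] == typ and e.get(key) == val:
                matched.append(e)
                i += 1
    if i < len(steps):
        return None
    if (matched[-1]["t"] - matched[0]["t"]).total_seconds() > window:
        return None
    return matched


def stix_pattern(steps, window):
    """Render the steps as a STIX pattern with FOLLOWEDBY and a WITHIN qualifier."""
    def lit(v):
        return f"'{v}'" if isinstance(v, str) else str(v)
    obs = " FOLLOWEDBY ".join(f"[{t}:{k} = {lit(v)}]" for t, k, v in steps)
    return f"({obs}) WITHIN {window} SECONDS"


def sco(e):
    """Turn a sample event into a minimal STIX 2.1 Cyber-observable Object."""
    body = {k: v for k, v in e.items() if k != "t"}
    body["id"] = stix_id(e["type"])
    return body


def build_bundle(events, steps, window, org_name, confidence):
    """Use cases 1-2: the raw behaviour as Observed Data. Use cases 3-5: a shared
    Indicator for the generalized pattern plus this org's Sighting of it."""
    matched = match_sequence(events, steps, window)
    if matched is None:
        return None
    now = ts(matched[-1]["t"])
    org = {"type": "identity", "spec_version": "2.1", "id": stix_id("identity"),
           "created": now, "modified": now, "name": org_name,
           "identity_class": "organization"}
    scos = [sco(e) for e in matched]
    observed = {"type": "observed-data", "spec_version": "2.1", "id": stix_id("observed-data"),
                "created": now, "modified": now, "created_by_ref": org["id"],
                "first_observed": ts(matched[0]["t"]), "last_observed": ts(matched[-1]["t"]),
                "number_observed": 1, "object_refs": [s["id"] for s in scos]}
    indicator = {"type": "indicator", "spec_version": "2.1", "id": stix_id("indicator"),
                 "created": now, "modified": now, "created_by_ref": org["id"],
                 "indicator_types": ["anomalous-activity"], "confidence": confidence,
                 "pattern": stix_pattern(steps, window), "pattern_type": "stix",
                 "valid_from": now}
    sighting = {"type": "sighting", "spec_version": "2.1", "id": stix_id("sighting"),
                "created": now, "modified": now, "created_by_ref": org["id"],
                "sighting_of_ref": indicator["id"], "observed_data_refs": [observed["id"]],
                "where_sighted_refs": [org["id"]], "count": 1,
                "first_seen": observed["first_observed"], "last_seen": observed["last_observed"]}
    return {"type": "bundle", "id": stix_id("bundle"),
            "objects": [org, *scos, observed, indicator, sighting]}


if __name__ == "__main__":
    print(json.dumps(build_bundle(SAMPLE_EVENTS, STEPS, WINDOW_SECONDS, "Org 1", 15), indent=2))
```

A second org that sees the same sequence would reuse the shared Indicator's id as `sighting_of_ref` in its own Sighting rather than creating a new Indicator; the Observed Data can also be shared on its own, without any Indicator, when the pattern has not been agreed yet.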
