

Subject: Re: [cti-stix] Intrusion Sets


Hi Gary,

I'm confused. If you're copying some fields from the campaign object, then why not just use the campaign object as the 'intrusion set'? The campaign is for grouping related entities together. You could relate objects together with low confidence relationships when you are collecting potential objects together, and then make them high confidence relationships when you are sure they are real.

Thinking about it, maybe we could provide a better solution by adding a new 'possible' confidence level to the relationship confidence field that goes under 'low'. In this way we can demonstrate our hunches through the existing object structure, rather than via a new object.

Another way would be to create the Investigation object (as previously suggested on the list) which would be responsible for grouping together all objects that are currently being used during an investigation, and lump all the related objects together (but that's kind of what you're wanting the intrusion set object to do, isn't it?).

Cheers
Terry MacDonald

On 4/06/2016 00:08, "Jordan, Bret" <bret.jordan@bluecoat.com> wrote:
Yes, always...  Please propose a list of property field names, their types, and descriptions and also any relationships and their associated verbs.  Look in the Potential TLOs document for a starter for Intrusion Sets.  


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Jun 3, 2016, at 05:35, Katz, Gary CTR DC3/DCCI <Gary.Katz.ctr@dc3.mil> wrote:

Bret,
  Since this is something that some of us are going to need in order to share threat information, I'd like to have it in the initial release.  Can Paul and I work on something and put out a suggestion for review by next Friday?  My goal is to have something as similar as possible to the properties captured in Campaign.

-Gary

-----Original Message-----
From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Jordan, Bret
Sent: Thursday, June 02, 2016 6:16 PM
To: cti-stix@lists.oasis-open.org
Subject: [Non-DoD Source] [cti-stix] Intrusion Sets

After this week's working call, I think I understand what Gary wants out of the Intrusion Set TLO and I think I can get on board with it.  However, I do not think we will be able to deliver it for the summer release.  I just do not feel like we fully understand what properties will be needed yet. Therefore I would like to suggest that we push Intrusion Sets off to the Winter release...  Is everyone okay with that?  



Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

