Subject: Re: [cti-stix] Including Incident and Assets in STIX MVP
Hi Rich - Did we not review the list of objects and vote on what was required for MVP? Should we not be focusing on that MVP list before we start introducing more objects or classes? Given that it's already June 10th and the goal is to have an MVP spec by July, it would seem we need to focus and put some of these items on the backlog for a future release.

Regarding the statement on STIX 2.0 without an incident object: how many organizations are sharing incidents, vs. sharing campaigns, TTPs, intrusion sets, indicators, etc.? What does an incident convey that the other TLOs do not? If there's a strong case for incident and asset in MVP then we should add them for sure. But I'm not sure there is.

Allan

From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of "Piazza, Rich" <rpiazza@mitre.org>

It is difficult to imagine STIX 2.0 without an Incident TLO, and if we include Incident, that implies that we also need an Asset TLO. Before I present a proposal for these two TLOs, I thought I might describe how these concepts are defined in STIX 1.x and how that fits into our current design goals for STIX 2.0. Both of these objects in STIX 1.x were very “meaty”.
I have some comments and questions below. Knowing the community's thoughts on them could help me come up with a better initial proposal. Also, a lot of the features were based on VERIS. I wrote a stix2veris converter a few years ago; therefore, I'm aware of the similarities and differences between STIX 1.2 and VERIS.

For STIX 1.x documentation, see
http://stixproject.github.io/data-model/1.2/incident/IncidentType/ and
http://stixproject.github.io/data-model/1.2/incident/AffectedAssetType/

The Incident object in STIX 1.x can be summarized into five groupings of fields (fields in italics are already not part of STIX 2.0):

Basic: ID, Title, Description, Short_Description, Handling, Information_Source, External_ID, etc.
Metadata: Time, Status (cv), Discovery Method (cv from VERIS), Categories, Confidence, Security_Compromise (cv)
Relationships: Related_Indicators, Related_Observables, Leveraged_TTPs, Attributed_Threat_Actors, COA_Requested, COA_Taken, Related_Incidents, Affected_Assets, Related_Packages
Details: Impact_Assessment, Intended_Effect, History
Associated Identities: Reporter, Responder, Coordinator, Victim, Contact

Comments and Questions?
· Most of the Basic fields are similar to the TLO Common fields in 2.0.
· Categories is very similar to Indicator_Type (or labels in 2.0) in that it is currently a cv (http://stixproject.github.io/data-model/1.2/stixVocabs/IncidentCategoryVocab-1.0/), but its list of values seems somewhat incomplete. It should probably be an ov in 2.0.
· Relationships are called out for many of the TLOs, which are appropriate to make explicit?
· History is a log of actions taken, either as COA or just text notes. Is this MVP?
· Intended_Effect, Impact_Assessment – similar to objective field of campaign, which we are representing as a list of strings in 2.0.
· Victim is probably the identity of the actual victim, not a description of a “general” target.
· Reporter could be related to created_by_ref, although the concepts might not totally align.
· Are Responder, Coordinator and Contact needed for MVP?
· Anything missing that we need for 2.0?

The Asset object in STIX 1.x can be summarized into three groupings of fields (fields in italics are already not part of STIX 2.0):

Basic: Description
Metadata: Type (cv from VERIS - http://stixproject.github.io/data-model/1.2/stixVocabs/AssetTypeVocab-1.0/), Ownership_Class (cv from VERIS), Management_Class (cv from VERIS), Location_Class (cv from VERIS), Location
Details: Structured_Description, Nature_Of_Security_Effects, Business_Function_Or_Role

Comments and Questions?
· Type seems to be very important here – and the list of values from VERIS is very complete.
· Are the fields Type and Description sufficient for MVP?
· Structured_Description via CybOX is what is specified in STIX 1.x. There might be other standards that we eventually want to reference, but that is not something for 2.0.
· Are Ownership_Class, Management_Class, Location_Class part of MVP?
· Is the Location of the asset something that needs to be specified explicitly in its own field?
· Nature_Of_Security_Effects is where CIA (Confidentiality, Integrity, Availability, etc.) is specified. These concepts are commonly used to describe cyber-attack activity. These are important concepts in VERIS also. MVP?
· Anything missing that we need for 2.0?

Thanks for reading this long email…. :)

Rich

Rich Piazza
The MITRE Corporation
781-271-3760
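As an added example (not part of this thread, and not OASIS's or MITRE's code) of how the groupings Rich lists might look once folded into STIX 2.0's common-property conventions: the `incident` and `asset` object types, their object-specific properties, and the `affects` and `targets` relationship types used from an incident are assumptions drawn from the 1.x field lists above; STIX 2.0 itself defines neither object. Only the common properties, the `identity` properties, and the `<type>--<UUIDv4>` identifier and RFC 3339 timestamp formats follow the STIX 2.0 draft. The sample objects are constructed.

```python
"""Sketch of the email's Incident/Asset groupings as STIX 2.0-style objects.

Added example, not from the thread. STIX 2.0 defines no incident or asset TLO;
those two types, their properties and the relationship types below are
assumptions derived from the STIX 1.x field groupings in Rich's email.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# STIX 2.0 common properties: the 1.x "Basic" grouping maps onto these.
COMMON_REQUIRED = {"type", "id", "created", "modified"}
COMMON_OPTIONAL = {"created_by_ref", "revoked", "labels", "external_references",
                   "object_marking_refs", "granular_markings"}

# Object-specific properties. "identity" and "relationship" are real STIX 2.0
# types; "incident" and "asset" are hypothetical, one property per 1.x field.
# Categories becomes "labels", Reporter becomes created_by_ref, and each 1.x
# "Relationships" field becomes a separate relationship object.
OBJECT_PROPS = {
    "identity": {"name", "description", "identity_class", "sectors", "contact_information"},
    "relationship": {"relationship_type", "source_ref", "target_ref", "description"},
    "incident": {"name", "description", "first_seen", "status", "discovery_method",
                 "security_compromise", "intended_effect", "impact_assessment"},
    "asset": {"description", "asset_type", "ownership_class", "management_class",
              "location_class", "business_function_or_role", "nature_of_security_effects"},
}

ID_RE = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,6})?Z$")


def new_id(obj_type):
    """STIX 2.0 identifier: '<type>--<UUIDv4>'."""
    return f"{obj_type}--{uuid.uuid4()}"


def now():
    """STIX 2.0 timestamp: UTC, millisecond precision, trailing 'Z'."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def make_object(obj_type, created_by_ref=None, **props):
    """Attach the common properties to a set of object-specific properties."""
    ts = now()
    obj = {"type": obj_type, "id": new_id(obj_type), "created": ts, "modified": ts}
    if created_by_ref:
        obj["created_by_ref"] = created_by_ref
    obj.update(props)
    return obj


def make_relationship(rel_type, source, target):
    """Explicit relationship object replacing a 1.x embedded relationship field."""
    return make_object("relationship", relationship_type=rel_type,
                       source_ref=source["id"], target_ref=target["id"])


def validate(obj):
    """Return a list of problems; an empty list means the object passes."""
    problems = []
    obj_type = obj.get("type")
    for p in sorted(COMMON_REQUIRED):
        if p not in obj:
            problems.append(f"missing required common property '{p}'")
    if "id" in obj:
        if not ID_RE.match(obj["id"]):
            problems.append(f"malformed id {obj['id']!r}")
        elif obj["id"].split("--", 1)[0] != obj_type:
            problems.append("id prefix does not match 'type'")
    for p in ("created", "modified"):
        if p in obj and not TS_RE.match(str(obj[p])):
            problems.append(f"'{p}' is not a STIX timestamp")
    # String comparison is valid here because both stamps use the fixed format above.
    if "created" in obj and "modified" in obj and obj["modified"] < obj["created"]:
        problems.append("'modified' precedes 'created'")
    if "labels" in obj and not (isinstance(obj["labels"], list) and obj["labels"]):
        problems.append("'labels' must be a non-empty list")
    allowed = COMMON_REQUIRED | COMMON_OPTIONAL | OBJECT_PROPS.get(obj_type, set())
    for p in sorted(set(obj) - allowed):
        problems.append(f"unknown property '{p}' for type '{obj_type}'")
    for ref in ("source_ref", "target_ref", "created_by_ref"):
        if ref in obj and not ID_RE.match(str(obj[ref])):
            problems.append(f"'{ref}' is not a STIX identifier")
    return problems


def build_sample():
    """Constructed sample: victim identity, one incident, one affected asset."""
    victim = make_object("identity", name="Example Corp (constructed)",
                         identity_class="organization")
    incident = make_object("incident", created_by_ref=victim["id"],  # Reporter
                           name="Constructed: web server compromise",
                           labels=["unauthorized-access"],           # Categories as ov
                           status="Open", discovery_method="external report (constructed)",
                           intended_effect=["Unauthorized Access"])   # list of strings, as for campaign
    asset = make_object("asset", description="Constructed: public web server",
                        asset_type="Web application (constructed value)",
                        nature_of_security_effects=["Confidentiality", "Integrity"])  # CIA
    return [victim, incident, asset,
            make_relationship("affects", incident, asset),   # 1.x Affected_Assets (assumed type)
            make_relationship("targets", incident, victim)]  # 1.x Victim (assumed type)


if __name__ == "__main__":
    for o in build_sample():
        print(json.dumps(o, indent=2), "->", validate(o) or "ok")
```

Running the module prints each constructed object followed by its validation result; `validate` is deliberately limited to the shape checks the email's "Basic" discussion implies (common properties, identifier and timestamp formats, known property names) and does not enforce per-type required properties such as `identity_class`.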