Re: [cti-stix] Re: Reviewing External-Reference

["Wunder, John A." <jwunder@mitre.org>]

So here’s some thoughts. Obviously some of these will be more common (malware, report, COA) than others (Sighting, Observation) but it seems valuable to me to have this consistently available.

 

As the overarching use cases:

 

-          Sources for information (URLs to non-STIX reports, URLs to forum posts, etc.)

-          IDs for the concept in non-STIX databases (or databases where the primary ID is not a STIX ID)

-          IDs for the concept in external content libraries (CAPEC, CVE)

 

More specifically:

 

Campaign – Sources

Course of Action – ID for COA in a COA database (SANS top 25, OWASP top 10)

Identity – HSPD7 sector ID, or other external IDs for identities

Indicator – local ID for indicator (e.g. alert #)

Malware – Antivirus names

Marking Definition – the FIRST IEP has an ID field that might not be compatible with STIX, might want to represent that. Dave Cridland also talked about referencing some existing policies by ID (that might not be a STIX ID)

Observation – Probably more rare given these are so automated, but we did have a ticket for this in 1.2.

Relationship – Also probably more rare, but when we talked about this as a TLO it was mentioned that it could be used to reference sources, which would be important for relationship assertions

Report – URL to PDF version of the report, a local ID for the report (i.e. US-CERT JIB number)

Sighting – maybe not common for most indicator sightings, but for sightings of things like campaigns or malware (which is permitted) you might have either a case number (assuming you don’t create a full-blown STIX incident) or tags for the alert in the system that originally issued it (things coming from SIEMs)

Threat Actor – TA tracking codenames

 

John

 

From: Rich Piazza <rpiazza@mitre.org>
Date: Wednesday, June 15, 2016 at 9:37 AM
To: "Jordan, Bret" <bret.jordan@bluecoat.com>, "Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: RE: [cti-stix] Re: Reviewing External-Reference

 

Hi Bret,

 

If we were just supporting external_ids, I would probably agree with you – but we are supporting external references also (URLs).  Before this proposal was made, external_reference was a full-fledged TLO, which any other TLO could have a relationship with – so this enables us to handle that use case.

 

BTW, in the examples I included several uses which were not Attack Pattern related:  Incident referring to a JIRA or VERIS external id, Report referring to a PDF report (I know Incident isn’t in MVP – yet J ).

 

                Rich

 

From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Jordan, Bret
Sent: Wednesday, June 15, 2016 6:39 AM
To: Wunder, John A. <jwunder@mitre.org>; cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Re: Reviewing External-Reference

 

That is fine...  But can we get an explanation of how it would be used or how it would make sense for all TLOs not just a subset of the TLOs?  The only one I have heard an example for is Attack Pattern and that is so you can link against a CAPEC ID.  

 

How would this be used for each of the following:

 

Campaign

Course of Action

Identity

Indicator

Malware

Marking Definition

Observation

Relationship

Report       

Sighting

Threat Actor

 

I think it will be a huge stretch to justify it for Relationship, Marking Definition and maybe even Report if not also some of the others.

 

 

Bret

 

 

 

 

---

From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Wunder, John A. <jwunder@mitre.org>
Sent: Tuesday, June 14, 2016 6:32 PM
To: cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Re: Reviewing External-Reference

 

I come at this from the opposite perspective I think. Back in STIX 1.2, we had this field in two places: Indicator and Incident. In Indicator it was called Alternative_IDs and in Incident it was called External_IDs. At that time we had an issue to add it to Observable (now Observation) as well: https://github.com/CybOXProject/schemas/issues/386. Lastly, based on those usages and the intent to use it on Vulnerability and Attack Pattern, we added a ticket to just make it consistent across all objects: https://github.com/STIXProject/schemas/issues/358. We discussed it back in February as part of the core object properties discussion (http://markmail.org/message/4jqzqj4mdoqygbk2?q=external+reference+list:org%2Eoasis-open%2Elists%2Ecti+date:201602+&page=1#query:external%20reference%20list%3Aorg.oasis-open.lists.cti%20date%3A201602%20+page:1+mid:zfwhga2ayoosjblh+state:results) and decided at that point to add it. It was discussed in the context of the Report and Sighting object at that point (on both the CTI list and the CTI STIX list).

Add Alternative_IDs to ObservableType · Issue #386 · CybOXProject/schemas github.com This would serve the same purpose as Alternative_ID on Incident and External_ID on Incident. (suggested by someone who wanted to remain anonymous)

 

 

Later on, we altered course a bit and rather than having it as a property on all TLOs we added “External Reference” as a separate TLO and said we would use relationships for this concept and so it was removed. Now that we’re moving back to having it as properties, in my opinion we should just move it back to what we discussed previously and add it across all TLOs. It’s more consistent that way and is a change based on actual experience with an inconsistent approach in STIX 1.2.

 

So, long story long, I think we should add it across all TLOs.

 

John

 

From: <cti-stix@lists.oasis-open.org> on behalf of "Jordan, Bret" <bret.jordan@bluecoat.com>
Date: Tuesday, June 14, 2016 at 6:51 PM
To: Rich Piazza <rpiazza@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: [cti-stix] Re: Reviewing External-Reference

 

I would prefer that we only add things to the Common TLO Properties section once we know that it is in fact needed on every TLO.  I do not want to just artificially add things to TLOs that may never need them.

 

So lets use the external-reference type for Attack Pattern and see if anything else needs it in the future.  My guess is that only a small handful of things will actually end up needing it.  

 

Bret

 

 

---

From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Piazza, Rich <rpiazza@mitre.org>
Sent: Tuesday, June 14, 2016 10:35 AM
To: cti-stix@lists.oasis-open.org
Subject: [cti-stix] Reviewing External-Reference

 

When reviewing the External Reference type (https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.cez46v5quobo ), please consider the usages of it.

 

In the original proposal, as discussed on a previous working call, it was suggested that external_references be added as a Common TLO field. 

However, the Common TLO section’s status was already “Consensus”, so your humble editors didn’t want to change that text without discussion.

 

An alternative is to only include it for particular TLOs.  It originally was discussed by John Wunder as a way to support external_ids like CAPEC.  Therefore, it would be make sense for it to be a field of Attack Pattern, for instance.  However, it was broadened to include URLs, so it was thought that all TLOs might need this concept.  So……

 

…as we finalize External References, we must also approve how it is used.  The choices are:

 

·         external_references is a Common TLO field

·         external_references is a field on a TLO if there is an explicit use case for it (e.g., Attack Pattern).