[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-stix] Re: Reviewing External-Reference
So here’s some thoughts. Obviously some of these will be more common (malware, report, COA) than others (Sighting, Observation) but it seems valuable to me to have this
consistently available. As the overarching use cases: -
Sources for information (URLs to non-STIX reports, URLs to forum posts, etc.) -
IDs for the concept in non-STIX databases (or databases where the primary ID is not a STIX ID) -
IDs for the concept in external content libraries (CAPEC, CVE) More specifically: Campaign – Sources Course of Action – ID for COA in a COA database (SANS top 25, OWASP top 10) Identity – HSPD7 sector ID, or other external IDs for identities Indicator – local ID for indicator (e.g. alert #) Malware – Antivirus names Marking Definition – the FIRST IEP has an ID field that might not be compatible with STIX, might want to represent that. Dave Cridland also talked about
referencing some existing policies by ID (that might not be a STIX ID) Observation – Probably more rare given these are so automated, but we did have a ticket for this in 1.2.
Relationship – Also probably more rare, but when we talked about this as a TLO it was mentioned that it could be used to reference sources, which would
be important for relationship assertions Report – URL to PDF version of the report, a local ID for the report (i.e. US-CERT JIB number) Sighting – maybe not common for most indicator sightings, but for sightings of things like campaigns or malware (which is permitted) you might have either
a case number (assuming you don’t create a full-blown STIX incident) or tags for the alert in the system that originally issued it (things coming from SIEMs) Threat Actor – TA tracking codenames John From:
Rich Piazza <rpiazza@mitre.org> Hi Bret, If we were just supporting external_ids, I would probably agree with you – but we are supporting external references also (URLs). Before this proposal was made, external_reference
was a full-fledged TLO, which any other TLO could have a relationship with – so this enables us to handle that use case. BTW, in the examples I included several uses which were not Attack Pattern related: Incident referring to a JIRA or VERIS external id, Report referring to a PDF report (I
know Incident isn’t in MVP – yet J ). Rich From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org]
On Behalf Of Jordan, Bret That is fine... But can we get an explanation of how it would be used or how it would make sense for all TLOs not just a subset of the TLOs? The only one I have heard
an example for is Attack Pattern and that is so you can link against a CAPEC ID. How would this be used for each of the following: Campaign Course of Action Identity Indicator Malware Marking Definition Observation Relationship Report
Sighting Threat Actor I think it will be a huge stretch to justify it for Relationship, Marking Definition and maybe even Report if not also some of the others. Bret
From:
cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Wunder, John A. <jwunder@mitre.org> I come at this from the opposite perspective I think. Back in STIX 1.2, we had this field in two places: Indicator and Incident. In Indicator it was
called Alternative_IDs and in Incident it was called External_IDs. At that time we had an issue to add it to Observable (now Observation) as well:
https://github.com/CybOXProject/schemas/issues/386. Lastly, based on those usages and the intent to use it on Vulnerability and Attack Pattern, we added a ticket to just make
it consistent across all objects:
https://github.com/STIXProject/schemas/issues/358. We discussed it back in February as part of the core object properties discussion (http://markmail.org/message/4jqzqj4mdoqygbk2?q=external+reference+list:org%2Eoasis-open%2Elists%2Ecti+date:201602+&page=1#query:external%20reference%20list%3Aorg.oasis-open.lists.cti%20date%3A201602%20+page:1+mid:zfwhga2ayoosjblh+state:results)
and decided at that point to add it. It was discussed in the context of the Report and Sighting object at that point (on both the CTI list and the CTI STIX list).
Later on, we altered course a bit and rather than having it as a property on all TLOs we added “External Reference” as a separate TLO and said we would
use relationships for this concept and so it was removed. Now that we’re moving back to having it as properties, in my opinion we should just move it back to what we discussed previously and add it across all TLOs. It’s more consistent that way and is a change
based on actual experience with an inconsistent approach in STIX 1.2. So, long story long, I think we should add it across all TLOs. John From:
<cti-stix@lists.oasis-open.org> on behalf of "Jordan, Bret" <bret.jordan@bluecoat.com> I would prefer that we only add things to the Common TLO Properties section once we know that it is in fact needed on every TLO. I do not want to just artificially add
things to TLOs that may never need them. So lets use the external-reference type for Attack Pattern and see if anything else needs it in the future. My guess is that only a small handful of things will actually
end up needing it. Bret From:
cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Piazza, Rich <rpiazza@mitre.org> When reviewing the External Reference type (https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.cez46v5quobo
), please consider the usages of it. In the original proposal, as discussed on a previous working call, it was suggested that
external_references be added as a Common TLO field.
However, the Common TLO section’s status was already “Consensus”, so your humble editors didn’t want to change that text without discussion. An alternative is to only include it for particular TLOs. It originally was discussed by John Wunder as a way to support external_ids like CAPEC. Therefore,
it would be make sense for it to be a field of Attack Pattern, for instance. However, it was broadened to include URLs, so it was thought that all TLOs might need this concept. So…… …as we finalize External References, we must also approve how it is used. The choices are: ·
external_references is a Common TLO field ·
external_references is a field on a TLO if there is an explicit use case for it (e.g., Attack Pattern). |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]