OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cti-stix message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [cti-stix] Opinion Object Proposal

Regarding the concept, it's a Yes for me

On Friday, 24 June 2016, Terry MacDonald <terry.macdonald@cosive.com> wrote:
Hi All,

Can I take it that the lack of responses means that you all think this is a great idea? If so that's excellent, as it means it can drop straight into the MVP build as it doesn't require any modification :).

Though seriously, if everyone is OK with the idea of this object which I've been banging on about for about a year then please speak up so we can get it added and allow people to have opinions about other's assertions. This object opens up the ability for people to effectively 'upvote' or 'downvote' a piece of threat intelligence. This will allow consumers to crowd-source how much they should trust the assertions made in that threat intelligence - which is a key enabler for consumers to effectively use the threat intelligence they receive.

I passionately believe we need this object in MVP. 

Use Case (bad intel):
- Threat Intel Vendor A provides some high confidence threat intel saying that 8.8.8.8 (Google DNS) is a malicious asset. 
- 30 other vendors, producers and generate Opinion objects that all strongly disagree with the intel that Vendor A released.
- A consumer can now see that Vendor A's intel shouldn't be trusted to have a high confidence, and therefore shouldn't probably be used in production.
OUTCOME: Confidence in the value of the threat intel is decreased

Use Case (good intel):
- Threat Intel Vendor B provides some low confidence threat intel saying that they think that www.compromisedsite.com has been compromised by Angler. 
- Threat Intel Vendor C sends an Opinion Object strongly agreeing with Threat Intel Vendor C as they believe they are correct
- A consumer can now see that Vendor B's intel is pretty good, and they can potentially increase their confidence in that intel, and maybe use it in production.
OUTCOME: Confidence in the value of the threat intel is increased

What say you STIX community?

Cheers

Terry MacDonald | Chief Product Officer







On Thu, Jun 16, 2016 at 11:00 PM, Terry MacDonald <terry.macdonald@cosive.com> wrote:
Hi All,

As I've mentioned many times over the last year I firmly believe we need a way for third parties to agree or disagree with the threat intelligence they have received. If Org A has released a high confidence relationship between ActorX and Campaign G, and Org B knows that the relationship is wrong, then they need a way of signalling that to the community, so that community members don't blindly accept what Org A has released.

Since late last year I've been suggesting we need an Opinion object. And today I took the step of writing up what that would look like.

I would like to propose that we add this to the draft as proposal, and that we include it in the MVP release.

1.2.Opinion

Type Name: opinion

Status: Proposal

MVP: Undecided


The Opinion object is used to convey the Object creator's opinion about another object produced by a third-party. It will allow each organization to agree or disagree with another organization's assertions, and ultimately will enable consumers to collect and understand the collective opinions of the community about the quality of the threat intelligence they have received.


This is the first step towards consumers being able to crowdsource the opinion of the community, which will help newcomers to the threat intelligence sharing groups better understand which threats have a high degree of third party agreement and which are contentious.

1.2.1.​ Properties

STIX TLO Common Properties

type, id, created_by_ref, revision, created_time, modified_time, revoked, revision_comment, object_markings_refs, granular_markings

Property Name

Type

Description

type (required)

string

The value of this field MUST be opinion

description (optional)

string

A description that provides the recipient with reasoning to back up the opinion identified in this Opinion object.

object_ref(required)

identifier

The id of the object that the Opinion refers to. This id can be any other STIX TLO except another Opinion object.

opinion(required)

list of type controlled-vocab

The opinion that the producer has about the object listed in the object_ref field. This is one of the following options:

  • "strongly-agree"

  • "agree"

  • "neutral"

  • "disagree"

  • "strongly-disagree"

  • "no-opinion"


​1.2.2.​ Source Relationships

These are the relationships defined between the Opinion Object and other objects.

STIX TLO Common Relationships

duplicate-of, related-to

1.2.3.​ Destination Relationships

These are the relationships defined between other objects and the Opinion Object.

Kind of Relationship

Source Type

Description

evidence-of

observation

Relates the Observation to an Opinion providing the evidence that the opinion was based on. This observation is evidence of why the organization formed the opinion it did about the threat intelligence contained within the object_ref field.



Cheers

Terry MacDonald | Chief Product Officer







[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]