Subject: Re: [cti-stix] Re: Opinion Object Proposal
I can support this.
Sarah Kelley
Senior CERT Analyst
Center for Internet Security (CIS)
Integrated Intelligence Center (IIC)
Multi-State Information Sharing and Analysis Center (MS-ISAC)
1-866-787-4722 (7×24 SOC)
Email: cert@cisecurity.org
www.cisecurity.org
Follow us @CISecurity
From: <cti-stix@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@cosive.com>
Date: Thursday, June 23, 2016 at 7:38 PM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: [cti-stix] Re: Opinion Object Proposal
Hi All,
Can I take it that the lack of responses means that you all think this is a great idea? If so that's excellent, as it means it can drop straight into the MVP build as it doesn't require any modification :).
Though seriously, if everyone is OK with the idea of this object which I've been banging on about for about a year then please speak up so we can get it added and allow people to have opinions about others' assertions. This object opens up the ability for people to effectively 'upvote' or 'downvote' a piece of threat intelligence. This will allow consumers to crowd-source how much they should trust the assertions made in that threat intelligence - which is a key enabler for consumers to effectively use the threat intelligence they receive.
I passionately believe we need this object in MVP.
Use Case (bad intel):
- Threat Intel Vendor A provides some high confidence threat intel saying that 8.8.8.8 (Google DNS) is a malicious asset.
- 30 other vendors, producers and generate Opinion objects that all strongly disagree with the intel that Vendor A released.
- A consumer can now see that Vendor A's intel shouldn't be trusted to have a high confidence, and therefore shouldn't probably be used in production.
OUTCOME: Confidence in the value of the threat intel is decreased
Use Case (good intel):
- Threat Intel Vendor B provides some low confidence threat intel saying that they think that www.compromisedsite.com has been compromised by Angler.
- Threat Intel Vendor C sends an Opinion Object strongly agreeing with Threat Intel Vendor C as they believe they are correct
- A consumer can now see that Vendor B's intel is pretty good, and they can potentially increase their confidence in that intel, and maybe use it in production.
OUTCOME: Confidence in the value of the threat intel is increased
What say you STIX community?
Cheers
Terry MacDonald | Chief Product Officer
On Thu, Jun 16, 2016 at 11:00 PM, Terry MacDonald
<terry.macdonald@cosive.com> wrote:
...
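
The two use cases in the quoted proposal, as an added example that is not part of the thread or of the proposal itself: a consumer-side score that moves a producer's stated confidence using Opinion objects, counting one vote per producer identity so repeated opinions from one source cannot dominate. Field names follow the Opinion object as later published in STIX 2.1; the numeric weights, `max_shift`, `damping`, and all ids are assumptions constructed for illustration.

```python
# Added example: consumer-side scoring of Opinion objects (not from the thread).
SCORE = {"strongly-disagree": -2, "disagree": -1, "neutral": 0,
         "agree": 1, "strongly-agree": 2}  # weights are an assumption

def adjusted_confidence(target, opinions, max_shift=60, damping=3):
    """Return (adjusted confidence 0-100, number of distinct voters)."""
    latest = {}  # author identity -> that author's newest opinion on target
    for op in opinions:
        author = op.get("created_by_ref")
        if target["id"] not in op.get("object_refs", []):
            continue                      # opinion is about something else
        if not author or author == target.get("created_by_ref"):
            continue                      # anonymous or self-endorsement
        if op.get("opinion") not in SCORE:
            continue                      # unknown label: ignore, do not guess
        prev = latest.get(author)
        if prev is None or op["created"] > prev["created"]:
            latest[author] = op           # one vote per identity, newest wins
    voters = len(latest)
    if voters == 0:
        return target["confidence"], 0
    mean = sum(SCORE[o["opinion"]] for o in latest.values()) / voters  # -2..+2
    weight = voters / (voters + damping)  # few voters move the score less
    shifted = target["confidence"] + max_shift * (mean / 2) * weight
    return round(min(100, max(0, shifted))), voters

def make_opinion(author, target_id, label, created="2016-06-23T00:00:00Z"):
    """Build a constructed Opinion-like dict for the demo below."""
    return {"type": "opinion", "created_by_ref": author, "created": created,
            "object_refs": [target_id], "opinion": label}

# Constructed sample data; ids are placeholders, not real STIX UUIDs.
BAD = {"id": "indicator--bad", "created_by_ref": "identity--vendor-a", "confidence": 90}
GOOD = {"id": "indicator--good", "created_by_ref": "identity--vendor-b", "confidence": 30}
CROWD = [make_opinion(f"identity--producer-{i}", BAD["id"], "strongly-disagree")
         for i in range(30)]
STUFFED = [make_opinion("identity--producer-0", BAD["id"], "strongly-disagree",
                        f"2016-06-23T00:00:{i:02d}Z") for i in range(30)]
ENDORSE = [make_opinion("identity--vendor-c", GOOD["id"], "strongly-agree")]

if __name__ == "__main__":
    print(adjusted_confidence(BAD, CROWD))     # 30 distinct producers disagree
    print(adjusted_confidence(BAD, STUFFED))   # one producer, 30 opinions
    print(adjusted_confidence(GOOD, ENDORSE))  # single endorsement
```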