cti-stix message



Subject: Re: [cti-stix] STIX MVP Priorities


The issue there is that different things are mixed up.
- Things related to the domain information (or UML (or data)) model

Here the hierarchy (Class Tree) between the Concepts (Objects) seems
still not commonly understood by all members of the TC.

e.g.: Identity vs Threat Actor, Identity vs Asset, Asset vs Target...
e.g.: Identity vs Party, Person, Organization (Enterprise*) like in
OASIS CIQ https://en.wikipedia.org/wiki/EDXL#Customer_Information_Quality
(note a reference to NIEM* i.e. nc:PersonType)

Maybe a simple formulation, triples-like, (and referenced somewhere)
could help (for abstraction, a (potentially visual) hierarchy, class
tree, or simplistic ontology...)
e.g.:
An Organization is an Identity
A Person is an Identity
A Threat Actor is an Identity
or
A Threat Actor is an Organization or a Person
A Person is an Asset for an Organization
A Target is an Organization or Asset (or group of Assets)
(so a Person could be a Target since a Person is an Asset)
or
An Asset in the CTI domain is always an IT-Asset

An Incident affects an Organization, a Person or an Asset

A Malware is a Tool
A Malware is an Asset of a Threat Actor
A Tool could be an Asset of an Organization or Person

A Report is produced by an Identity
An Indicator is produced by an Identity
An Intrusion Set is produced by an Identity
An Observation is produced by an Identity
An Observation involves one or more Asset(s)
An Observation produces one or more Indicator(s)
A Sighting is produced by an Identity on an Observation

A Malicious Infrastructure is a group of Assets used by one or more
Threat Actor(s)

(Please correct)
An Intrusion Set is a group of Indicators
or
An Intrusion Set is a group of TTPs

...

- Things related to the Associations* (Relationships)

e.g.: Observation, Indicator, Intrusion Set, Infrastructure


- Things related to the exchange of information

Internationalization (string language [RFC3066] in OASIS EDXL, and in
https://github.com/json-schema/json-schema/wiki/translations-(v5-proposal)
(Please review!))
Sighting
(Granular) Data Markings



For each of these elements, IMHO, different skill sets/experience are required.
For example, I would see benefits having:
- Modeling SMEs (Subject Matter Experts)
- CTI Domain SMEs (e.g. Strategists, Analysts, CTI operations practitioners)
- Architecture, Product Design and Development/Coding SMEs

I think we would avoid friction going this way.
Everybody would still be involved, but dispatching the work, with the
(identified) SMEs discussing their domain first between them, before
submitting work for review by the other SMEs (i.e. as a top-down
approach) could be, IMHO, a more efficient use of our resources.



2016-06-24 18:17 GMT+03:00 Wunder, John A. <jwunder@mitre.org>:
> Hey all,
>
> We’re getting down to the wire now so I also wanted to take this chance to
> outline our major topic areas and make sure we’re working towards a solid
> MVP release. At a high level, I believe this covers the major topics we need
> to finish up. I’ve ordered these in my priority order.
>
> 1. Sighting, Observation, Indicator
> 2. Malware and Tool
> 3. Identity
> 4. Internationalization
> 5. Threat Actor
> 6. Malicious Infrastructure
> 7. Incident
> 8. Asset
> 9. Target
> 10. Intrusion Set
> 11. Opinion
> 12. Granular Markings
>
> IMO we should delay MVP if we don’t finish 1-5. My personal goal is to be
> able to finish 1-8.
>
> We really need to prioritize these topics and make decisions so we can be
> sure to have something complete by MVP. I’m a little bit worried we’ll spend
> too much time deciding on asset vs. infrastructure and won’t have time to
> get identity or target right, for example. So I would ask everyone to think
> about your priorities and let us know what to focus on. Can you rank the
> above items in your order of priority, and then help us focus on the top
> priority items? Is there anything we could postpone until after MVP, or at
> least hold off on discussing further until we’ve finished the other items?
>
> This isn’t to say that those of you focusing on intrusion set, opinion,
> incident, asset, or infrastructure should stop work. Just keep in mind that
> we really need to get identity right because we use it all over or we’re
> going to be in trouble. I do think we’re close on asset vs. infrastructure
> and so will still send out some mail on that topic to see if we can’t get
> the definitions at least on the same page.
>
> John
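The triples-like formulation proposed in the reply above (an is-a class tree plus "produced by", "affects" and similar relations) becomes checkable once it is written down as data. The following is an added Python example, not code from this thread or from the STIX TC: it encodes the reply's sentences as constructed triples with predicate names chosen here, reads "A Target is an Organization or Asset" as two is_a edges into Target (an assumption), and then answers the questions the mail itself raises, such as whether a Person can be a Target because a Person is an Asset, plus two checks a list of sentences does not make visible: cycles in the tree and concepts that have not been placed in it yet.

```python
from collections import defaultdict

# Constructed sample: the "X is a Y" / "X is produced by Y" sentences from
# the mail above, encoded as (subject, predicate, object) triples. Reading
# "A Target is an Organization or Asset" as two is_a edges into Target, and
# the predicate names themselves, are assumptions made for this example.
TRIPLES = [
    ("Organization", "is_a", "Identity"),
    ("Person", "is_a", "Identity"),
    ("ThreatActor", "is_a", "Identity"),
    ("Person", "is_a", "Asset"),
    ("Organization", "is_a", "Target"),
    ("Asset", "is_a", "Target"),
    ("Malware", "is_a", "Tool"),
    ("Malware", "asset_of", "ThreatActor"),
    ("Report", "produced_by", "Identity"),
    ("Indicator", "produced_by", "Identity"),
    ("Observation", "produced_by", "Identity"),
    ("Observation", "involves", "Asset"),
    ("Observation", "produces", "Indicator"),
    ("Sighting", "produced_by", "Identity"),
    ("Sighting", "on", "Observation"),
    ("Incident", "affects", "Organization"),
    ("Incident", "affects", "Person"),
    ("Incident", "affects", "Asset"),
    ("MaliciousInfrastructure", "group_of", "Asset"),
    ("MaliciousInfrastructure", "used_by", "ThreatActor"),
]


class ConceptModel:
    """Minimal triple store whose is_a edges form the class tree."""

    def __init__(self, triples):
        self.triples = list(triples)
        self.parents = defaultdict(set)  # concept -> direct is_a parents
        self.concepts = set()
        for s, p, o in self.triples:
            self.concepts.update((s, o))
            if p == "is_a":
                self.parents[s].add(o)

    def ancestors(self, concept):
        """Every concept reachable from `concept` by following is_a edges."""
        seen, stack = set(), list(self.parents.get(concept, ()))
        while stack:
            c = stack.pop()
            if c not in seen:
                seen.add(c)
                stack.extend(self.parents.get(c, ()))
        return seen

    def is_a(self, sub, sup):
        """Subsumption test: a concept is_a itself and each of its ancestors."""
        return sub == sup or sup in self.ancestors(sub)

    def may_relate(self, subject, predicate, obj):
        """True if some stated triple licenses subject -predicate-> obj once
        the class tree is applied at both ends (e.g. an Observation may
        involve a Person because a Person is an Asset)."""
        return any(p == predicate and self.is_a(subject, s) and self.is_a(obj, o)
                   for s, p, o in self.triples)

    def cycles(self):
        """Concepts whose is_a chain leads back to themselves: a modelling
        error that a plain list of sentences would not make visible."""
        return sorted(c for c in self.parents if c in self.ancestors(c))

    def unplaced(self):
        """Concepts with no is_a parent: either genuine roots of the tree or
        concepts the mail has not yet placed in the hierarchy."""
        return sorted(c for c in self.concepts if c not in self.parents)


if __name__ == "__main__":
    model = ConceptModel(TRIPLES)
    print("Person is a Target:", model.is_a("Person", "Target"))
    print("Observation may involve a Person:",
          model.may_relate("Observation", "involves", "Person"))
    print("Incident may affect a ThreatActor:",
          model.may_relate("Incident", "affects", "ThreatActor"))
    print("Unplaced concepts:", model.unplaced())
    print("Cycles:", model.cycles())
```

Running it shows that Person is a Target (Person is_a Asset is_a Target), that an Incident cannot affect a ThreatActor under these triples (a ThreatActor is only an Identity, and Incident affects Organization, Person or Asset), and that Report, Indicator, Observation, Sighting, Incident and MaliciousInfrastructure have no place in the class tree yet, which is exactly the kind of gap the reply suggests settling before arguing about individual objects. Adding a contradictory sentence such as ("Target", "is_a", "Asset") makes `cycles()` report both Asset and Target.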

