Re: [cti-stix] Labels on STIX TLOs

["Wunder, John A." <jwunder@mitre.org>]

Based on what we have in the vocabularies now and what we had in the STIX 1.2 vocabularies, I believe what we were calling “type” is pretty much “labels”. So, I think we should go ahead and add it everywhere as an optional property, defining open vocabs for the TLOs where it makes sense and we have time. So we could have “labels” on all TLOs, but the open vocab for malware labels would be specific to malware while the open vocab for indicator labels would be specific to indicators.

 

We could note that in the specification using the same dark gray highlighting we use for “type” to indicate that we’re overriding the field with further specification.

 

John

 

From: Bret Jordan <bret.jordan@bluecoat.com>
Date: Thursday, June 30, 2016 at 8:28 PM
To: "Ted Bedwell (tebedwel)" <tebedwel@cisco.com>
Cc: Jason Keirstead <Jason.Keirstead@ca.ibm.com>, Terry MacDonald <terry.macdonald@cosive.com>, "Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Labels on STIX TLOs

 

I think we can all agree that we should have a general "tagging" or "labeling" object on the TLO Common Properties for all TLOs...  The question is, should it be different from the existing Indicator Type (now called labels) or Malware Type (also now called labels).  What does everyone think?  

 

 

 

Thanks,

 

Bret

 

 

 

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

 

On Jun 30, 2016, at 13:19, Ted Bedwell (tebedwel) <tebedwel@cisco.com> wrote:

 

​+1

 

Providing a generic tag mechanism would allow for a given organization to annotate intelligence specific to their operational workflows and have that context/metadata transmitted via STIX.  As a tool developer, being able to consume/maintain that context as an opaque value allows my tool to remain relevant within that operational environment without having to know about it a priori.

 

$0.02

 

Ted Bedwell

Principal Engineer

Network Threat Defense

.:|:.:|:. CISCO .:|:.:|:.

 

---

From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Sent: Thursday, June 30, 2016 8:57 AM
To: Terry MacDonald
Cc: John A. Wunder; cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Labels on STIX TLOs

 

Myself, I would prefer that "tag" or "labels" be added to the base TLO Common Properties instead of having special properties for many TLOs but for some other TLOs we do not have any label / tag method.

Analysts should be able to tag / label anything in STIX with anything they want. This facility will help them be able to quickly "look up" and categorize objects. 

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown 


<graycol.gif>Terry MacDonald ---06/29/2016 06:58:00 PM---I don't like the labels field myself. I would prefer the addition of a genetic tag TLO. The communit

From: Terry MacDonald <terry.macdonald@cosive.com>
To: "John A. Wunder" <jwunder@mitre.org>
Cc: cti-stix@lists.oasis-open.org
Date: 06/29/2016 06:58 PM
Subject: Re: [cti-stix] Labels on STIX TLOs
Sent by: <cti-stix@lists.oasis-open.org>

---

I don't like the labels field myself. I would prefer the addition of a genetic tag TLO. The community does prefer the labels field however, and so...

I would make the label field optional, and leave it applied just to the objects we can make a case for. I would worry about using it everywhere, as that will restrict us in the future if we decide to make it more specific to each object. Having one list across all objects would worry me that we are restricting our choices later on.

Cheers
Terry MacDonald
Cosive

On 30/06/2016 01:24, "Wunder, John A." <jwunder@mitre.org> wrote:

All,

  

One of the topics that came up across several items on the call yesterday was the “labels” field that currently exists on Indicator, Malware, and Tool. The field is an array of values from an open vocabulary (indicator-label-ov, malware-label-ov, and tool-label-ov respectively). 

  

We have a couple of open questions: 

  

1.       Should the labels field be required or optional? 

a.       If we make labels required, do we need to add a value of “other” to the vocabulary? This will help tools/users who can’t find an existing value in the vocabulary that works but don’t want to make one up.

2.       Which TLOs need the labels field? It’s on Indicator, Malware, and Tool now but has not been added to Campaign or Attack Pattern.

a.       Allan has suggested adding it across all top-level objects. Does that make sense, or should we consider it on a case-by-case basis?

b.       Allan also suggested that if we don’t add it across all top-level objects, it should be added to Campaign. Are there other TLOs that we should add it to, even if we don’t add it across all of them?

To be honest I don’t really have a strong opinion either way. What do you think?

  

John 

 

<graycol.gif>
---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that 
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php