

Subject: Re: [cti-stix] relationships


Hey Bret,

 

I don’t think I’m following the distinction between saying “campaign [detectable-by] indicator” and “indicator [can-detect] campaign”…it seems like the semantics of this are identical to me and if we had both relationships defined it would just be two ways of saying the same thing. Can you elaborate a bit (over e-mail, slack, or maybe we should have a call) on the important distinction between those two statements?

 

I had always thought we would just pick a consistent direction (probably the active direction, so “can detect”) and use that everywhere, minimizing cases where one org says “indicator detects campaign” and another says “campaign is detected by indicator”.

 

John

 

From: <cti-stix@lists.oasis-open.org> on behalf of Bret Jordan <bret.jordan@bluecoat.com>
Date: Friday, July 15, 2016 at 1:33 AM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: [cti-stix] relationships

 

I took a hard look at the relationships we have defined so far, and really tried to question each one. I made a lot of comments in the docs for us to review. I focused on what is the relationship trying to say, and does it make sense in both directions. What I came up with is that in some cases it does make sense in both directions, however, what you are trying to say is actually different.

 

I guess it all comes down to what you are starting with, and what you are trying to say about that which you started with.  Take the example of an Indicator linking to a Campaign.  

 

1) If you start with the Campaign, you might say that "This Campaign is [detectable-by] this Indicator"

 

2) If you start with the Indicator, you might say that "This Indicator [can-detect] this Campaign" or "This Indicator [indicates] the presence of this Campaign".

 

So it really depends on what you have to start with, and what you are trying to say.  So for some of these, we may actually need to define the relationships both ways. 

 

Thanks,

 

Bret

 

 

 

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

 


