Subject: Re: [cti-stix] relationships
Hey Bret,

I don’t think I’m following the distinction between saying “campaign [detectable-by] indicator” and “indicator [can-detect] campaign”…it seems like the semantics of this are identical to me and if we had both relationships defined it would just be two ways of saying the same thing. Can you elaborate a bit (over e-mail, Slack, or maybe we should have a call) on the important distinction between those two statements?

I had always thought we would just pick a consistent direction (probably the active direction, so “can detect”) and use that everywhere, minimizing cases where one org says “indicator detects campaign” and another says “campaign is detected by indicator”.

John

From: <cti-stix@lists.oasis-open.org> on behalf of Bret Jordan <bret.jordan@bluecoat.com>

I took a hard look at the relationships we have defined so far, and really tried to question each one. I made a lot of comments in the docs for us to review. I focused on what is the relationship trying to say, and does it make sense in both directions.

What I came up with is that in some cases it does make sense in both directions, however, what you are trying to say is actually different. I guess it all comes down to what you are starting with, and what you are trying to say about that which you started with.

Take the example of an Indicator linking to a Campaign.

1) If you start with the Campaign, you might say that "This Campaign is [detectable-by] this Indicator"

2) If you start with the Indicator, you might say that "This Indicator [can-detect] this Campaign" or "This Indicator [indicates] the presence of this Campaign".

So it really depends on what you have to start with, and what you are trying to say. So for some of these, we may actually need to define the relationships both ways.

Thanks,

Bret

Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
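The situation discussed in this thread, where one org publishes "indicator [can-detect] campaign" and another publishes "campaign [detectable-by] indicator", shown from the consumer's side as an added example that is not part of the original messages or of the STIX specification. The object IDs and org names are constructed, and the inverse table is an assumption built only from the two relationship names quoted above.

```python
from typing import Dict, List, NamedTuple


class Rel(NamedTuple):
    source: str
    kind: str
    target: str


# Assumption: passive name -> active name. Only this pair is quoted in the thread.
INVERSES = {"detectable-by": "can-detect"}

# Constructed sample feeds: three orgs describing the same indicator/campaign pair.
FEEDS: Dict[str, List[Rel]] = {
    "org-a": [Rel("indicator--1", "can-detect", "campaign--1")],
    "org-b": [Rel("campaign--1", "detectable-by", "indicator--1")],
    "org-c": [Rel("indicator--1", "indicates", "campaign--1")],
}


def canonical(rel: Rel) -> Rel:
    """Rewrite a passive-direction relationship into its active form."""
    active = INVERSES.get(rel.kind)
    if active is None:
        return rel  # already active, or not a declared inverse
    return Rel(rel.target, active, rel.source)


def naive_merge(feeds: Dict[str, List[Rel]]) -> set:
    """Deduplicate on the literal triple, as a consumer unaware of inverses would."""
    return {rel for rels in feeds.values() for rel in rels}


def merge(feeds: Dict[str, List[Rel]]) -> Dict[Rel, List[str]]:
    """Deduplicate after canonicalising direction, recording who asserted each fact."""
    seen: Dict[Rel, List[str]] = {}
    for org, rels in feeds.items():
        for rel in rels:
            seen.setdefault(canonical(rel), []).append(org)
    return seen


if __name__ == "__main__":
    print(len(naive_merge(FEEDS)), "distinct statements without canonicalisation")
    for rel, orgs in merge(FEEDS).items():
        print(rel.source, f"[{rel.kind}]", rel.target, "asserted by", orgs)
```

The "indicates" statement stays separate because nothing in the table declares it a synonym of "can-detect"; whether it should be one is the kind of question the thread is debating.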