Subject: Re: [cti-stix] relationships


Yeah, upon further reflection around 3:00, I realized I sent this a bit early.  I do not think you actually need both.

Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Jul 15, 2016, at 07:06, Wunder, John A. <jwunder@mitre.org> wrote:

Hey Bret,
 
I don’t think I’m following the distinction between saying “campaign [detectable-by] indicator” and “indicator [can-detect] campaign”…it seems like the semantics of this are identical to me and if we had both relationships defined it would just be two ways of saying the same thing. Can you elaborate a bit (over e-mail, slack, or maybe we should have a call) on the important distinction between those two statements?
 
I had always thought we would just pick a consistent direction (probably the active direction, so “can detect”) and use that everywhere, minimizing cases where one org says “indicator detects campaign” and another says “campaign is detected by indicator”.
 
John
 
From: <cti-stix@lists.oasis-open.org> on behalf of Bret Jordan <bret.jordan@bluecoat.com>
Date: Friday, July 15, 2016 at 1:33 AM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: [cti-stix] relationships
 
I took a hard look at the relationships we have defined so far, and really tried to question each one.  I made a lot of comments in the docs for us to review.  I focused on what is the relationship trying to say, and does it make sense in both directions.  What I came up with is that in some cases it does make sense in both directions, however, what you are trying to say is actually different.
 
I guess it all comes down to what you are starting with, and what you are trying to say about that which you started with.  Take the example of an Indicator linking to a Campaign.  
 
1) If you start with the Campaign, you might say that "This Campaign is [detectable-by] this Indicator"
 
2) If you start with the Indicator, you might say that "This Indicator [can-detect] this Campaign" or "This Indicator [indicates] the presence of this Campaign".
 
So it really depends on what you have to start with, and what you are trying to say.  So for some of these, we may actually need to define the relationships both ways. 

 

Thanks,
 
Bret
 
 
 
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 
 

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail
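The thread argues about whether a relationship needs to be defined in both directions or whether one canonical direction suffices. The following is an added example, not code from the thread or from the STIX project, showing John's approach: store every relationship in one active direction ("indicates", indicator to campaign, assumed here as the canonical type) and fold the passive "detectable-by" and the synonym "can-detect" from the thread into it, so both of Bret's readings can be answered from the same data. Object ids are constructed sample values.

```python
from collections import defaultdict

# Alias table: relationship_type -> (canonical type, swap source/target?).
# "can-detect" is the same statement as "indicates"; "detectable-by" is the
# same statement read from the campaign's side, so its ends are reversed.
CANONICAL = {
    "indicates":     ("indicates", False),
    "can-detect":    ("indicates", False),
    "detectable-by": ("indicates", True),
}

def normalize(rel):
    """Return a copy of rel rewritten into the canonical active direction."""
    try:
        ctype, swap = CANONICAL[rel["relationship_type"]]
    except KeyError:
        raise ValueError(f"unknown relationship_type {rel['relationship_type']!r}")
    src, dst = rel["source_ref"], rel["target_ref"]
    if swap:
        src, dst = dst, src
    return {"type": "relationship", "relationship_type": ctype,
            "source_ref": src, "target_ref": dst}

class RelationshipIndex:
    """Index normalized relationships so either direction can be queried."""
    def __init__(self, rels):
        self.forward = defaultdict(set)   # source_ref -> {(type, target_ref)}
        self.reverse = defaultdict(set)   # target_ref -> {(type, source_ref)}
        for r in rels:
            n = normalize(r)
            self.forward[n["source_ref"]].add((n["relationship_type"], n["target_ref"]))
            self.reverse[n["target_ref"]].add((n["relationship_type"], n["source_ref"]))

    def detects(self, indicator_id):
        """'This Indicator [can-detect] ...' : campaigns the indicator indicates."""
        return {t for typ, t in self.forward[indicator_id] if typ == "indicates"}

    def detectable_by(self, campaign_id):
        """'This Campaign is [detectable-by] ...' : indicators pointing at it."""
        return {s for typ, s in self.reverse[campaign_id] if typ == "indicates"}

# Constructed sample: two producers state the same fact in opposite directions.
SAMPLE = [
    {"type": "relationship", "relationship_type": "indicates",
     "source_ref": "indicator--1111", "target_ref": "campaign--aaaa"},
    {"type": "relationship", "relationship_type": "detectable-by",
     "source_ref": "campaign--aaaa", "target_ref": "indicator--2222"},
]
```

Once normalized, a consumer never has to know which phrasing the producer chose; unknown relationship types are rejected rather than silently dropped.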
