Agreed these are different. It appears there are two ways to interpret it, suggesting possibly two data points:
-
Validation as to whether a particular profile is legit or fake
-
Any external information about that profile
From: Jerome Athias [mailto:athiasjerome@gmail.com]
Sent: Thursday, July 28, 2016 10:51 AM
To: Casey, Timothy P <timothy.p.casey@intel.com>
Cc: cti-stix@lists.oasis-open.org; Wunder, John A. <jwunder@mitre.org>; Joep Gommers <joep@eclecticiq.com>
Subject: Re: [cti-stix] Re: TA Social Media Account
Well, as for sure we could have various use cases/scenario (those could be discussed one by one), I will give you one, for maybe, restricting the scope of my initial question.
I (my profile/one instance of my digital identity) receive an invitation/connection request from another profile.
Doing some researches ((analysis)) I identify, with high confidence, that it is a fake profile. (and that there is a certain intent/motive behind it)
PS: note that this would be, imho, a different use case that the examples you provided
On Thu, Jul 28, 2016 at 8:25 PM, Casey, Timothy P <timothy.p.casey@intel.com> wrote:
If analysis is the objective, should the reference field be limited to just a LI account, or even just
to social media? What if things like vendor TA blogs, legal dossiers, government reports, etc. are also available?
Yeah I agree, there’s an important difference between something as an indicator and that same thing as part of an
analysis. It applies here, but also to malicious infrastructure, malware hashes/attributes, and many other places.
FWIW, that exact topic (the difference between an Indicator and a TTP/analysis) came up pretty consistently when
talking about STIX 1.2 so anything we can do in 2.0 to make it more clear is very important.
(I’m not arguing that we do anything to add this now, I agree w/ what Jerome said below that we should tackle it
for 2.1+)
John
Yep I concur
On Thursday, 28 July 2016, Joep Gommers <joep@eclecticiq.com> wrote:
There are indeed two different scenario’s;
- the linkedin account, when observed actively, is an indication of some intelligence (ttps, actors,
campaigns, bla)
- the linkedin account is part of the analysis narrative of an actor, a description of his (potential)
identity.
The first case would be an indicator, the second case would be part of some sort of identity construct.
They can exist in parallel.
From:
<cti-stix@lists.oasis-open.org> on behalf of Jerome Athias <athiasjerome@gmail.com>
Date: Thursday, July 28, 2016 at 7:53 AM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] TA Social Media Account
Hi,
Probably something for 2.1:
Could we want/need a -Profile Object- that would be some sort of (Digital) Identity? (bad or good)
(that could effectively be linked to a User_Account of a -Service- (other object needed?))
On Tue, Jul 26, 2016 at 3:44 PM, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:
You would make an indicator object that had a pattern that matched the LinkedIn account, and use an "indicates" relationship from the indicator to the Threat Actor (this indicator
indicates a presence of this Threat Actor).
There is no specific "LinkedIn account" object in Cybox. I would use the user-account-object.
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security |
www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
Jerome
Athias ---07/26/2016 03:33:13 AM---Hi, This would need some work with the Message Objects in the future, but for
From:
Jerome Athias <athiasjerome@gmail.com>
To:
cti-stix@lists.oasis-open.org
Date:
07/26/2016 03:33 AM
Subject:
[cti-stix] TA Social Media Account
Sent by:
<cti-stix@lists.oasis-open.org>
Hi,
This would need some work with the Message Objects in the future, but for now, quick question to the mentor(s):
Would we have a quick & clean way to add a, for example, LinkedIn account to the Threat Actor object?
|