We had talked about this approach but felt that it was clearer to have the properties in separate objects (Sarah suggested it). It reduces the number of top-level objects required to represent
these things and puts the data closer to where it’s relevant (IMO).
I think the use cases below should still be supportable even without having a single Identity object. It would be nice to whiteboard it (when we get to that).
John
From:
Terry MacDonald <terry.macdonald@cosive.com>
Date: Friday, July 29, 2016 at 4:09 PM
To: Bret Jordan <bret.jordan@bluecoat.com>
Cc: "Casey, Timothy P" <timothy.p.casey@intel.com>, "Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, Jerome Athias <athiasjerome@gmail.com>, Joep Gommers <joep@eclecticiq.com>
Subject: Re: [cti-stix] TA Social Media Account
It seems to me that we could rename the Source object to a more generic Identity object, and we would gain the ability to track identities, and use relationships to associate these identities with different parts of STIX.
- you could link threat actor with identity with a 'persona_of' relationship to represent a fake identity the threat actor uses
- you could link threat actor with identity with a 'identity_of' relationship to represent the real identity of the threat actor
- you could link object creator directly with identity to represent the source of the object.
- you could link tool creator with identity with a 'created_by' relationship to represent the real identity of the tool creator (malware would link to threat actor)
- you could link victimtarget with identity with a 'identity_of' relationship to represent the real identity of the victimtarget (if we are talking specific victims)
An Identity object seems more flexible to me than a Source object, which appears to be an identity object restricted to just representing who created something.
Cheers
Terry MacDonald
Cosive
On 30/07/2016 6:40 AM, "Jordan, Bret" <bret.jordan@bluecoat.com> wrote:
Just to be clear, just because we are finishing up STIX 2.0 and working through its final phases, that does not preclude the community from starting to work on STIX 2.1 items.
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
Agreed these are different. It appears there are two ways to interpret it, suggesting possibly two data points:
- Validation as to whether a particular profile is legit or fake
- Any external information about that profile
Well, as for sure we could have various use cases/scenario (those could be discussed one by one), I will give you one, for maybe, restricting the scope of my initial question.
I (my profile/one instance of my digital identity) receive an invitation/connection request from another profile.
Doing some researches ((analysis)) I identify, with high confidence, that it is a fake profile. (and that there is a certain intent/motive behind it)
PS: note that this would be, imho, a different use case that the examples you provided
If analysis is the objective, should the reference field be limited to just a LI account, or even just to social media? What if things like vendor TA blogs, legal dossiers, government
reports, etc. are also available?
Yeah I agree, there’s an important difference between something as an indicator and that same thing as part of an analysis. It applies here, but also to malicious infrastructure, malware
hashes/attributes, and many other places.
FWIW, that exact topic (the difference between an Indicator and a TTP/analysis) came up pretty consistently when talking about STIX 1.2 so anything we can do in 2.0 to make it more clear
is very important.
(I’m not arguing that we do anything to add this now, I agree w/ what Jerome said below that we should tackle it for 2.1+)
There are indeed two different scenario’s;
- the linkedin account, when observed actively, is an indication of some intelligence (ttps, actors, campaigns, bla)
- the linkedin account is part of the analysis narrative of an actor, a description of his (potential) identity.
The first case would be an indicator, the second case would be part of some sort of identity construct. They can exist in parallel.
Probably something for 2.1:
Could we want/need a -Profile Object- that would be some sort of (Digital) Identity? (bad or good)
(that could effectively be linked to a User_Account of a -Service- (other object needed?))
You would make an indicator object that had a pattern that matched the LinkedIn account, and use an "indicates" relationship from the indicator to the Threat Actor (this indicator indicates a presence of
this Threat Actor).
There is no specific "LinkedIn account" object in Cybox. I would use the user-account-object.
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
<image001.png>Jerome Athias ---07/26/2016 03:33:13 AM---Hi, This would need some work with the Message Objects in the future, but for
From: Jerome Athias <athiasjerome@gmail.com>
To: cti-stix@lists.oasis-open.org
Date: 07/26/2016 03:33 AM
Subject: [cti-stix] TA Social Media Account
Sent by: <cti-stix@lists.oasis-open.org>
Hi,
This would need some work with the Message Objects in the future, but for now, quick question to the mentor(s):
Would we have a quick & clean way to add a, for example, LinkedIn account to the Threat Actor object?
|