Re: [cti-stix] Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

[Terry MacDonald <terry.macdonald@cosive.com>]

While I agree that there may be Threat Intel automatically generated by machines, I don't necessarily agree that this means we should use a single 0-100 range for confidence.

We shouldn't conflate multiple different confidence systems together as there is to much risk for misinterpretation. The admiralty code, for example, rates the Reliability of the source as well as the Reliability of the information. We need to decide if we are going to pick one system for confidence and mandate it (like admiralty code), or if we are going to allow multiple different confidence systems and will only mandate a MTI version (e.g. a Confidence object similar to the marking object).

As John mentioned earlier in this email chain, each type of confidence system has its own meanings for things at a different level. Without a way for the producer to specify which confidence level they are using, we run a real change of consumers interpreting the confidence level incorrectly. In addition, if the overall confidence is tracked via multiple types of confidence (e.g confidence in the source of the information well as the information itself) then tracking it via a single number won't work.

One way we can use the Admiralty code within STIX is to create an Admiralty code Confidence object for use on all STIX objects. Then when people receive the Threat Intel they know that it is 'encoded' as an Admiralty code Confidence and can consumer it appropriately.

The Admiralty code Confidence object would contain two fields that track:
- information reliability (confidence the info is true)
- source reliability (confidence the source is telling the truth)

I'm not sure that a single 0-100 number is good enough or flexible enough for our needs.

We really need those committee members who've worked in intelligence organisations to say what they used internally.

Cheers
Terry MacDonald
Cosive

On 14 Sep 2016 3:14 AM, "Allan Thomson" <athomson@lookingglasscyber.com> wrote:

I agree with Jason’s arguments. Both on mapping and how the numbers will be assigned by machines & humans.

 

STIX should focus on exchanging a ‘value’ for machine-to-machine. It’s a data exchange format not a UI exchange. How this information is relayed to a human or entered by a human can and may be different.

 

If a number of 0-100 is chosen then that can be mapped by products to something a human may more easily assign such as admiralty.

 

allan

 

From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Tuesday, September 13, 2016 at 7:58 AM
To: "Wunder, John" <jwunder@mitre.org>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

 

There is another reason that a numerical scale should be used, that I haven't yet mentioned as I didn't want to conflate the whole "confidence" problem - but I also didn't expect it to be so controversial, so here we go...

The problem with the admiralty scale is it is very human-focused, but in the current world of CTI you can't make the assumption that the confidence value is being assigned by humans. It will also be assigned by machines as a result of algorithmic and analytical processes on the underlying data. When a product produces an intelligent feed of data based on analytics, it will be able to figure out and assign its own confidence metric, that will be calculated based on the confidence levels it has on all of the other pieces of data that were factors in the decision. IE, when I am taking 100 pieces of data - each of which has its own confidence value - and producing this other derived piece of data, it's confidence is derived based on all of the other confidence (in the simplest scenario, it might be thought of as the simple weighted average of all of the other confidences). You can't do this type of thing with something as simple as the admiralty scale.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


"Wunder, John A." ---09/13/2016 09:34:38 AM---The wider scale certainly seems like the path of least resistance. Tools get to do what they want an

From: "Wunder, John A." <jwunder@mitre.org>
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 09/13/2016 09:34 AM
Subject: Re: [cti-stix] Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]
Sent by: <cti-stix@lists.oasis-open.org>

---

The wider scale certainly seems like the path of least resistance. Tools get to do what they want and for the most part things should just work. A couple worries (perhaps edge cases?) I would have:

1. The admiralty scale has specific semantics for each level that tools not using it would of course not honor. So someone who set a confidence of “high” in ToolA, which maps to 100 (let’s say), would get translated to a 1 in the admiralty scale when displayed by ToolB. But was it actually confirmed by other sources?
2. There would potentially be issues where people map scales over differently. I.e. (None, Low, Medium, High) would have a different range than (Low, Medium, High) and so a score of “Low” in ToolC might translate to “None” in ToolD and confuse people. Then you have to explain to the user that “well, in reality it’s a 1-100 scale underneath and the products use different scales and……”

I’m not totally opposed btw, just wanted to point out some of these issues.

John

On 9/13/16, 7:42 AM, "cti-stix@lists.oasis-open.org on behalf of Alexandre Dulaunoy" <cti-stix@lists.oasis-open.org on behalf of Alexandre.Dulaunoy@circl.lu> wrote:

   On 13/09/16 12:31, Jason Keirstead wrote:
   > Yes, exactly.
   >
   > The purpose of the larger range is simply to accommodate more possible scales than a single 1-5 scale. Nothing more or less.
   
   Indeed. The proposal came from some real cases we had like reorganizing the confidence level of various sources. The 1-5 scale is clearly
   for human analysts where the whole range is mainly for machine-to-machine. With the current proposal[2], you can have both.
   
   Compared to the existing confidence level in STIX described with the HighMediumLowVocab-1.0[1], we added a scale
   and a clear description for analysts.
   
   [1] http://stixproject.github.io/data-model/1.2/stixVocabs/HighMediumLowVocab-1.0/
   [2] https://github.com/MISP/misp-taxonomies/blob/master/misp/machinetag.json#L31
   
   --
   Alexandre Dulaunoy
   CIRCL - Computer Incident Response Center Luxembourg
   41, avenue de la gare L-1611 Luxembourg
   info@circl.lu - www.circl.lu
   
   ---------------------------------------------------------------------
   To unsubscribe from this mail list, you must leave the OASIS TC that
   generates this mail.  Follow this link to all your TCs in OASIS at:
   https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php