

Subject: Re: [cti-stix] [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]


To be clear - everything we are discussing here is credibility of the event.

As Alan stated, we dug into this a bit at the F2F and it is obvious that there are going to have to be other metrics affiliated with STIX data - confidence, credibility, relevance are obvious, but there are potentially others. But - we need to tackle one at a time (or just go out on a limb and give the same scale for each).

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: Dave Cridland <dave.cridland@surevine.com>
To: "Jordan, Bret" <bret.jordan@bluecoat.com>
Cc: "Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 09/14/2016 11:02 AM
Subject: Re: [cti-stix] [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]
Sent by: <cti-stix@lists.oasis-open.org>





I don't think you can map Admiralty Code to a single Confidence score - Admiralty Code doesn't equate to confidence, quite. The code divides into two, but one is the Source Reliability and the other is the Credibility of the particular event.

The idea is that you can express "we think this is very plausible, though it is uncorroborated and our source is unreliable", versus "we think this is unlikely, but the source has been historically reliable". It feels, to my mind, that these might influence an overall confidence but they have considerable nuance, and I'm not convinced they're directly comparable, and the next steps - to improve confidence - are different in each case (the former case is "get corroboration", the latter might be "ask the source for more information").

On top of that, even if you pretend the likelihood scoring is a simple 1-5 confidence score (and 6 "I dunno"), then it's not clear it maps evenly across a linear scale - but it might.

Finally, even if you figure out a mapping to a single numeric score, you're never going to be able to map back.

On 13 September 2016 at 20:12, Jordan, Bret <bret.jordan@bluecoat.com> wrote:


--

Dave Cridland

phone  +448454681066
email  dave.cridland@surevine.com
skype  dave.cridland.surevine

Participate | Collaborate | Innovate

Surevine Limited, registered in England and Wales with number 06726289. Mailing Address : PO Box 1136, Guildford GU1 9ND
If you think you have received this message in error, please notify us.
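
The two-axis point made in the message above, as an added example that is not part of the original thread: it parses Admiralty Code ratings into source reliability and event credibility, collapses them to one number, and shows that ratings needing different follow-up land on the same score. The labels are the standard Admiralty Code ones; the linear 0-100 weights, the averaging in `collapse` and the thresholds in `next_step` are assumptions made for this illustration.

```python
from collections import defaultdict
from itertools import product

# Admiralty Code axes; "F" and "6" both mean "cannot be judged".
RELIABILITY = {"A": "completely reliable", "B": "usually reliable",
               "C": "fairly reliable", "D": "not usually reliable",
               "E": "unreliable", "F": "cannot be judged"}
CREDIBILITY = {"1": "confirmed by other sources", "2": "probably true",
               "3": "possibly true", "4": "doubtful",
               "5": "improbable", "6": "cannot be judged"}

# ASSUMPTION: linear 0-100 weights, invented for this illustration only.
REL_SCORE = {"A": 100, "B": 75, "C": 50, "D": 25, "E": 0}
CRED_SCORE = {"1": 100, "2": 75, "3": 50, "4": 25, "5": 0}

def parse(code):
    """Split a rating such as 'B2' into (source reliability, credibility)."""
    code = code.strip().upper()
    if len(code) != 2 or code[0] not in RELIABILITY or code[1] not in CREDIBILITY:
        raise ValueError(f"not an Admiralty Code rating: {code!r}")
    return code[0], code[1]

def collapse(code):
    """Hypothetical single score: mean of both axes, None if either is unjudged."""
    rel, cred = parse(code)
    if rel == "F" or cred == "6":
        return None
    return (REL_SCORE[rel] + CRED_SCORE[cred]) / 2

def preimages():
    """Group all 36 ratings by collapsed score to expose collisions."""
    groups = defaultdict(list)
    for rel, cred in product(RELIABILITY, CREDIBILITY):
        groups[collapse(rel + cred)].append(rel + cred)
    return dict(groups)

def next_step(code):
    """Follow-up for the two contrasting cases in the thread (thresholds assumed)."""
    rel, cred = parse(code)
    if rel in "DE" and cred in "23":
        return "get corroboration"
    if rel in "AB" and cred in "45":
        return "ask the source for more information"
    return "no specific follow-up modelled"

if __name__ == "__main__":
    for rating in ("E2", "B5"):
        print(rating, collapse(rating), "->", next_step(rating))
    print("ratings sharing 37.5:", preimages()[37.5])
```

Under these assumed weights the 36 possible ratings fall into only 10 distinct outputs, so a stored score cannot be turned back into the rating that produced it.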



