OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cti-stix message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [cti-stix] [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]


Does everyone agree with these 4 properties?  If so, we can then start the discussion about how to classify values for each one.

1) Confidence
2) Credibility
3) Severity
4) Relevance 




Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Symantec
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Sep 15, 2016, at 05:34, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:

The four that immediately come to mind are confidence, credibility, severity, and relevance.

    Relevance is unlikely to be shared outside an organizational boundary, but may be within some trust groups. Tools will also need to be able to communicate it over STIX, regardless of if it leaves the boundary.

      -
      Jason Keirstead
      STSM, Product Architect, Security Intelligence, IBM Security Systems
      www.ibm.com/security | www.securityintelligence.com

      Without data, all you are is just another person with an opinion - Unknown


      <graycol.gif>"Jordan, Bret" ---09/14/2016 05:59:41 PM---Maybe this is the exact discussion we should be having.... What are the confidence like properties

      From: "Jordan, Bret" <bret.jordan@bluecoat.com>
      To: Jason Keirstead/CanEast/IBM@IBMCA
      Cc: Dave Cridland <dave.cridland@surevine.com>, "Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
      Date: 09/14/2016 05:59 PM
      Subject: Re: [cti-stix] [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]
      Sent by: <cti-stix@lists.oasis-open.org>




      Maybe this is the exact discussion we should be having.... What are the confidence like properties we should include on all objects? Is it 2, 3, or 4 different properties? Once we have those figured out, we can work on their definitions and how best to use them.


      Thanks,

      Bret



      Bret Jordan CISSP
      Director of Security Architecture and Standards | Office of the CTO
      Blue Coat Systems
      PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
      "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
          On Sep 14, 2016, at 10:49, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:

          To be clear - everything we are discussing here is credibility of the event.

          As Alan stated, we dug into this a bit at the F2F and it is obvious that there are going to have to be other metrics affiliated with STIX data - confidence, credibility, relevance are obvious, but there are potentially others. But - we need to tackle one at a time (or just go out on a limb and give the same scale for each).

          -
          Jason Keirstead
          STSM, Product Architect, Security Intelligence, IBM Security Systems

          www.ibm.com/security | www.securityintelligence.com

          Without data, all you are is just another person with an opinion - Unknown


          <graycol.gif>
          Dave Cridland ---09/14/2016 11:02:25 AM---I don't think you can map Admiralty Code to a single Confidence score - Admiralty Code doesn't equat

          From:
          Dave Cridland <dave.cridland@surevine.com>
          To:
          "Jordan, Bret" <bret.jordan@bluecoat.com>
          Cc:
          "Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
          Date:
          09/14/2016 11:02 AM
          Subject:
          Re: [cti-stix] [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]
          Sent by:
          <cti-stix@lists.oasis-open.org>






          I don't think you can map Admiralty Code to a single Confidence score - Admiralty Code doesn't equate to confidence, quite. The code divides into two, but one is the Source Reliability and the other is the Credibility of the particular event.


          The idea is that you can express "we think this is very plausible, though it is uncorroborated and our source is unreliable", versus "we think this is unlikely, but the source has been historically reliable". It feels, to my mind, that these might influence an overall confidence but they have considerable nuance, and I'm not convinced they're directly comparable, and the next steps - to improve confidence - are different in each case (the former case is "get corroboration", the latter might be "ask the source for more information").


          On top of that, even if you pretend the likelihood scoring is a simple 1-5 confidence score (and 6 "I dunno"), then it's not clear it maps evenly across a linear scale - but it might.


          Finally, even if you figure out a mapping to a single numeric score, you're never going to be able to map back.


          On 13 September 2016 at 20:12, Jordan, Bret <
          bret.jordan@bluecoat.com> wrote:
              I also think we should call out in the specification how you would map this to the Admiralty score. This way, for people that want to do it, they all do it the same way.


              Thanks,


              Bret




              Bret Jordan CISSP

              Director of Security Architecture and Standards | Office of the CTO
              Blue Coat Systems

              PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
              "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
                      On Sep 13, 2016, at 13:09, Jordan, Bret <bret.jordan@BLUECOAT.COM> wrote:

                      As I just said in my last email, I think for things like this we just pre-define them in normative text. If you have a 1-5 scale, this is what it looks like, if you have a 1-3 scale, this is how it works.



                      Thanks,


                      Bret




                      Bret Jordan CISSP

                      Director of Security Architecture and Standards | Office of the CTO
                      Blue Coat Systems

                      PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
                      "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
                              On Sep 13, 2016, at 06:34, Wunder, John A. <jwunder@mitre.org> wrote:

                              The wider scale certainly seems like the path of least resistance. Tools get to do what they want and for the most part things should just work. A couple worries (perhaps edge cases?) I would have:

                              1. The admiralty scale has specific semantics for each level that tools not using it would of course not honor. So someone who set a confidence of “high” in ToolA, which maps to 100 (let’s say), would get translated to a 1 in the admiralty scale when displayed by ToolB. But was it actually confirmed by other sources?
                              2. There would potentially be issues where people map scales over differently. I.e. (None, Low, Medium, High) would have a different range than (Low, Medium, High) and so a score of “Low” in ToolC might translate to “None” in ToolD and confuse people. Then you have to explain to the user that “well, in reality it’s a 1-100 scale underneath and the products use different scales and……”

                              I’m not totally opposed btw, just wanted to point out some of these issues.

                              John

                              On 9/13/16, 7:42 AM, "
                              cti-stix@lists.oasis-open.org on behalf of Alexandre Dulaunoy" <cti-stix@lists.oasis-open.org on behalf of Alexandre.Dulaunoy@circl.lu> wrote:

                              On 13/09/16 12:31, Jason Keirstead wrote:
                                      Yes, exactly.

                                      The purpose of the larger range is simply to accommodate more possible scales than a single 1-5 scale. Nothing more or less.

                              Indeed. The proposal came from some real cases we had like reorganizing the confidence level of various sources. The 1-5 scale is clearly
                              for human analysts where the whole range is mainly for machine-to-machine. With the current proposal[2], you can have both.

                              Compared to the existing confidence level in STIX described with the HighMediumLowVocab-1.0[1], we added a scale
                              and a clear description for analysts.

                              [1]
                              http://stixproject.github.io/data-model/1.2/stixVocabs/HighMediumLowVocab-1.0/
                              [2]
                              https://github.com/MISP/misp-taxonomies/blob/master/misp/machinetag.json#L31

                              --
                              Alexandre Dulaunoy
                              CIRCL - Computer Incident Response Center Luxembourg
                              41, avenue de la gare L-1611 Luxembourg
                              info@circl.lu - www.circl.lu

                              ---------------------------------------------------------------------
                              To unsubscribe from this mail list, you must leave the OASIS TC that
                              generates this mail. Follow this link to all your TCs in OASIS at:
                              https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php





          --

          Dave Cridland

          phone +448454681066
          email
          dave.cridland@surevine.com
          skype dave.cridland.surevine


          Participate | Collaborate | Innovate

          Surevine Limited, registered in England and Wales with number 06726289. Mailing Address : PO Box 1136, Guildford GU1 9ND
          If you think you have received this message in error, please notify us.


      [attachment "signature.asc" deleted by Jason Keirstead/CanEast/IBM]



      Attachment: signature.asc
      Description: Message signed with OpenPGP using GPGMail



      [Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]