Does everyone agree with these 4 properties? If so, we can then start the discussion about how to classify values for each one.
1) Confidence 2) Credibility 3) Severity 4) Relevance
Thanks,
Bret Bret Jordan CISSPDirector of Security Architecture and Standards | Office of the CTO Symantec PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
The four that immediately come to mind are confidence, credibility, severity, and relevance.
Relevance is unlikely to be shared outside an organizational boundary, but may be within some trust groups. Tools will also need to be able to communicate it over STIX, regardless of if it leaves the boundary.
- Jason Keirstead STSM, Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security | www.securityintelligence.comWithout data, all you are is just another person with an opinion - Unknown <graycol.gif>"Jordan, Bret" ---09/14/2016 05:59:41 PM---Maybe this is the exact discussion we should be having.... What are the confidence like propertiesFrom: "Jordan, Bret" <bret.jordan@bluecoat.com>To: Jason Keirstead/CanEast/IBM@IBMCACc: Dave Cridland <dave.cridland@surevine.com>, "Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>Date: 09/14/2016 05:59 PMSubject: Re: [cti-stix] [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]Sent by: <cti-stix@lists.oasis-open.org> Maybe this is the exact discussion we should be having.... What are the confidence like properties we should include on all objects? Is it 2, 3, or 4 different properties? Once we have those figured out, we can work on their definitions and how best to use them. Thanks,BretBret Jordan CISSPDirector of Security Architecture and Standards | Office of the CTOBlue Coat SystemsPGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
On Sep 14, 2016, at 10:49, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:
To be clear - everything we are discussing here is credibility of the event.
As Alan stated, we dug into this a bit at the F2F and it is obvious that there are going to have to be other metrics affiliated with STIX data - confidence, credibility, relevance are obvious, but there are potentially others. But - we need to tackle one at a time (or just go out on a limb and give the same scale for each).
- Jason Keirstead STSM, Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
<graycol.gif>Dave Cridland ---09/14/2016 11:02:25 AM---I don't think you can map Admiralty Code to a single Confidence score - Admiralty Code doesn't equat
From: Dave Cridland <dave.cridland@surevine.com> To: "Jordan, Bret" <bret.jordan@bluecoat.com> Cc: "Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> Date: 09/14/2016 11:02 AM Subject: Re: [cti-stix] [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September] Sent by: <cti-stix@lists.oasis-open.org>
I don't think you can map Admiralty Code to a single Confidence score - Admiralty Code doesn't equate to confidence, quite. The code divides into two, but one is the Source Reliability and the other is the Credibility of the particular event.
The idea is that you can express "we think this is very plausible, though it is uncorroborated and our source is unreliable", versus "we think this is unlikely, but the source has been historically reliable". It feels, to my mind, that these might influence an overall confidence but they have considerable nuance, and I'm not convinced they're directly comparable, and the next steps - to improve confidence - are different in each case (the former case is "get corroboration", the latter might be "ask the source for more information").
On top of that, even if you pretend the likelihood scoring is a simple 1-5 confidence score (and 6 "I dunno"), then it's not clear it maps evenly across a linear scale - but it might.
Finally, even if you figure out a mapping to a single numeric score, you're never going to be able to map back.
On 13 September 2016 at 20:12, Jordan, Bret <bret.jordan@bluecoat.com> wrote:I also think we should call out in the specification how you would map this to the Admiralty score. This way, for people that want to do it, they all do it the same way.
Thanks,
Bret
Bret Jordan CISSP Director of Security Architecture and Standards | Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." On Sep 13, 2016, at 13:09, Jordan, Bret <bret.jordan@BLUECOAT.COM> wrote:
As I just said in my last email, I think for things like this we just pre-define them in normative text. If you have a 1-5 scale, this is what it looks like, if you have a 1-3 scale, this is how it works.
Thanks,
Bret
Bret Jordan CISSP Director of Security Architecture and Standards | Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." On Sep 13, 2016, at 06:34, Wunder, John A. <jwunder@mitre.org> wrote:
The wider scale certainly seems like the path of least resistance. Tools get to do what they want and for the most part things should just work. A couple worries (perhaps edge cases?) I would have:
1. The admiralty scale has specific semantics for each level that tools not using it would of course not honor. So someone who set a confidence of “high” in ToolA, which maps to 100 (let’s say), would get translated to a 1 in the admiralty scale when displayed by ToolB. But was it actually confirmed by other sources? 2. There would potentially be issues where people map scales over differently. I.e. (None, Low, Medium, High) would have a different range than (Low, Medium, High) and so a score of “Low” in ToolC might translate to “None” in ToolD and confuse people. Then you have to explain to the user that “well, in reality it’s a 1-100 scale underneath and the products use different scales and……”
I’m not totally opposed btw, just wanted to point out some of these issues.
John
On 9/13/16, 7:42 AM, "cti-stix@lists.oasis-open.org on behalf of Alexandre Dulaunoy" <cti-stix@lists.oasis-open.org on behalf of Alexandre.Dulaunoy@circl.lu> wrote:
On 13/09/16 12:31, Jason Keirstead wrote:Yes, exactly.
The purpose of the larger range is simply to accommodate more possible scales than a single 1-5 scale. Nothing more or less.
Indeed. The proposal came from some real cases we had like reorganizing the confidence level of various sources. The 1-5 scale is clearly for human analysts where the whole range is mainly for machine-to-machine. With the current proposal[2], you can have both.
Compared to the existing confidence level in STIX described with the HighMediumLowVocab-1.0[1], we added a scale and a clear description for analysts.
[1] http://stixproject.github.io/data-model/1.2/stixVocabs/HighMediumLowVocab-1.0/ [2] https://github.com/MISP/misp-taxonomies/blob/master/misp/machinetag.json#L31
-- Alexandre Dulaunoy CIRCL - Computer Incident Response Center Luxembourg 41, avenue de la gare L-1611 Luxembourg info@circl.lu - www.circl.lu
--------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
-- Dave Cridland phone +448454681066 email dave.cridland@surevine.com skype dave.cridland.surevine
Participate | Collaborate | Innovate Surevine Limited, registered in England and Wales with number 06726289. Mailing Address : PO Box 1136, Guildford GU1 9ND If you think you have received this message in error, please notify us.
[attachment "signature.asc" deleted by Jason Keirstead/CanEast/IBM]
|