OASIS Mailing List Archives


cti-stix message


Subject: Re: [cti-stix] [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]


Direct sharing of credibility for an information source may still be shared amongst community members if they are talking about a third party. I think it's as likely as someone sharing information about their relevance score, i.e. applicable to those who are sharing 'internally' between one another in the same close-knit group.

I do believe that this is where the opinion object would help. An opinion object would allow people to indicate their disagreement or agreement with an assertion made by a producer. This opinion object agreement or disagreement would allow consumers to derive the credibility of the producer, by analysing how many agreements they get versus how many disagreements.

I would treat a producer who gets a lot of agreement objects differently to one that gets a lot of disagreements. Likewise I would treat a producer who gets lots of agreements from other producers I trust even higher than one that gets agreements from those I don't know. In this way each consumer can build up their own credibility score without needing to share it publicly.

If we do share credibility directly and publicly it could end up as negative as warring election campaigns.... (And maybe even some sort of libel suits if their information gets out!)

Cheers
Terry MacDonald
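
The consumer-side scoring described in the message above, as an added example that is not part of the original message or of any STIX specification text. The field names follow the STIX 2.1 opinion object; the identifiers, trust weights and the default weight for unknown peers are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data. Field names (created_by_ref, object_refs, opinion)
# follow the STIX 2.1 opinion object and are an assumption here; the thread
# itself only speaks of agreement and disagreement.
AUTHORS = {  # asserted object -> producer that created it
    "indicator--a": "identity--producer-a",
    "indicator--c": "identity--producer-b",
}
OPINIONS = [
    {"created_by_ref": "identity--peer-trusted", "opinion": "agree",
     "object_refs": ["indicator--a"]},
    {"created_by_ref": "identity--peer-unknown", "opinion": "disagree",
     "object_refs": ["indicator--a"]},
    {"created_by_ref": "identity--peer-trusted", "opinion": "disagree",
     "object_refs": ["indicator--c"]},
    {"created_by_ref": "identity--peer-unknown", "opinion": "agree",
     "object_refs": ["indicator--c"]},
    # A producer agreeing with its own assertion carries no information.
    {"created_by_ref": "identity--producer-a", "opinion": "agree",
     "object_refs": ["indicator--a"]},
]
# Kept locally by the consumer and never shared (hypothetical weights).
LOCAL_TRUST = {"identity--peer-trusted": 1.0}
VALUE = {"agree": 1.0, "disagree": -1.0}


def credibility(opinions, authors, trust, default_trust=0.25):
    """Return {producer: score in [-1, 1]}, weighting each opinion by the
    consumer's own trust in whoever issued it."""
    weighted = defaultdict(float)
    total = defaultdict(float)
    for op in opinions:
        value = VALUE.get(op["opinion"])
        if value is None:
            continue  # opinion values this sketch does not model
        weight = trust.get(op["created_by_ref"], default_trust)
        for ref in op["object_refs"]:
            producer = authors.get(ref)
            # Skip unknown objects and producers rating their own assertions.
            if producer is None or producer == op["created_by_ref"]:
                continue
            weighted[producer] += weight * value
            total[producer] += weight
    return {p: weighted[p] / total[p] for p in total if total[p] > 0}


if __name__ == "__main__":
    print(credibility(OPINIONS, AUTHORS, LOCAL_TRUST))
```

With equal weights both producers tie at one agreement and one disagreement; the consumer's private trust weights are what separate them.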


On 16 Sep 2016 11:46 PM, "Jason Keirstead" <Jason.Keirstead@ca.ibm.com> wrote:

I can take a stab at it - non-normative, high level....

    Confidence - The trust in the data behind the intelligence / the accuracy of the intelligence

    Credibility - The trust in the source providing the intelligence

    Severity - The criticality level of the exploit / malware / incident / event

    Relevance - How relevant the exploit / malware / incident / event is to your organization

As I said - Relevance is normally tracked internally and would rarely leave an organization boundary - however tools still need to share it via STIX in my opinion.

"Credibility" to me is murky in that it is something likely tracked internally for an organization or ISAO, and not necessarily shared back. I.e. I am not going to want to publicize the fact that I do not trust intelligence from source X...

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


From: "Wunder, John A." <jwunder@mitre.org>
To: Alexandre Dulaunoy <Alexandre.Dulaunoy@circl.lu>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 09/15/2016 11:34 AM
Subject: Re: [cti-stix] [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]
Sent by: <cti-stix@lists.oasis-open.org>




Can somebody provide definitions that clearly define and distinguish all of these?

Also do all of them apply to all STIX Objects, or are some/all only applied to a subset?

John

On 9/15/16, 9:57 AM, "cti-stix@lists.oasis-open.org on behalf of Alexandre Dulaunoy" <cti-stix@lists.oasis-open.org on behalf of Alexandre.Dulaunoy@circl.lu> wrote:

   On 15/09/16 15:48, Jordan, Bret wrote:
   > Does everyone agree with these 4 properties?  If so, we can then start the discussion about how to classify values for each one.
   >
   > 1) Confidence
   > 2) Credibility
   > 3) Severity
   > 4) Relevance
   
   Likelihood probability (ICD 203) is also regularly used.
   
   
   https://github.com/MISP/misp-taxonomies/blob/master/estimative-language/machinetag.json
   
   Cheers.
   
   
   --
   Alexandre Dulaunoy
   CIRCL - Computer Incident Response Center Luxembourg
   41, avenue de la gare L-1611 Luxembourg
   info@circl.lu - www.circl.lu
   