OASIS Mailing List Archives

cti-stix message
Subject: Re: [cti-stix] [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]


Suggest that we try to avoid myopic views of use cases in these decision processes.  

CTI Interexchange within a Community of Trust and external CTI sharing are indeed primary applications.  However, as the stated objective of widespread vendor adoption is achieved, we should fully expect a significant increase in internal CTI Inter-exchange.

Along these lines, suggest we consider the addition of another highly subjective measure: "Business Impact".  This applies primarily to COA and represents the organizational impact of mitigation actions.  Prior suggestions on this with examples are in the historical discourse.   

"Business Impact" is both a (human) Mitigation Analyst and machine driven/enhanced determination.  

For example, Company "A" and "B" receive CTI stating 1.2.3.4 is "bad". Company "A's" CTI automated processes check on ingestion and find that they have not seen any activity to/from 1.2.3.4 in the last 12 months. A "Business Impact" rating of ("0", "None", ".001", "Low", pick your scale ;-) can be assigned and used in the decision process for automated blocking. In this case a Mitigation Analyst review is not required. Company "B's" CTI automated processes check on ingestion and find significant ongoing activity. A high value for potential "Business Impact" is calculated. This triggers the workflow to send to a Mitigation Analyst for review. The other received subjective measures (High Certainty, High Confidence) along with a high rating for this Source could influence these automated ingestion decisions and both block the activity and send it to the Operational Mitigation Workflow.

The mitigation analyst could discover that "1.2.3.4" belongs to one of its prime web services customers and that blocking it would severely impact business revenue/relationships.

In another "real world" example, it has been determined by very good analysts that actor "X" ALWAYS uses highly randomized Google.com email addresses to target sector "Y", AND there's a high risk active zero day attack underway. Company "A" disallows use of Google.com email addresses for business purposes (sender or receiver) and sets "Business Impact" accordingly. Company "B" solely uses Google for all of its business communication and collaboration.

So the key point is that these subjective measures are used both internally and externally.  Their value or relevance is very much context specific, but I believe warrant consistent representation, therefore inclusion, in "Our Thing".

Patrick Maroney
President
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org

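The Company "A" / Company "B" ingestion check described in the message above, as an added example (not code from the thread, from STIX, or from any vendor's product). It assumes the indicator arrives as a STIX 2.x-style JSON dict whose pattern matches a single IPv4 address, that local telemetry is a list of constructed flow records, and that the "none/low/high" tiers, the 12-month lookback and the decision rules are invented for illustration:

```python
"""Ingestion-time "Business Impact" triage for a received indicator.

Added illustration, not code from the OASIS thread or any STIX library.
Assumptions: the indicator is a STIX 2.x-style dict with a single
ipv4-addr comparison pattern; telemetry is a list of constructed flow
records; tiers, thresholds and decision rules are invented for this example.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed STIX 2.x-style indicator (not from the thread).
INDICATOR = {
    "type": "indicator",
    "id": "indicator--00000000-0000-4000-8000-000000000001",
    "pattern": "[ipv4-addr:value = '1.2.3.4']",
    "created": "2016-09-16T12:00:00.000Z",
    "valid_from": "2016-09-16T12:00:00.000Z",
}

NOW = datetime(2016, 9, 17, tzinfo=timezone.utc)

# Constructed flow records: (timestamp, src, dst, bytes).
# Company A saw 1.2.3.4 only once, more than 12 months ago.
COMPANY_A_FLOWS = [
    (NOW - timedelta(days=3), "10.0.0.5", "8.8.8.8", 512),
    (NOW - timedelta(days=400), "10.0.0.5", "1.2.3.4", 2048),
]
# Company B has five internal hosts talking to 1.2.3.4 every hour for two days.
COMPANY_B_FLOWS = [
    (NOW - timedelta(hours=h), "10.0.1.%d" % (h % 5), "1.2.3.4", 4096 * (h + 1))
    for h in range(48)
]


def ip_from_pattern(pattern):
    """Extract the literal from a single-comparison ipv4-addr pattern."""
    m = re.fullmatch(r"\[ipv4-addr:value\s*=\s*'([0-9.]+)'\]", pattern.strip())
    if not m:
        raise ValueError("unsupported pattern: %r" % pattern)
    return m.group(1)


def observed_activity(flows, ip, window=timedelta(days=365), now=NOW):
    """Return (flow count, distinct internal sources) involving ip inside the window."""
    cutoff = now - window
    hits = [f for f in flows if f[0] >= cutoff and ip in (f[1], f[2])]
    return len(hits), len({f[1] for f in hits if f[2] == ip})


def business_impact(flow_count, internal_hosts):
    """Map local telemetry to a Business Impact tier (the scale is an assumption)."""
    if flow_count == 0:
        return "none"
    if flow_count < 10 and internal_hosts <= 1:
        return "low"
    return "high"


def triage(indicator, flows, confidence="high", source_rating="high"):
    """Decide what the ingestion pipeline does with the indicator.

    Low business impact: block without analyst involvement.
    High business impact from a highly rated source with high confidence:
    block now AND route to the mitigation workflow for review.
    Otherwise: hold for analyst review before blocking.
    """
    ip = ip_from_pattern(indicator["pattern"])
    count, hosts = observed_activity(flows, ip)
    impact = business_impact(count, hosts)
    if impact in ("none", "low"):
        action = "auto-block"
    elif confidence == "high" and source_rating == "high":
        action = "block-and-review"
    else:
        action = "analyst-review"
    return {"ip": ip, "flows": count, "internal_hosts": hosts,
            "business_impact": impact, "action": action}


if __name__ == "__main__":
    print("Company A:", triage(INDICATOR, COMPANY_A_FLOWS))
    print("Company B:", triage(INDICATOR, COMPANY_B_FLOWS))
```

The point the example makes is the one in the message: the same indicator, with the same confidence and source rating, yields an automatic block at Company A and a human review at Company B, because Business Impact is computed from local telemetry rather than received with the intelligence.
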
_____________________________
From: Terry MacDonald <terry.macdonald@cosive.com>
Sent: Friday, September 16, 2016 4:03 PM
Subject: Re: [cti-stix] [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]
To: Jason Keirstead <jason.keirstead@ca.ibm.com>
Cc: <cti-stix@lists.oasis-open.org>, Alexandre Dulaunoy <alexandre.dulaunoy@circl.lu>, John A. Wunder <jwunder@mitre.org>


Direct sharing of credibility for an information source may still be shared amongst community members if they are talking about a third-party. I think it's as likely as someone sharing information about their relevance score, i.e. applicable to those who are sharing 'internally' between one another in the same close knit group.

I do believe that this is where the opinion object would help. An opinion object would allow people to indicate their disagreement or agreement with an assertion made by a producer. This opinion object agreement or disagreement would allow consumers to derive the credibility of the producer by analysing how many agreements they get versus how many disagreements.

I would treat a producer who gets a lot of agreement objects differently to one that gets a lot of disagreements. Likewise I would treat a producer who gets lots of agreements from other producers I trust even higher than one that gets agreements from those I don't know. In this way each consumer can build up their own credibility score without needing to share it publicly.

If we do share credibility directly and publicly it could end up as negative as warring election campaigns.... (And maybe even some sort of libel suits if their information gets out!)

Cheers
Terry MacDonald

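The consumer-side credibility derivation sketched in the message above, as an added example (not code from the thread or from any STIX implementation). The object shape follows the later STIX 2.1 Opinion SDO (type "opinion", an "opinion" value from strongly-disagree to strongly-agree, "object_refs", "created_by_ref"); the identities, the numeric mapping, the private trust weights and the scoring rule are assumptions made for this example:

```python
"""Deriving a local, unshared credibility score for a producer from opinions.

Added illustration, not code from the thread or any STIX library. The opinion
shape is modelled on the STIX 2.1 Opinion SDO; the trust table, numeric
mapping and scoring rule are assumptions made for this example.
"""

# Assumed numeric mapping of the STIX 2.1 opinion scale.
OPINION_VALUE = {
    "strongly-disagree": -2.0, "disagree": -1.0, "neutral": 0.0,
    "agree": 1.0, "strongly-agree": 2.0,
}

# Constructed objects. Two producers (acme, zeta) each published an indicator;
# three other identities published opinions about those indicators.
OBJECTS = [
    {"type": "indicator", "id": "indicator--1", "created_by_ref": "identity--acme"},
    {"type": "indicator", "id": "indicator--2", "created_by_ref": "identity--zeta"},
    {"type": "opinion", "id": "opinion--a", "created_by_ref": "identity--isac",
     "opinion": "strongly-agree", "object_refs": ["indicator--1"]},
    {"type": "opinion", "id": "opinion--b", "created_by_ref": "identity--peer",
     "opinion": "agree", "object_refs": ["indicator--1"]},
    {"type": "opinion", "id": "opinion--c", "created_by_ref": "identity--unknown",
     "opinion": "strongly-agree", "object_refs": ["indicator--2"]},
    {"type": "opinion", "id": "opinion--d", "created_by_ref": "identity--isac",
     "opinion": "disagree", "object_refs": ["indicator--2"]},
]

# The consumer's own, private trust in the identities voicing opinions.
# This table is never shared; anyone absent from it gets DEFAULT_TRUST.
LOCAL_TRUST = {"identity--isac": 1.0, "identity--peer": 0.5}
DEFAULT_TRUST = 0.1


def opinions_about(objects, producer):
    """Yield (opinion, weight) for each opinion on an object the producer created.

    A producer's own opinions about its own objects are ignored, so a producer
    cannot inflate its score by agreeing with itself.
    """
    by_id = {o["id"]: o for o in objects}
    for o in objects:
        if o["type"] != "opinion" or o.get("created_by_ref") == producer:
            continue
        for ref in o.get("object_refs", []):
            target = by_id.get(ref)
            if target and target.get("created_by_ref") == producer:
                yield o, LOCAL_TRUST.get(o["created_by_ref"], DEFAULT_TRUST)


def agreement_counts(objects, producer):
    """Raw (agreements, disagreements), ignoring who voiced them."""
    agree = disagree = 0
    for op, _ in opinions_about(objects, producer):
        v = OPINION_VALUE[op["opinion"]]
        agree += v > 0
        disagree += v < 0
    return agree, disagree


def credibility(objects, producer):
    """Trust-weighted mean opinion, rescaled to [0, 1]; None if no opinions exist."""
    num = den = 0.0
    for op, weight in opinions_about(objects, producer):
        num += weight * OPINION_VALUE[op["opinion"]]
        den += weight
    if den == 0:
        return None
    return round((num / den + 2.0) / 4.0, 3)


if __name__ == "__main__":
    for p in ("identity--acme", "identity--zeta"):
        print(p, agreement_counts(OBJECTS, p), credibility(OBJECTS, p))
```

On the constructed data zeta has a 1:1 raw agreement/disagreement split, but its only agreement comes from an identity the consumer does not know, while the disagreement comes from a trusted ISAC; weighting by the consumer's private trust table pushes zeta well below acme without any credibility score ever leaving the consumer's boundary.
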

On 16 Sep 2016 11:46 PM, "Jason Keirstead" <Jason.Keirstead@ca.ibm.com> wrote:

I can take a stab at it - non-normative, high level....

    Confidence - The trust in the data behind the intelligence / the accuracy of the intelligence

    Credibility - The trust in the source providing the intelligence

    Severity - The criticality level of the exploit / malware / incident / event

    Relevance - How relevant the exploit / malware / incident / event is to your organization

As I said - Relevance is normally tracked internally and would rarely leave an organization boundary - however tools still need to share it via STIX in my opinion.

"Credibility" to me is murky in that it is something likely tracked internally for an organization or ISAO, and not necessarily shared back. i.e. I am not going to want to publicize the fact that I do not trust intelligence from source X...

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: "Wunder, John A." <jwunder@mitre.org>
To: Alexandre Dulaunoy <Alexandre.Dulaunoy@circl.lu>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 09/15/2016 11:34 AM
Subject: Re: [cti-stix] [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]
Sent by: <cti-stix@lists.oasis-open.org>




Can somebody provide definitions that clearly define and distinguish all of these?

Also do all of them apply to all STIX Objects, or are some/all only applied to a subset?

John

On 9/15/16, 9:57 AM, "cti-stix@lists.oasis-open.org on behalf of Alexandre Dulaunoy" <cti-stix@lists.oasis-open.org on behalf of Alexandre.Dulaunoy@circl.lu> wrote:

   On 15/09/16 15:48, Jordan, Bret wrote:
   > Does everyone agree with these 4 properties?  If so, we can then start the discussion about how to classify values for each one.
   >
   > 1) Confidence
   > 2) Credibility
   > 3) Severity
   > 4) Relevance
   
   Likelihood probability (ICD 203) is also regularly used.
   
   
https://github.com/MISP/misp-taxonomies/blob/master/estimative-language/machinetag.json
   
   Cheers.
   
   
   --
   Alexandre Dulaunoy
   CIRCL - Computer Incident Response Center Luxembourg
   41, avenue de la gare L-1611 Luxembourg
   info@circl.lu - www.circl.lu
   