

Subject: Re: [cti-stix] Labels versus marking


On 21/09/16 00:36, Bret Jordan (CS) wrote:
> Can you give some examples of what you are wanting to do?  
> 
> The current labels property is a way of tracking the old "malware type" for example.  It also allows products to add extra labels or tags to an object for use in their classifications.  I view this as means of mimicking Evernote's or GMail's labels.

Sure. We are currently evaluating the options to properly support the MISP taxonomy
when doing STIX import and export. The two options are marking or labels. The main issue
for us is that labels are limited to some types only and you cannot do any granular marking.

Until now, the approach we want to take is the following:

{
  "type": "marking-definition",
  "id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
  "created": "2016-08-01T00:00:00Z",
  "modified": "2016-08-01T00:00:00Z",
  "version": 1,
  "definition_type": "misp-taxonomies",
  "definition": {
    "tag": "misp:confidence-level=\"usually-confident\""
  }
}


{
  "type": "marking-definition",
  "id": "marking-definition--78ad9b3b-8113-4454-a04e-7d433dadae07",
  "created": "2016-08-01T00:00:00Z",
  "modified": "2016-08-01T00:00:00Z",
  "version": 1,
  "definition_type": "misp-taxonomies",
  "definition": {
    "tag": "adversary:infrastructure-status=\"compromised\""
  }
}



"indicators": [
    {
      "type": "indicator",
      "id": "indicator--33fe3b22-0201-47cf-85d0-97c02164528d",
      "version": 1,
      "created": "2014-05-08T09:00:00.000000Z",
      "modified": "2014-05-08T09:00:00.000000Z",
      "name": "IP Address for known C2 channel",
      "labels": ["malicious-activity"],
      "object_marking_refs": ["marking-definition--78ad9b3b-8113-4454-a04e-7d433dadae07", "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],
      "pattern": "ipv4addr-object:value EQ '10.0.0.0'",
      "pattern_lang": "cybox",
      "valid_from": "2014-05-08T09:00:00.000000Z"
    }
]

and if you use labels (but we won't be able to do marking where we want):

"indicators": [
    {
      "type": "indicator",
      "id": "indicator--33fe3b22-0201-47cf-85d0-97c02164528d",
      "version": 1,
      "created": "2014-05-08T09:00:00.000000Z",
      "modified": "2014-05-08T09:00:00.000000Z",
      "name": "IP Address for known C2 channel",
      "labels": ["adversary:infrastructure-status=\"compromised\"", "misp:confidence-level=\"usually-confident\""],
      "pattern": "ipv4addr-object:value EQ '10.0.0.0'",
      "pattern_lang": "cybox",
      "valid_from": "2014-05-08T09:00:00.000000Z"
    }
]

The other advantage of using markings is to ensure that a parser can directly support
the taxonomies with the defined type, compared to labels, where this can be a series
of various tags or machine tags.

If the option of marking is kept, how would we define the marking type in the standard?
Can this be extended in the current proposal?

Cheers

-- 
Alexandre Dulaunoy
CIRCL - Computer Incident Response Center Luxembourg
41, avenue de la gare L-1611 Luxembourg
info@circl.lu - www.circl.lu
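The marking-based export sketched in the message above, as an added example that is not part of the original post or of MISP's own code: a parser for the MISP machine-tag form namespace:predicate="value", a builder that wraps each tag in a marking-definition of definition_type misp-taxonomies, and the consumer-side check that every object_marking_refs entry resolves (an unresolved marking, unlike a label, carries no taxonomy value at all). The UUIDv5-derived marking ids and the sample tags are this example's own choices.

```python
import re
import uuid

# Constructed sample input: the two MISP machine tags quoted in the message.
MISP_TAGS = [
    'misp:confidence-level="usually-confident"',
    'adversary:infrastructure-status="compromised"',
]

# MISP machine-tag grammar: namespace:predicate or namespace:predicate="value".
MACHINE_TAG = re.compile(r'^([^:=" ]+):([^:=" ]+)(?:="([^"]*)")?$')


def parse_machine_tag(tag):
    """Split a MISP tag into (namespace, predicate, value); value is None if absent."""
    m = MACHINE_TAG.match(tag)
    if not m:
        raise ValueError("not a MISP machine tag: %r" % tag)
    return m.group(1), m.group(2), m.group(3)


def tag_to_marking(tag, created="2016-08-01T00:00:00Z"):
    """Wrap one MISP tag in a marking-definition of definition_type misp-taxonomies.
    The id is a UUIDv5 of the tag text so repeated exports reuse one id (a choice
    made for this example, not something the message specifies)."""
    parse_machine_tag(tag)  # refuse to emit a marking for a malformed tag
    return {
        "type": "marking-definition",
        "id": "marking-definition--%s" % uuid.uuid5(uuid.NAMESPACE_URL, tag),
        "created": created,
        "modified": created,
        "version": 1,
        "definition_type": "misp-taxonomies",
        "definition": {"tag": tag},
    }


def dangling_marking_refs(objects):
    """Return the object_marking_refs in `objects` that point at no
    marking-definition in the same list; a consumer should run this before
    trusting the taxonomy values attached to an indicator."""
    defined = {o["id"] for o in objects if o["type"] == "marking-definition"}
    return [r for o in objects
            for r in o.get("object_marking_refs", []) if r not in defined]
```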

