Re: [cti-stix] Labels versus marking

["Jason Keirstead" <Jason.Keirstead@ca.ibm.com>]

My own naive view of labels vs markings is this...

Data markings are meant to enforce policy, either automated or manual.

Tags, on the other hand, are meant to facilitate analysis and searching.

If you are making the data to help an analyst understad what it is, and/or find it in a tool, use labels. If you are making the data to ensure that a tool or human treats it in a certain way when they recieve it, you would use a marking.

Is my view in alignment with the community? We probably need to figure out how to describe this in STIX...

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


Alexandre Dulaunoy ---09/21/2016 06:16:04 AM---On 21/09/16 00:36, Bret Jordan (CS) wrote: > Can you give some examples of what you are wanting to d

From: Alexandre Dulaunoy <Alexandre.Dulaunoy@circl.lu>
To: cti-stix@lists.oasis-open.org
Date: 09/21/2016 06:16 AM
Subject: Re: [cti-stix] Labels versus marking
Sent by: <cti-stix@lists.oasis-open.org>

---

On 21/09/16 00:36, Bret Jordan (CS) wrote:
> Can you give some examples of what you are wanting to do?  
> 
> The current labels property is a way of tracking the old "malware type" for example.  It also allows products to add extra labels or tags to an object for use in their classifications.  I view this as means of mimicking Evernote's or GMail's labels.

Sure. We are currently evaluating the options to support properly the taxonomy in MISP
when doing STIX import and export. The two options are marking or labels. The main issue
for us is the labels being limited to some types only and you cannot do any granular marking.

Until now, the approach we want to take is the following:

{
  "type": "marking-definition",
  "id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
  "created": "2016-08-01T00:00:00Z",
  "modified": "2016-08-01T00:00:00Z",
  "version": 1,
  "definition_type": "misp-taxonomies",
  "definition": {
    "tag": "misp:confidence-level=\"usually-confident\""
  }
}


{
  "type": "marking-definition",
  "id": "marking-definition--78ad9b3b-8113-4454-a04e-7d433dadae07",
  "created": "2016-08-01T00:00:00Z",
  "modified": "2016-08-01T00:00:00Z",
  "version": 1,
  "definition_type": "misp-taxonomies",
  "definition": {
    "tag": "adversary:infrastructure-status=\"compromised\""
  }
}



"indicators": [
    {
      "type": "indicator",
      "id": "indicator--33fe3b22-0201-47cf-85d0-97c02164528d",
      "version": 1,
      "created": "2014-05-08T09:00:00.000000Z",
                   "modified": "2014-05-08T09:00:00.000000Z",
      "name": "IP Address for known C2 channel",
      "labels": ["malicious-activity"],
      "object_marking_refs": ["marking-definition--78ad9b3b-8113-4454-a04e-7d433dadae07", "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"]
      "pattern": "ipv4addr-object:value EQ '10.0.0.0'",
                   "pattern_lang": "cybox",
                   "valid_from": "2014-05-08T09:00:00.000000Z"
    }
]

and if you use label (but we won't be able to do marking where we want):

"indicators": [
    {
      "type": "indicator",
      "id": "indicator--33fe3b22-0201-47cf-85d0-97c02164528d",
      "version": 1,
      "created": "2014-05-08T09:00:00.000000Z",
                   "modified": "2014-05-08T09:00:00.000000Z",
      "name": "IP Address for known C2 channel",
      "labels": ["adversary:infrastructure-status=\"compromised\"", "misp:confidence-level=\"usually-confident\""],
      "pattern": "ipv4addr-object:value EQ '10.0.0.0'",
                   "pattern_lang": "cybox",
                   "valid_from": "2014-05-08T09:00:00.000000Z"
    }
]

The other advantage of using the marking is to ensure that parser can support directly
the taxonomies with the type defined compared to labels where this can be a series
of various, tags or machine tags.

If the option of marking is kept, how would we define the marking type in the standard?
Can this be extended in the current proposal?

Cheers

-- 
Alexandre Dulaunoy
CIRCL - Computer Incident Response Center Luxembourg
41, avenue de la gare L-1611 Luxembourg
info@circl.lu - www.circl.lu

---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that 
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php