OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cti-stix message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: Relationship name tweaks - attributed-to


I agree – 2 sounds different from 3 – but it also seems to be a viable relationship.

 

That’s why I would stick with 1 – it covers both of those cases, and others….

 

From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Wunder, John A.
Sent: Wednesday, September 21, 2016 2:33 PM
To: cti-stix@lists.oasis-open.org
Subject: [cti-stix] Relationship name tweaks - attributed-to

 

All,

 

A couple times I’ve alluded to some changes to relationship names that Gary Katz proposed. Given some last-minute changes (removing Incident, mostly) it turns out only one is still applicable for 2.0 so I’d like to raise it now.

 

The relationship in question is “attributed-to”, when used from a Campaign to a Threat Actor or Intrusion Set. For example, Operation Aurora is attributed to APT1.

 

Gary (or rather the analysts he worked with) suggested that it might be better to use “executes” or “plans”. So Operation Aurora is planned by APT1, or Operation Aurora was executed by APT1.

 

So, the decision is:

1.       Continue to use “attributed-to” (no change)

2.       Use “executed-by”

3.       Use “planned-by”

 

Thoughts? I’m pretty open to either 1 or 2, but #3 sounds different to me.

 

John



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]