

Subject: Re: [cti-stix] Relationship name tweaks - attributed-to


This is one of the reasons why way back when I proposed that there not be really a "relationship-type" other than one of the three core relationship types.  Then we would use the "labels" field to have extra and more detailed context.  


So in effect all relationships would be of type (duplicate-of, derived-from, related-to).  And then you would use the "labels" property to add things like "attributed-to", "uses", "executed-by", "planned", "planned-by", "mitigates" etc.


Bret



From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@cosive.com>
Sent: Wednesday, September 21, 2016 1:17:17 PM
To: John A. Wunder
Cc: Allan Thomson; cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Relationship name tweaks - attributed-to
 

Hi all,

It's not an either/or decision. The great thing about relationships in the graph model that we use is that there can be many types of relationships between the same types of objects. For example campaign X and Threat actor A can have an attributed relationship between them (from org V) and a planned-by relationship (from org V) and an executed-by relationship (from org W).

In my opinion we should be using multiple relationships everywhere to help better describe the relationships we want to describe rather than forcing ourselves down to a single type of relationship. That's such a STIX 1.x way of thinking.

So - why not have all of them?

Cheers
Terry MacDonald
Cosive


On 22 Sep 2016 06:39, "Wunder, John A." <jwunder@mitre.org> wrote:

That’s a good point, I’m changing my answer to 1.

 

Relationships do have labels now btw, so you could use “attributed-to” and have a label of “executed-by”.

 

From: Allan Thomson <athomson@lookingglasscyber.com>
Date: Wednesday, September 21, 2016 at 2:36 PM
To: "Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Relationship name tweaks - attributed-to

 

Prefer Option 1 as it covers both planning and execution whereas the problem with Option 2 and 3 is that they are very specific.

 

Suggest the more generic ‘attributed-to’ is best for the exchange of relationships.

 

Could be another reason to have relationships that can be assigned labels to help add this additional context of relationship connections.

 

allan

From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of "Wunder, John" <jwunder@mitre.org>
Date: Wednesday, September 21, 2016 at 11:32 AM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: [cti-stix] Relationship name tweaks - attributed-to

 

All,

 

A couple times I’ve alluded to some changes to relationship names that Gary Katz proposed. Given some last-minute changes (removing Incident, mostly) it turns out only one is still applicable for 2.0 so I’d like to raise it now.

 

The relationship in question is “attributed-to”, when used from a Campaign to a Threat Actor or Intrusion Set. For example, Operation Aurora is attributed to APT1.

 

Gary (or rather the analysts he worked with) suggested that it might be better to use “executes” or “plans”. So Operation Aurora is planned by APT1, or Operation Aurora was executed by APT1.

 

So, the decision is:

1.      Continue to use “attributed-to” (no change)

2.      Use “executed-by”

3.      Use “planned-by”

 

Thoughts? I’m pretty open to either 1 or 2, but #3 sounds different to me.

 

John
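The three encodings discussed in this thread (several typed relationships between the same pair, "attributed-to" refined by a label, and a core type with all detail in labels), shown as an added example that is not part of any message or of the STIX specification. The object IDs, timestamp and helper names are constructed, and treating a label as a relationship meaning is the thread's proposal, assumed here so that one consumer query can cover all three.

```python
import uuid

TS = "2016-09-21T00:00:00.000Z"  # constructed timestamp

def rel(rel_type, source, target, creator, labels=()):
    """Build a minimal STIX 2.0-style relationship object (hypothetical helper)."""
    obj = {
        "type": "relationship",
        "id": f"relationship--{uuid.uuid4()}",
        "created_by_ref": creator,
        "created": TS,
        "modified": TS,
        "relationship_type": rel_type,
        "source_ref": source,
        "target_ref": target,
    }
    if labels:
        obj["labels"] = list(labels)
    return obj

def meanings(r):
    """Every name a consumer has to check: the type plus any labels (assumption)."""
    return {r["relationship_type"], *r.get("labels", [])}

def linked(rels, source, meaning):
    """Map each asserting producer to the targets it links with `meaning`."""
    out = {}
    for r in rels:
        if r["source_ref"] == source and meaning in meanings(r):
            out.setdefault(r["created_by_ref"], set()).add(r["target_ref"])
    return out

# Constructed identifiers standing in for campaign X, threat actor A, org V, org W.
CAMPAIGN = "campaign--00000000-0000-4000-8000-000000000001"
ACTOR = "threat-actor--00000000-0000-4000-8000-00000000000a"
ORG_V = "identity--00000000-0000-4000-8000-0000000000f1"
ORG_W = "identity--00000000-0000-4000-8000-0000000000f2"

# Several typed relationships between the same pair, from two producers.
MULTIPLE = [rel("attributed-to", CAMPAIGN, ACTOR, ORG_V),
            rel("planned-by", CAMPAIGN, ACTOR, ORG_V),
            rel("executed-by", CAMPAIGN, ACTOR, ORG_W)]
# "attributed-to" kept as the type, refined by a label.
TYPE_PLUS_LABEL = [rel("attributed-to", CAMPAIGN, ACTOR, ORG_W, ["executed-by"])]
# Core type only, with the detail carried in labels.
CORE_PLUS_LABELS = [rel("related-to", CAMPAIGN, ACTOR, ORG_V,
                        ["attributed-to", "planned-by"])]

if __name__ == "__main__":
    for rels in (MULTIPLE, TYPE_PLUS_LABEL, CORE_PLUS_LABELS):
        print(linked(rels, CAMPAIGN, "attributed-to"))
```

Grouping by `created_by_ref` keeps each producer's assertion separate, so a consumer can see that org V attributes the campaign while org W only asserts execution.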


