OASIS Mailing List Archives

cti-stix message

Subject: Re: [cti-stix] Relationship name tweaks - attributed-to


One thing I worry about in this approach is that not everyone may add both attributed-to and one of the other ones. Then, someone goes to search for relationships “attributed-to” APT1, and they don’t find Operation Aurora because the producer only used “executed-by”.

 

I kind of see what Jason is saying, I’m just not sure that there are enough cases of a threat actor planning but not executing an attack to justify the distinction directly in relationship_type (rather than in labels).

 

From: <cti-stix@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@cosive.com>
Date: Wednesday, September 21, 2016 at 3:30 PM
To: "Bret Jordan (CS)" <Bret_Jordan@symantec.com>
Cc: Allan Thomson <athomson@lookingglasscyber.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "Wunder, John A." <jwunder@mitre.org>
Subject: Re: [cti-stix] Relationship name tweaks - attributed-to

 

Why complicate it like that? Having a menu of different relationship types as we have been doing is perfectly fine. A two level relationship naming structure doesn't make it clearer in my opinion. The existing structure we have now will work fine.

I vote for all the names as the attributed-to relationship can be used when you are unsure of any other details about the relationship other than there is one.

Cheers
Terry MacDonald
Cosive

 

On 22 Sep 2016 07:23, "Bret Jordan (CS)" <Bret_Jordan@symantec.com> wrote:

This is one of the reasons why way back when I proposed that there not really be a "relationship-type" other than one of the three core relationship types. Then we would use the "labels" field to have extra and more detailed context.

 

So in effect all relationships would be of type (duplicate-of, derived-from, related-to). And then you would use the "labels" property to add things like "attributed-to", "uses", "executed-by", "planned", "planned-by", "mitigates" etc.

 

Bret

 


From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@cosive.com>
Sent: Wednesday, September 21, 2016 1:17:17 PM
To: John A. Wunder
Cc: Allan Thomson; cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Relationship name tweaks - attributed-to

 

Hi all,

It's not an either/or decision. The great thing about relationships in the graph model that we use is that there can be many types of relationships between the same types of objects. For example campaign X and Threat actor A can have an attributed relationship between them (from org V) and a planned-by relationship (from org V) and an executed-by relationship (from org W).

In my opinion we should be using multiple relationships everywhere to help better describe the relationships we want to describe rather than forcing ourselves down to a single type of relationship. That's such a STIX 1.x way of thinking.

So - why not have all of them?

Cheers
Terry MacDonald
Cosive

 

On 22 Sep 2016 06:39, "Wunder, John A." <jwunder@mitre.org> wrote:

That’s a good point, I’m changing my answer to 1.

 

Relationships do have labels now btw, so you could use “attributed-to” and have a label of “executed-by”.

 

From: Allan Thomson <athomson@lookingglasscyber.com>
Date: Wednesday, September 21, 2016 at 2:36 PM
To: "Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Relationship name tweaks - attributed-to

 

Prefer Option 1 as it covers both planning and execution whereas the problem with Option 2 and 3 is that they are very specific.

 

Suggest the more generic ‘attributed-to’ is best for the exchange of relationships.

 

Could be another reason to have relationships that can be assigned labels to help add this additional context of relationship connections.

 

allan

From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of "Wunder, John" <jwunder@mitre.org>
Date: Wednesday, September 21, 2016 at 11:32 AM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: [cti-stix] Relationship name tweaks - attributed-to

 

All,

 

A couple times I’ve alluded to some changes to relationship names that Gary Katz proposed. Given some last-minute changes (removing Incident, mostly) it turns out only one is still applicable for 2.0 so I’d like to raise it now.

 

The relationship in question is “attributed-to”, when used from a Campaign to a Threat Actor or Intrusion Set. For example, Operation Aurora is attributed to APT1.

 

Gary (or rather the analysts he worked with) suggested that it might be better to use “executes” or “plans”. So Operation Aurora is planned by APT1, or Operation Aurora was executed by APT1.

 

So, the decision is:

1. Continue to use “attributed-to” (no change)

2. Use “executed-by”

3. Use “planned-by”

 

Thoughts? I’m pretty open to either 1 or 2, but #3 sounds different to me.

 

John
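The three options John lists, the "attributed-to plus a label" suggestion from his later reply, and the worry in the top reply that a consumer searching for "attributed-to" will not find a campaign whose producer only used "executed-by" are easy to see in code. The following is an added example written for this page; it is not part of the thread and not code from the STIX specification or any OASIS project. It builds STIX 2.0-style Relationship objects between a Campaign and a Threat Actor from two producers, one using "attributed-to" with a "planned-by" label, the other using only "executed-by", and then contrasts a naive "attributed-to" search with a consumer-side query that treats all three relationship types as attribution. The UUIDs, identity IDs, timestamps and the function names are constructed for the example; the lowercase/digit/hyphen check on relationship_type reflects the constraint STIX 2.0 places on that property.

```python
import json
import re

# All identifiers, names and timestamps below are constructed for this
# example; they are not real CTI data.
CAMPAIGN_ID = "campaign--1f3a9c2e-6b7d-4e8f-9a0b-1c2d3e4f5a60"
ACTOR_ID = "threat-actor--2b4c8d1e-7f90-4a1b-8c2d-3e4f5a6b7c80"
ORG_V = "identity--3c5d9e2f-8a01-4b2c-9d3e-4f5a6b7c8d90"   # producer "org V"
ORG_W = "identity--4d6e0f3a-9b12-4c3d-8e4f-5a6b7c8d9e00"   # producer "org W"
TS = "2016-09-21T19:32:00.000Z"

# The relationship_type values the thread is choosing between. A consumer
# asking "who is this campaign attributed to" has to accept all three,
# because a producer may have emitted only one of them.
ATTRIBUTION_TYPES = frozenset({"attributed-to", "executed-by", "planned-by"})

# STIX 2.0 limits relationship_type to lowercase ASCII letters, digits and
# hyphens; reject anything else before it reaches a query.
_REL_TYPE_RE = re.compile(r"^[a-z0-9-]+$")


def is_valid_relationship_type(value):
    return isinstance(value, str) and bool(_REL_TYPE_RE.match(value))


def relationship(rel_id, relationship_type, source_ref, target_ref,
                 created_by_ref, labels=()):
    """Build a STIX 2.0-style Relationship SRO as a plain dict."""
    if not is_valid_relationship_type(relationship_type):
        raise ValueError("bad relationship_type: %r" % (relationship_type,))
    obj = {
        "type": "relationship",
        "id": rel_id,
        "created": TS,
        "modified": TS,
        "created_by_ref": created_by_ref,
        "relationship_type": relationship_type,
        "source_ref": source_ref,
        "target_ref": target_ref,
    }
    if labels:
        obj["labels"] = list(labels)
    return obj


BUNDLE = {
    "type": "bundle",
    "id": "bundle--5e7f1a4b-0c23-4d4e-9f50-6b7c8d9e0f10",
    "spec_version": "2.0",
    "objects": [
        {"type": "campaign", "id": CAMPAIGN_ID, "created": TS, "modified": TS,
         "name": "Operation Aurora"},
        {"type": "threat-actor", "id": ACTOR_ID, "created": TS, "modified": TS,
         "name": "APT1", "labels": ["nation-state"]},
        # Org V follows the "attributed-to plus a label" suggestion.
        relationship("relationship--6f8a2b5c-1d34-4e5f-8a61-7c8d9e0f1a20",
                     "attributed-to", CAMPAIGN_ID, ACTOR_ID, ORG_V,
                     labels=["planned-by"]),
        # Org W used only "executed-by": the case the top reply worries about.
        relationship("relationship--7a9b3c6d-2e45-4f60-9b72-8d9e0f1a2b30",
                     "executed-by", CAMPAIGN_ID, ACTOR_ID, ORG_W),
    ],
}


def attribution_edges(objects, campaign_id, accepted=("attributed-to",)):
    """Relationships from campaign_id to a Threat Actor or Intrusion Set whose
    relationship_type is in `accepted`. The default reproduces a naive
    consumer that searches for "attributed-to" only."""
    hits = []
    for obj in objects:
        if obj.get("type") != "relationship" or obj.get("source_ref") != campaign_id:
            continue
        target = str(obj.get("target_ref", ""))
        if not target.startswith(("threat-actor--", "intrusion-set--")):
            continue
        if obj.get("relationship_type") in accepted:
            hits.append(obj)
    return sorted(hits, key=lambda o: o["id"])


def attribution_summary(objects, campaign_id):
    """Merge every attribution-style edge, however it was expressed, into
    {actor_id: sorted roles}; roles come from relationship_type and from
    labels, so neither producer's detail is lost."""
    roles = {}
    for rel in attribution_edges(objects, campaign_id, ATTRIBUTION_TYPES):
        bucket = roles.setdefault(rel["target_ref"], set())
        bucket.add(rel["relationship_type"])
        bucket.update(l for l in rel.get("labels", []) if l in ATTRIBUTION_TYPES)
    return {actor: sorted(r) for actor, r in roles.items()}


if __name__ == "__main__":
    objs = BUNDLE["objects"]
    naive = attribution_edges(objs, CAMPAIGN_ID)
    print("naive search finds producers:", [r["created_by_ref"] for r in naive])
    print("merged view:", json.dumps(attribution_summary(objs, CAMPAIGN_ID), indent=2))
```

Run stand-alone, the naive search returns only org V's edge, while the merged view reports the actor with all three roles. The point for a consumer is that whichever name the list settles on, a query keyed on a single relationship_type string is only as complete as the producers' discipline; the normalization step is what makes Terry's "have all of them" graph and John's "attributed-to plus label" form searchable together.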


