
cti-stix message



Subject: RE: [cti-stix] Relationship name tweaks - attributed-to


So we currently use the following relationships.  This is just how we are currently capturing things.  To Jane's point, depending on the fidelity of analysis performed by an organization, they may wish to capture things differently.

Intrusion Set -> ATTRIBUTED TO -> Person
Intrusion Set -> ATTRIBUTED TO -> Organization
Intrusion Set -> PLANS -> Campaign
Intrusion Set -> EXECUTES -> Campaign

Hope this helps,
    -Gary

-----Original Message-----
From: cti-stix-publicmirror@lists.oasis-open.org [mailto:cti-stix-publicmirror@lists.oasis-open.org] On Behalf Of Coderre, Robert
Sent: Thursday, September 22, 2016 7:33 AM
To: cti-stix-publicmirror@lists.oasis-open.org
Cc: cti-stix@lists.oasis-open.org
Subject: [Non-DoD Source] [cti-stix-publicmirror] Re: [cti-stix] Relationship name tweaks - attributed-to

I agree with Jane here, in that as described each relationship type can have very specific, nuanced meanings. That does convey richer information, but as noted elsewhere, can cause problems from an MRTI perspective. In our graph model for our product, we have multiple relationship types and these are specific and constrained for different object types by schema rules. That works well for us and keeps our data consistent, but I would not necessarily push that onto a larger community.

I am more in favor of a single relationship type ("attributed-to"), with a label to convey additional detail. However, I would have an open vocabulary that predefines most of the relationship types so we can have consistency and better interoperability. It can be extensible, as we do for other vocabs, but the base options should be enumerated. 

Rob

--
Rob Coderre
iDefense, Director of Product Management
Verisign, Inc.
rcoderre@verisign.com

On Sep 21, 2016, at 8:43 PM, JG on CTI-TC <jg@ctin.us> wrote:

	John:

	There is a big difference between all three of these proposed relationship names:

	"attributed-to" - This is from the POV of an analyst that has either information from another research entity or information from his/her own team.  However, it sounds as if he/she is not firm in the approach towards attribution. It sounds a little like legalese.

	"executed-by" - This sounds much more definitive; however, the information in the hands of the analyst at the time may or may not be definitive.  Therefore, it may be necessary for the analyst to qualify his/her own judgement.

	"planned-by" - This seems to be more intimately linked to an interpretation, on the part of the analyst, about internal operations of the APT team.  For some of the more advanced APT research teams this may be possible. For others, there may not be enough depth to the bench.  Or, for APTs that have been around for a long time and have left a significant temporal footprint (e.g., the Dukes) this interpretation of a "planning" step may be possible.  But for newly discovered threats, it might not be possible for an analyst to claim knowledge of pre-attack plans.

	I can only say that I would like to have all three of these relationship names available to me so I could choose the one that is most appropriate to the situation.  Then, the question becomes, how to automate it for MRTI.

	Jane


	On 9/21/2016 11:32 AM, Wunder, John A. wrote:
	

		All,

		A couple times I’ve alluded to some changes to relationship names that Gary Katz proposed. Given some last-minute changes (removing Incident, mostly) it turns out only one is still applicable for 2.0 so I’d like to raise it now.

		The relationship in question is “attributed-to”, when used from a Campaign to a Threat Actor or Intrusion Set. For example, Operation Aurora is attributed to APT1.

		Gary (or rather the analysts he worked with) suggested that it might be better to use “executes” or “plans”. So Operation Aurora is planned by APT1, or Operation Aurora was executed by APT1.

		So, the decision is:

		1. Continue to use “attributed-to” (no change)

		2. Use “executed-by”

		3. Use “planned-by”

		Thoughts? I’m pretty open to either 1 or 2, but #3 sounds different to me.

		John


	-- 
	Jane Ginn, MSIA, MRP
	CTI-TC Co-Secretary
	Cyber Threat Intelligence Network, Inc.
	jg@ctin.us

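The thread weighs a single "attributed-to" relationship against "executed-by"/"planned-by", and Rob describes constraining relationship types per source and target object type by schema rule while keeping the vocabulary open. The following Python script is an added illustration of that approach and is not code from the thread, from OASIS, or from any STIX implementation. It builds a small STIX 2.0-style bundle (Operation Aurora attributed to APT1, as in John's message) and checks each Relationship object against a per-source-type vocabulary table. The "campaign attributed-to intrusion-set/threat-actor" and "intrusion-set attributed-to threat-actor" rows follow the STIX 2.0 relationship tables; the "executed-by" and "planned-by" rows, the "sponsored-by" name, the identity object and all ids and timestamps are constructed for the example. Names outside the predefined set are accepted but flagged, which is the open-vocabulary behaviour Rob asks for; a predefined name pointing at a disallowed target type is an error.

```python
"""Check relationship_type values in a STIX 2.0-style bundle against a per-object-type vocabulary.

Added example: the vocabulary table below is partly taken from STIX 2.0 and partly hypothetical
(see comments); every object in the sample bundle is constructed for this script.
"""
import json
import uuid

# Constructed timestamp for the sample objects (STIX 2.0 requires created/modified).
SAMPLE_TS = "2016-09-22T12:00:00.000Z"
# RFC 4122 DNS namespace, reused here only to derive stable ids for the sample objects.
NAMESPACE = uuid.UUID("6ba7b810-9dad-11d1-80b4-00c04fd430c8")

# (source type, relationship_type) -> allowed target types.
# The "attributed-to" rows follow the STIX 2.0 relationship summary tables.
# The "executed-by" and "planned-by" rows are hypothetical: they show how the
# names proposed in the thread would be constrained if they were adopted.
RELATIONSHIP_VOCAB = {
    ("campaign", "attributed-to"): {"intrusion-set", "threat-actor"},
    ("intrusion-set", "attributed-to"): {"threat-actor"},
    ("campaign", "executed-by"): {"intrusion-set", "threat-actor"},  # hypothetical
    ("campaign", "planned-by"): {"intrusion-set", "threat-actor"},   # hypothetical
}


def stix_id(obj_type, key):
    """Deterministic 'type--uuid' id derived from a key; sample-only choice, not a STIX rule."""
    return f"{obj_type}--{uuid.uuid5(NAMESPACE, f'{obj_type}/{key}')}"


def sdo(obj_type, name):
    """Minimal STIX domain object with the common required properties."""
    return {"type": obj_type, "id": stix_id(obj_type, name),
            "created": SAMPLE_TS, "modified": SAMPLE_TS, "name": name}


def relationship(rel_type, source, target):
    """STIX Relationship object from source to target with the given relationship_type."""
    key = f"{source['id']}|{rel_type}|{target['id']}"
    return {"type": "relationship", "id": stix_id("relationship", key),
            "created": SAMPLE_TS, "modified": SAMPLE_TS,
            "relationship_type": rel_type,
            "source_ref": source["id"], "target_ref": target["id"]}


def check_relationship(rel, objects_by_id):
    """Return None if the relationship is allowed, else a (severity, message) tuple."""
    src = objects_by_id.get(rel["source_ref"])
    tgt = objects_by_id.get(rel["target_ref"])
    if src is None or tgt is None:
        return ("error", f"{rel['id']}: dangling source_ref or target_ref")
    rel_type = rel["relationship_type"]
    predefined = {r for (s, r) in RELATIONSHIP_VOCAB if s == src["type"]}
    if rel_type not in predefined:
        # Open vocabulary: an extension name is kept but flagged so consumers can see it.
        return ("warning",
                f"{rel['id']}: '{rel_type}' is not a predefined relationship for {src['type']}")
    if tgt["type"] not in RELATIONSHIP_VOCAB[(src["type"], rel_type)]:
        return ("error",
                f"{rel['id']}: {src['type']} {rel_type} {tgt['type']} is not allowed")
    return None


def check_bundle(bundle):
    """Run check_relationship over every Relationship in the bundle, in bundle order."""
    by_id = {obj["id"]: obj for obj in bundle["objects"]}
    findings = []
    for obj in bundle["objects"]:
        if obj["type"] == "relationship":
            finding = check_relationship(obj, by_id)
            if finding is not None:
                findings.append(finding)
    return findings


def build_sample_bundle():
    """Constructed bundle: one valid attribution, one hypothetical name, one bad target, one extension."""
    aurora = sdo("campaign", "Operation Aurora")
    apt1 = sdo("intrusion-set", "APT1")
    org = sdo("identity", "Example Org (constructed)")
    rels = [
        relationship("attributed-to", aurora, apt1),  # allowed by STIX 2.0
        relationship("executed-by", aurora, apt1),    # hypothetical name, allowed by the table above
        relationship("attributed-to", aurora, org),   # identity is not a valid attribution target
        relationship("sponsored-by", aurora, apt1),   # not predefined: open-vocab extension, flagged only
    ]
    return {"type": "bundle", "id": stix_id("bundle", "sample"),
            "spec_version": "2.0", "objects": [aurora, apt1, org, *rels]}


if __name__ == "__main__":
    sample = build_sample_bundle()
    print(json.dumps(sample, indent=2))
    for severity, message in check_bundle(sample):
        print(f"{severity.upper()}: {message}")
```

Running the script prints the bundle followed by one ERROR for the campaign-to-identity attribution and one WARNING for "sponsored-by"; the two relationships that satisfy the table produce no output. Swapping the table for an organisation's own rules (Gary's Intrusion Set to Person/Organization pairs, for instance) is a one-line change per row, which is the point of keeping the constraint in data rather than in the checker.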


