Subject: Re: [cti-stix] Relationship name tweaks - attributed-to
I weighed in on Slack but not via email.
I also agree with Terry's reasoning. There is also another benefit - by having these distinct relationships, it gives us the ability and opportunity later to add normalized relationship-specific fields - pieces of data that are only valid for that one type of relationship, as opposed to having to shoe-horn that data all into custom fields.
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown
"Coderre, Robert" ---09/22/2016 11:05:37 PM---I am coming around to Terry's way of thinking on this. The single level relationship is much easier
From: "Coderre, Robert" <rcoderre@verisign.com>
To: Terry MacDonald <terry.macdonald@cosive.com>
Cc: "Bret Jordan (CS)" <Bret_Jordan@symantec.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, JG on CTI-TC <jg@ctin.us>
Date: 09/22/2016 11:05 PM
Subject: Re: [cti-stix] Relationship name tweaks - attributed-to
Sent by: <cti-stix@lists.oasis-open.org>
We absolutely need this multi-relationship connectivity between SDOs to provide the flexibility for users to accurately describe the nuances of the Threat Intel they are wanting to portray. The suggested open vocabulary will provide the structure to allow automation to occur, and the extensibility of that open vocab will provide flexibility to describe accurately.
I do not like adding another layer to the relationships at all. I would prefer keeping them single level. All a double layer relationship would do is classify the object type at the other end of the relationship, which is an unnecessary addition as the relationship is already able to do that as the id in the target_ref field contains the object_type.
Cheers
Terry MacDonald
Cosive
On 23 Sep 2016 4:26 AM, "Bret Jordan (CS)" <Bret_Jordan@symantec.com> wrote:
Bret
There is a big difference between all three of these proposed relationship names:
"attributed-to" - This is from the POV of an analyst that has either information from another research entity or information from his/her own team. However, it sounds as if he/she is not firm in the approach towards attribution. It sounds a little like legalese.
"executed-by" - This sounds much more definitive; however, the information in the hands of the analyst at the time may or may not be definitive. Therefore, it may be necessary for the analyst to qualify his/her own judgement.
"planned-by" - This seems to be more intimately linked to an interpretation, on the part of the analyst, about internal operations of the APT team. For some of the more advanced APT research teams this may be possible. For others, there may not be enough depth to the bench. Or, for APTs that have been around for a long time and have left a significant temporal footprint (e.g., the Dukes) this interpretation of a "planning" step may be possible. But for newly discovered threats, it might not be possible for an analyst to claim knowledge of pre-attack plans.
I can only say that I would like to have all three of these relationship names available to me so I could choose the one that is most appropriate to the situation. Then, the question becomes, how to automate it for MRTI.
Jane
On 9/21/2016 11:32 AM, Wunder, John A. wrote:
A couple times I’ve alluded to some changes to relationship names that Gary Katz proposed. Given some last-minute changes (removing Incident, mostly) it turns out only one is still applicable for 2.0 so I’d like to raise it now.
The relationship in question is “attributed-to”, when used from a Campaign to a Threat Actor or Intrusion Set. For example, Operation Aurora is attributed to APT1.
Gary (or rather the analysts he worked with) suggested that it might be better to use “executes” or “plans”. So Operation Aurora is planned by APT1, or Operation Aurora was executed by APT1.
So, the decision is:
1. Continue to use “attributed-to” (no change)
2. Use “executed-by”
3. Use “planned-by”
Thoughts? I’m pretty open to either 1 or 2, but #3 sounds different to me.
John
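Terry's point above (the object type at the far end of a relationship is already carried in the `target_ref` identifier) and John's Campaign-to-Threat-Actor / Intrusion-Set case, as an added example that is not part of the thread or of the STIX specification's own code. The table of allowed source/target pairs and the UUIDs are assumptions constructed for illustration:

```python
import re
from typing import Dict, Set, Tuple

# A STIX 2.0 identifier is "<type>--<uuid>", so a validator can recover the
# type of either end of a relationship from source_ref / target_ref alone.
_ID_RE = re.compile(
    r"^([a-z][a-z0-9-]+[a-z0-9])--"
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$"
)

# Assumed table of which (source type, target type) pairs a relationship name
# may join. Only the Campaign case from the thread is listed; the two proposed
# alternative names are included so whichever name is chosen can be checked.
_CAMPAIGN_TARGETS = {("campaign", "threat-actor"), ("campaign", "intrusion-set")}
ALLOWED_RELATIONSHIPS: Dict[str, Set[Tuple[str, str]]] = {
    "attributed-to": _CAMPAIGN_TARGETS,
    "executed-by": _CAMPAIGN_TARGETS,
    "planned-by": _CAMPAIGN_TARGETS,
}


def ref_type(stix_id: str) -> str:
    """Return the object type embedded in a STIX identifier, e.g. 'campaign'."""
    match = _ID_RE.match(stix_id)
    if not match:
        raise ValueError(f"not a STIX 2.0 identifier: {stix_id!r}")
    return match.group(1)


def validate_relationship(rel: dict) -> Tuple[bool, str]:
    """Check a single-level relationship against ALLOWED_RELATIONSHIPS.

    The target's type is never stated as a second relationship layer; it is
    read out of target_ref, which is why one level of naming is enough.
    """
    if rel.get("type") != "relationship":
        return False, "object is not a relationship"
    try:
        src, dst = ref_type(rel["source_ref"]), ref_type(rel["target_ref"])
    except (KeyError, ValueError) as exc:
        return False, f"bad reference: {exc}"
    name = rel.get("relationship_type")
    if (src, dst) not in ALLOWED_RELATIONSHIPS.get(name, set()):
        return False, f"{name!r} may not join {src} -> {dst}"
    return True, "ok"


# Constructed sample: "Operation Aurora attributed-to APT1", with APT1 modelled
# as an intrusion set. All UUIDs below are made up for this example.
AURORA_ATTRIBUTION = {
    "type": "relationship",
    "id": "relationship--0b7a3a2e-5c5e-4c0a-8b3e-2c1d9f6e7a10",
    "relationship_type": "attributed-to",
    "source_ref": "campaign--6e1c5f3a-8d2b-4a7c-9e4f-1b2c3d4e5f60",
    "target_ref": "intrusion-set--c3d4e5f6-a7b8-4c9d-8e0f-1a2b3c4d5e6f",
}
```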