I can see the reasoning for both (apart from the increase in object types that we keep worrying about). To us, event and incident mean very specific things. And there are definitely things that we deal with that we would call an ‘incident’, which the word ‘event’ wouldn’t really cover. But, I also understand not wanting to call something an incident if it isn’t one, given the connotations behind that word and how much people can overreact to it.
All that to say, I could get behind using both like Bret suggested.
Sarah Kelley
Senior CERT Analyst
Center for Internet Security (CIS)
Integrated Intelligence Center (IIC)
Multi-State Information Sharing and Analysis Center (MS-ISAC)
1-866-787-4722 (7×24 SOC)
Email: cert@cisecurity.org
www.cisecurity.org
Follow us @CISecurity
From: <cti-stix@lists.oasis-open.org> on behalf of "Bret Jordan (CS)" <Bret_Jordan@symantec.com>
Date: Tuesday, November 8, 2016 at 1:44 PM
To: "Taylor, Marlon" <Marlon.Taylor@hq.dhs.gov>, "'Katz, Gary CTR DC3\DCCI'" <Gary.Katz.ctr@dc3.mil>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: [cti-stix] Re: Possible items for STIX 2.1
I get where you are going, and I am not against it. I wonder if we should do both objects? Just like with Campaigns and Intrusion Sets, I can see the same sort of progression or semantics. You would identify an Event and you may share that Event. At some point this Event may turn into an actual Incident that you need to share and report on.
Thoughts?
Bret
From: Taylor, Marlon <Marlon.Taylor@hq.dhs.gov>
Sent: Tuesday, November 8, 2016 11:17:47 AM
To: 'Katz, Gary CTR DC3\DCCI'; Bret Jordan (CS); cti-stix@lists.oasis-open.org
Subject: RE: Possible items for STIX 2.1
I like Events.
-Marlon
-----Original Message-----
From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Katz, Gary CTR DC3\DCCI
Sent: Tuesday, November 08, 2016 12:01 PM
To: 'Bret Jordan (CS)'; cti-stix@lists.oasis-open.org
Subject: [cti-stix] RE: Possible items for STIX 2.1
Bret,
Sorry for not making the call today. I would like to propose replacing Incident with Event. Events allow us to capture non-incident information that is still valuable. For example, a threat actor standing up or breaking down infrastructure. It also doesn't have the same connotations as Incidents. Some CISOs may take issue with saying there was an Incident on their network, but an Event may be more palatable and make it easier for organizations to share. Organizations may also categorize an Incident differently. Some may count Reconnaissance activity as an Incident while others only call something an Incident when there was loss of control. Events, though, are more general and therefore make it easier to capture activity.
We put together a version of the Event object based upon our own analysts' inputs. If it's an object that the CTI community wants to move forward on, let me know and I can share it out.
Thoughts?
-Gary
-----Original Message-----
From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Bret Jordan (CS)
Sent: Tuesday, November 08, 2016 11:36 AM
To: cti-stix@lists.oasis-open.org
Subject: [Non-DoD Source] [cti-stix] Possible items for STIX 2.1
Infrastructure
Malware
Incident
Course of Action - OpenC2
Internationalization
Confidence (source confidence)
Comments
Location
    - When the location information was looked up / assigned.
    - Service used to look up the location
    - Accuracy of the service or methodology
    - Self Reported
Add organizational relationships
    - Employees
    - Threat Actor -> Threat Actor relationship
Intel Notes
Bret