Subject: Re: [cti-stix] Re: Possible items for STIX 2.1


So this is a great topic for the F2F in January. Gary, will you be able to make it and, if so, can you put together a proposal or some materials for us to go through?

FWIW I think we need to see some more details but I’d probably lean towards events that might be event_type=incident rather than having both as separate TLOs. I’m happy to help you put together the proposal if you want.

John

On 11/9/16, 12:06 PM, "cti-stix@lists.oasis-open.org on behalf of Katz, Gary CTR DC3\DCCI" <cti-stix@lists.oasis-open.org on behalf of Gary.Katz.ctr@dc3.mil> wrote:

    So I'm open to looking at both objects.  We had originally had both objects and after we deconstructed both of them we determined that we did not need Incident any longer.  The larger STIX community may see a use for it, we just found them to be too similar to justify having two objects.  We also felt that it made sure that the different distinctions that individual organizations have between Events and Incidents did not result in some groups calling something an incident and other groups calling it an Event.
    
    -----Original Message-----
    From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Patrick Maroney
    Sent: Wednesday, November 09, 2016 10:41 AM
    To: Jane Ginn - jg@ctin.us; cti-stix@lists.oasis-open.org
    Subject: [Non-DoD Source] Re: [cti-stix] Re: Possible items for STIX 2.1
    
    (1)     [+1] on an Event construct.
    
    (2)     [+1] on an Incident Construct that can support a linked set [List] of Relationships to Event Objects (in the STIX Document or Externally Referenced by Event ID).
    
    From: <cti-stix@lists.oasis-open.org> on behalf of Jane Ginn <jg@ctin.us>
    Date: Tuesday, November 8, 2016 at 8:07 PM
    To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Subject: Re: [cti-stix] Re: Possible items for STIX 2.1
    
    Gary & All:
    
    I've run into situations where I have had to use 'Incident' in a TIP situation where it was not appropriate... because it was premature to give it such a formal designation. Using a less formal term would give us a lot more flexibility when we are hunting at the left side of the kill chain... before formal designation.
    
    Jane Ginn, MSIA, MRP
    Cyber Threat Intelligence Network, Inc.
    jg@ctin.us
    
    
    
    -------- Original Message --------
    From: "Bret Jordan (CS)" <Bret_Jordan@symantec.com>
    Sent: Tuesday, November 8, 2016 01:31 PM
    To: "Coderre, Robert" <rcoderre@verisign.com>, "Katz, Gary CTR DC3\DCCI" <Gary.Katz.ctr@dc3.mil>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Subject: [cti-stix] Re: Possible items for STIX 2.1
    
    Well like Campaign, Threat Actor, and Intrusion Set, there probably will not be a lot.  I could see Event having fewer fields than an Incident.  Maybe Event is a sub-set of Incident.  We would really need to see Gary's example first.
    
    Bret
    
    ________________________________
    
    From: Coderre, Robert <rcoderre@verisign.com>
    Sent: Tuesday, November 8, 2016 12:06:47 PM
    To: Katz, Gary CTR DC3\DCCI; Bret Jordan (CS); cti-stix@lists.oasis-open.org
    Subject: RE: Possible items for STIX 2.1 
    
    FWIW, I like the concept of Event.  Makes much more sense from an external perspective.  I'm curious though, from an object properties standpoint, what's the delta between the 2?
    
    Rob
    
    -----Original Message-----
    From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Katz, Gary CTR DC3\DCCI
    Sent: Tuesday, November 08, 2016 12:01 PM
    To: 'Bret Jordan (CS)'; cti-stix@lists.oasis-open.org
    Subject: [cti-stix] RE: Possible items for STIX 2.1
    
    Bret,
       Sorry for not making the call today.  I would like to propose replacing Incident with Event.  Events allow us to capture non-incident information that is still valuable.  For example, a threat actor standing up or breaking down infrastructure.  It also doesn't have the same connotations as Incidents.  Some CISOs may take issue with saying there was an Incident on their network, but an Event may be more palatable and make it easier for organizations to share.  Organizations may also categorize an Incident differently.  Some may count Reconnaissance activity as an Incident while others only call something an Incident when there was loss of control.  Events, though, are more general and therefore make it easier to capture activity.
    
      We put together a version of the Event object based upon our own analysts' inputs.  If it's an object that the CTI community wants to move forward on, let me know and I can share it out.
    
    Thoughts?
    
       -Gary
    
    -----Original Message-----
    From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Bret Jordan (CS)
    Sent: Tuesday, November 08, 2016 11:36 AM
    To: cti-stix@lists.oasis-open.org
    Subject: [Non-DoD Source] [cti-stix] Possible items for STIX 2.1
    
    Infrastructure
    Malware
    Incident
    Course of Action - OpenC2
    Internationalization
    Confidence (source confidence)
    Comments
    Location 
         When the location information was looked up / assigned. 
         Service used to look up the location 
         Accuracy of the service or methodology 
         Self Reported
    Add organizational relationships 
         Employees
    Threat Actor -> Threat Actor relationship Intel Notes 
    
    Bret
    
    
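An added sketch (not from the thread or from the STIX specification) of the two modelling options the thread weighs, written as STIX-style JSON dicts: Patrick's separate Incident linked by Relationship objects to Event objects that may sit in the same bundle or be referenced by ID only, beside John's single event flagged with event_type=incident. The "event" object type, the "event_type" property and the "consists-of" relationship type are assumed placeholders for the proposal, not objects STIX 2.x defines; "incident" here is likewise the proposed object, not the specification's.

```python
import uuid

def stix_id(obj_type):
    """STIX-style identifier: '<type>--<UUIDv4>'."""
    return f"{obj_type}--{uuid.uuid4()}"

def stix_obj(obj_type, **props):
    """Minimal object skeleton (real SDOs also carry created/modified)."""
    return {"type": obj_type, "id": stix_id(obj_type), "spec_version": "2.1", **props}

def relationship(source_ref, rel_type, target_ref):
    return stix_obj("relationship", relationship_type=rel_type,
                    source_ref=source_ref, target_ref=target_ref)

def incident_with_events(name, local_events, external_event_ids):
    """Option (a): an incident SDO plus one relationship per linked event.
    local_events are embedded in the bundle; external_event_ids are linked by
    ID only, as Patrick's message allows. 'consists-of' is a hypothetical
    relationship type; STIX 2.x does not define it."""
    incident = stix_obj("incident", name=name)
    targets = [e["id"] for e in local_events] + list(external_event_ids)
    rels = [relationship(incident["id"], "consists-of", t) for t in targets]
    return {"type": "bundle", "id": stix_id("bundle"),
            "objects": [incident, *local_events, *rels]}

def resolve_event_refs(bundle):
    """Split an incident's linked event IDs into those present in the bundle
    and those a consumer must fetch elsewhere before it can act on them."""
    present = {o["id"] for o in bundle["objects"] if o["type"] != "relationship"}
    linked = [o["target_ref"] for o in bundle["objects"]
              if o["type"] == "relationship" and o["source_ref"].startswith("incident--")]
    local = [t for t in linked if t in present]
    external = [t for t in linked if t not in present]
    return local, external

def event_as_incident(name):
    """Option (b): no incident object; a hypothetical 'event' SDO is flagged by
    a hypothetical 'event_type' property instead."""
    return stix_obj("event", name=name, event_type="incident")

# Constructed sample data: one event shipped in the bundle, one only by ID.
SAMPLE_EVENT = stix_obj("event", name="actor stood up C2 infrastructure",
                        event_type="infrastructure")
EXTERNAL_EVENT_ID = "event--00000000-0000-4000-8000-000000000001"  # constructed
SAMPLE_BUNDLE = incident_with_events("constructed incident", [SAMPLE_EVENT],
                                     [EXTERNAL_EVENT_ID])
```

resolve_event_refs shows the consumer-side cost of option (a): any event referenced only by ID has to be fetched before the incident can be fully interpreted, which option (b) avoids by collapsing both into one object.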