cti-stix message
Subject: Classification Proposal
- From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- To: cti-stix@lists.oasis-open.org
- Date: Thu, 13 Jul 2017 10:31:07 -0300
Hello everyone;

A while back I submitted a proposal for a Classification object in the playground. This proposal can be found here: https://docs.google.com/document/d/1wiG6RoNEFaE2lrblfgjpu3RTAJZOK2q0b5OxXCaCV14/edit#heading=h.snfvxw2o7p1u

A key example of the reason we need this object is threat intelligence vendors. Feeds of threat intelligence data do not only contain "bad things", they also contain "known good things". For example, if I go to a URL reputation site and put in www.amazon.com, it will have a low risk score. If I look up https://virustotal.com/en/file/1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455/analysis/, it is a known-good file in Virus Total and comes up as a "trusted source". Today, we have no way to denote this type of information in STIX. I have no way to reply to a TAXII query that a file hash is known good, or any way to encode known good indicators that resulted from a sandbox destruction.

Brett Jordan added a few small comments, but in general I haven't seen much feedback in either direction.

I would like some folks to comment on the list what they think of this proposal for STIX 2.1 or 2.2 release.

Thanks,
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security
Without data, all you are is just another person with an opinion - Unknown
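To make the gap the message describes concrete, here is an added example (not part of the original message, and not the schema from the linked proposal) of how a feed could carry a known-good verdict alongside a STIX 2.0 indicator and how a consumer could answer a "is this hash known good?" query from it. The custom object type `x-classification`, its `object_ref` and `classification` properties, the object ids, the `CORE_TYPES` subset and the all-zero "bad" hash are all assumptions constructed for illustration; only the `x-` prefix rule for custom object types is taken from the STIX 2.0 specification, and the known-good SHA-256 is the one from the VirusTotal link above.

```python
import json
import re

# SHA-256 from the VirusTotal link in the message (reported there as known-good).
KNOWN_GOOD_SHA256 = "1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455"
# Constructed placeholder standing in for a malicious sample; not a real file hash.
KNOWN_BAD_SHA256 = "0" * 64

# Subset of STIX 2.0 core object types (assumption: enough for a hash feed).
# Any other type in a bundle is expected to carry the "x-" custom-type prefix.
CORE_TYPES = {"bundle", "indicator", "malware", "identity", "relationship",
              "sighting", "marking-definition", "report", "observed-data"}

TS = "2017-07-13T13:31:07.000Z"

# Constructed sample bundle: two indicators plus one hypothetical
# "x-classification" object per indicator carrying the feed's verdict.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--0a1b2c3d-0000-4000-8000-000000000001",
    "spec_version": "2.0",
    "objects": [
        {"type": "indicator",
         "id": "indicator--0a1b2c3d-0000-4000-8000-000000000002",
         "created": TS, "modified": TS, "valid_from": TS,
         "labels": ["benign"],
         "pattern": "[file:hashes.'SHA-256' = '%s']" % KNOWN_GOOD_SHA256},
        {"type": "indicator",
         "id": "indicator--0a1b2c3d-0000-4000-8000-000000000003",
         "created": TS, "modified": TS, "valid_from": TS,
         "labels": ["malicious-activity"],
         "pattern": "[file:hashes.'SHA-256' = '%s']" % KNOWN_BAD_SHA256},
        # Hypothetical custom objects (assumed shape, not the proposal's schema).
        {"type": "x-classification",
         "id": "x-classification--0a1b2c3d-0000-4000-8000-000000000004",
         "created": TS, "modified": TS,
         "object_ref": "indicator--0a1b2c3d-0000-4000-8000-000000000002",
         "classification": "known-good",
         "source": "constructed example"},
        {"type": "x-classification",
         "id": "x-classification--0a1b2c3d-0000-4000-8000-000000000005",
         "created": TS, "modified": TS,
         "object_ref": "indicator--0a1b2c3d-0000-4000-8000-000000000003",
         "classification": "malicious",
         "source": "constructed example"},
    ],
}

_SHA256_IN_PATTERN = re.compile(r"file:hashes\.'SHA-256'\s*=\s*'([0-9a-fA-F]{64})'")


def hash_from_pattern(pattern):
    """Extract the SHA-256 literal from a simple STIX file-hash pattern, or None."""
    m = _SHA256_IN_PATTERN.search(pattern)
    return m.group(1).lower() if m else None


def invalid_custom_types(bundle):
    """Object types that are neither core STIX 2.0 types nor 'x-' prefixed."""
    return sorted({o["type"] for o in bundle["objects"]
                   if o["type"] not in CORE_TYPES and not o["type"].startswith("x-")})


def classify_hash(bundle, sha256):
    """Return the feed's verdict for a SHA-256: 'known-good', 'malicious', or
    'unknown' when the hash is absent or has no classification attached."""
    sha256 = sha256.lower()
    verdicts = {o["object_ref"]: o["classification"]
                for o in bundle["objects"] if o["type"] == "x-classification"}
    for o in bundle["objects"]:
        if o["type"] == "indicator" and hash_from_pattern(o.get("pattern", "")) == sha256:
            return verdicts.get(o["id"], "unknown")
    return "unknown"


def answer_query(bundle, sha256):
    """Shape of a reply to a hash-lookup query: the hash plus its verdict."""
    return {"sha256": sha256.lower(), "classification": classify_hash(bundle, sha256)}


if __name__ == "__main__":
    assert invalid_custom_types(SAMPLE_BUNDLE) == []
    for h in (KNOWN_GOOD_SHA256, KNOWN_BAD_SHA256, "ab" * 32):
        print(json.dumps(answer_query(SAMPLE_BUNDLE, h)))
```

The distinction that matters for the consumer is between "unknown" (the feed says nothing) and "known-good" (the feed positively vouches for the file); without a classification-style object both collapse into the absence of a malicious indicator, which is the situation the message describes.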