OASIS Mailing List Archives

cti-stix message



Subject: Classification Proposal


Hello everyone;

A while back I submitted a proposal for a Classification object in the playground. This proposal can be found here: https://docs.google.com/document/d/1wiG6RoNEFaE2lrblfgjpu3RTAJZOK2q0b5OxXCaCV14/edit#heading=h.snfvxw2o7p1u

A key example of the reason we need this object is threat intelligence vendors. Feeds of threat intelligence data do not only contain "bad things"; they also contain "known good things". For example, if I go to a URL reputation site and put in www.amazon.com, it will have a low risk score. If I look up https://virustotal.com/en/file/1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455/analysis/, it is a known-good file in VirusTotal and comes up as a "trusted source". Today, we have no way to denote this type of information in STIX. I have no way to reply to a TAXII query that a file hash is known good, or any way to encode known good indicators that resulted from a sandbox destruction.

Brett Jordan added a few small comments, but in general I haven't seen much feedback in either direction.

I would like some folks to comment on the list about what they think of this proposal for the STIX 2.1 or 2.2 release.

Thanks,

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security

Without data, all you are is just another person with an opinion - Unknown


