cti-stix message



Subject: Re: [cti-stix] Classification Proposal


Brett commented on the document that he thinks we should adjust this scale as well, and I am in agreement; let's discuss it.

My main goal is to get enough consensus in the community that this is an important enough topic that we should consider it in 2.1 so we can spin up a working group and finalize the proposal.

I have feedback from more than one party that they simply cannot adopt STIX until this problem is solved.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security

Without data, all you are is just another person with an opinion - Unknown




From:        Alexandre Dulaunoy <Alexandre.Dulaunoy@circl.lu>
To:        cti-stix@lists.oasis-open.org
Date:        07/13/2017 11:03 AM
Subject:        Re: [cti-stix] Classification Proposal
Sent by:        <cti-stix@lists.oasis-open.org>




On 13/07/17 15:31, Jason Keirstead wrote:
> Hello everyone;
>
> A while back I submitted a proposal for a Classification object in the
> playground. This proposal can be found here:
>
> https://docs.google.com/document/d/1wiG6RoNEFaE2lrblfgjpu3RTAJZOK2q0b5OxXCaCV14/edit#heading=h.snfvxw2o7p1u
>
> A key example of the reason we need this object are threat intelligence
> vendors. Feeds of threat intelligence data do not only contain "bad
> things", they also contain "known good things". For example, if I go to a
> URL reputation site and put in www.amazon.com, it will have a low risk
> score. If I look up
> https://virustotal.com/en/file/1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455/analysis/
> , it is a known-good file in Virus Total and comes up as a "trusted
> source". Today, we have no way to denote this type of information in STIX.
> I have no way to reply to a TAXII query that a file hash is known good, or
> any way to encode known good indicators that resulted from a sandbox
> destruction.
>
> Brett Jordan added a few small comments, but in general I haven't seen
> much feedback in either direction.
>
> I would like some folks to comment on the list what they think of this
> proposal for STIX 2.1 or 2.2 release.
>
> Thanks,
>
> -
> Jason Keirstead
> STSM, Product Architect, Security Intelligence, IBM Security Systems
> www.ibm.com/security
>
> Without data, all you are is just another person with an opinion - Unknown
>
>
>
>

Hello Jason,

We have a similar issue with STIX 2.x in general: being able to exchange things that are "not bad things", as you describe, is something we have in MISP but cannot translate to STIX, so I'm definitely interested in where this is going.

However, after a quick glance at the proposal I was curious about something: the risk_level has 3 options (low, medium, high); wouldn't a "no risk" option make sense?

Best regards,

--
Alexandre Dulaunoy
CIRCL - Computer Incident Response Center Luxembourg
41, avenue de la gare L-1611 Luxembourg
info@circl.lu - www.circl.lu - (+352) 247 88444
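What the gap discussed in this thread looks like in data, as an added example that is not part of the thread, of the Classification proposal document, or of any STIX/TAXII implementation. It builds a small STIX 2.x-style bundle in which a known-good file hash is carried as an ordinary indicator and a separate classification object attaches a risk level to it, then answers the question Jason raises ("is this hash known good?") the way a TAXII consumer would need to. Assumptions, none of them from the page: the custom object type name `x-classification`, its `risk_level` and `object_ref` properties, the made-up UUIDs, and the second "flagged" hash. Only the SHA-256 of the file comes from the thread (the VirusTotal link), the low/medium/high values are the ones Alexandre quotes from the proposal, and `none` is the option he asks about. STIX 2 does require custom object types to carry an `x-` prefix; the rest of the object shape is invented for illustration.

```python
import re
from typing import Optional, Set

# SHA-256 of the file referenced in the thread (the VirusTotal link).
KNOWN_GOOD_SHA256 = "1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455"
# Constructed placeholder hashes for this example; not real samples.
FLAGGED_SHA256 = "ff" * 32
UNSEEN_SHA256 = "00" * 32

# Assumed vocabulary: the proposal's low/medium/high plus the "none" option
# raised in the thread. Not taken from the proposal document itself.
RISK_LEVELS = ("none", "low", "medium", "high")

# Constructed bundle, trimmed to the properties this example needs (it is not a
# spec-complete STIX 2.x bundle). UUIDs are made up. "x-classification" and its
# "risk_level"/"object_ref" properties are hypothetical; STIX 2 only requires
# that a custom object type carry an "x-" prefix.
CONSTRUCTED_BUNDLE = {
    "type": "bundle",
    "id": "bundle--9f6f1e0a-0b4e-4f3e-9a1c-2d7c0c4a1b11",
    "objects": [
        {
            "type": "indicator",
            "id": "indicator--4f2d6a0e-3b1c-4c7b-9a8e-1d2f3a4b5c6d",
            "pattern": f"[file:hashes.'SHA-256' = '{KNOWN_GOOD_SHA256}']",
        },
        {
            "type": "x-classification",
            "id": "x-classification--7a1c2e3d-4b5f-4a6c-8d9e-0f1a2b3c4d5e",
            "risk_level": "none",
            "object_ref": "indicator--4f2d6a0e-3b1c-4c7b-9a8e-1d2f3a4b5c6d",
        },
        {
            "type": "indicator",
            "id": "indicator--a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d",
            "pattern": f"[file:hashes.'SHA-256' = '{FLAGGED_SHA256}']",
        },
        {
            "type": "x-classification",
            "id": "x-classification--0e1f2a3b-4c5d-4e6f-8a9b-0c1d2e3f4a5b",
            "risk_level": "high",
            "object_ref": "indicator--a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d",
        },
    ],
}

# The one STIX pattern shape this example handles: a single SHA-256 equality
# comparison. Real patterns can be far richer; anything else is ignored here.
_SHA256_PATTERN = re.compile(r"^\[file:hashes\.'SHA-256'\s*=\s*'([0-9a-fA-F]{64})'\]$")


def _indicator_ids_for_sha256(bundle: dict, sha256: str) -> Set[str]:
    """Return ids of indicators whose pattern is exactly this SHA-256."""
    wanted = sha256.lower()
    ids = set()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = _SHA256_PATTERN.match(obj.get("pattern", ""))
        if m and m.group(1).lower() == wanted:
            ids.add(obj["id"])
    return ids


def risk_level_for_sha256(bundle: dict, sha256: str) -> Optional[str]:
    """Classification attached to an indicator for this hash, or None when the
    bundle says nothing about it (unknown is not the same as known good)."""
    targets = _indicator_ids_for_sha256(bundle, sha256)
    if not targets:
        return None
    levels = set()
    for obj in bundle.get("objects", []):
        if obj.get("type") == "x-classification" and obj.get("object_ref") in targets:
            level = obj.get("risk_level")
            if level not in RISK_LEVELS:
                raise ValueError(f"unexpected risk_level {level!r} in {obj.get('id')}")
            levels.add(level)
    if not levels:
        return None  # indicator present but unclassified: still not "known good"
    # If several classifications disagree, report the most severe one.
    return max(levels, key=RISK_LEVELS.index)


def verdict_for_sha256(bundle: dict, sha256: str) -> str:
    """The answer a TAXII consumer wants: 'known-good', 'unknown', or a risk level."""
    level = risk_level_for_sha256(bundle, sha256)
    if level is None:
        return "unknown"
    return "known-good" if level == "none" else level


if __name__ == "__main__":
    for h in (KNOWN_GOOD_SHA256, FLAGGED_SHA256, UNSEEN_SHA256):
        print(h[:16], verdict_for_sha256(CONSTRUCTED_BUNDLE, h))
```

The point of the third hash is the one the thread turns on: a hash the feed has never seen answers "unknown", not "known-good", and a consumer can only make that distinction when the producer has a way to assert the positive, zero-risk case explicitly.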
