Subject: Re: [cti-stix] Classification Proposal


Hi Nicholas;

There are two things I am trying to cover with this proposal:

- The need for an entity to classify something according to risk or severity - from 0 to 10 or 0 to 100 or whatever

- The need for an entity to classify something according to a defined ontology. For example "Anonymization", "P2P Hosting", "Spam Relay", etc. Anyone who has ever done a URL categorization is very familiar with this - we all use these categories every day. We have to be able to express this in STIX in order for threat intelligence vendors to be able to communicate their information. If all of this is done via custom properties, then it is going to greatly hamper interoperability from vendor to vendor... consuming software will have to hard-code support for certain feed vendors.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security

Without data, all you are is just another person with an opinion - Unknown
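As an added illustration, not part of this thread or of the proposal document, the two needs above expressed as a hypothetical classification record: a numeric risk score on a 0-100 scale, categories drawn from a closed vocabulary, and a validator that rejects out-of-range scores and undefined categories, with the score-0 "known good" case raised further down the thread. Field names, the vocabulary and the consumer-side threshold are assumptions for this example.

```python
"""Hypothetical classification record for a STIX-like feed (added example;
field names, vocabulary and threshold are assumptions, not the proposal's)."""
from dataclasses import dataclass, field

# Assumed closed vocabulary; a real proposal would publish its own ontology.
CATEGORY_VOCAB = {"anonymization", "p2p-hosting", "spam-relay", "known-good"}
RISK_MAX = 100  # the thread mentions 0-10 or 0-100 scales; 0-100 assumed here


@dataclass(frozen=True)
class Classification:
    object_ref: str            # id of the classified file/URL object (assumed name)
    risk_score: int            # 0 (no risk) .. RISK_MAX
    categories: frozenset = field(default_factory=frozenset)


def validate(c: Classification) -> list:
    """Return a list of problems; an empty list means the record is acceptable."""
    problems = []
    if not 0 <= c.risk_score <= RISK_MAX:
        problems.append(f"risk_score {c.risk_score} outside 0..{RISK_MAX}")
    unknown = c.categories - CATEGORY_VOCAB
    if unknown:
        # An undefined category is exactly the vendor-specific value that
        # would force consumers to hard-code per-feed handling.
        problems.append("undefined categories: " + ", ".join(sorted(unknown)))
    return problems


def disposition(c: Classification) -> str:
    """Map a record onto a consumer-side decision: reject, allow, review or block."""
    if validate(c):
        return "reject"
    if c.risk_score == 0:
        return "allow"       # known good, e.g. a legitimate file dropped by malware
    return "review" if c.risk_score < 70 else "block"   # 70 is an assumed threshold
```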




From:        Nicholas Hayden <nhayden@anomali.com>
To:        Alexandre Dulaunoy <Alexandre.Dulaunoy@circl.lu>
Cc:        cti-stix@lists.oasis-open.org
Date:        07/13/2017 02:52 PM
Subject:        Re: [cti-stix] Classification Proposal
Sent by:        <cti-stix@lists.oasis-open.org>




I would have to agree with Alexandre; why couldn't we just add a severity/risk level of 0?  I'm running into this exact same issue right now with malware analysis write-ups.  Malware will drop or use ps.exe as part of its infection; this is technically part of the malware process, but the file itself is a legitimate Windows file.

Best Regards,
Nicholas Hayden, CISSP, GICSP, CNDA, CEH, Sec+

Director of Engineering Anomali | anomali.com
808 Winslow St Redwood City, CA 94063
Phone: (650) 257-0867 | Twitter: @anomali




On Jul 13, 2017, at 7:02 AM, Alexandre Dulaunoy <Alexandre.Dulaunoy@circl.lu> wrote:

On 13/07/17 15:31, Jason Keirstead wrote:
Hello everyone;

A while back I submitted a proposal for a Classification object in the
playground. This proposal can be found here:

https://docs.google.com/document/d/1wiG6RoNEFaE2lrblfgjpu3RTAJZOK2q0b5OxXCaCV14/edit#heading=h.snfvxw2o7p1u

A key example of the reason we need this object is threat intelligence
vendors. Feeds of threat intelligence data do not only contain "bad
things", they also contain "known good things". For example, if I go to a
URL reputation site and put in www.amazon.com, it will have a low risk
score. If I look up
https://virustotal.com/en/file/1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455/analysis/
it is a known-good file in VirusTotal and comes up as a "trusted
source". Today, we have no way to denote this type of information in STIX.
I have no way to reply to a TAXII query that a file hash is known good, or
any way to encode known good indicators that resulted from a sandbox
destruction.

Brett Jordan added a few small comments, but in general I haven't seen
much feedback in either direction.

I would like some folks to comment on the list what they think of this
proposal for STIX 2.1 or 2.2 release.

Thanks,

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security

Without data, all you are is just another person with an opinion - Unknown





Hello Jason,

We have a similar issue with STIX 2.x in general: being able to exchange things that are "not bad things", as you describe, something that we have in MISP but cannot translate to STIX, so I'm definitely interested in where this is going.

However, after a quick glance at the proposal I was curious about something: the risk_level has 3 options (low, medium, high); wouldn't a no-risk option make sense?

Best regards,

--
Alexandre Dulaunoy
CIRCL - Computer Incident Response Center Luxembourg
41, avenue de la gare L-1611 Luxembourg

info@circl.lu - www.circl.lu - (+352) 247 88444
