I didn't see the other piece to that, but yes, I agree with the second bullet as well; Anomali currently uses the term itype.

Best Regards,
Nicholas Hayden, CISSP, GICSP, CNDA, CEH, Sec+
808 Winslow St Redwood City, CA 94063
Phone: (650) 257-0867 | Twitter: @anomali
Hi Nicholas;

There are two things I am trying to cover with this proposal:

- The need for an entity to classify something according to risk or severity - from 0 to 10 or 0 to 100 or whatever
- The need for an entity to classify something according to a defined ontology. For example "Anonymization", "P2P Hosting", "Spam Relay", etc.

Anyone who has ever done a URL categorization is very familiar with this - we all use these categories every day. We have to be able to express this in STIX in order for threat intelligence vendors to be able to communicate their information. If all of this is done via custom properties, then it is going to greatly hamper interoperability from vendor to vendor... consuming software will have to hard-code support for certain feed vendors.

- Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security

Without data, all you are is just another person with an opinion - Unknown
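As an added illustration (not code from the proposal, from IBM or from Anomali) of the two needs listed above, a numeric risk score and an ontology category, together with the "risk 0 = known good" case raised further down the thread: a hypothetical `x-classification` custom object and the consumer-side check that uses it to suppress alerts on known-good objects. The object name, field names, category vocabulary and sample hashes are assumptions; the real proposal's schema is only in the linked document.

```python
# Added illustration, not code from the STIX proposal or any vendor: a
# hypothetical STIX 2.x-style custom object "x-classification" carrying a
# numeric risk score (0-100, 0 = known good) and ontology categories, plus
# the consumer-side decision that uses it.
import json
import uuid

# Assumed, constructed vocabulary; the proposal's real ontology is not on this page.
CATEGORIES = {"Anonymization", "P2P Hosting", "Spam Relay", "Known Good", "Malware Delivery"}


def make_classification(object_ref: str, risk_score: int, categories: list) -> dict:
    """Build the hypothetical custom object. STIX 2.x custom object types must be
    prefixed with 'x-' and ids take the form '<type>--<uuid4>'."""
    if not 0 <= risk_score <= 100:
        raise ValueError("risk_score must be in 0..100 (0 = known good)")
    unknown = set(categories) - CATEGORIES
    if unknown:
        raise ValueError(f"categories not in vocabulary: {sorted(unknown)}")
    return {
        "type": "x-classification",
        "id": f"x-classification--{uuid.uuid4()}",
        "object_ref": object_ref,          # the file/indicator being classified
        "risk_score": risk_score,          # 0..100; 0 explicitly means "known good"
        "categories": sorted(categories),  # terms from a shared ontology
    }


def should_alert(match_ref: str, classifications: list, threshold: int = 50) -> bool:
    """Consumer-side decision: a hit on an object whose highest published risk
    score is at or below the threshold (in particular 0, known good) raises no
    alert; an object nobody has classified still alerts."""
    scores = [c["risk_score"] for c in classifications if c["object_ref"] == match_ref]
    if not scores:
        return True
    return max(scores) > threshold


# Constructed sample: a legitimate Windows utility dropped by malware (the
# ps.exe case from the thread) and a malicious sample. Both refs are placeholders.
KNOWN_GOOD_REF = "file--00000000-0000-4000-8000-000000000001"
MALICIOUS_REF = "file--00000000-0000-4000-8000-000000000002"
BUNDLE = [
    make_classification(KNOWN_GOOD_REF, 0, ["Known Good"]),
    make_classification(MALICIOUS_REF, 90, ["Malware Delivery"]),
]

if __name__ == "__main__":
    print(json.dumps(BUNDLE, indent=2))
    print("alert on known good?", should_alert(KNOWN_GOOD_REF, BUNDLE))  # False
    print("alert on malicious?", should_alert(MALICIOUS_REF, BUNDLE))    # True
```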
From: Nicholas Hayden <nhayden@anomali.com>
To: Alexandre Dulaunoy <Alexandre.Dulaunoy@circl.lu>
Cc: cti-stix@lists.oasis-open.org
Date: 07/13/2017 02:52 PM
Subject: Re: [cti-stix] Classification Proposal
Sent by: <cti-stix@lists.oasis-open.org>

I would have to agree with Alexandre: why couldn't we just add a severity/risk level of 0? I'm running into this exact same issue right now with malware analysis write-ups. Malware will drop or use ps.exe as part of its infection; this is technically part of the malware process, but the file itself is a legitimate Windows file.

Best Regards,
Nicholas Hayden, CISSP, GICSP, CNDA, CEH, Sec+
Director of Engineering
Anomali | anomali.com
808 Winslow St Redwood City, CA 94063
Phone: (650) 257-0867 | Twitter: @anomali
On Jul 13, 2017, at 7:02 AM, Alexandre Dulaunoy <Alexandre.Dulaunoy@circl.lu> wrote:

On 13/07/17 15:31, Jason Keirstead wrote:

Hello everyone;

A while back I submitted a proposal for a Classification object in the playground. This proposal can be found here: https://docs.google.com/document/d/1wiG6RoNEFaE2lrblfgjpu3RTAJZOK2q0b5OxXCaCV14/edit#heading=h.snfvxw2o7p1u

A key example of the reason we need this object is threat intelligence vendors. Feeds of threat intelligence data do not only contain "bad things", they also contain "known good things". For example, if I go to a URL reputation site and put in www.amazon.com, it will have a low risk score. If I look up https://virustotal.com/en/file/1e675cb7df214172f7eb0497f7275556038a0d09c6e5a3e6862c5e26885ef455/analysis/ , it is a known-good file in Virus Total and comes up as a "trusted source". Today, we have no way to denote this type of information in STIX. I have no way to reply to a TAXII query that a file hash is known good, or any way to encode known good indicators that resulted from a sandbox destruction.

Brett Jordan added a few small comments, but in general I haven't seen much feedback in either direction.

I would like some folks to comment on the list what they think of this proposal for STIX 2.1 or 2.2 release.

Thanks,

- Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security

Without data, all you are is just another person with an opinion - Unknown
Hello Jason,

We have a similar issue with STIX 2.x in general: being able to exchange things that are "not bad things", as you describe, something that we have in MISP but cannot translate to STIX, so I'm definitely interested in where this is going.

However, after a quick glance at the proposal I was curious about something: the risk_level has 3 options (low, medium, high); wouldn't a no-risk option make sense?

Best regards,

-- Alexandre Dulaunoy
CIRCL - Computer Incident Response Center Luxembourg
41, avenue de la gare L-1611 Luxembourg
info@circl.lu - www.circl.lu - (+352) 247 88444