[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-stix] Small changes from 2.0 - 2.1 - add relationship from indicator to vulnerability
We should add.
STIX already has a fallback that allows to create a relationship between 2 SDOs and this just provides an explicit naming of that relationship instead of relying on the generic reln.
Allan
From: "cti-stix@lists.oasis-open.org
" <cti-stix@lists.oasis-open.org > on behalf of Sarah Kelley <Sarah.Kelley@cisecurity.org>
Date: Wednesday, August 30, 2017 at 7:39 AM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org >
Subject: [cti-stix] Small changes from 2.0 - 2.1 - add relationship from indicator to vulnerability
GITHUB issue # 15 (https://github.com/oasis-tcs/
cti-stix2/issues/15 )
During the STIX 2.0 CSD comment period, we received a suggestion to add a relationship from an indicator to a vulnerability saying that an indicator “indicates” the vulnerability.
The relationship table for indicator would then look like this (with the change highlighted in yellow):
Embedded Relationships
created_by_ref
identifier (of type identity)
object_marking_refs
identifier (of type marking-definition)
Common Relationships
duplicate-of, derived-from, related-to
Source
Relationship Type
Target
Description
indicator
indicates
attack-pattern, campaign,
intrusion-set,
malware,
threat-actor, tool, vulnerability
This Relationship describes that the Indicator can detect evidence of the related Campaign, Intrusion Set, or Threat Actor. This evidence may not be direct: for example, the Indicator may detect secondary evidence of the Campaign, such as malware or behavior commonly used by that Campaign.
For example, an indicates Relationship from an Indicator to a Campaign object representing Glass Gazelle means that the Indicator is capable of detecting evidence of Glass Gazelle, such as command and control IPs commonly used by that Campaign.
Reverse Relationships
—
—
—
—
Are there any objections to making this change?
Thanks,
Sarah Kelley
Senior Cyber Threat Analyst
Multi-State Information Sharing and Analysis Center (MS-ISAC)
31 Tech Valley Drive
East Greenbush, NY 12061
518-266-3493
24x7 Security Operations Center
SOC@cisecurity.org - 1-866-787-4722
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
. . . . .
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]