Subject: Re: [cti-stix] Re: [EXT] Re: [cti-stix] Small changes from 2.0 - 2.1 - dates on relationships
From: Sean Barnum <sean.barnum@fireeye.com>

I completely agree with John here.

Sean Barnum
Principal Architect
FireEye
M: 703.473.8262
E: sean.barnum@fireeye.com

From: "Wunder, John A." <jwunder@mitre.org>

Well, there are the examples I listed below:

There are also infrastructure use cases, where actors use some infrastructure for a period of time and move on. I would disagree with Jason a bit about those really being first_seen and last_seen. Yes, you probably believe that they’re using the RAT because you saw them use it, but you’re saying that you think the relationship is valid for that time period. So the sighting provides the evidence for your assertion, but your assertion is that that relationship is valid or present or whatever. You could have other evidence for believing that though (they bought it on a darkweb forum or something). So IMO valid_from and valid_to (really valid_until, my bad) capture the core of what we need here.

John

From: <cti-stix@lists.oasis-open.org> on behalf of "Bret Jordan (CS)" <Bret_Jordan@symantec.com>

Well, it depends on what we are saying and what use case we are trying to solve. If we are saying that this relationship between this Malware and COA, for example, is only valid for these time frames, then valid_from and valid_until are the better choice, just like what we did with Indicators. If we are saying that this relationship was seen between these time frames, that seems like a "sighting". Remember, Sighting is just a relationship with an extra property and the ability to have them be one-armed relationships. So what are the use cases we are trying to solve with this request?

Bret

From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>

We’ve used first_seen and last_seen in other objects. I suggest we be consistent with both the terminology and the semantics of these properties with prior SDOs.

Regards
Allan

From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of Sean Barnum <sean.barnum@FireEye.com>

I could support “valid_from” and “valid_to”.

Sean Barnum
Principal Architect
FireEye
M: 703.473.8262
E: sean.barnum@fireeye.com

From: <cti-stix@lists.oasis-open.org> on behalf of "Wunder, John A." <jwunder@mitre.org>

I support this change, which I believe was originally suggested by Allan. You can think of many use cases in real intelligence:

I would say that the big question here is whether we call the fields “valid_from” and “valid_to” or “first_seen” and “last_seen”. I think I have a slight preference for valid_from and valid_to because of some of the connotations of “last_seen” being present vs. absent. Like, if last_seen is not on the object, what does it mean, vs. if last_seen is on the object set to yesterday? Valid_from, on the other hand, makes it clear that if the producer feels like the relationship is still valid they don’t provide the field.

John

From: <cti-stix@lists.oasis-open.org> on behalf of Sarah Kelley <Sarah.Kelley@cisecurity.org>

I’m going to be sending a series of emails regarding small changes that have been requested in moving from STIX 2.0 to STIX 2.1. The hope is that these won’t be particularly controversial, but if anyone has any objections to these changes, please speak up.

GitHub issue #11 (https://github.com/oasis-tcs/cti-stix2/issues/11)

There has been a suggestion to add “first_seen” and “last_seen” properties onto the Relationship object. The Relationship object would then look something like this (with the suggested changes highlighted in yellow):

3.1.2 Properties

Does anyone have any objections to making this change?
Sarah Kelley
Senior Cyber Threat Analyst
Multi-State Information Sharing and Analysis Center (MS-ISAC)
31 Tech Valley Drive
East Greenbush, NY 12061
518-266-3493
24x7 Security Operations Center
SOC@cisecurity.org - 1-866-787-4722
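The absent-field semantics John argues for above (no valid_until on the object means the producer still considers the relationship valid), applied to the Relationship object Sarah proposes, as an added Python example that is not from the thread or from the STIX specification. It assumes the property names valid_from / valid_until as discussed on the list (the published STIX 2.1 Relationship object ended up with start_time and stop_time instead), and the object ids and dates are constructed placeholders.

```python
from datetime import datetime, timezone

# Constructed sample (not from the thread), written with the property names
# proposed on the list, valid_from / valid_until; the ids are placeholders.
SAMPLE_RELATIONSHIPS = [
    {   # an actor used some infrastructure for a bounded period, then moved on
        "type": "relationship",
        "id": "relationship--aaaaaaaa-0000-4000-8000-000000000001",
        "relationship_type": "uses",
        "source_ref": "threat-actor--aaaaaaaa-0000-4000-8000-000000000002",
        "target_ref": "infrastructure--aaaaaaaa-0000-4000-8000-000000000003",
        "valid_from": "2016-01-01T00:00:00.000Z",
        "valid_until": "2016-06-30T23:59:59.000Z",
    },
    {   # open-ended: the producer omits valid_until because it still holds
        "type": "relationship",
        "id": "relationship--aaaaaaaa-0000-4000-8000-000000000004",
        "relationship_type": "mitigates",
        "source_ref": "course-of-action--aaaaaaaa-0000-4000-8000-000000000005",
        "target_ref": "malware--aaaaaaaa-0000-4000-8000-000000000006",
        "valid_from": "2016-03-01T00:00:00Z",
    },
]

def parse_stix_timestamp(value):
    """Parse an RFC 3339 UTC timestamp as STIX writes it ('Z' suffix, optional fraction)."""
    if not value.endswith("Z"):
        raise ValueError("STIX timestamps must be UTC and end with 'Z': %r" % value)
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value[:-1], fmt).replace(tzinfo=timezone.utc)

def check_window(rel):
    """Producer-side check: a bounded window must end after it starts."""
    if "valid_from" in rel and "valid_until" in rel:
        if parse_stix_timestamp(rel["valid_until"]) <= parse_stix_timestamp(rel["valid_from"]):
            raise ValueError("%s: valid_until must be later than valid_from" % rel["id"])

def relationship_valid_at(rel, when):
    """Consumer-side check at STIX timestamp 'when'. Absent valid_from means no
    lower bound; absent valid_until means the producer still considers it valid."""
    check_window(rel)
    now = parse_stix_timestamp(when)
    if "valid_from" in rel and now < parse_stix_timestamp(rel["valid_from"]):
        return False
    if "valid_until" in rel and now >= parse_stix_timestamp(rel["valid_until"]):
        return False
    return True
```

A consumer that instead read these as first_seen / last_seen would have to guess whether a missing last_seen means "never seen again" or "not reported", which is the ambiguity the thread is weighing.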