Re: [cti-stix] Relationship Timestamp Properties: proposed description for the 2 timestamp parameters

[Allan Thomson <athomson@lookingglasscyber.com>]

Sean – I don’t love the time window sentences that you changed. I get the concept of time windows and what you are trying to convey but I think the suggestion is clunky and we can improve it.

 

Here’s another update to hopefully address the concerns:

 

1. Relationship Timestamp Field #1
   1. This optional timestamp represents the earliest time at which the relationship between the objects is established. If the timestamp field #1 is a future timestamp, at the time of the updated field is defined, then this represents an estimate by the producer of the intelligence on the earliest time at which relationship will be asserted to be true. If not specified then there is no determination of when that the relationship between the objects was established.
2. Relationship Timestamp Field #2
   1. This optional timestamp represents the latest time at which the relationship between the objects exists. If the timestamp field #2 is a future timestamp, at the time of the updated field is defined, then this represents an estimate by the producer of the intelligence on the latest time at which relationship will be asserted to be true. If the timestamp field #2 is defined, then it MUST be later than the timestamp #1 value. If not specified then there is no determination of when that the relationship between the objects was established.
   2.  

 

 

Allan Thomson,

CTO, Lookingglass Cyber Solutions

This electronic message transmission contains information from LookingGlass Cyber Solutions, Inc. which may be attorney-client privileged, proprietary and/or confidential. The information in this message is intended only for use by the individual(s) to whom it is addressed.  If you believe that you have received this message in error, please contact the sender, delete this message, and be aware that any review, use, disclosure, copying or distribution of the contents contained within is strictly prohibited

 

 

From: Sean Barnum <sean.barnum@FireEye.com>
Date: Friday, September 1, 2017 at 11:50 AM
To: Allan Thomson <athomson@lookingglasscyber.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Relationship Timestamp Properties: proposed description for the 2 timestamp parameters

 

I have a few issues with the way they are defined here.

 

I believe that some people reading “the first time that the relationship between the objects was determined to have occurred” will interpret it to mean what was determined to be the initial time that the relationship is true while others might read it as the time that a determination of the beginning of the time window occurred. These are significantly different things. It is even more unclear in “the last time that this relationship between the objects was determined to connect those 2 objects”.

 

I would also take issue with the use of “the first time” and “the last time” in the definitions as they imply discrete time events when in reality these fields on a relationship represent the bounds of a continuous time region.

I would suggest that more continuous terminology be used such as “earliest time” and “latest time”.

 

I believe the term “occurred” is also somewhat troublesome. First it implies that a relationship is something that happens (as in an action) rather than an assertion on a state of being. I would assert Relationship objects are the former and not the latter. Second, it implies that it is past tense which while the common case is certainly not always the case.

 

The second sentence of the Field #1 definition looks fine.

 

I think the third sentence of the Field #1 definition could be better worded. I think what an absence of a starting time stamp for the window really says is that there is no beginning bound to the window. If you specify an end time but no start time then you are saying any time before the end time. If you specify a start time and no end time then you are saying any time from the start time onward.

 

The second sentence of the Field #2 definition has an issue in its use of “no longer exist”. This wording implies that the producer is making an explicit assertion that the relationship will not be true after the end time. I would suggest that in common practice these sorts of time windows on relationships are intended to convey that the relationship will be true at least until the end time. There is typically not enough evidence to make a hard assertion that it does not hold true after a given time as proving a negative is very difficult.

 

The third sentence of the Field #2 definition is good.

 

 

I am sure that it sounds like I am being very picky. I am just concerned that ambiguity in these definitions is very likely to lead to confusion and inconsistent use.

 

One of my main concerns here, as I have said before, is that we avoid any confusion that the timestamps might convey when an observation occurred or when a decision occurred on the beginning of the time window rather than the window itself.

This might seem like splitting hairs but based on the active debates over first/last_seen, I think that this is a valid concern.

 

As the comments above show, I am also concerned with making it very clear what we mean when using these fields to bound the time window associated with the assertion of a Relationship.

 

 

So, to avoid being the guy who complains but offers no alternatives, here would be my suggested improvements:

 

1. Relationship Timestamp Field #1
   1. This optional timestamp represents the earliest time at which the relationship between the objects is asserted to be true. If the timestamp field #1 is a future timestamp, at the time of the updated field is defined, then this represents an estimate by the producer of the intelligence on the earliest time at which relationship will be asserted to be true. If not specified then there is no lower bound on the time window that the relationship between the objects is asserted to be true.
2. Relationship Timestamp Field #2
   1. This optional timestamp represents the latest time at which the relationship between the objects is asserted to be true. If the timestamp field #2 is a future timestamp, at the time of the updated field is defined, then this represents an estimate by the producer of the intelligence on the latest time at which relationship will be asserted to be true. If the timestamp field #2 is defined, then it MUST be later than the timestamp #1 value. If not specified then there is no upper bound on the time window that the relationship between the objects is asserted to be true.

 

I believe this more clearly and accurately conveys the meaning of these fields and uses consistent terminology and structure across the sentences and across the two field definitions which should help reduce potential confusion.

 

 

 

Sean Barnum

Principal Architect

FireEye

M: 703.473.8262

E: sean.barnum@fireeye.com

 

From: <cti-stix@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
Date: Friday, September 1, 2017 at 1:53 PM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: [cti-stix] Relationship Timestamp Properties: proposed description for the 2 timestamp parameters

 

Hi –

 

I had taken an action item to propose the descriptions for 2 relationship timestamp properties. Please review below and suggest changes or acknowledge that these descriptions would be acceptable.

 

To avoid folks focusing on the name of the property I’ve chosen to just call them Relationship Timestamp Field #1 and #2.

 

1. Relationship Timestamp Field #1
   1. This optional timestamp represents the first time that the relationship between the objects was determined to have occurred. If the timestamp field #1 is a future timestamp, at the time of the updated field is defined, then this represents an estimate by the producer of the intelligence on when that relationship will exist. If not specified then the relationship between those objects has no determined timestamp.
2. Relationship Timestamp Field #2

1. This optional timestamp represents the last time that this relationship between the objects was determined to connect those 2 objects. If the timestamp field #2 is a future timestamp, at the time of the updated field is defined, then this represents an estimate by the producer of the intelligence on when that relationship will no longer exist. If the timestamp field #2 is defined, then it MUST be later than the timestamp #1 value. If not specified then the relationship between those objects is considered a persistent relationship.

 

 

Regards

 

Allan

This email and any attachments thereto may contain private, confidential, and/or privileged material for the sole use of the intended recipient. Any review, copying, or distribution of this email (or any attachments thereto) by others is strictly prohibited. If you are not the intended recipient, please contact the sender immediately and permanently delete the original and any copies of this email and any attachments thereto.