Re: [cti-stix] Grouping SDO Open Questions

[Sarah Kelley <Sarah.Kelley@cisecurity.org>]

I think the Grouping object looks fairly good. My thoughts:

1. The classification object is currently being discussed as a way to convey risk. This doesn’t seem to align (currently) with if the data is ‘validated’ or not. I would say leave it alone for now, but if the classification proposal changes in the future, we can revisit this decision.
2. I think we’ve already agreed they should be separate, once we make that call, we shouldn’t reopen it unless there is a VERY good reason to do so
3. I can understand with the desire for the shared context field, but I agree with John. I think people won’t know when to use which and it will be confusing. Plus, what would you put in the description of a grouping if not the description of why you made the group (aka the context)?

 

Sarah Kelley

Senior Cyber Threat Analyst

Multi-State Information Sharing and Analysis Center (MS-ISAC)                   

31 Tech Valley Drive

East Greenbush, NY 12061

 

sarah.kelley@cisecurity.org

518-266-3493

24x7 Security Operations Center

SOC@cisecurity.org - 1-866-787-4722

 

                  

 

From: <cti-stix@lists.oasis-open.org> on behalf of "Wunder, John A." <jwunder@mitre.org>
Date: Tuesday, October 3, 2017 at 10:38 AM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: [cti-stix] Grouping SDO Open Questions

 

Hey all,

 

I wanted to get the Grouping SDO out there for another round of reviews. To remind everyone, this is an SDO similar to Report but targeted less at finished reports that you would publish as a PDF and more at ad-hoc collections/groupings of intelligence that may not even be fully validated. This was a use case initially requested by MISP, then supported by FireEye.

 

I believe we’re approaching consensus on a few discussion topics:

 

• Most people feel that Grouping should be a separate SDO from Report, based on the idea that they’re used differently.
• People seemed mostly amenable to adding some kind of label to indicate whether the information in the Grouping had been fully validated (this was initially discussed as “automatable”, but we moved to “validated” because it described what the producer meant rather than what the consumer should do).

 

There are still a few open questions:

1. Jason has brought up the idea of using his risk scoring classifications to track whether the information is validated. Proposal is here: https://docs.google.com/document/d/1wiG6RoNEFaE2lrblfgjpu3RTAJZOK2q0b5OxXCaCV14/edit#heading=h.snfvxw2o7p1u
2. Bret brought up that if we end up doing that, we may want to go back to merging Grouping into Report
3. Sean has suggested adding a required “context” field, separate from description. This would track the shared context in the referenced grouping. Sean’s comment: “I do not believe that the description property is adequate for this purpose. The description property is used almost exclusively for informative expository purposes (e.g. to be presented in a UI) but is not used for constructive purposes. Given the purpose of this object to convey a set of content with a shared context, it should require a statement of what that shared context is.

 

https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.t56pn7elv6u7

 

Please let us know what you think about those open questions.

 

My opinions:

 

1. Maybe, though I worry that the “Classification” object would create a lot of markup if it ends up as a separate SDO…it would require like 10-20 lines of markup and 1-2 separate objects just to add the label, which seems bulky. IMO we should conditionally go with the label for now, discuss the risk proposal, and if we end up doing it and eventually arrive at something that conveys the same thing we can revert to that. But I don’t think the classifications proposal as-is is really workable.
2. While I can see how the classification proposal might change the need for the label indicating “unverified”, I don’t think we should revisit the Grouping vs. Report discussion based on representing whether information has been validated differently. And I say that having been one of the people that originally said they should be one SDO.
3. I think I can see the conceptual distinction here, but in practice I don’t know how people will know when to use one field (description) vs. the other (context). It would become one of those cases where we create a subtle distinction and end up having “two ways of doing something”. I do see Sean’s point though that you need to represent the context for why you’re grouping these things, and therefore I’d suggest that we just update the description of the description property to make it clearer that you should include why the things are related there. I would also be open to renaming it and/or making it required, but feel pretty strongly that having both “description” and “context” will just confuse people.

 

John

 

.....

This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.

. . . . .