Subject: RE: [cti-stix] Grouping SDO Open Questions
Intrusion Sets have a specific meaning within the cyber intelligence community. Part of the reason why I asked for examples of the context field for groups is so we know how they will be used, which would give us an understanding of the use cases. I have selfish reasons for this (since I’m one of the people that pushed heavily for intrusion set) but, similar to our discussion earlier today, we’ve already made a decision on the Intrusion Set object; I would suggest we do not reopen it.

In more general terms though, we are trying to get a community (cyber intel analysts) to accept a model that we created for how to perform their job. I would suggest as much as possible that we use their terminology. Looking at the example in the STIX specification for groupings though: “For example, a threat analyst might create a Grouping to contain references to a series of Campaigns and Indicators that they are currently doing some analysis on and that they wish to collaborate with others on.” I can understand Terry’s question, because that example IS an intrusion set. If FireEye is planning to use Grouping to share information on something like their APT1, APT12, etc. Intrusion Sets, I would suggest that they just use the Intrusion Set object. If they are planning to use it for a different purpose, we should examine those examples.

I’ll go the opposite way as Sean in saying, I’m not arguing we remove Groupings, but I would certainly resist any suggestions on not including Intrusion Set simply because we are creating a grouping SDO. ;)

From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Sean Barnum

An intrusion set is a set of intel content that is all believed to share a common attribution. Grouping is MUCH more general than that. It can be any set of content sharing any sort of context. I would consider an intrusion set to be a subset situation of a grouping where the context is shared attribution.

I think IntrusionSet makes sense to have separately as it is a specific concept/construct that is fundamental to the CTI domain. That being said, if we absolutely had to choose either one object or the other, I would suggest we should choose Grouping as it allows the intrusion set use case and a ton of other important use cases, where IntrusionSet would allow only the one use case and none of the other general ones. Again, I am not arguing we remove IntrusionSet but I would certainly resist any suggestions of not including Grouping simply because IntrusionSet already exists.

Sean Barnum
Principal Architect
FireEye
M: 703.473.8262
E: sean.barnum@fireeye.com

From: <cti-stix@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@cosive.com>

Hi John,

"To remind everyone, this is an SDO similar to Report but targeted less at finished reports that you would publish as a PDF and more at ad-hoc collections/groupings of intelligence that may not even be fully validated."

How is this different from the concept of the Intrusion-set? And how will consumers differentiate between an intrusion-set, a report and a grouping object?

Cheers
Terry MacDonald
Cosive

On 4/10/2017 03:32, "Wunder, John A." <jwunder@mitre.org> wrote:
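Terry's question of how a consumer tells an intrusion-set, a report and a grouping apart, worked as an added example (my code, not from the thread or the OASIS TC). It assumes the STIX 2.1 shapes as later published: a Grouping carries a required `context` plus `object_refs`, a Report carries `published` plus `object_refs`, and an Intrusion Set carries no member list at all, its content being tied to it through `attributed-to` Relationship objects; the bundle and its ids are constructed placeholders.

```python
from typing import Dict, List

# Constructed sample bundle (placeholder ids, not real intelligence).
BUNDLE: Dict = {
    "type": "bundle",
    "id": "bundle--0a4d1b53-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--0a4d1b53-0000-4000-8000-000000000010",
         "name": "constructed indicator"},
        {"type": "campaign", "id": "campaign--0a4d1b53-0000-4000-8000-000000000020",
         "name": "constructed campaign"},
        # Grouping: an ad-hoc set; the shared context is whatever the analyst states.
        {"type": "grouping", "id": "grouping--0a4d1b53-0000-4000-8000-000000000030",
         "context": "suspicious-activity",
         "object_refs": ["indicator--0a4d1b53-0000-4000-8000-000000000010",
                         "campaign--0a4d1b53-0000-4000-8000-000000000020"]},
        # Intrusion Set: no member list; membership is expressed through relationships.
        {"type": "intrusion-set", "id": "intrusion-set--0a4d1b53-0000-4000-8000-000000000040",
         "name": "constructed intrusion set"},
        {"type": "relationship", "id": "relationship--0a4d1b53-0000-4000-8000-000000000050",
         "relationship_type": "attributed-to",
         "source_ref": "campaign--0a4d1b53-0000-4000-8000-000000000020",
         "target_ref": "intrusion-set--0a4d1b53-0000-4000-8000-000000000040"},
        # Report: a finished product with a publication date.
        {"type": "report", "id": "report--0a4d1b53-0000-4000-8000-000000000060",
         "name": "constructed report", "published": "2017-10-04T00:00:00Z",
         "report_types": ["threat-report"],
         "object_refs": ["intrusion-set--0a4d1b53-0000-4000-8000-000000000040"]},
    ],
}


def summarize(bundle: Dict, collection_id: str) -> Dict:
    """Return what a collection SDO asserts and which objects it collects (assumed helper)."""
    objs = {o["id"]: o for o in bundle["objects"]}
    coll = objs[collection_id]
    kind = coll["type"]
    if kind == "grouping":
        # The required 'context' is the analyst-stated reason the content belongs together.
        return {"kind": kind, "asserts": "shared context: " + coll["context"],
                "members": list(coll["object_refs"])}
    if kind == "report":
        return {"kind": kind, "asserts": "published " + coll["published"],
                "members": list(coll["object_refs"])}
    if kind == "intrusion-set":
        # Members are whatever has been attributed-to the set via Relationship SROs.
        refs: List[str] = [r["source_ref"] for r in bundle["objects"]
                           if r["type"] == "relationship"
                           and r["relationship_type"] == "attributed-to"
                           and r["target_ref"] == collection_id]
        return {"kind": kind, "asserts": "shared attribution", "members": sorted(refs)}
    raise ValueError(f"{collection_id} is not a collection SDO")
```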