There are a lot of good ideas in Jason's classification proposal but they definitely need a lot more work and feel more like a 2.2 thing to me - that was the consensus when we discussed risk-scoring (which this overlaps) at the May F2F.
Sent with BlackBerry Work
Date: Tuesday, Oct 03, 2017, 11:47 PM
Subject: Re: [cti-stix] Grouping SDO Open Questions
I think the Grouping object looks fairly good. My thoughts:
- The classification object is currently being discussed as a way to convey risk. This doesn’t seem to align (currently) with if the data is ‘validated’ or not. I would say leave
it alone for now, but if the classification proposal changes in the future, we can revisit this decision.
- I think we’ve already agreed they should be separate, once we make that call, we shouldn’t reopen it unless there is a VERY good reason to do so
- I can understand with the desire for the shared context field, but I agree with John. I think people won’t know when to use which and it will be confusing. Plus, what would
you put in the description of a grouping if not the description of why you made the group (aka the context)?
Senior Cyber Threat Analyst
Multi-State Information Sharing and Analysis Center (MS-ISAC)
31 Tech Valley Drive
East Greenbush, NY 12061
24x7 Security Operations Center
SOC@cisecurity.org - 1-866-787-4722
From: <email@example.com> on behalf of "Wunder, John A." <firstname.lastname@example.org>
Date: Tuesday, October 3, 2017 at 10:38 AM
To: "email@example.com" <firstname.lastname@example.org>
Subject: [cti-stix] Grouping SDO Open Questions
I wanted to get the Grouping SDO out there for another round of reviews. To remind everyone, this is an SDO similar to Report but targeted less at finished reports that you would publish as a PDF and more
at ad-hoc collections/groupings of intelligence that may not even be fully validated. This was a use case initially requested by MISP, then supported by FireEye.
I believe we’re approaching consensus on a few discussion topics:
- Most people feel that Grouping should be a separate SDO from Report, based on the idea that they’re used differently.
- People seemed mostly amenable to adding some kind of label to indicate whether the information in the Grouping had been fully validated (this was initially discussed as “automatable”,
but we moved to “validated” because it described what the producer meant rather than what the consumer should do).
There are still a few open questions:
- Jason has brought up the idea of using his risk scoring classifications to track whether the information is validated. Proposal is here:
- Bret brought up that if we end up doing that, we may want to go back to merging Grouping into Report
- Sean has suggested adding a required “context” field, separate from description. This would track the shared context in the referenced grouping. Sean’s comment: “I do not believe that
the description property is adequate for this purpose. The description property is used almost exclusively for informative expository purposes (e.g. to be presented in a UI) but is not used for constructive purposes. Given the purpose of this object to convey
a set of content with a shared context, it should require a statement of what that shared context is.
Please let us know what you think about those open questions.
- Maybe, though I worry that the “Classification” object would create a lot of markup if it ends up as a separate SDO…it would require like 10-20 lines of markup and 1-2 separate objects
just to add the label, which seems bulky. IMO we should conditionally go with the label for now, discuss the risk proposal, and if we end up doing it and eventually arrive at something that conveys the same thing we can revert to that. But I don’t think the
classifications proposal as-is is really workable.
- While I can see how the classification proposal might change the need for the label indicating “unverified”, I don’t think we should revisit the Grouping vs. Report discussion based
on representing whether information has been validated differently. And I say that having been one of the people that originally said they should be one SDO.
- I think I can see the conceptual distinction here, but in practice I don’t know how people will know when to use one field (description) vs. the other (context). It would become one
of those cases where we create a subtle distinction and end up having “two ways of doing something”. I do see Sean’s point though that you need to represent the context for why you’re grouping these things, and therefore I’d suggest that we just update the
description of the description property to make it clearer that you should include why the things are related there. I would also be open to renaming it and/or making it required, but feel pretty strongly that having both “description” and “context” will just
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender
immediately and permanently delete the message and any attachments.
. . . . .