OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti-stix message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [cti-stix] RE: Initial stab at grouping-context-ov values based on real-world use cases

What if you have a bunch of indicators and you *believe* they all relate to a threat actor, but you don't know who that threat actor is yet?

That is the way this grouping object has always been described to me - it is how analysts collaborate on incomplete intelligence. If they had the full and complete picture, they wouldn't be using this object in the first place.

Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems

Without data, all you are is just another person with an opinion - Unknown

From:        "Katz, Gary CTR DC3\\DCCI" <Gary.Katz.ctr@dc3.mil>
To:        Sean Barnum <sean.barnum@FireEye.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date:        10/26/2017 06:02 PM
Subject:        [cti-stix] RE: Initial stab at grouping-context-ov values based on real-world use cases
Sent by:        <cti-stix@lists.oasis-open.org>

Hey Sean,
   I’ve been thinking about your proposal these last couple of days and had some comments I wished to share.  I’m interested in if I am thinking about this incorrectly or if there are others that have a similar view.
   In your email you state that the ‘Grouping object is to convey a specific set of STIX content shares some context.’  In my view, the fact that STIX content shares some context should be shown through the relationship links that the content has to other content.  i.e. If you are trying to show Malware analysis relationships, we have a malware analysis object and we have observable data that can be linked.  Do we need a grouping object to further connect it all together?  Don’t the relationships in of themselves show that grouping?  Similarly an objects-relationships grouping would just be shown by sending the core object, related objects and the links between them, we don’t need another object to then encapsulate that information.  Threat-actor-content, campaign-content, intrusion-set-content can all be explained similarly, just send the threat-actor, campaign, or intrusion-set, related objects and relationships and we’re good. 
  In my view this is a key distinction between the suspicious-activity-event and the other grouping types.  For the other grouping types, we have ways to relate the data together, either through a malware object, an intrusion set object, a campaign object, threat actor object, etc.  In the case of the suspicious-activity-event, that IS the object to provide context and relate that data together. 
Interested in everyone’s thoughts,
From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Sean Barnum
Monday, October 23, 2017 3:43 PM
[Non-DoD Source] [cti-stix] Initial stab at grouping-context-ov values based on real-world use cases

A couple of weeks ago on the working call I took an action item to provide an initial minimal stab at grouping-context-ov values based on real-world use cases.
I got busy and did not follow through.
So, at the F2F last week we had a small side discussion where I provided an initial minimal stab at grouping-context-ov values based on real-world use cases that we see and then we discussed which ones we might have consensus on as a small initial set, which ones might make longer term sense but not have consensus for an initial set and which ones might be considered a bit more esoteric and considerable for future versions if real-world use proved out their value.
To reiterate for clarity, the purpose of the Grouping object is to convey that a specific set of STIX content shares some context.
It is not intended to be the first choice for sharing any set of related STIX content and is not intended to replace CTI domain-relevant objects.
It is the generalized last resort for specifying this sort of thing when there is no STIX domain-relevant object already available for the given type of context (e.g. STIX content that describes the structure or behavior of a piece of malware would utilize the Malware object,  STIX content that characterizes details of infrastructure would utilize the Infrastructure object, etc).
The context property of the Grouping object is intended to convey the nature of context that the referenced content shares.
The intent of the grouping-context-ov is to provide consistently defined values for common cases of Grouping context while also leaving open the option of specifying values not defined by the standard.
Values of grouping-context-ov fall below the threshold required (at least for now) for defining a new SDO for that sort of context but above the threshold for uncommon or highly specialized forms of grouping context.
Here is the initial stab that resulted from the discussion at the F2F:
Please feel free to offer your thoughts.
Do you disagree with including any of these values?
Do you think that we should start with only the suggested values?
Do you think we should also include any/all of the “common case” or “outlier” values?
Sean Barnum
Principal Architect
M: 703.473.8262
E: sean.barnum@fireeye.com
This email and any attachments thereto may contain private, confidential, and/or privileged material for the sole use of the intended recipient. Any review, copying, or distribution of this email (or any attachments thereto) by others is strictly prohibited. If you are not the intended recipient, please contact the sender immediately and permanently delete the original and any copies of this email and any attachments thereto.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]