cti-stix message
Subject: Re: [cti-stix] RE: Initial stab at grouping-context-ov values based on real-world use cases
- From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- To: "Katz, Gary CTR DC3\DCCI" <Gary.Katz.ctr@dc3.mil>
- Date: Fri, 27 Oct 2017 08:52:40 -0300
What if you have a bunch of indicators and you *believe* they all relate to a threat actor, but you don't know who that threat actor is yet?

That is the way this grouping object has always been described to me - it is how analysts collaborate on incomplete intelligence. If they had the full and complete picture, they wouldn't be using this object in the first place.
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security
Without data, all you are is just another person with an opinion - Unknown
From: "Katz, Gary CTR DC3\DCCI" <Gary.Katz.ctr@dc3.mil>
To: Sean Barnum <sean.barnum@FireEye.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 10/26/2017 06:02 PM
Subject: [cti-stix] RE: Initial stab at grouping-context-ov values based on real-world use cases
Sent by: <cti-stix@lists.oasis-open.org>
Hey Sean,
I’ve been thinking about your proposal these last couple of days and had some comments I wished to share. I’m interested in whether I am thinking about this incorrectly or if there are others that have a similar view.
In your email you state that the ‘Grouping object is to convey a specific set of STIX content shares some context.’ In my view, the fact that STIX content shares some context should be shown through the relationship links that the content has to other content, i.e. if you are trying to show malware analysis relationships, we have a malware analysis object and we have observable data that can be linked. Do we need a grouping object to further connect it all together? Don’t the relationships in and of themselves show that grouping? Similarly, an objects-relationships grouping would just be shown by sending the core object, related objects and the links between them; we don’t need another object to then encapsulate that information. Threat-actor-content, campaign-content, and intrusion-set-content can all be explained similarly: just send the threat-actor, campaign, or intrusion-set, related objects and relationships, and we’re good.
In my view this is a key distinction between the suspicious-activity-event and the other grouping types. For the other grouping types, we have ways to relate the data together, either through a malware object, an intrusion set object, a campaign object, threat actor object, etc. In the case of the suspicious-activity-event, that IS the object to provide context and relate that data together.
Interested in everyone’s thoughts,

-Gary
From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Sean Barnum
Sent: Monday, October 23, 2017 3:43 PM
To: cti-stix@lists.oasis-open.org
Subject: [Non-DoD Source] [cti-stix] Initial stab at grouping-context-ov values based on real-world use cases
A couple of weeks ago on the working call I took an action item to provide an initial minimal stab at grouping-context-ov values based on real-world use cases. I got busy and did not follow through.

So, at the F2F last week we had a small side discussion where I provided an initial minimal stab at grouping-context-ov values based on real-world use cases that we see, and then we discussed which ones we might have consensus on as a small initial set, which ones might make longer term sense but not have consensus for an initial set, and which ones might be considered a bit more esoteric and considerable for future versions if real-world use proved out their value.

To reiterate for clarity, the purpose of the Grouping object is to convey that a specific set of STIX content shares some context. It is not intended to be the first choice for sharing any set of related STIX content and is not intended to replace CTI domain-relevant objects. It is the generalized last resort for specifying this sort of thing when there is no STIX domain-relevant object already available for the given type of context (e.g. STIX content that describes the structure or behavior of a piece of malware would utilize the Malware object, STIX content that characterizes details of infrastructure would utilize the Infrastructure object, etc).

The context property of the Grouping object is intended to convey the nature of context that the referenced content shares.

The intent of the grouping-context-ov is to provide consistently defined values for common cases of Grouping context while also leaving open the option of specifying values not defined by the standard. Values of grouping-context-ov fall below the threshold required (at least for now) for defining a new SDO for that sort of context but above the threshold for uncommon or highly specialized forms of grouping context.
Here is the initial stab that resulted from the discussion at the F2F:

- Suggested values
  - suspicious-activity-event: A set of STIX content related to a particular suspicious activity event. (Answers question: what do we know about what happened in this suspicious activity/attack?)
  - indicator-sightings (name specifies Indicator id): A set of STIX Sightings for a given Indicator. (Answers question: what sightings are known for this indicator?)
  - object-relationships (name specifies object id): A set of STIX objects related to a given object along with any relevant Relationship objects. (Answers question: what objects are related to this specific object (embedded/external relationship from this object, embedded/external relationship to this object)?)
  - malware-analysis: A set of STIX content from a malware analysis action (sandbox execution, structural analysis, etc).
- Common cases but possibly not consensus need in initial version of grouping-context-ov
  - malware-context (name specifies malware id): A set of STIX content related to a given Malware object. **It should be noted that this is not details of the malware, which would be conveyed in a Malware object, but rather other STIX content related to the Malware object.
  - threat-actor-context (name specifies TA id): A set of STIX content related to a given ThreatActor object. **It should be noted that this is not details of the threat actor, which would be conveyed in a ThreatActor object, but rather other STIX content related to the ThreatActor object.
  - campaign-context (name specifies Campaign id): A set of STIX content related to a given Campaign object. **It should be noted that this is not details of the campaign, which would be conveyed in a Campaign object, but rather other STIX content related to the Campaign object.
  - intrusion-set-context (name specifies IntrusionSet id): A set of STIX content related to a given IntrusionSet object. **It should be noted that this is not details of the intrusion set, which would be conveyed in an IntrusionSet object, but rather other STIX content related to the IntrusionSet object.
  - identity-context (name specifies Identity id): A set of STIX content related to a given Identity object. **It should be noted that this is not details of the identity, which would be conveyed in an Identity object, but rather other STIX content related to the Identity object.
  - location-context (name specifies Location id): A set of STIX content related to a given Location object. **It should be noted that this is not details of the location, which would be conveyed in a Location object, but rather other STIX content related to the Location object.
  - tool-context (name specifies Tool id): A set of STIX content related to a given Tool object. **It should be noted that this is not details of the tool, which would be conveyed in a Tool object, but rather other STIX content related to the Tool object.
  - vulnerability-context (name specifies Vulnerability id): A set of STIX content related to a given Vulnerability object. **It should be noted that this is not details of the vulnerability, which would be conveyed in a Vulnerability object, but rather other STIX content related to the Vulnerability object.
  - observable-context (name specifies observable): A set of STIX content related to a given Observable object. **It should be noted that this is not details of the observable, which would be conveyed in an Observable object, but rather other STIX content related to the Observable object.
- Outlier possibilities
  - temporal-activity-window (name specifies time window): A set of STIX activity content that occurred within a given time window.
  - temporal-creation-window (name specifies time window): A set of STIX content created within a given time window.
  - selector-result (name specifies selector): A set of STIX content that matches a specific selector pattern.
Please feel free to offer your thoughts. Do you disagree with including any of these values? Do you think that we should start with only the suggested values? Do you think we should also include any/all of the “common case” or “outlier” values?
Sean Barnum
Principal Architect
FireEye
M: 703.473.8262
E: sean.barnum@fireeye.com
This email and any attachments thereto may contain private, confidential, and/or privileged material for the sole use of the intended recipient. Any review, copying, or distribution of this email (or any attachments thereto) by others is strictly prohibited. If you are not the intended recipient, please contact the sender immediately and permanently delete the original and any copies of this email and any attachments thereto.
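As an added example (written for this archive page; it is not code from the thread, from OASIS, or from any STIX library), the Python below builds a minimal STIX 2.1 Grouping using the context values Sean proposed, with `name` carrying the referenced id as the proposal describes, and checks that the `object_refs` actually share the context the value claims. The vocabulary set and all object ids are constructed for the example; the published STIX 2.1 grouping-context-ov differs from this proposed list.

```python
# Constructed STIX 2.1 content modelling the proposal in this thread.  The
# context values are the ones proposed in Sean's email, not the final
# grouping-context-ov that STIX 2.1 eventually published.
PROPOSED_CONTEXT_OV = {"suspicious-activity-event", "indicator-sightings",
                       "object-relationships", "malware-analysis"}

def make_grouping(gid, context, object_refs, name=None):
    """Minimal Grouping; per the proposal, 'name' carries the id the context refers to."""
    g = {"type": "grouping", "spec_version": "2.1", "id": gid,
         "created": "2017-10-27T11:52:40.000Z", "modified": "2017-10-27T11:52:40.000Z",
         "context": context, "object_refs": list(object_refs)}
    if name is not None:
        g["name"] = name
    return g

def check_grouping(grouping, objects_by_id):
    """Return the problems found; [] means the referenced content is consistent
    with what the context value says the set shares."""
    problems = []
    ctx, refs, name = grouping["context"], grouping["object_refs"], grouping.get("name", "")
    if ctx not in PROPOSED_CONTEXT_OV:   # allowed by the proposal, but worth flagging
        problems.append(f"context {ctx!r} is not in the proposed vocabulary (custom value)")
    if not refs:
        problems.append("object_refs is empty")
    problems += [f"{r} cannot be resolved" for r in refs if r not in objects_by_id]
    resolved = [objects_by_id[r] for r in refs if r in objects_by_id]
    if ctx == "indicator-sightings":      # every ref must be a Sighting of the named Indicator
        if not name.startswith("indicator--"):
            problems.append("name must specify the Indicator id")
        for o in resolved:
            if o["type"] != "sighting" or o.get("sighting_of_ref") != name:
                problems.append(f"{o['id']} is not a Sighting of {name}")
    elif ctx == "object-relationships":   # Relationships in the set must involve the named object
        for o in resolved:
            if o["type"] == "relationship" and name not in (o["source_ref"], o["target_ref"]):
                problems.append(f"{o['id']} does not involve {name}")
    return problems

# Constructed sample objects (ids are made up): two Indicators and two Sightings.
IND = "indicator--11111111-1111-4111-8111-111111111111"
IND2 = "indicator--22222222-2222-4222-8222-222222222222"
S1 = "sighting--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"
S2 = "sighting--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb"
OBJECTS = {
    IND: {"type": "indicator", "id": IND, "name": "constructed indicator"},
    IND2: {"type": "indicator", "id": IND2, "name": "another constructed indicator"},
    S1: {"type": "sighting", "id": S1, "sighting_of_ref": IND},
    S2: {"type": "sighting", "id": S2, "sighting_of_ref": IND2},
}
```

Jason's case, indicators believed to belong to a not-yet-identified actor, maps to a plain `suspicious-activity-event` Grouping with no `name`, which the check accepts; a grouping that mixes in a Sighting of a different Indicator under `indicator-sightings` is reported.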