Subject: Re: [cti-stix] STIX Suspicious Activity Grouping Object


So, our group decision to use the Grouping object for now to capture/convey suspicious activity was a consensus compromise after several months of unfruitful discussion and debate around how best to model Events and Investigations.

I think there was universal agreement on the importance of modeling Events and Investigations, but there was significant disagreement on how best to do that at this point. There was even a significant lack of consensus on what the terms Event and Investigation should mean.

We agreed to not try to solve the meanings of these terms or the appropriate property names and structures for now.

We agreed to simply use Grouping to convey that a set of content was related to some “suspicious activity” and to wait for more real-world practical experience in modeling these concepts among CTI members to help inform more concrete and expressive definitions in a future version of STIX.

At FireEye, we strongly value finding consensus solutions with standards but first and foremost want to avoid making premature decisions that paint us into corners. First do no harm.

 

Gary, we agree with you that the sort of information you call out in your message below is useful/necessary, but it is the exact sort of thing that we could not reach consensus on for now and decided to stop debating until more experience was in hand for a future STIX version.

We would strongly object to reopening Pandora’s box on trying to officially work these things into the current version of STIX.

We would propose that if an organization finds these properties to be necessary immediately then they should use custom objects or properties on Grouping for now. My understanding is that this is what we agreed to for now.

That being said, in an unofficial capacity, if DC3 or anyone else was interested in discussing how FireEye is thinking about and tackling these issues we would be happy to chat. I think this sort of unofficial collaboration is likely to lead to the sort of real-world informative experience we are looking for as a precursor to tackling these structures officially in STIX.

 

Sean Barnum

Principal Architect

FireEye

M: 703.473.8262

E: sean.barnum@fireeye.com

From: <cti-stix@lists.oasis-open.org> on behalf of "Katz, Gary CTR DC3/TSD" <Gary.Katz.ctr@dc3.mil>
Date: Thursday, April 19, 2018 at 2:27 PM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: [cti-stix] STIX Suspicious Activity Grouping Object

 

I’m looking at modeling suspicious activity (an incident/event), which we had talked about putting into the Grouping object, and I’m running into some issues. While most information related to suspicious activity would be held through relationships, timestamps are important and would instead be held in the object itself.

 

Specifically, the following timestamps should be on each object:

Date suspicious activity was discovered

Date suspicious activity occurred

Date suspicious activity was mitigated

 

In addition other artifacts are useful, such as:

Detection Method

Type of Compromise

Incident Outcome (i.e. successful compromise, blocked, etc.)

 

I believe most of the rest of the data could be modeled through relationships or is specific to my organization.

 

Interested in thoughts on whether people agree that this information would be useful to capture and suggestions on how to capture the data.

 

Thanks,

    -Gary
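The "custom properties on Grouping" approach that the reply proposes, shown as an added example that is not part of this thread or of the STIX specification: a STIX 2.1 Grouping with `context` set to `suspicious-activity` carries Gary's timestamps and artifacts as `x_` custom properties, and a small validator checks custom-property naming and that the timeline is ordered. The `x_example_*` property names and the object reference are assumptions constructed for the example.

```python
import re
import uuid
from datetime import datetime, timezone

# STIX 2.1 convention for custom properties: "x_" prefix, then lowercase
# letters, digits and underscores; the org segment ("example" here) is a
# naming convention, not something the spec validates.
CUSTOM_PROP_RE = re.compile(r"^x_[a-z0-9_]{1,248}$")
STIX_TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"   # STIX timestamps are UTC with a 'Z'
GROUPING_PROPS = {"type", "spec_version", "id", "created_by_ref", "created",
                  "modified", "revoked", "labels", "confidence", "lang",
                  "external_references", "object_marking_refs",
                  "granular_markings", "extensions", "name", "description",
                  "context", "object_refs"}

def stix_ts(dt):
    """Render a datetime as a STIX timestamp (UTC, millisecond precision)."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"

def build_grouping(name, object_refs, occurred, discovered, mitigated=None,
                   detection_method=None, outcome=None):
    """Grouping with context 'suspicious-activity' (a grouping-context-ov
    value); the x_example_* properties are hypothetical custom properties."""
    now = stix_ts(datetime.now(timezone.utc))
    obj = {"type": "grouping", "spec_version": "2.1",
           "id": f"grouping--{uuid.uuid4()}", "created": now, "modified": now,
           "name": name, "context": "suspicious-activity",
           "object_refs": list(object_refs),
           "x_example_occurred": stix_ts(occurred),
           "x_example_discovered": stix_ts(discovered)}
    if mitigated is not None:
        obj["x_example_mitigated"] = stix_ts(mitigated)
    if detection_method is not None:
        obj["x_example_detection_method"] = detection_method
    if outcome is not None:
        obj["x_example_outcome"] = outcome
    return obj

def validate_grouping(obj):
    """Return a list of problems; an empty list means the object passes."""
    problems = []
    for req in ("type", "spec_version", "id", "created", "modified",
                "context", "object_refs"):
        if req not in obj:
            problems.append(f"missing required property: {req}")
    for key in obj:
        if key not in GROUPING_PROPS and not CUSTOM_PROP_RE.match(key):
            problems.append(f"bad custom property name: {key}")
    # Timeline sanity: occurred <= discovered <= mitigated, when present.
    stages = ["x_example_occurred", "x_example_discovered", "x_example_mitigated"]
    times = [(k, datetime.strptime(obj[k], STIX_TS_FMT)) for k in stages if k in obj]
    for (a, ta), (b, tb) in zip(times, times[1:]):
        if ta > tb:
            problems.append(f"{a} is later than {b}")
    return problems
```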
