cti-stix message
Subject: RE: [cti-stix] FW: Suspicious Activity Object
- From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- To: "Katz, Gary CTR DC3/TSD" <Gary.Katz.ctr@dc3.mil>
- Date: Mon, 23 Jul 2018 15:02:52 -0300
I got in - commenting seems disabled so I will post them here.

In general - having a hard time with the borderline between this object, and an intrusion set? The difference seems to be that, for Intrusion Set, we know who they are. For this one, we don't. If that is the main difference, why are there so many distinct top level properties?
A Suspicious activity object allows individuals to group information together related to malicious activity, such as an incident, attempted incident or suspicious activity observed outside of their network.

An Intrusion Set is a grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. An Intrusion Set may capture multiple Campaigns or other activities that are all tied together by shared attributes indicating a common known or unknown Threat Actor.
RE outcome / suspicious-activity-outcome-ov -
- Suggest the names just be "successful" and "unsuccessful", as "successful-compromise" assumes already the objective was compromise, which perhaps it was not.
- Should "in progress" be an option? Or is that "unknown"?

RE compromise-type / suspicious-activity-compromise-type-ov -
- Shouldn't this same type of data be able to be used in Intrusion Set? What's the difference between this and "goals" of intrusion set... seems fuzzy? I know we wanted to encode "destructive" on Intrusion Set in the past somehow...

RE observation-refs -
- Shouldn't these be sightings? This object is the epitome of a sighting, is it not?
-
Jason Keirstead
Lead Architect - IBM Security Cloud
www.ibm.com/security
"Things may come to those who wait, but only the things left by those
who hustle." - Unknown
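The point about observation-refs versus Sightings, worked through as an added example (this code is not from the thread, from the proposal document, or from any STIX implementation). The intrusion-set, identity, observed-data and sighting objects below follow STIX 2.0; the x-suspicious-activity object and its property names (outcome, observation_refs, where_sighted_refs) are assumptions standing in for the proposal. The example re-expresses the embedded observation references as a standard Sighting SRO and runs a referential-integrity check of the kind a consumer would need either way:

```python
"""Added example: embedded observation refs vs. a STIX 2.0 Sighting SRO.

Only intrusion-set, identity, observed-data, sighting and the bundle follow
the STIX 2.0 specification.  The x-suspicious-activity object and its
property names are hypothetical, chosen to mirror the thread's discussion.
"""
import re
import uuid

# STIX 2.0 domain object types a Sighting may be a sighting of.  Custom
# "x-" types are accepted as well, because the proposed object would be one.
SDO_TYPES = {"attack-pattern", "campaign", "course-of-action", "identity",
             "indicator", "intrusion-set", "malware", "observed-data",
             "report", "threat-actor", "tool", "vulnerability"}

# STIX identifier: <type>--<UUIDv4>
ID_RE = re.compile(r"^([a-z][a-z0-9-]*)--[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")


def stix_id(obj_type):
    return f"{obj_type}--{uuid.uuid4()}"


def id_type(ref):
    """Return the object type encoded in a STIX id, or None if malformed."""
    m = ID_RE.match(ref)
    return m.group(1) if m else None


def make_observed_data(objects, first, last, count=1):
    return {"type": "observed-data", "id": stix_id("observed-data"),
            "created": first, "modified": first,
            "first_observed": first, "last_observed": last,
            "number_observed": count, "objects": objects}


def make_sighting(sighting_of_ref, observed_data_refs, ts, where_sighted_refs=(), count=1):
    """Standard Sighting SRO: an SDO that was seen, plus the supporting Observed Data."""
    s = {"type": "sighting", "id": stix_id("sighting"), "created": ts, "modified": ts,
         "sighting_of_ref": sighting_of_ref,
         "observed_data_refs": list(observed_data_refs), "count": count}
    if where_sighted_refs:
        s["where_sighted_refs"] = list(where_sighted_refs)  # Identity ids only
    return s


def sightings_from_activity(activity, ts):
    """Re-express the hypothetical object's embedded observation_refs as one Sighting."""
    return make_sighting(activity["id"], activity.get("observation_refs", []), ts,
                         where_sighted_refs=activity.get("where_sighted_refs", []))


def check_sighting_refs(bundle):
    """Every reference on every Sighting must resolve to an object of the required type."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    problems = []
    for s in bundle["objects"]:
        if s["type"] != "sighting":
            continue
        target = by_id.get(s["sighting_of_ref"])
        if target is None:
            problems.append(f"{s['id']}: sighting_of_ref {s['sighting_of_ref']} does not resolve")
        elif not (target["type"] in SDO_TYPES or target["type"].startswith("x-")):
            problems.append(f"{s['id']}: sighting_of_ref points at a {target['type']}, not an SDO")
        for ref in s.get("observed_data_refs", []):
            if by_id.get(ref, {}).get("type") != "observed-data":
                problems.append(f"{s['id']}: observed_data_refs entry {ref} is not a resolvable observed-data")
        for ref in s.get("where_sighted_refs", []):
            if by_id.get(ref, {}).get("type") != "identity":
                problems.append(f"{s['id']}: where_sighted_refs entry {ref} is not a resolvable identity")
    return problems


def build_demo_bundle():
    """Constructed sample data: one hypothetical activity with two observations."""
    ts = "2018-07-23T15:02:52.000Z"  # constructed timestamp, fixed for reproducibility
    iset = {"type": "intrusion-set", "id": stix_id("intrusion-set"), "created": ts,
            "modified": ts, "name": "Constructed Intrusion Set",
            "goals": ["destructive"]}  # 'goals' is where Intrusion Set already carries this
    ident = {"type": "identity", "id": stix_id("identity"), "created": ts, "modified": ts,
             "name": "Constructed Victim Org", "identity_class": "organization"}
    od1 = make_observed_data({"0": {"type": "ipv4-addr", "value": "203.0.113.7"}}, ts, ts)
    od2 = make_observed_data({"0": {"type": "domain-name", "value": "example.net"}}, ts, ts, 3)
    # Hypothetical custom object with embedded references; property names are assumptions.
    activity = {"type": "x-suspicious-activity", "id": stix_id("x-suspicious-activity"),
                "created": ts, "modified": ts, "outcome": "unsuccessful",
                "observation_refs": [od1["id"], od2["id"]],
                "where_sighted_refs": [ident["id"]]}
    sighting = sightings_from_activity(activity, ts)
    return {"type": "bundle", "id": stix_id("bundle"), "spec_version": "2.0",
            "objects": [iset, ident, od1, od2, activity, sighting]}


if __name__ == "__main__":
    bundle = build_demo_bundle()
    print("problems:", check_sighting_refs(bundle) or "none")
```

Dropping the two observed-data objects from the bundle makes the check report both dangling observed_data_refs; pointing sighting_of_ref at a relationship or another sighting is rejected because a Sighting must be of an SDO. Either check is what a consumer has to implement for a custom object's embedded refs as well, which is the practical cost of not reusing the Sighting SRO.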
From: "Katz, Gary CTR DC3/TSD" <Gary.Katz.ctr@dc3.mil>
To: "Struse, Richard J." <rjs@mitre.org>, Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 07/23/2018 12:40 PM
Subject: RE: [cti-stix] FW: Suspicious Activity Object
Thanks Rich
From: Struse, Richard J. <rjs@mitre.org>
Sent: Monday, July 23, 2018 11:11 AM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>; Katz, Gary CTR DC3/TSD <Gary.Katz.ctr@dc3.mil>
Cc: cti-stix@lists.oasis-open.org
Subject: [Non-DoD Source] Re: [cti-stix] FW: Suspicious Activity Object
The link was messed up: https://docs.google.com/document/d/1I5Cgqfk1Krt9EnYJZcyTLS3c5BtZ5uqvTDXI_i7OJrU/edit
From: <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Monday, July 23, 2018 at 10:46 AM
To: "Katz, Gary" <gary.katz.ctr@dc3.mil>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] FW: Suspicious Activity Object
I can't access the document; are the permissions open to the public?
-
Jason Keirstead
Lead Architect - IBM Security Cloud
www.ibm.com/security
"Things may come to those who wait, but only the things left by those
who hustle." - Unknown
From: "Katz, Gary CTR DC3/TSD" <Gary.Katz.ctr@dc3.mil>
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 07/23/2018 11:10 AM
Subject: [cti-stix] FW: Suspicious Activity Object
Sent by: <cti-stix@lists.oasis-open.org>
It seems I was sending these emails to the wrong distro, hopefully this works this time. Interested in everyone's thoughts.

Below is a link to the Suspicious Activity Object proposal. As requested I updated the object to use the embedded reference, similar to the Malware proposal rather than using a relationship. Comments welcome.

https://docs.google.com/document/d/1I5Cgqfk1Krt9EnYJZcyTLS3c5BtZ5uqvTDXI_i7OJrU/edit?usp=sharing