OASIS Mailing List Archives

cti-stix message



Subject: RE: [Non-DoD Source] RE: [cti-stix] FW: Suspicious Activity Object


Apologies for any confusion.

To clarify, this is another attempt at getting an Incident/Event object through. I am really starting to feel that we should just go with the name "Incident" because it is confusing everyone having "Event" or "Suspicious-Activity" as the object. We had originally stayed away from "Incident" because we were worried about the bad connotations with the word, but it seems like alternative names are just confusing everyone.

Please let me know if people would rather that this be renamed "Incident" for clarity.

Thanks,

-Gary

P.S. Document should now be updatable.

 

From: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Sent: Tuesday, July 24, 2018 8:17 AM
To: Kelley, Sarah E. <skelley@mitre.org>
Cc: Allan Thomson <athomson@lookingglasscyber.com>; cti-stix@lists.oasis-open.org; Katz, Gary CTR DC3/TSD <Gary.Katz.ctr@dc3.mil>; Struse, Richard J. <rjs@mitre.org>
Subject: [Non-DoD Source] RE: [cti-stix] FW: Suspicious Activity Object

 

Agree Sarah, somewhat.

The object seems like a hybrid of Incident/Event, "Group", and Intrusion Set. This is the challenge I have: it seems like it is trying to do 3 jobs.

If the object is just trying to describe an Incident, then I would argue a lot of these fields should not be there, or at the very least should be aligned with Intrusion Set, because right now there is confusing overlap.

-
Jason Keirstead
Lead Architect - IBM Security Cloud
www.ibm.com/security

"Things may come to those who wait, but only the things left by those who hustle." - Unknown




From:        "Kelley, Sarah E." <skelley@mitre.org>
To:        Allan Thomson <athomson@lookingglasscyber.com>, Jason Keirstead <Jason.Keirstead@ca.ibm.com>, "Katz, Gary" <gary.katz.ctr@dc3.mil>
Cc:        "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "Struse, Richard J." <rjs@mitre.org>
Date:        07/24/2018 08:41 AM
Subject:        RE: [cti-stix] FW: Suspicious Activity Object
Sent by:        <cti-stix@lists.oasis-open.org>





To me this object seems a lot closer to Incident/Event than it does to an intrusion set. It looks like it's trying to describe a specific instance of suspicious activity, rather than an ongoing, long-term grouping of activity/SDOs. That being said, we worked on Incident/Event for a long time without being able to drive the conversation to a successful conclusion, at which point we agreed to punt it until after 2.1.
 
This seems like it could be a good candidate for the STIX enhancement process, which I realize is still ill defined. Perhaps the focus should be on finalizing the enhancement process so that suggestions like this can be run through that process to see how they might work.
 
Thanks,
 
Sarah Kelley
Lead Cybersecurity Engineer, T8B2
Defensive Operations
The MITRE Corporation
703-983-6242
skelley@mitre.org

 
From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> On Behalf Of Allan Thomson
Sent: Monday, July 23, 2018 10:31 PM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>; Katz, Gary <gary.katz.ctr@dc3.mil>
Cc: cti-stix@lists.oasis-open.org; Struse, Richard J. <rjs@mitre.org>
Subject: Re: [cti-stix] FW: Suspicious Activity Object

 
I generally agree with Jason's questions and concerns.
 
Maybe a different way to put the concerns/questions is this.
 

  • What motivated this object to be defined where an intrusion set did not already support the content?

 
If the differences are minimal, then justifying a new object weighting pros/cons vs just adding to existing object needs to be done.
 
Allan Thomson
CTO (+1-408-331-6646)
LookingGlass Cyber Solutions
 
From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Tuesday, July 24, 2018 at 2:03 AM
To: "Gary.Katz.ctr@dc3.mil" <Gary.Katz.ctr@dc3.mil>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "Struse, Richard J." <rjs@mitre.org>
Subject: RE: [cti-stix] FW: Suspicious Activity Object

 
I got in - commenting seems disabled so I will post them here

In general - having a hard time with the borderline between this object, and an intrusion set?

The difference seems to be that, for Intrusion Set, we know who they are. For this one, we don't. If that is the main difference, why are there so many distinct top level properties?

A Suspicious activity object allows individuals to group information together related to malicious activity, such as an incident, attempted incident or suspicious activity observed outside of their network.

An Intrusion Set is a grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. An Intrusion Set may capture multiple Campaigns or other activities that are all tied together by shared attributes indicating a common known or unknown Threat Actor.


RE outcome / suspicious-activity-outcome-ov:

- Suggest the names just be "successful" and "unsuccessful", as "successful-compromise" assumes already the objective was compromise, which perhaps it was not.

- Should "in progress" be an option? Or is that "unknown"?

RE compromise-type / suspicious-activity-compromise-type-ov:

- Shouldn't this same type of data be able to be used in Intrusion Set? What's the difference between this and "goals" of intrusion set... seems fuzzy? I know we wanted to encode "destructive" on Intrusion Set in the past somehow...

RE observation-refs: Shouldn't these be sightings? This object is the epitome of a sighting, is it not?

-
Jason Keirstead
Lead Architect - IBM Security Cloud
www.ibm.com/security

"Things may come to those who wait, but only the things left by those who hustle." - Unknown
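The Sighting-based alternative Jason raises above (that the proposed object reads like a sighting), as an added example that is not part of this thread or of the proposal document: a STIX 2.1 bundle, built from plain dicts with no stix2 library, that records one observed instance of activity as a Sighting of an Intrusion Set, plus a checker for the Sighting's reference constraints. The organisation and cluster names, the IP address and the timestamps are constructed sample data, and `check_sighting` covers only the STIX 2.1 rules it spells out, not the full specification.

```python
"""Record observed suspicious activity as a STIX 2.1 Sighting of an
Intrusion Set, then check the Sighting against the reference rules the
2.1 specification places on that SRO. Plain dicts, runs offline."""
import json
import re
import uuid

# STIX 2.1 domain objects: sighting_of_ref must point at one of these.
SDO_TYPES = {
    "attack-pattern", "campaign", "course-of-action", "grouping", "identity",
    "incident", "indicator", "infrastructure", "intrusion-set", "location",
    "malware", "malware-analysis", "note", "observed-data", "opinion",
    "report", "threat-actor", "tool", "vulnerability",
}
# <type>--<uuid>; type is 3..250 chars of a-z, 0-9 and hyphen.
ID_RE = re.compile(r"^[a-z0-9-]{3,250}--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
TS = "2018-07-23T11:10:00.000Z"  # constructed, fixed so the output is deterministic


def stix_id(obj_type):
    return f"{obj_type}--{uuid.uuid4()}"


def base(obj_type, created_by=None):
    """Common properties every STIX 2.1 SDO/SRO carries."""
    obj = {"type": obj_type, "spec_version": "2.1", "id": stix_id(obj_type),
           "created": TS, "modified": TS}
    if created_by:
        obj["created_by_ref"] = created_by
    return obj


def build_bundle():
    """One sighting: 'Example SOC' saw 3 connections from an address it links
    to an unattributed intrusion set. All names/values are constructed."""
    org = base("identity")
    org.update(name="Example SOC", identity_class="organization")
    iset = base("intrusion-set", org["id"])
    iset.update(name="Unattributed cluster 17")
    ip = {"type": "ipv4-addr", "spec_version": "2.1",
          "id": stix_id("ipv4-addr"), "value": "198.51.100.23"}
    od = base("observed-data", org["id"])
    od.update(first_observed=TS, last_observed=TS, number_observed=3,
              object_refs=[ip["id"]])
    sight = base("sighting", org["id"])
    sight.update(sighting_of_ref=iset["id"],       # what was seen
                 observed_data_refs=[od["id"]],   # the raw evidence
                 where_sighted_refs=[org["id"]],  # who saw it
                 count=3, first_seen=TS, last_seen=TS,
                 description="Three connections from 198.51.100.23 matched "
                             "infrastructure attributed to the cluster.")
    return {"type": "bundle", "id": stix_id("bundle"),
            "objects": [org, iset, ip, od, sight]}


def check_sighting(sighting, by_id):
    """Return a list of rule violations (empty list means the Sighting passes)."""
    problems = []
    for prop in ("type", "spec_version", "id", "created", "modified", "sighting_of_ref"):
        if prop not in sighting:
            problems.append(f"missing required property {prop}")
    if sighting.get("type") != "sighting":
        problems.append("type must be 'sighting'")
    target = by_id.get(sighting.get("sighting_of_ref"))
    if target is None:
        problems.append("sighting_of_ref does not resolve")
    elif target["type"] not in SDO_TYPES:
        problems.append(f"sighting_of_ref must point at an SDO, not {target['type']}")
    for ref in sighting.get("observed_data_refs", []):
        if by_id.get(ref, {}).get("type") != "observed-data":
            problems.append(f"observed_data_refs entry {ref} is not observed-data")
    for ref in sighting.get("where_sighted_refs", []):
        if by_id.get(ref, {}).get("type") not in ("identity", "location"):
            problems.append(f"where_sighted_refs entry {ref} is not identity/location")
    count = sighting.get("count")
    if count is not None and not (0 <= count <= 999999999):
        problems.append("count must be in 0..999999999")
    return problems


def check_bundle(bundle):
    by_id = {o["id"]: o for o in bundle["objects"]}
    problems = [f"malformed id {o['id']}" for o in bundle["objects"]
                if not ID_RE.match(o["id"])]
    for obj in bundle["objects"]:
        if obj["type"] == "sighting":
            problems += check_sighting(obj, by_id)
    return problems


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    print("problems:", check_bundle(bundle))
```

The point of the split is that the who (`where_sighted_refs`), the what (`sighting_of_ref`) and the evidence (`observed_data_refs`) each live on an existing object, so a consumer needs no new object type to ingest the observation; whether a dedicated Incident/Suspicious-Activity object is still needed for the outcome and compromise-type fields is exactly the question left open in the thread.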




From: "Katz, Gary CTR DC3/TSD" <Gary.Katz.ctr@dc3.mil>
To: "Struse, Richard J." <rjs@mitre.org>, Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 07/23/2018 12:40 PM
Subject: RE: [cti-stix] FW: Suspicious Activity Object






Thanks Rich

From: Struse, Richard J. <rjs@mitre.org>
Sent: Monday, July 23, 2018 11:11 AM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>; Katz, Gary CTR DC3/TSD <Gary.Katz.ctr@dc3.mil>
Cc: cti-stix@lists.oasis-open.org
Subject: [Non-DoD Source] Re: [cti-stix] FW: Suspicious Activity Object

The link was messed up:
https://docs.google.com/document/d/1I5Cgqfk1Krt9EnYJZcyTLS3c5BtZ5uqvTDXI_i7OJrU/edit

From: <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Monday, July 23, 2018 at 10:46 AM
To: "Katz, Gary" <gary.katz.ctr@dc3.mil>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] FW: Suspicious Activity Object


I can't access the document; are the permissions open to the public?

-
Jason Keirstead
Lead Architect - IBM Security Cloud
www.ibm.com/security

"Things may come to those who wait, but only the things left by those who hustle." - Unknown




From: "Katz, Gary CTR DC3/TSD" <Gary.Katz.ctr@dc3.mil>
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 07/23/2018 11:10 AM
Subject: [cti-stix] FW: Suspicious Activity Object
Sent by: <cti-stix@lists.oasis-open.org>







It seems I was sending these emails to the wrong distro, hopefully this works this time. Interested in everyone's thoughts.


Below is a link to the Suspicious Activity Object proposal. As requested I updated the object to use the embedded reference, similar to the Malware proposal, rather than using a relationship. Comments welcome.

https://docs.google.com/document/d/1I5Cgqfk1Krt9EnYJZcyTLS3c5BtZ5uqvTDXI_i7OJrU/edit?usp=sharing




