
cti-stix message



Subject: Moving past 2.1 Opinion object - Structuring ACH


Hi all,

 

Wanted to share some work we’ve been doing about approaching the 2.1 Opinion object to structure the process of Analysis of Competing Hypotheses (ACH).  Working on language and prototypes, seems some of us on our team are in favor of moving past the STIX 2.1 Opinion object, noting that the Opinion object’s functionality to structure ACH is limited. Seems that a “new” object is needed to help structure and show this process of conducting ACH.

 

TL;DR: STIX 2.1 introduces the Opinion object to allow consumers and collaborators of intelligence to express agreement and disagreement on entities and relationships. The Opinion object is a STIX 2.1 entity that is closest to being able to provide a way to represent validation of an entity or a relationship between two entities. However, the Opinion object is limited in its application and flexibility. There is a need to move beyond the Opinion object and to introduce a new entity that would allow consumers/producers of intelligence to go beyond validating entities and to apply structure to evidence-driven hypotheses. This new entity’s working name is the Hypothesis object.

 

Wanted to open up a dialogue about how and what this could look like, knowing that some assumptions have already been made about what this “new” object could look like. I have attached a working draft (work in progress!), and appreciate thoughts and feedback.

 

Feel free to reach out, am interested in talking to more people about this.

 

 

Caitlin Huey

EclecticIQ Fusion Center | Senior Threat Intelligence Analyst

Amsterdam, Netherlands

 

Attachment: StructuringACH_MovingPastSTIX2.1Opinion.pdf


