

Subject: Re: [EXT] [cti-stix] Moving past 2.1 Opinion object - Structuring ACH


Caitlin,


Let me rephrase my question a bit....


From what you are saying it sounds like the opinion object is just not going to work for analysts, at least at the level of specificity that we have currently defined.  


Does this mean that we:


1) Remove the Opinion object from 2.1 and replace it with your new object?


2) Take all of the new properties you have defined and add them to the Opinion object for the 2.1 release 


3) Or is there a use case for having both?  Keeping in mind that we like to avoid having two ways of doing something. 



From my initial skim of your document, it feels like 1 or 2 is the correct answer here. But I would like your take.


Thanks

Bret



From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Caitlin Huey <caitlin@eclecticiq.com>
Sent: Wednesday, October 10, 2018 7:31:29 AM
To: Bret Jordan
Cc: cti-stix@lists.oasis-open.org
Subject: [cti-stix] RE: [EXT] [cti-stix] Moving past 2.1 Opinion object - Structuring ACH
 

Hey Bret,

 

I think we are thinking an entirely new object. At first, we were thinking of how we could use the Opinion, but it looks like the functionality is not quite there.

 

Problem areas we found in “doing” ACH with the current 2.1 Opinion object:

 

- The current specification does not address how the community should use and apply the Opinion object

- One of the largest caveats of the Opinion object is that sharing communities are still encouraged to provide clear guidelines to their constituents regarding best practice for the use of Opinion objects. What this means is that there is still no fundamental agreement on when and how to best use this object

- The Opinion object does not apply any additional structure beyond the free-text  `explanation` as to why an author has an opinion in the first place

- There is no way to consistently track or see patterns in `explanations` for Opinions over time

 

I think the last limitation is super interesting and speaks to the need to have a way to structure the ACH process/outcomes of going through that process.

 

 

-Caitlin

 

From: Bret Jordan <Bret_Jordan@symantec.com>
Sent: Wednesday, October 10, 2018 2:57 PM
To: Caitlin Huey <caitlin@eclecticiq.com>
Cc: cti-stix@lists.oasis-open.org
Subject: Re: [EXT] [cti-stix] Moving past 2.1 Opinion object - Structuring ACH

 

Thanks for working on this.  A clarifying question: is this a replacement for the new Opinion object or additions to that object, or does it need to be a totally new object?

 

Bret 

Sent from my Commodore 64 

 

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050


On Oct 10, 2018, at 4:31 AM, Caitlin Huey <caitlin@eclecticiq.com> wrote:

Hi all,

 

Wanted to share some work we’ve been doing about approaching the 2.1 Opinion object to structure the process of Analysis of Competing Hypotheses (ACH).  Working on language and prototypes, seems some of us on our team are in favor of moving past the STIX 2.1 Opinion object, noting that the Opinion object’s functionality to structure ACH is limited. Seems that a “new” object is needed to help structure and show this process of conducting ACH.

 

TL;DR: STIX 2.1 introduces the Opinion object to allow consumers and collaborators of intelligence to express agreement and disagreement on entities and relationships. The Opinion object is a STIX 2.1 entity that is closest to being able to provide a way to represent validation of an entity or a relationship between two entities. However, the Opinion object is limited in its application and flexibility. There is a need to move beyond the Opinion object and to introduce a new entity that would allow consumers/producers of intelligence to go beyond validating entities and to apply structure to evidence driven hypotheses. This new entity’s working name is the Hypothesis object.

 

Wanted to open up a dialogue about how and what this could look like, knowing that some assumptions have already been made about what this “new” object could look like. I have attached a working draft (work in progress!), and appreciate thoughts and feedback.

 

Feel free to reach out, am interested in talking to more people about this.

 

 

Caitlin Huey

EclecticIQ Fusion Center | Senior Threat Intelligence Analyst

Amsterdam, Netherlands

 

<StructuringACH_MovingPastSTIX2.1Opinion.pdf>
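
The limitation raised in the thread (an Opinion carries its reasoning only in the free-text `explanation`, so reasons cannot be tracked across Opinions) can be seen in a short added example; it is not part of the thread or of the attached draft. The three Opinion objects, their IDs, timestamps and wording are constructed for illustration, using the property names and `opinion` values from the published STIX 2.1 specification.

```python
from collections import Counter, defaultdict

# Constructed sample data: three Opinion objects about one hypothetical
# relationship. IDs, timestamps and explanation text are made up.
TARGET = "relationship--11111111-1111-4111-8111-111111111111"

def make_opinion(n, value, explanation, created):
    return {
        "type": "opinion",
        "spec_version": "2.1",
        "id": f"opinion--00000000-0000-4000-8000-00000000000{n}",
        "created": created,
        "modified": created,
        "object_refs": [TARGET],
        "opinion": value,            # closed vocabulary, comparable
        "explanation": explanation,  # free text, the only place for "why"
    }

OPINIONS = [
    make_opinion(1, "disagree", "Infrastructure overlap is too weak to support this link.",
                 "2018-07-01T09:00:00.000Z"),
    make_opinion(2, "disagree", "Weak evidence: the only overlap is shared hosting.",
                 "2018-08-15T09:00:00.000Z"),
    make_opinion(3, "agree", "Malware code reuse supports the attribution.",
                 "2018-09-20T09:00:00.000Z"),
]

def tally_by_value(opinions):
    """Count opinions per referenced object using the `opinion` vocabulary."""
    out = defaultdict(Counter)
    for o in opinions:
        for ref in o["object_refs"]:
            out[ref][o["opinion"]] += 1
    return out

def recurring_reasons(opinions):
    """Reasons given more than once. With only free text available, the
    comparison is exact-string, so equivalent reasoning worded differently
    (opinions 1 and 2) never groups together."""
    counts = Counter(o["explanation"] for o in opinions)
    return [text for text, n in counts.items() if n > 1]

if __name__ == "__main__":
    print(dict(tally_by_value(OPINIONS)[TARGET]))
    print(recurring_reasons(OPINIONS))
```

Agreement and disagreement aggregate cleanly, while the two analysts who disagree for the same reason produce no recurring reason at all.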

