cti-stix message
Subject: Re: [cti-stix] RE: [EXT] [cti-stix] Moving past 2.1 Opinion object - Structuring ACH
- From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- To: Caitlin Huey <caitlin@eclecticiq.com>
- Date: Wed, 10 Oct 2018 12:35:23 -0300
Is it truly a new object though, or just extensions to Opinion? Couldn't we add an optional "evidence" section to the Opinion to allow it to perform these use cases?

This conversation seems to me like further due diligence since we created Opinion, showing that it is not up to the task at hand and that we need this more robust object; shouldn't we look at that, and perhaps revamp Opinion? Why would we release a known broken object...

Opinion object sponsors are listed as DHS, JPMC, Perch, and CTIN. I am wondering what their "opinion" is on this thread.
-
Jason Keirstead
Lead Architect - IBM.Security
www.ibm.com/security
"Things may come to those who wait, but only the things left by those who hustle." - Unknown
From: Caitlin Huey <caitlin@eclecticiq.com>
To: "Kelley, Sarah E." <skelley@mitre.org>, Bret Jordan <Bret_Jordan@symantec.com>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 10/10/2018 12:14 PM
Subject: [cti-stix] RE: [EXT] [cti-stix] Moving past 2.1 Opinion object - Structuring ACH
Sent by: <cti-stix@lists.oasis-open.org>
Bret,

When we first started looking at this, it seems as if we went through similar options that you highlighted below. However, there seems to be a need for consumers/producers/collaborators of intelligence to have an object that allows for a free-text and evidence-free explanation of what their Agreement/Disagreement is for a particular entity or relationship. We did not want to remove the Opinion object - there is a need to be able to validate something on a sliding scale of Agreement. We also wanted to move away from adding additional properties to the 2.1 Opinion - as it seemed that we were diluting its concept and shoehorning it to fit a particular mold.

Agree with Sarah's points that a new entity, rather than an amended Opinion, could highlight the process of testing multiple hypotheses and proposed realities. I want to be able to see the evidence used to support/deny a set of hypotheses, and to be able to identify _which_ hypothesis scored highest from H1, H2, H3 across the available evidence.

I think this "new" object will work very well for analysts in some of the following ways:

1 - Analysts go through this process regularly, but with no ability to structure it with STIX
2 - To be able to go through this process of testing hypotheses - It might be N. Korea because X, It might be China because Y, and it might be Russia because Z - and highlight which hypothesis was most supported by the evidence available
3 - To be able to represent that analyst/teams' scoring of a certain hypothesis
4 - To be able to incorporate other teams' hypothesis testing with your own (??) Producer A thinks it is China for X reasons, but as an analyst I may look at that and think it is also China for X + Y reasons, where Y adds value to the original assessment

I think that it would not only work well for analysts who go through this process to create this structure, but also for teams who are consuming intelligence and need a way to identify and view others' tested hypotheses.

-Caitlin
From: Kelley, Sarah E. <skelley@mitre.org>
Sent: Wednesday, October 10, 2018 4:11 PM
To: Bret Jordan <Bret_Jordan@symantec.com>; Caitlin Huey <caitlin@eclecticiq.com>
Cc: cti-stix@lists.oasis-open.org
Subject: RE: [EXT] [cti-stix] Moving past 2.1 Opinion object - Structuring ACH
Bret,

I would think that ACH and opinion are actually totally different concepts that are likely used by different people. I see an opinion object being used by the recipient of an object to say "I (dis)agree with what you've published". I see an ACH as a way for people who are still in the process of doing analysis to have multiple possible options, and show the evidence for each. Picture the Olympic Destroyer malware. I heard three different competing hypotheses for who was behind it, each of which had its own evidence. That is the scenario this new object would allow you to convey. "It might be N. Korea because X, It might be China because Y, and it might be Russia because Z".

Sarah
From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> On Behalf Of Bret Jordan
Sent: Wednesday, October 10, 2018 9:47 AM
To: Caitlin Huey <caitlin@eclecticiq.com>
Cc: cti-stix@lists.oasis-open.org
Subject: [cti-stix] Re: [EXT] [cti-stix] Moving past 2.1 Opinion object - Structuring ACH
Caitlin,

Let me rephrase my question a bit...

From what you are saying it sounds like the opinion object is just not going to work for analysts, at least at the level of specificity that we have currently defined.

Does this mean that we:

1) Remove the Opinion object from 2.1 and replace it with your new object?
2) Take all of the new properties you have defined and add them to the Opinion object for the 2.1 release?
3) Or is there a use case for having both? Keeping in mind that we like to avoid having two ways of doing something.

From my initial skim of your document, it feels like 1 or 2 is the correct answer here. But I would like your take.

Thanks
Bret
From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Caitlin Huey <caitlin@eclecticiq.com>
Sent: Wednesday, October 10, 2018 7:31:29 AM
To: Bret Jordan
Cc: cti-stix@lists.oasis-open.org
Subject: [cti-stix] RE: [EXT] [cti-stix] Moving past 2.1 Opinion object - Structuring ACH
Hey Bret,

I think we are thinking an entirely new object. At first, we were thinking of how we could use the Opinion, but it looks like the functionality is not quite there.

Problem areas we found in "doing" ACH with the current 2.1 Opinion object:

- The current specification does not address how the community should use and apply the Opinion object
- One of the largest caveats of the Opinion object is that sharing communities are still encouraged to provide clear guidelines to their constituents regarding best practice for the use of Opinion objects. What this means is that there is still no fundamental agreement on when and how to best use this object
- The Opinion object does not apply any additional structure beyond the free-text `explanation` as to why an author has an opinion in the first place
- There is no way to consistently track or see patterns in `explanations` for Opinions over time

I think the last limitation is super interesting and speaks to the need to have a way to structure the ACH process/outcomes of going through that process.

-Caitlin
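The two limitations listed in this message (all reasoning lives in the free-text `explanation`, and nothing can be tracked over time) and the H1/H2/H3 scoring across available evidence that Caitlin describes in her later reply, shown side by side as an added example. This is not code from the thread, from OASIS, or from the EclecticIQ draft attached below. It builds a minimal STIX 2.1 Opinion object from the spec's real properties (`opinion` enum, `explanation`, `object_refs`) and then runs a classic ACH inconsistency count over a constructed evidence matrix. The hypothesis labels come from the thread; the evidence items, their ratings, the optional `weight` field and the shape of `hypothesis_record` are my assumptions, not the draft's schema.

```python
"""Added example: a STIX 2.1 Opinion beside a structured ACH scoring matrix."""
import json
import uuid
from datetime import datetime, timezone

# STIX 2.1 opinion-enum values, as defined in the specification.
OPINION_ENUM = ("strongly-disagree", "disagree", "neutral", "agree", "strongly-agree")


def stix_timestamp(dt):
    """STIX 2.1 timestamp: RFC 3339 UTC with millisecond precision and a 'Z' suffix."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def make_opinion(object_refs, opinion, explanation, authors=None):
    """Minimal STIX 2.1 Opinion SDO as a dict. All reasoning has to go into the
    free-text `explanation`; nothing records which evidence was weighed or how."""
    if opinion not in OPINION_ENUM:
        raise ValueError(f"opinion must be one of {OPINION_ENUM}, got {opinion!r}")
    if not object_refs:
        raise ValueError("object_refs is required and must be non-empty")
    now = stix_timestamp(datetime.now(timezone.utc))
    sdo = {
        "type": "opinion",
        "spec_version": "2.1",
        "id": f"opinion--{uuid.uuid4()}",
        "created": now,
        "modified": now,
        "opinion": opinion,
        "explanation": explanation,
        "object_refs": list(object_refs),
    }
    if authors:
        sdo["authors"] = list(authors)
    return sdo


# --- ACH matrix (constructed) ------------------------------------------------
# H1..H3 are the labels used in the thread. The evidence items and ratings are
# CONSTRUCTED for illustration and describe no real incident.
HYPOTHESES = {"H1": "N. Korea", "H2": "China", "H3": "Russia"}

# Ratings follow Heuer's ACH: "C" consistent, "I" inconsistent, "N" neutral.
# "weight" is an assumed extension; classic ACH counts each item once.
EVIDENCE = [
    {"id": "E1", "desc": "observation X (constructed)", "weight": 2,
     "ratings": {"H1": "C", "H2": "I", "H3": "I"}},
    {"id": "E2", "desc": "observation Y (constructed)",
     "ratings": {"H1": "C", "H2": "N", "H3": "I"}},
    {"id": "E3", "desc": "observation Z (constructed)",
     "ratings": {"H1": "I", "H2": "C", "H3": "C"}},
    {"id": "E4", "desc": "observation W, fits every hypothesis (constructed)",
     "ratings": {"H1": "C", "H2": "C", "H3": "C"}},
]


def ach_scores(hypotheses, evidence):
    """{hypothesis: weighted count of inconsistent evidence}. ACH ranks by
    refutation: the hypothesis with the FEWEST inconsistencies survives."""
    scores = {h: 0 for h in hypotheses}
    for item in evidence:
        weight = item.get("weight", 1)
        for h in hypotheses:
            rating = item["ratings"].get(h, "N")
            if rating not in ("C", "I", "N"):
                raise ValueError(f"bad rating {rating!r} for {item['id']}/{h}")
            if rating == "I":
                scores[h] += weight
    return scores


def best_hypotheses(scores):
    """Hypotheses with the lowest inconsistency score; ties are returned together."""
    low = min(scores.values())
    return sorted(h for h, s in scores.items() if s == low)


def non_diagnostic(hypotheses, evidence):
    """Evidence rated identically for every hypothesis discriminates between none."""
    return [item["id"] for item in evidence
            if len({item["ratings"].get(h, "N") for h in hypotheses}) == 1]


def hypothesis_record(hypotheses, evidence):
    """Structured record of an ACH run (an ASSUMED shape, not the draft's schema):
    matrix, scores and ranking travel with the conclusion instead of being
    flattened into an Opinion's free-text explanation."""
    scores = ach_scores(hypotheses, evidence)
    return {
        "hypotheses": hypotheses,
        "evidence": [{"id": e["id"], "desc": e["desc"]} for e in evidence],
        "matrix": {e["id"]: e["ratings"] for e in evidence},
        "inconsistency_scores": scores,
        "best": best_hypotheses(scores),
        "non_diagnostic_evidence": non_diagnostic(hypotheses, evidence),
    }


if __name__ == "__main__":
    target = f"intrusion-set--{uuid.uuid4()}"  # constructed id of the assessed object
    print(json.dumps(make_opinion([target], "agree", "Probably H1 because X."), indent=2))
    print(json.dumps(hypothesis_record(HYPOTHESES, EVIDENCE), indent=2))
```

Run it and compare the two outputs: the Opinion carries only a sentence, while the record shows that H1 survives with one weighted inconsistency, that E4 is non-diagnostic and can be dropped, and exactly which cells a second team (Producer A with "X + Y reasons") would need to change to reach a different ranking.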
From: Bret Jordan <Bret_Jordan@symantec.com>
Sent: Wednesday, October 10, 2018 2:57 PM
To: Caitlin Huey <caitlin@eclecticiq.com>
Cc: cti-stix@lists.oasis-open.org
Subject: Re: [EXT] [cti-stix] Moving past 2.1 Opinion object - Structuring ACH
Thanks for working on this. A clarifying question: is this a replacement for the new Opinion object or additions to that object, or does it need to be a totally new object?

Bret
Sent from my Commodore 64
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050

On Oct 10, 2018, at 4:31 AM, Caitlin Huey <caitlin@eclecticiq.com> wrote:
Hi all,

Wanted to share some work we've been doing about approaching the 2.1 Opinion object to structure the process of Analysis of Competing Hypotheses (ACH). Working on language and prototypes, it seems some of us on our team are in favor of moving past the STIX 2.1 Opinion object, noting that the Opinion object's functionality to structure ACH is limited. It seems that a "new" object is needed to help structure and show this process of conducting ACH.

TL;DR: STIX 2.1 introduces the Opinion object to allow consumers and collaborators of intelligence to express agreement and disagreement on entities and relationships. The Opinion object is the STIX 2.1 entity that is closest to being able to provide a way to represent validation of an entity or a relationship between two entities. However, the Opinion object is limited in its application and flexibility. There is a need to move beyond the Opinion object and to introduce a new entity that would allow consumers/producers of intelligence to go beyond validating entities and to apply structure to evidence-driven hypotheses. This new entity's working name is the Hypothesis object.

Wanted to open up a dialogue about how and what this could look like, knowing that some assumptions have already been made about what this "new" object could look like. I have attached a working draft (work in progress!), and appreciate thoughts and feedback.

Feel free to reach out, am interested in talking to more people about this.
Caitlin Huey
EclecticIQ Fusion Center | Senior Threat Intelligence Analyst
Amsterdam, Netherlands
<StructuringACH_MovingPastSTIX2.1Opinion.pdf>