
Subject: RE: [cti-stix] RE: [EXT] [cti-stix] Moving past 2.1 Opinion object - Structuring ACH


Rich, that was exactly what I was thinking.

 

From: Struse, Richard J.
Sent: Wednesday, October 10, 2018 3:18 PM
To: Bret Jordan <Bret_Jordan@symantec.com>; Jason Keirstead <Jason.Keirstead@ca.ibm.com>; Caitlin Huey <caitlin@eclecticiq.com>
Cc: cti-stix@lists.oasis-open.org; Kelley, Sarah E. <skelley@mitre.org>
Subject: Re: [cti-stix] RE: [EXT] [cti-stix] Moving past 2.1 Opinion object - Structuring ACH

 

Another possibility here, rather than "we got Opinion wrong" or "we didn't flesh it out enough" is "we designed an Opinion object to deal with the basic needs of the majority of the community".  The ACH proposal makes a lot of sense for those organizations that have the expertise and resources to engage in this sort of analysis but my sense is that this is an advanced topic for much of the community.  Therefore, isn't ACH a great opportunity for the SEP mechanism whereby ElecticIQ and other interested parties define an extension (either a new object or new properties on the Opinion object) and try it out to see how well it addresses their needs?

 

Just my $0.02 as a TC member.

 

Rich

 

From: <cti-stix@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com>
Date: Wednesday, October 10, 2018 at 12:24 PM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>, Caitlin Huey <caitlin@eclecticiq.com>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "Kelley, Sarah E." <skelley@mitre.org>
Subject: Re: [cti-stix] RE: [EXT] [cti-stix] Moving past 2.1 Opinion object - Structuring ACH

 

How does this relate to the assertion object that Jason has been proposing for some time?  

 

Is this Hypothesis object really a new object, or is it a sub-type of all objects?  Should third parties be able to declare a hypothesis about something?  

 

Like Jason, the need for this (which I am NOT against) makes me feel like we got Opinion wrong or we did not flesh it out enough.

 

Bret


From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Sent: Wednesday, October 10, 2018 9:35:23 AM
To: Caitlin Huey
Cc: Bret Jordan; cti-stix@lists.oasis-open.org; Kelley, Sarah E.
Subject: Re: [cti-stix] RE: [EXT] [cti-stix] Moving past 2.1 Opinion object - Structuring ACH

 

Is it truly a new object though, or just extensions to Opinion? Couldn't we add an optional "evidence" section to the Opinion to allow it to perform these use cases?

This conversation seems to me like further due diligence since we created Opinion shows that it is not up to the task at hand and we need this more robust object; shouldn't we look at that, and perhaps re-vamp Opinion? Why would we release a known broken object...

Opinion object sponsors are listed as DHS, JPMC, Perch, and CTIN. I am wondering what their "opinion" is on this thread.

-
Jason Keirstead
Lead Architect - IBM.Security
www.ibm.com/security

"Things may come to those who wait, but only the things left by those who hustle." - Unknown




From:        Caitlin Huey <caitlin@eclecticiq.com>
To:        "Kelley, Sarah E." <skelley@mitre.org>, Bret Jordan <Bret_Jordan@symantec.com>
Cc:        "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date:        10/10/2018 12:14 PM
Subject:        [cti-stix] RE: [EXT] [cti-stix] Moving past 2.1 Opinion object - Structuring ACH
Sent by:        <cti-stix@lists.oasis-open.org>





Bret,
 
When we first started looking at this, it seems as if we went through similar options that you highlighted below. However, there seems to be a need for consumers/producers/collaborators of intelligence to have an object that allows for a free-text and evidence-free explanation of what their Agreement/Disagreement is for a particular entity or relationship. We did not want to remove the Opinion object – there is a need to be able to validate something on a sliding scale of Agreement. We also wanted to move away from adding additional properties to the 2.1 Opinion – as it seemed that we were diluting its concept and shoehorning to fit a particular mold.
 
Agree with Sarah's points that a new entity, rather than an amended Opinion, could highlight the process of testing multiple hypotheses and proposed realities. I want to be able to see the evidence used to support/deny a set of hypotheses, and to be able to identify _which_ hypothesis scored highest from H1, H2, H3 across the available evidence.
 
I think this "new" object will work very well for analysts in some of the following ways:
1 – Analysts go through this process regularly, but with no ability to structure it with STIX
2 – To be able to go through this process of testing hypotheses – It might be N. Korea because X, It might be China because Y, and it might be Russia because Z – and highlight which hypothesis was most supported by the evidence available
3 – To be able to represent that analyst/teams' scoring of a certain hypothesis
4 – To be able to incorporate other teams' hypothesis testing with your own (??) Producer A thinks it is China for X reasons, but as an analyst I may look at that and think it is also China for X + Y reasons, where Y adds value to the original assessment
 
I think that it would not only work well for analysts who go through this process to create this structure, but also for teams who are consuming intelligence and need a way to identify and view others' tested hypotheses.
 
 
-Caitlin
 
 
From: Kelley, Sarah E. <skelley@mitre.org>
Sent: Wednesday, October 10, 2018 4:11 PM
To: Bret Jordan <Bret_Jordan@symantec.com>; Caitlin Huey <caitlin@eclecticiq.com>
Cc: cti-stix@lists.oasis-open.org
Subject: RE: [EXT] [cti-stix] Moving past 2.1 Opinion object - Structuring ACH

 
Bret,
 
I would think that ACH and opinion are actually totally different concepts that are likely used by different people. I see an opinion object being used by the recipient of an object to say "I (dis)agree with what you've published". I see an ACH as a way of people who are still in the process of doing analysis to have multiple possible options, and show the evidence for each. Picture the Olympic Destroyer malware. I heard three different competing hypotheses for who was behind it, each of which had its own evidence. That is the scenario this new object would allow you to convey. "It might be N. Korea because X, It might be China because Y, and it might be Russia because Z".
 
Sarah
 
From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> On Behalf Of Bret Jordan
Sent: Wednesday, October 10, 2018 9:47 AM
To: Caitlin Huey <caitlin@eclecticiq.com>
Cc: cti-stix@lists.oasis-open.org
Subject: [cti-stix] Re: [EXT] [cti-stix] Moving past 2.1 Opinion object - Structuring ACH
 

Caitlin,

 

Let me rephrase my question a bit....

 

From what you are saying it sounds like the opinion object is just not going to work for analysts, at least at the level of specificity that we have currently defined.  

 

Does this mean that we:

 

1) Remove the Opinion object from 2.1 and replace it with your new object?

 

2) Take all of the new properties you have defined and add them to the Opinion object for the 2.1 release

 

3) Or is there a use case for having both?  Keeping in mind that we like to avoid having two ways of doing something.

 

 

From my initial skim of your document, it feels like 1 or 2 is the correct answer here. But I would like your take.

 

Thanks

Bret

 



From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Caitlin Huey <caitlin@eclecticiq.com>
Sent: Wednesday, October 10, 2018 7:31:29 AM
To: Bret Jordan
Cc: cti-stix@lists.oasis-open.org
Subject: [cti-stix] RE: [EXT] [cti-stix] Moving past 2.1 Opinion object - Structuring ACH
 
Hey Bret,
 
I think we are thinking an entirely new object. At first, we were thinking of how we could use the Opinion, but it looks like the functionality is not quite there.
 
Problem areas we found in "doing" ACH with the current 2.1 Opinion object:
 
- The current specification does not address how the community should use and apply the Opinion object
- One of the largest caveats of the Opinion object is that sharing communities are still encouraged to provide clear guidelines to their constituents regarding best practice for the use of Opinion objects. What this means is that there is still no fundamental agreement on when and how to best use this object
- The Opinion object does not apply any additional structure beyond the free-text  `explanation` as to why an author has an opinion in the first place
- There is no way to consistently track or see patterns in `explanations` for Opinions over time
 
I think the last limitation is super interesting and speaks to the need to have a way to structure the ACH process/outcomes of going through that process.
 
 
-Caitlin
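To make the "sliding scale of Agreement" and free-text `explanation` points concrete, here is an added example that is not part of the thread or the EclecticIQ draft: it builds STIX 2.1 Opinion objects as plain dicts (no stix2 library) and aggregates the agreement each referenced object has received. The relationship id, producer names and explanations are constructed sample data.

```python
import uuid
from collections import defaultdict
from datetime import datetime, timezone

# STIX 2.1 opinion-enum values mapped onto a numeric agreement scale (-2 .. +2).
OPINION_SCALE = {
    "strongly-disagree": -2, "disagree": -1, "neutral": 0,
    "agree": 1, "strongly-agree": 2,
}


def make_opinion(opinion, object_refs, explanation=None, authors=None):
    """Build a minimal STIX 2.1 Opinion SDO as a plain dict."""
    if opinion not in OPINION_SCALE:
        raise ValueError(f"not an opinion-enum value: {opinion!r}")
    now = datetime.now(timezone.utc).isoformat(timespec="milliseconds")
    obj = {
        "type": "opinion",
        "spec_version": "2.1",
        "id": f"opinion--{uuid.uuid4()}",
        "created": now.replace("+00:00", "Z"),
        "modified": now.replace("+00:00", "Z"),
        "opinion": opinion,
        "object_refs": list(object_refs),
    }
    if explanation:  # free text only: the evidence behind it stays unstructured
        obj["explanation"] = explanation
    if authors:
        obj["authors"] = list(authors)
    return obj


def agreement_by_ref(opinions):
    """Return {object_ref: (mean_score, count)} over the numeric scale.

    Only the enum value is machine-readable; nothing here can compare the
    evidence in `explanation` across producers, which is the gap the thread
    describes.
    """
    scores = defaultdict(list)
    for op in opinions:
        for ref in op["object_refs"]:
            scores[ref].append(OPINION_SCALE[op["opinion"]])
    return {ref: (sum(v) / len(v), len(v)) for ref, v in scores.items()}


# Constructed sample: three producers react to one attribution relationship.
REL = "relationship--11111111-1111-4111-8111-111111111111"  # constructed id
SAMPLE = [
    make_opinion("agree", [REL], "Infrastructure overlap with earlier campaign", ["Producer A"]),
    make_opinion("strongly-agree", [REL], "Overlap plus matching TTPs", ["Producer B"]),
    make_opinion("disagree", [REL], "Timestamps inconsistent with claimed actor", ["Producer C"]),
]
```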
 
From: Bret Jordan <Bret_Jordan@symantec.com>
Sent: Wednesday, October 10, 2018 2:57 PM
To: Caitlin Huey <caitlin@eclecticiq.com>
Cc: cti-stix@lists.oasis-open.org
Subject: Re: [EXT] [cti-stix] Moving past 2.1 Opinion object - Structuring ACH
 
Thanks for working on this.  A clarifying question: is this a replacement for the new Opinion object or additions to that object, or does it need to be a totally new object?
 
Bret
Sent from my Commodore 64  
 
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

On Oct 10, 2018, at 4:31 AM, Caitlin Huey <caitlin@eclecticiq.com> wrote:
Hi all,
 
Wanted to share some work we've been doing about approaching the 2.1 Opinion object to structure the process of Analysis of Competing Hypotheses (ACH).  Working on language and prototypes, seems some of us on our team are in favor of moving past the STIX 2.1 Opinion object, noting that the Opinion object's functionality to structure ACH is limited. Seems that a "new" object is needed to help structure and show this process of conducting ACH.
 
TL;DR: STIX 2.1 introduces the Opinion object to allow consumers and collaborators of intelligence to express agreement and disagreement on entities and relationships. The Opinion object is a STIX 2.1 entity that is closest to being able to provide a way to represent validation of an entity or a relationship between two entities. However, the Opinion object is limited in its application and flexibility. There is a need to move beyond the Opinion object and to introduce a new entity that would allow consumers/producers of intelligence to go beyond validating entities and to apply structure to evidence driven hypotheses. This new entity's working name is the Hypothesis object.
 
Wanted to open up a dialogue about how and what this could look like, knowing that some assumptions have already been made about what this "new" object could look like. I have attached a working draft (work in progress!), and appreciate thoughts and feedback.
 
Feel free to reach out, am interested in talking to more people about this.
 
 
Caitlin Huey
EclecticIQ Fusion Center | Senior Threat Intelligence Analyst
Amsterdam, Netherlands
 
<StructuringACH_MovingPastSTIX2.1Opinion.pdf>
