As far as adding first and last seen, I think that is also an option we should look at.
Bret
Sent from my Commodore 128D
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
You could say the same thing for Attack Pattern.
This goes back to the "TTP objects vs non-TTP objects" discussion from last week's working call & Bret's spreadsheet. There is a subset of SDOs which are used to communicate TTPs that, when you look at them objectively, *should* have a common set of base properties. But we did not do that; there is a lot of inconsistency.
-
Jason Keirstead
Lead Architect - IBM Security Connect
www.ibm.com/security
"Would you like me to give you a formula for success? It's quite simple, really. Double your rate of failure."
- Thomas J. Watson
From: Trey Darley <trey.darley@cert.be>
To: OASIS CTI TC STIX SC list <cti-stix@lists.oasis-open.org>
Date: 06/14/2019 08:13 AM
Subject: [EXTERNAL] [cti-stix] Why do we have first_seen / last_seen on Intrusion Set but not on Threat Actor?
Sent by: <cti-stix@lists.oasis-open.org>
Hey, y'all -
Somehow this escaped me until now. Was this an intentional decision or
is this an accidental omission?
--
Cheers,
Trey Darley
Co-Chair, OASIS CTI TC
CTI Strategist, CERT.be
--
CERT.be
Centre for Cyber Security Belgium
Mail: trey.darley@cert.be
GPG: CA5B 29E4 937E 151E 2550 6607 AE9A 7FF2 8000 0E4E
--
Under the authority of the Prime Minister
Wetstraat 16 - 1000 Brussels - Belgium
Visiting address: Rue Ducale 4 - 1000 Brussels - Belgium
Contact: https://www.cert.be
[attachment "signature.asc" deleted by Jason Keirstead/CanEast/IBM]