OASIS Mailing List Archives

cti-users message



Subject: Re: [cti-users] Indicator Type / Vocabulary Implementation Questions


I think the controlled vocabularies are a great topic for the Interoperability TC.


On Thursday, 22 October 2015, Jordan, Bret <bret.jordan@bluecoat.com> wrote:
Extensibility and the whole xsi:type concept only works if you can guarantee that every implementer of every product and device will "fully" implement it.  If not, then you have things breaking all over the place.  And our efforts to make sure we can accommodate every possible use case mean that, in practical terms, no one can actually communicate unless they are using the same software package (which is not realistic).  Simplicity will gain us adoption, and from adoption we can iterate over time and add features.

I am in strong favor of "one-way-of-doing-things".  I am also in strong favor of getting rid of and simplifying the extensibility so that we can guarantee interoperability.  

To Jason's points, I would suggest we add an option for "other" and we also try to be more diligent about updating the controlled vocabulary.  Maybe go so far as to say that every January we will rev the controlled vocabularies.  



Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Oct 22, 2015, at 12:04, Aharon Chernin <achernin@soltra.com> wrote:

With regard to forcing a controlled vocab in STIX 2, I am torn. A controlled vocab would make STIX easier for software developers, but more difficult for product owners who are trying to push the boundaries of STIX within their products. Just the other day I was working on a proposal that had us doing something different with STIX that required us to release a few custom vocab entries. However, I could argue against custom vocabs, as I have seen implementations of STIX that do not understand the whole concept of including additional XSDs in the namespace/header portion of the XML document.



Aharon

From: <cti-users@lists.oasis-open.org> on behalf of "Wunder, John A." <jwunder@mitre.org>
Date: Thursday, October 22, 2015 at 1:14 PM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>, "Palmer, Cliff A. (NE)" <Cliff.Palmer@gd-ms.com>
Cc: "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: Re: [cti-users] Indicator Type / Vocabulary Implementation Questions

It would be nice to understand what software is doing with the field. Does it show up in the UI as a sort/filter? Do you base processing on it?

I heard a recent proposal to remove it entirely. What would be the impact of that?

John

From: <cti-users@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Thursday, October 22, 2015 at 1:10 PM
To: "Palmer, Cliff A. (NE)" <Cliff.Palmer@gd-ms.com>
Cc: "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions

I would agree, but the spec currently lets you put in any string.

I would propose that in STIX 2.0, if the consensus is that it should be a controlled vocabulary, that that be enforced in the spec, and that documents that don't follow the vocabulary are invalid.

I am not looking to do anything with the indicator at all on the receiving end - this is an indicator the software will produce as a result of an automated response. I find the current vocabulary to be very restrictive and full of obvious gaps. Even simple things like "Compromised Host" are absent. Also, all of the instances in the current vocabulary should be able to be prefixed with "Potential" in my opinion. ("Potential Malware Artifact")

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: "Palmer, Cliff A. (NE)" <Cliff.Palmer@gd-ms.com>
To: Jason Keirstead/CanEast/IBM@IBMCA, "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Date: 2015/10/22 12:55 PM
Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions





Jason, it seems to me that there is a value to having a controlled vocabulary for Indicator Type. You can probably enumerate the benefits in your circumstances better than anyone outside of your situation. The value of controlling the vocabulary should translate into a benefit to your users and provide an incentive for adoption.
Others will want to discuss adopting an ontology to control handling of indicators based on type. While my first thought is “There be dragons” (https://en.wikipedia.org/wiki/Here_be_dragons), it’s also true that an indicator type might not be as challenging as other ontologies. Are you able to describe how the indicator type affects the way you understand or treat the indicator?
I have built ontologies and found it interesting work, but it’s definitely non-trivial. I’d like to hear more about how you proceed.

Cliff Palmer

From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Jason Keirstead
Sent: Thursday, October 22, 2015 11:18 AM
To: cti-users@lists.oasis-open.org
Subject: [cti-users] Indicator Type / Vocabulary Implementation Questions

Hi all, I am producing some new STIX content in an automated fashion, and am looking for feedback on my planned usage of indicator types.

As with many things STIX, the way you do this is so wide open that it makes implementation decisions difficult.


@see http://stixproject.github.io/data-model/1.2/stixVocabs/IndicatorTypeVocab-1.1/

So essentially, I can stick to the default vocabulary, *OR* I can define my own vocabulary, *OR* I can use it as a free-form string.

The problem I have with the default vocabulary is that this list is very restrictive, and there is no "Other" type.

First question
- Has there ever been thought to extending this vocabulary, or adding an "Other" type that one could then annotate in some way? I haven't seen this question come up on the STIX list.

Second question
- My other problem is, I can't define a new fixed vocabulary because this is user-generated stuff. I pretty much am stuck with either using the fixed vocabulary, or letting the user type in whatever they want. How many people are sticking to the controlled vocabulary here? If I use this as a free-form string, will it cause some tools to blow up? Anyone have experience here?



-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems

www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



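The three ways of filling Indicator Type that Jason describes (the default controlled vocabulary, a custom vocabulary declared through its own xsi:type, or a free-form string) are exactly what a consumer has to tell apart if it is not going to "blow up" on unexpected content. The following is an added example, not code from any message in this thread or from the STIX project: a consumer-side check that resolves the xsi:type on each indicator:Type, reports which of the three cases the producer chose, flags a value that claims the default vocabulary but is not one of its terms, and shows one tolerant fallback (storing "Other" plus the raw string, along the lines of the "Other" entry proposed above). The term list is intended to match IndicatorTypeVocab-1.1 as published at the URL in the thread and should be verified against that page; the sample package, the acme vocabulary and the indicator ids are constructed for the example.

```python
"""Consumer-side check of the STIX 1.x Indicator Type field (added example)."""
import io
import xml.etree.ElementTree as ET

XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
STIX_NS = "http://stix.mitre.org/stix-1"
INDICATOR_NS = "http://stix.mitre.org/Indicator-2"
STIX_VOCABS_NS = "http://stix.mitre.org/default_vocabularies-1"
DEFAULT_VOCAB = "IndicatorTypeVocab-1.1"

# Intended to match IndicatorTypeVocab-1.1 at the URL cited in the thread;
# verify against that page before relying on the set.
INDICATOR_TYPE_VOCAB_1_1 = frozenset({
    "Malicious E-mail", "IP Watchlist", "File Hash Watchlist", "Domain Watchlist",
    "URL Watchlist", "Malware Artifacts", "C2", "Anonymization", "Exfiltration",
    "Host Characteristics", "Compromised PKI Certificate", "Login Name",
    "IMEI Watchlist", "IMSI Watchlist",
})

# Constructed sample package: one indicator per way of filling the field.
SAMPLE_PACKAGE = """<stix:STIX_Package
    xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
    xmlns:acme="http://example.com/vocabs-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="example:package-1" version="1.2">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">IP Watchlist</indicator:Type>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
      <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Compromised Host</indicator:Type>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-3" xsi:type="indicator:IndicatorType">
      <indicator:Type xsi:type="acme:IndicatorTypeVocab-1.0">Potential Malware Artifact</indicator:Type>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-4" xsi:type="indicator:IndicatorType">
      <indicator:Type>whatever the analyst typed</indicator:Type>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>"""


def _prefix_map(xml_text):
    """Collect prefix -> namespace URI so an xsi:type QName can be resolved.

    Assumption: prefixes are declared once, on the package root. A document
    that rebinds a prefix on an inner element would need scoped tracking.
    """
    prefixes = {}
    source = io.BytesIO(xml_text.encode("utf-8"))
    for _event, (prefix, uri) in ET.iterparse(source, events=("start-ns",)):
        prefixes[prefix] = uri
    return prefixes


def classify_type_element(type_elem, prefixes):
    """Return (value, status) for one indicator:Type element."""
    value = (type_elem.text or "").strip()
    qname = type_elem.get("{%s}type" % XSI_NS)
    if qname is None:
        return value, "free_form"        # no vocabulary claimed: arbitrary string
    prefix, _, local = qname.rpartition(":")
    if prefixes.get(prefix) == STIX_VOCABS_NS and local == DEFAULT_VOCAB:
        if value in INDICATOR_TYPE_VOCAB_1_1:
            return value, "controlled"   # default vocabulary, known term
        return value, "invalid"          # claims the default vocabulary, not a term
    return value, "custom_vocab"         # another vocabulary; its XSD is needed to validate


def classify_indicator_types(xml_text):
    """One (indicator_id, value, status) tuple per indicator:Type in the package."""
    prefixes = _prefix_map(xml_text)
    root = ET.fromstring(xml_text)
    rows = []
    for ind in root.iter("{%s}Indicator" % STIX_NS):
        for type_elem in ind.findall("{%s}Type" % INDICATOR_NS):
            value, status = classify_type_element(type_elem, prefixes)
            rows.append((ind.get("id"), value, status))
    return rows


def tolerant_type(value, status):
    """Fallback for a consumer that must not reject content: keep a known term
    as-is, otherwise store "Other" and preserve the raw string for review."""
    if status == "controlled":
        return value, None
    return "Other", value


if __name__ == "__main__":
    for row in classify_indicator_types(SAMPLE_PACKAGE):
        print(row, "->", tolerant_type(row[1], row[2]))
```

Run as-is, the script reports one row per indicator: the first is a valid controlled term, the second claims the default vocabulary with a term it does not contain ("Compromised Host", the gap Jason points out), the third uses a custom vocabulary that the consumer cannot validate without the producer's XSD, and the fourth is free-form text. Only the "invalid" case is a producer error under the vocabulary's own rules; the other two are legal under STIX 1.2, which is why a consumer has to decide up front how it will treat them.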
This publicly archived list provides a forum for asking questions,
offering answers, and discussing topics of interest on STIX,
TAXII, and CybOX.  Users and developers of solutions that leverage
STIX, TAXII and CybOX are invited to participate.

In order to verify user consent to OASIS mailing list guidelines
and to minimize spam in the list archive, subscription is required
before posting.

Subscribe: cti-users-subscribe@lists.oasis-open.org
Unsubscribe: cti-users-unsubscribe@lists.oasis-open.org
Post: cti-users@lists.oasis-open.org
List help: cti-users-help@lists.oasis-open.org
List archive: http://lists.oasis-open.org/archives/cti-users/
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
CTI Technical Committee: https://www.oasis-open.org/committees/cti/
Join OASIS: http://www.oasis-open.org/join/


