[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)
Comments inline
On 10/26/15, 11:06 AM, "cti-users@lists.oasis-open.org on behalf of Jason Lewis" <cti-users@lists.oasis-open.org on behalf of
jlewis@lgscout.com> wrote:
[sean]Just a clarifying FYI in regards to the current STIX ontology/data-model and its intent: What you describe above is the exact intent for the STIX Observable construct (which leverages CybOX) expressing an observable
instance or, if you prefer, an observation. It is an immutable statement of something that was observed to have occurred either through direct observation (Event/Action) or through observation of its effects (Object). These observations very explicitly do
not assert context such as good or bad. They are just the facts.
If you wish to assert and characterize a negative context for an observable you would do this using an Indicator that asserts a mapping between a particular observable pattern (derived from one or more observable instances)
and a particular TTP. This is where the negative context comes in. The semantic meaning for the Indicator construct is at its root a relationship assertion saying that observation of observable pattern 1 INDICATES TTP 2.
It should be noted that the current STIX semantics automatically apply a negative denotation to any TTP and thereby to any Indicator. It has been proposed in the past that the sorts of things characterized using TTP
could also be Tactics, Techniques and Procedures leveraged by defenders not just attackers and that it may be useful to abstract TTP to characterize the concept in general with specific Adverserial_TTP and Defender_TTP derivations or at least a property letting
you assert the “polarity”. This would in turn allow Indicators to be leveraged to describe patterns that indicate good things in addition to bad things. This is just an idea that has not been explored in depth but should probably be on the table for consideration
in STIX 2.0
[sean]I think this sort of approach allowing the consumer to blend context asserted by the producer with their own context to determine scoring makes sense.
It sounds like you are describing specific functionality implemented within your tools use. I think it is less clear (though not complete opaque) where the dividing line lies for what should go in STIX and what should be handled by tooling (such
as yours) at the consumer end.
|
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]