cti-users message

Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions


Pardon me if I am off base with this thought but throwing out to see what sticks.

 

In another group, they had a similar problem of divergent lists of “vocabularies” or “dictionaries”.

Example was how many states are in a sequence of a workflow and what are they called.

Common problem seems to be that your list is not my list.

In the end, they used a:

DictionaryOwner:  e.g. one or another standards body or proprietary (e.g. OASIS-CTI)

DictionaryAttribute: e.g. the variable name (e.g. IndicatorType)

DictionaryValue: e.g. the variable value (of form string)

Where the Owner provided the context for what permissible Values could be used.

 

The hope in some cases was that a sufficiently well-defined standard set could obviate the need for proprietary ones.

Regularly updating the standard could help minimize the other lists.

However, if a set needed to be “these and only these values”, then the need for multiple sets remains.

 

________________________________

Michael Hammer

Principal Engineer

michael.hammer@yaanatech.com

Mobile: +1 408 202 9291

542 Gibraltar Drive

Milpitas, CA 95035 USA

www.yaanatech.com
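One way to model the Owner/Attribute/Value scheme above, including the difference between an extensible standard set and a closed “these and only these values” set, as added example code that is not from any of the thread's participants or from the STIX project. The owner name "ExampleVendor", the open/closed flags and the registry API are assumptions; the two value lists are the ones quoted later in the thread.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vocabulary:
    """One controlled vocabulary in the Owner/Attribute/Value model."""
    owner: str             # DictionaryOwner, e.g. a standards body or a vendor
    attribute: str         # DictionaryAttribute, e.g. "IndicatorType"
    values: frozenset      # permissible DictionaryValue strings
    closed: bool = False   # True means "these and only these values"


# Constructed sample vocabularies: the value lists are the ones quoted in the
# thread; the owner names and the closed/open flags are assumptions.
STANDARD = Vocabulary("OASIS-CTI", "IndicatorType", frozenset({
    "Compromised", "Malicious", "Watchlist", "C2", "Anonymization", "Exfiltration"}))
VENDOR = Vocabulary("ExampleVendor", "IndicatorType", frozenset({
    "Anomalous Activity", "Malicious Activity", "Command and Control",
    "Anonymization", "Data Exfiltration", "Lateral Movement",
    "Privilege Escalation", "Reconnaissance", "Host/Process Compromise",
    "Watchlist", "Quantified Risk", "Policy Violation"}), closed=True)


class VocabRegistry:
    """Resolves (owner, attribute) to the vocabulary that defines its values."""

    def __init__(self, *vocabs):
        self._vocabs = {(v.owner, v.attribute): v for v in vocabs}

    def check(self, owner, attribute, value):
        """Classify a value as 'standard', 'extension' or 'rejected'.
        An unknown owner is rejected outright: the owner is the context that
        says which values are permissible, so without it nothing can be
        validated and a consumer should not silently accept the value."""
        vocab = self._vocabs.get((owner, attribute))
        if vocab is None:
            return "rejected"
        if value in vocab.values:
            return "standard"
        return "rejected" if vocab.closed else "extension"

    def uncovered(self, prop_owner, std_owner, attribute):
        """Proprietary values with no exact match in the standard set: the gap
        that keeps a proprietary list alive next to the standard one."""
        prop = self._vocabs[(prop_owner, attribute)]
        std = self._vocabs[(std_owner, attribute)]
        return sorted(prop.values - std.values)
```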

 

From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Jerome Athias
Sent: Saturday, October 24, 2015 9:19 AM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: Joep Gommers <joep@eclecticiq.com>; Grobauer, Bernd <Bernd.Grobauer@siemens.com>; Cliff.Palmer@gd-ms.com; cti-stix@lists.oasis-open.org; cti-users@lists.oasis-open.org; John-Mark Gurney <jmg@newcontext.com>; Wunder, John A. <jwunder@mitre.org>; Barnum, Sean D. <sbarnum@mitre.org>
Subject: Re: [cti-users] Indicator Type / Vocabulary Implementation Questions

 

What you're pointing to there is another thing I thought about, which is the relationships between different vocabularies.

While partially implemented in my tools in an effort to avoid inconsistency, it was not yet introduced on the mailing lists.

 

(Again, a structure à la CWE/CAPEC could be a mid-term solution before an RDF/OWL ontology)

On Saturday, 24 October 2015, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:

Should be pretty self-explanatory....

Anomalous Activity <Could be any but usually Reconnaissance/Weaponization/Delivery>
Malicious Activity <Delivery / Exploitation>
Command and Control <Command and Control>
Anonymization <Actions>
Data Exfiltration <Actions>
Lateral Movement <Installation>
Privilege Escalation <Installation>
Reconnaissance <Reconnaissance >
Host/Process Compromise <Installation>
Watchlist <N/A>
Quantified Risk <N/A>
Policy Violation ** <N/A>

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: Joep Gommers <joep@eclecticiq.com>
To: Jason Keirstead/CanEast/IBM@IBMCA
Cc: John-Mark Gurney <jmg@newcontext.com>, "Barnum, Sean D." <sbarnum@mitre.org>, "Grobauer, Bernd" <Bernd.Grobauer@siemens.com>, "Wunder, John A." <jwunder@mitre.org>, "Cliff.Palmer@gd-ms.com" <Cliff.Palmer@gd-ms.com>, "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 2015/10/24 06:33 AM
Subject: Re: [cti-users] Re: [cti-stix] Re: [cti-users] Indicator Type / Vocabulary Implementation Questions





Jason,

How would you feel this relates to killchain?

J

Sent from my iPhone


On 24 Oct 2015, at 11:05, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:

I like the direction this is going

"Removing type information would reduce the IndicatorTypeVocab down to:

Compromised
Malicious
Watchlist
C2
Anonymization
Exfiltration

"

This is very similar to what I have been working through

This was my internal list so far - thoughts?

Anomalous Activity
Malicious Activity
Command and Control *
Anonymization
Data Exfiltration
Lateral Movement
Privilege Escalation
Reconnaissance
Host/Process Compromise
Watchlist
Quantified Risk
Policy Violation **



* I prefer descriptive names other than acronyms like "C2"; it makes it easier for translation purposes.

** Not sure about this one... it's kind of straying outside the CTI realm, although I do see a great value / need for it in the vocabulary.

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: John-Mark Gurney <jmg@newcontext.com>
To: "Barnum, Sean D." <sbarnum@mitre.org>
Cc: "Grobauer, Bernd" <Bernd.Grobauer@siemens.com>, "Wunder, John A." <jwunder@mitre.org>, Jason Keirstead/CanEast/IBM@IBMCA, "Cliff.Palmer@gd-ms.com" <Cliff.Palmer@gd-ms.com>, "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>, cti-stix@lists.oasis-open.org
Date: 2015/10/23 03:57 PM
Subject: [cti-stix] Re: [cti-users] Indicator Type / Vocabulary Implementation Questions
Sent by: <cti-stix@lists.oasis-open.org>





I have created an issue for this as when I was reviewing the vocab list, it did not cover our use case.


The issue I created:

https://github.com/STIXProject/specifications/issues/35

I believe that this will help people use the Vocab better, and may reduce the need for custom vocabs.


Please comment on this issue to provide feedback.


Thanks.


I have included the text of the issue here for reference:
There is a discussion on cti-users and cti-stix about improving the IndicatorTypeVocab.


I believe that having a vocab is a useful thing. But I believe the existing vocab needs to be improved.


First off, type information, like e-mail, ip, file hash, domain, etc. should be removed. You should/must be able to get this information from the Observable that is part of the Indicator.


For one, there is no vocab to describe a malicious observable, say network packet, stream, or other activity. Though if the e-mail type is removed from Malicious E-mail, and it just became Malicious (Observable), then we would have something.


Removing type information would reduce the IndicatorTypeVocab down to:
Compromised
Malicious
Watchlist
C2
Anonymization
Exfiltration


The first three are interesting: Compromised means that this Observable indicates that you ARE compromised. The Malicious means that you WILL be compromised by this Observable, and Watchlist means that you MAY get compromised by this Observable.


Arguably, C2 should fall under Compromised, but as it probably requires further investigation to figure out the original compromised host, I'm fine leaving this as its own separate type.


On Fri, Oct 23, 2015 at 7:19 AM, Barnum, Sean D. <sbarnum@mitre.org> wrote:

I think the first step would be to enter an issue in the tracker for this so that we can get it on the table. I also agree with an earlier statement that the issue of default vocab values has clear overlap with the interoperability SC, so while we need to work internally within the STIX SC for ensuring our default vocabs have the appropriate values for STIX use cases, it probably also makes sense to work at a higher level on the process by which we define and manage the various default controlled vocabs.


 



