Subject: Re: [cti-users] Indicator Type / Vocabulary Implementation Questions
Bernd,

Thank you for the clarification. It is helpful.

sean

On 10/26/15, 4:32 AM, "Grobauer, Bernd" <Bernd.Grobauer@siemens.com> wrote:

>Hi Sean,
>
>> May I suggest that rather than talking about removing the property that
>> we instead have a structured discussion around collaboratively
>> improving the values and more directly characterizing how different
>> players may wish to use that property and its values?
>
>Like I wrote in my previous email: my call for getting rid of
>the IndicatorType element several weeks ago had been part
>of a calculated provocation to gauge the scope there might be
>for simplifying the standard. I don't use such
>provocations lightly, but at the time I felt it important
>to get some clarification on where we stand regarding changes
>towards STIX 2.0 and CybOX 3.0. And I think the discussion that
>ensued was helpful...
>
>So let me state now in all clarity: I am not calling for
>the removal of IndicatorType and I am all in favor of improving the
>values and understanding how it is used and should be used.
>
>> I think the first step would be to enter an issue in the tracker for
>> this so that we can get it on the table. I also agree with an earlier
>
>John-Mark Gurney has done so (thanks!):
>
>https://github.com/STIXProject/specifications/issues/35
>
>> As an aside, it may be useful to know that one of the uses for the
>> IndicatorType property that some community members expressed intent for
>> in the past was for aiding in automated filtering and orchestration of
>> Indicators upon ingest. For example, automated routing of 'IP
>> Watchlist' or 'Domain Watchlist' Indicators to network analysts or
>> tools while routing 'File Hash Watchlist' to host/endpoint analysts or
>> tools or routing "Malware Artifacts" or "C2" to malware analysts for
>> further investigation.
>>
>> I don't necessarily think that saying "C2" in IndicatorType and
>> associating the Indicator with "Command and Control" as a Kill Chain
>> phase are the same thing. They are both mentioning C2 but for different
>> reasons and in different contexts.
>>
>> Just thought I would point out how some have mentioned using the
>> property.
>
>Thanks, that has given me a better picture of why the vocabulary
>looks the way it does!
>
>Kind regards,
>
>Bernd
>
>> sean
>>
>> On 10/23/15, 6:49 AM, "cti-users@lists.oasis-open.org on behalf of
>> Grobauer, Bernd" <cti-users@lists.oasis-open.org on behalf of
>> Bernd.Grobauer@siemens.com> wrote:
>>
>> >Hi,
>> >
>> >> I heard a recent proposal to remove it entirely. What would be the
>> >> impact of that?
>> >
>> >I had made the suggestion to remove the IncidentType entirely in
>> >my somewhat provocative mail a few weeks ago, in which I wanted
>> >to explore how much potential for simplification in going towards
>> >STIX 2.0 there might be.
>> >
>> >Why had I suggested removing it?
>> >
>> >The main reason is that I do not find the values that are currently
>> >part of the standard vocabulary particularly useful:
>> >
>> >- Why would I put 'IP Watchlist' or 'Domain Watchlist' or 'File Hash
>> >  Watchlist' into the Indicator Type? I could understand "Watchlist",
>> >  which tells you to watch for whatever Observable Patterns are
>> >  indicated in the indicator.
>> >
>> >- Another type is 'C2' -- at the same time I have the ability to
>> >  reference in the indicator a kill chain phase ... and if the
>> >  referenced kill chain is of any use, it will have something
>> >  corresponding to 'C2'.
>> >
>> >  Now I have (again) two ways of expressing the same thing ... we have
>> >  just stumbled over this issue a few days ago in a sharing group we
>> >  are part of: we use the reference to the killchain phase to indicate
>> >  C2-activity, others use the indicator type.
>> >
>> >  Similarly, "Exfiltration" -- should that not be described with a
>> >  reference from the indicator to a TTP "Exfiltration"?
>> >
>> >Other entries in the standard vocabulary ("Malicious Email", "Host
>> >Characteristics") seem like there would be no end to the list of
>> >allowed vocabulary (think "Malicious <enter CybOX object type here>"
>> >as pattern for generating vocabulary...)
>> >
>> >My suggestion to get rid of the indicator type was really a bit of a
>> >calculated provocation -- I have no trouble with keeping it in STIX.
>> >But we should ensure that the standard vocabulary is defined such
>> >that it really adds value rather than adding confusion by allowing
>> >yet more ways to describe the same thing in different ways.
>> >
>> >Kind regards,
>> >
>> >Bernd
>> >
>> >----------------
>> >
>> >Bernd Grobauer, Siemens CERT
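The two points the thread circles around, ingest-time routing keyed on IndicatorType and the overlap between the 'C2' type value and a "Command and Control" kill chain phase, can be made concrete with a small router. The code below is an added example, not code from the STIX project or from anyone on this list. It uses a simplified dict representation of an indicator (not STIX XML), only the IndicatorType values named in the thread, and an assumed queue layout (network, endpoint, malware, email, triage) that stands in for one organisation's own workflow. Indicators that express C2 only through the kill chain phase are routed as if they carried the 'C2' type, and the `inconsistencies` check reports indicators that say it one way but not the other, which is the mismatch Bernd describes hitting in a sharing group.

```python
"""Route indicators on ingest by IndicatorType, with a kill-chain fallback.

Added example: the indicator records are a constructed, simplified dict
form (not a STIX serialisation), and the queue names are an assumption
about one organisation's workflow, not anything defined by STIX.
"""
from collections import defaultdict

# Which analyst queue a given IndicatorType value lands in (assumed layout).
ROUTES = {
    "IP Watchlist": "network",
    "Domain Watchlist": "network",
    "File Hash Watchlist": "endpoint",
    "Host Characteristics": "endpoint",
    "Malware Artifacts": "malware",
    "C2": "malware",
    "Exfiltration": "network",
    "Malicious Email": "email",
}

# Kill-chain phase names treated, for routing purposes only, as equivalent
# to an IndicatorType value. This is the overlap discussed in the thread.
PHASE_ALIASES = {"Command and Control": "C2"}

DEFAULT_QUEUE = "triage"  # anything we cannot classify gets a human look


def effective_types(indicator):
    """IndicatorType values implied by an indicator: the explicit Type
    values plus any kill-chain phase that aliases to a Type value."""
    types = set(indicator.get("types", []))
    for phase in indicator.get("kill_chain_phases", []):
        alias = PHASE_ALIASES.get(phase)
        if alias:
            types.add(alias)
    return types


def route(indicator):
    """Sorted, de-duplicated list of queues for one indicator.
    Unknown or missing types fall through to the triage queue."""
    queues = {ROUTES[t] for t in effective_types(indicator) if t in ROUTES}
    return sorted(queues) if queues else [DEFAULT_QUEUE]


def inconsistencies(indicator):
    """Report indicators that carry one spelling of a concept but not the
    other, e.g. Type 'C2' without the 'Command and Control' phase."""
    explicit = set(indicator.get("types", []))
    phases = set(indicator.get("kill_chain_phases", []))
    problems = []
    for phase, alias in PHASE_ALIASES.items():
        if alias in explicit and phase not in phases:
            problems.append(f"Type {alias!r} set but phase {phase!r} missing")
        if phase in phases and alias not in explicit:
            problems.append(f"phase {phase!r} set but Type {alias!r} missing")
    return problems


def dispatch(indicators):
    """Group a batch of indicators by destination queue (id lists)."""
    batches = defaultdict(list)
    for ind in indicators:
        for queue in route(ind):
            batches[queue].append(ind["id"])
    return dict(batches)


# Constructed sample batch in the simplified dict form described above.
SAMPLE = [
    {"id": "ind-1", "types": ["IP Watchlist"], "kill_chain_phases": []},
    {"id": "ind-2", "types": ["File Hash Watchlist", "Malware Artifacts"],
     "kill_chain_phases": []},
    {"id": "ind-3", "types": [], "kill_chain_phases": ["Command and Control"]},
    {"id": "ind-4", "types": ["C2"], "kill_chain_phases": []},
    {"id": "ind-5", "types": [], "kill_chain_phases": ["Delivery"]},
]

if __name__ == "__main__":
    for queue, ids in sorted(dispatch(SAMPLE).items()):
        print(f"{queue:9s} <- {', '.join(ids)}")
    for ind in SAMPLE:
        for problem in inconsistencies(ind):
            print(f"{ind['id']}: {problem}")
```

Running the module routes ind-3 (phase only) and ind-4 (type only) to the same malware queue, sends ind-5 to triage because "Delivery" maps to nothing here, and reports both ind-3 and ind-4 as inconsistent, which is exactly the situation where two producers in one sharing group encode C2 differently.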