Subject: Re: [cti-stix] RE: [cti-users] STIX 2.1 Proposal - Opinion Object
I'd like to propose a different approach to meeting this use case (the objectives of which I fully support). Please consider the following: Unless specifically acting in the role of aggregator (with requisite markings to maintain provenance of intelligence one is redistributing), Sources should only be disseminating intelligence they have originally developed through their own analytic processes or sightings they have directly observed (which can include sightings of observables produced by other Sources). Each Source should "show their work" to the extent possible without exposing "sources and methods" beyond a given Community of Trust. In any case, Sources should include their subjective ratings for analysis-driven conclusions. Sightings should be simple statements of fact: "I observed this activity matching this pattern". Sightings can of course include additional enriching analytic conclusions/assertions (i.e., we determined this targeting pattern exactly matches previous campaigns attributed with high certainty to Threat Actor "X"). Source "A" may provide packages with rich context, basis for assertions, etc. Whereas Source "B" may just provide a list of a handful of Actionable IOCs. While one might assume Source "A" is a "higher value/rating", if the IOCs from Source "B" help to prevent an emerging attack package with new 0Day exploits, then they will receive a high rating until otherwise shown to be less reliable. Over time Consumers will be able to derive their own measures of the viability of intelligence (in and of itself) and from a given Source. The measures of this will also, over time, accumulate other subjective factors like "relevance" (a given adversary and related intelligence may only be relevant to Sector "X"). Where I think we should focus in terms of CTI Specifications is on the areas required to enable non-attributional Source Traceability where a consumer can direct an RFI or "Opinion" back to the original Source.

A challenge to assertions, if ultimately proven valid, could/should lead to release of a revised package from that Source. An RFI could similarly result in a re-release of a package (or element of same) with additional details, context, clarification, etc. Again, over time Consumers will derive their own measures on a given piece of intelligence or Source. These measures (Positive or Negative) are directly shared today between analysts in many "Communities of Trust". Empowering a channel for communication between Consumers and Producers (vs. a voting system between Consumers) would in my view better provide the outcomes we are seeking.

Patrick Maroney

Terry,

Do you see the opinion object being used to agree/disagree with an indicator assertion? This could allow us to share false positive / true positive recommendations regarding indicators, which would be something that could immediately be used by most consumers.

Aharon

From: <cti-stix@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com>

I see this being mostly used, and maybe initially limited to, providing opinions about a relationship. If you try to do it against another SDO, how do you tell a tool the "part" of the SDO that you are agreeing with or not agreeing with? This kind of gets into the whole granular markings stuff, which I think we should avoid for the near-term.

Bret

From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@gmail.com>

Hi Jason,

To be clear, this object isn't specifically for attribution, if you were meaning attribution of attacks to certain threat actors. This object simply allows an organisation to agree or disagree with an 'assertion' that another organisation has made (i.e. an object they have published). I expect that it would be most commonly used to either agree or disagree with a relationship between two other STIX Data Objects (SDOs), as relationships between objects are likely to involve more uncertainty and guesswork. It can also be used to agree or disagree with a specific SDO (e.g. an identity object), but I believe this will be much less common. The idea behind the object is to allow recipients within a threat intelligence sharing community to work out which threat intelligence objects are commonly agreed (and therefore can potentially be more trusted), and which threat intelligence is more contentious and needs to be treated more like a guess. It is important to remember that each original object published is a single organisation's assertion of the truth, so providing a way for other organisations to comment as to whether they agree/disagree with the original assertion of the truth adds the ability for multiple organisations to effectively agree with that assertion of truth, or disagree with it. In either case, that is valuable information for recipients.

Cheers

Terry MacDonald
Cosive

On 10 Jan. 2017 05:08, "Jason Hammerschmidt" <Jason.Hammerschmidt@ieso.ca> wrote:
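As an added example (not part of this thread, and not the STIX specification's own text or code), a small Python sketch of what Terry and Bret describe: an Opinion object that agrees or disagrees with a relationship between two SDOs, plus a consumer-side roll-up of all opinions received about one object so a recipient can see how widely an assertion is agreed with. It assumes the property names and enum values the Opinion object later received in STIX 2.1 (`opinion`, `object_refs`, `explanation`, `created_by_ref`); the ids, organisations and explanations are constructed.

```python
import uuid
from datetime import datetime, timezone

# STIX 2.1 opinion-enum, ordered from strongest disagreement to strongest agreement.
OPINION_ENUM = ["strongly-disagree", "disagree", "neutral", "agree", "strongly-agree"]
SCORE = {name: i - 2 for i, name in enumerate(OPINION_ENUM)}  # maps enum to -2 .. +2

def make_opinion(author_ref, object_refs, opinion, explanation=""):
    """Build a minimal STIX 2.1 Opinion SDO (plain dict) about one or more objects."""
    if opinion not in OPINION_ENUM:
        raise ValueError(f"opinion must be one of {OPINION_ENUM}")
    if not object_refs:
        raise ValueError("object_refs must reference at least one object")
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "opinion", "spec_version": "2.1", "id": f"opinion--{uuid.uuid4()}",
        "created_by_ref": author_ref, "created": now, "modified": now,
        "opinion": opinion, "explanation": explanation, "object_refs": list(object_refs),
    }

def consensus(objects, target_ref):
    """Summarise every Opinion in a list of STIX objects that refers to target_ref."""
    matching = [o for o in objects if o.get("type") == "opinion" and target_ref in o["object_refs"]]
    counts = {name: 0 for name in OPINION_ENUM}
    for o in matching:
        counts[o["opinion"]] += 1
    total = len(matching)
    return {
        "count": total,
        "distinct_authors": len({o.get("created_by_ref") for o in matching}),
        "mean_score": (sum(SCORE[o["opinion"]] for o in matching) / total) if total else 0.0,
        "counts": counts,
    }

# Constructed sample: three organisations comment on one relationship assertion; a fourth
# opinion concerns an unrelated indicator and must not count toward the relationship.
REL = "relationship--11111111-1111-4111-8111-111111111111"  # constructed id
IND = "indicator--22222222-2222-4222-8222-222222222222"     # constructed id
ORG = [f"identity--3333333{i}-3333-4333-8333-333333333333" for i in (1, 2, 3)]  # constructed

SAMPLE = [
    make_opinion(ORG[0], [REL], "agree", "Our telemetry shows the same pattern."),
    make_opinion(ORG[1], [REL], "strongly-agree", "Matches our prior campaign analysis."),
    make_opinion(ORG[2], [REL], "disagree", "We could not reproduce this link."),
    make_opinion(ORG[0], [IND], "neutral"),
]

if __name__ == "__main__":
    print(consensus(SAMPLE, REL))
```

A mean near +2 with several distinct authors marks a widely agreed assertion; a low count or a mixed spread of counts marks the contentious kind Terry says should be treated more like a guess.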