OASIS Mailing List Archives

cti-users message


Subject: Re: [cti-stix] RE: [cti-users] STIX 2.1 Proposal - Opinion Object


Hi Aharon,

I see that the opinion object would apply to any other SDO or SRO object. This would apply to the relationship object and the sighting object, as well as things like threat actors, indicators, malware, and the rest of the SDO objects. 

I think the application of the Opinion object to an Indicator makes a lot of sense, as you can effectively work out (as a recipient of the information) which Indicators are the ones that are most agreed with, and therefore the ones that are the most 'confirmed'.

The Opinion object won't detract from the Sighting object, as the Sighting object says 'I've seen what this is indicating 4 times in my Organization' whereas the Opinion object is saying 'I think this Indicator is accurate and I agree with it.'

I do think it's important that the Opinion object applies to SDOs as well as SROs, as it allows third parties to disagree with the object. Yes, as pointed out by others, granular-level opinions would be more specific, but at present I would suggest that object-level opinions will get us 90% of the way there. Object-level opinions can still let you disagree with a particular part of a malware object by selecting a disagree opinion, and then mentioning in the text which bit of the SDO you disagree with. I don't think we need to go down to the granular field level of opinion to allow the Opinion object to be useful to SDOs. It will still be useful in the form it is at the moment.

Cheers 

Terry MacDonald 

Cosive


On 15 Jan. 2017 03:19, "Aharon Chernin" <aharon@perchsecurity.com> wrote:

Terry,

 

Do you see the opinion object being used to agree/disagree with an indicator assertion? This could allow us to share false positive / true positive recommendations regarding indicators, which would be something that could immediately be used by most consumers.

 

Aharon

 

From: <cti-stix@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com>
Date: Friday, January 13, 2017 at 9:51 PM
To: Terry MacDonald <terry.macdonald@gmail.com>, Jason Hammerschmidt <Jason.Hammerschmidt@ieso.ca>
Cc: "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, Terry Macdonald <terry.macdonald@cosive.com>
Subject: Re: [cti-stix] RE: [cti-users] STIX 2.1 Proposal - Opinion Object

 

I see this being mostly used and maybe initially limited to providing opinions about a relationship.  If you try to do it against another SDO, how do you tell a tool the "part" of the SDO that you are agreeing with or not agreeing with.  This kind of gets in to the whole granular markings stuff, which I think we should avoid for the near-term.

 

Bret


From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@gmail.com>
Sent: Monday, January 9, 2017 12:20:25 PM
To: Jason Hammerschmidt
Cc: cti-users@lists.oasis-open.org; cti-stix@lists.oasis-open.org; Terry MacDonald
Subject: [cti-stix] RE: [cti-users] STIX 2.1 Proposal - Opinion Object

 

Hi Jason, 

 

To be clear, this object isn't specifically for attribution, if you were meaning attribution of attacks to certain threat actors. This object simply allows an organisation to agree or disagree with an 'assertion' that another organisation has made (i.e. an object they have published).

 

I expect that it would be most commonly used to either agree or disagree with a relationship between two other STIX Data Objects (SDOs), as relationships between objects are likely to involve more uncertainty and guesswork. It can also be used to agree or disagree with a specific SDO (e.g. An identity object) but I believe this will be much less common.

 

The idea behind the object is to allow recipients within a threat intelligence sharing community to work out which threat intelligence objects are commonly agreed (and therefore can potentially be more trusted), and which threat intelligence is more contentious and needs to be treated more like a guess. It is important to remember that each original object published is a single organisation's assertion of the truth, so providing a way for other organisations to comment as to whether they agree/disagree with the original assertion of the truth adds the ability for multiple organisations to effectively agree with that assertion of truth, or disagree with it. In either case, that is valuable information for recipients.

 

Cheers 

Terry MacDonald 

Cosive

 

On 10 Jan. 2017 05:08, "Jason Hammerschmidt" <Jason.Hammerschmidt@ieso.ca> wrote:

I believe this is a valuable addition. Like other User Generated Content (UGC), attribution is a requirement for the content to be trusted and used; therefore, if added, attribution will be required in some manner for it to be adopted. I know many people are concerned about attribution, but I for one am happy to provide it in this field; in fact I think it will be required moving forward for full adoption, lest we only rely on a limited set of authoritative feeds.

 

From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Terry MacDonald
Sent: December 25, 2016 3:24 AM
To: cti-stix@lists.oasis-open.org; cti-users@lists.oasis-open.org
Subject: [cti-users] STIX 2.1 Proposal - Opinion Object

 


Hi All,

I'd like to propose the Opinion Object for STIX 2.1.

The Opinion object is an object that allows the creator of the Opinion object to agree/disagree with any other STIX Data Object or STIX Relationship Object. It will allow an Organization to disagree with a relationship between a Threat Actor and a Campaign, for example, or agree with the contents of a Course of Action.

This is the first step towards consumers being able to crowd-source the opinion of the community, which will help newcomers to the threat intelligence sharing groups better understand which threats have a high degree of community agreement and which are contentious.

 

Further details in the attached PDF.

 

Cheers

 

Terry MacDonald | Chief Product Officer


 

PERCH

Aharon Chernin / CEO and Founder
aharon@perchsecurity.com / +1 8133358965

http://www.perchsecurity.com
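The thread above uses the Opinion object in two ways: against an Indicator (Aharon's true-positive / false-positive recommendations) and against a Relationship (the attribution case Bret and Terry discuss), with the stated goal of letting recipients work out which objects the community agrees on and which are contested. The code below is an added example, not code from the proposal PDF or from anyone in the thread. It builds Opinion objects as plain dicts and folds a bundle of them into a per-object consensus. The field layout (type "opinion", an "opinion" value drawn from opinion-enum, "object_refs", optional "explanation") follows the Opinion SDO as it was later standardised in STIX 2.1, which is an assumption about how the proposal maps onto it, since the PDF is not on this page. The identities, object ids, pattern, timestamps and the bundle itself are constructed sample data, and OPINION_SCORE, consensus() and the one-vote-per-organisation rule are this example's own design choices.

```python
# Added example, not code from the proposal or from anyone in the thread.
# Builds STIX 2.1 Opinion objects and folds them into a per-object consensus
# view.  Field names follow the Opinion SDO as later standardised in STIX 2.1
# (assumption: the proposal PDF is not on the page).  All ids, organisations
# and timestamps are constructed sample data.
import json
from collections import defaultdict

# opinion-enum from STIX 2.1, mapped to a signed score (this example's choice).
OPINION_SCORE = {"strongly-disagree": -2, "disagree": -1, "neutral": 0,
                 "agree": 1, "strongly-agree": 2}

# Constructed identifiers (hypothetical organisations and objects).
ORG_A = "identity--1a1a1a1a-1111-4111-8111-1a1a1a1a1a1a"
ORG_B = "identity--2b2b2b2b-2222-4222-8222-2b2b2b2b2b2b"
ORG_C = "identity--3c3c3c3c-3333-4333-8333-3c3c3c3c3c3c"
PUBLISHER = "identity--4d4d4d4d-4444-4444-8444-4d4d4d4d4d4d"
INDICATOR_ID = "indicator--aaaaaaaa-0000-4000-8000-aaaaaaaaaaaa"
RELATIONSHIP_ID = "relationship--dddddddd-0000-4000-8000-dddddddddddd"
MISSING_ID = "malware--99999999-0000-4000-8000-999999999999"


def make_opinion(opinion_id, created_by, opinion, object_refs, modified,
                 explanation=None):
    """One Opinion SDO as a plain dict; `created` is set equal to `modified`."""
    if opinion not in OPINION_SCORE:
        raise ValueError(f"'{opinion}' is not in opinion-enum")
    if not object_refs:
        raise ValueError("object_refs must name at least one object")
    obj = {"type": "opinion", "spec_version": "2.1", "id": opinion_id,
           "created_by_ref": created_by, "created": modified, "modified": modified,
           "opinion": opinion, "object_refs": list(object_refs)}
    if explanation:
        obj["explanation"] = explanation
    return obj


def consensus(bundle):
    """Return ({object_id: {votes, mean, contested}}, [(opinion_id, unresolved_ref)]).

    One vote per (object, creating organisation): only the newest opinion by
    `modified` counts (STIX timestamps are fixed-width UTC, so string order is
    time order).  A revised opinion therefore replaces the old one, and an
    organisation cannot stuff the tally by re-publishing.  Refs to objects the
    bundle does not carry are reported, not scored.
    """
    known = {o["id"] for o in bundle["objects"]}
    latest, dangling = {}, []
    for o in bundle["objects"]:
        if o.get("type") != "opinion":
            continue
        for ref in o["object_refs"]:
            if ref not in known:
                dangling.append((o["id"], ref))
                continue
            key = (ref, o.get("created_by_ref", o["id"]))
            if key not in latest or o["modified"] > latest[key]["modified"]:
                latest[key] = o
    scores = defaultdict(list)
    for (ref, _creator), o in latest.items():
        scores[ref].append(OPINION_SCORE[o["opinion"]])
    summary = {ref: {"votes": len(s), "mean": sum(s) / len(s),
                     "contested": max(s) > 0 and min(s) < 0}  # both sides present
               for ref, s in scores.items()}
    return summary, dangling


def sample_bundle():
    """Constructed bundle: PUBLISHER's indicator and attribution relationship,
    plus opinions from three other organisations."""
    actor = "threat-actor--bbbbbbbb-0000-4000-8000-bbbbbbbbbbbb"
    campaign = "campaign--cccccccc-0000-4000-8000-cccccccccccc"
    t = "2017-01-{:02d}T00:00:00.000Z".format
    objects = [
        {"type": "indicator", "spec_version": "2.1", "id": INDICATOR_ID,
         "created_by_ref": PUBLISHER, "pattern_type": "stix",
         "pattern": "[domain-name:value = 'example.invalid']", "valid_from": t(1)},
        {"type": "threat-actor", "spec_version": "2.1", "id": actor, "name": "Actor X"},
        {"type": "campaign", "spec_version": "2.1", "id": campaign, "name": "Campaign Y"},
        {"type": "relationship", "spec_version": "2.1", "id": RELATIONSHIP_ID,
         "created_by_ref": PUBLISHER, "relationship_type": "attributed-to",
         "source_ref": campaign, "target_ref": actor},
        # Two organisations confirm the indicator (a true positive in their view).
        make_opinion("opinion--00000001-0000-4000-8000-000000000001", ORG_A,
                     "strongly-agree", [INDICATOR_ID], t(12)),
        make_opinion("opinion--00000002-0000-4000-8000-000000000002", ORG_B,
                     "agree", [INDICATOR_ID], t(13), "Hits in our telemetry, no FPs"),
        # The attribution relationship is contested.
        make_opinion("opinion--00000003-0000-4000-8000-000000000003", ORG_A,
                     "disagree", [RELATIONSHIP_ID], t(12)),
        make_opinion("opinion--00000004-0000-4000-8000-000000000004", ORG_C,
                     "strongly-agree", [RELATIONSHIP_ID], t(13)),
        # ORG_B agreed, then revised the same object (same id, later modified).
        make_opinion("opinion--00000005-0000-4000-8000-000000000005", ORG_B,
                     "agree", [RELATIONSHIP_ID], t(10)),
        make_opinion("opinion--00000005-0000-4000-8000-000000000005", ORG_B,
                     "disagree", [RELATIONSHIP_ID], t(14),
                     "Tooling overlap with Actor X is weaker than first reported"),
        # Opinion about an object this bundle does not contain.
        make_opinion("opinion--00000006-0000-4000-8000-000000000006", ORG_C,
                     "agree", [MISSING_ID], t(14)),
    ]
    return {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
            "objects": objects}


if __name__ == "__main__":
    summary, unresolved = consensus(sample_bundle())
    print(json.dumps(summary, indent=2))
    print("unresolved object_refs:", unresolved)
```

On the constructed bundle the indicator comes out as two votes with a mean of 1.5 and not contested, while the attribution relationship comes out as three votes with a mean of 0.0 and contested, which is the "treat it more like a guess" signal Terry describes. Two caveats a consumer would want are encoded deliberately: only the newest opinion per (object, created_by_ref) counts, so a revision replaces the earlier opinion and one organisation cannot inflate a tally by re-publishing, and object_refs that cannot be resolved in what you hold are reported rather than scored. Weighting each vote by how far you trust the created_by_ref (Jason's attribution point) is the natural next step and is left out here.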



