[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Results of today's CTI working call on the topic of refactoring "sources"
We had a good constructive conversation on today’s CTI working call on the topic of refactoring source representations and relationships within STIX.
We Invite further comments and discussion on this topic with a goal of reaching official consensus this week.
On the call, a request was made to break the problem down into a clear high-level statement of what is being proposed, some of the value propositions asserted for the proposal, and a breakdown of separate more detailed sub-issues that will need to be decided.
Here is my stab at a clear high-level statement of what is being proposed.
I will follow this email with a separate one focused on a breakdown of the detailed sub-issues to discuss/decide.
High level statement of what is being proposed:
For anyone who was unclear before, does this help?
Here is a little more detail if you find it useful. There is also a simple diagram attached showing some more various use case scenarios than just those presented below.
Break Information Source Out of Top-Level Objects
In STIX 1.x, Information Source was a field in each top-level object. For example:
For STIX 2.0, we propose breaking information source into top-level objects, for example:
This allows for less repetition, helps prevent consumers from having to correlate identities on name, and allows people to easily pivot on sources.
Break Information Source into Individual Types
In STIX 1.x, Information Source covered Identity, Tools, and References. For example:
While this somewhat made sense since it was embedded in individual constructs, with the move to separating them out to top-level objects it would be nice to reference them separately. So, for STIX 2.0, we propose breaking it apart into individual TLOs:
This would allow you to track “MITRE” as a separate identity from “CRITS” as a tool, etc. If MITRE’s SOC later produced something with a different tool, you probably want to be able to separately pivot on “MITRE” as an identity and that tool that we used.
Relating TLOs to Identities, Tools and References
In STIX 1.x, we used the “Role” field in information source to describe the role of that source in creating the construct.
For 2.x, we’ve developed a consensus proposal that uses a “Has Source” Relationship object to relate TLOs to their various sources. This “Has Source” relationship has an extended Roles property serving a similar function to the Role field in STIX 1.x.
In addition, strictly for the creator of the actual STIX content it also supports an optional “created_by_ref” property on each TLO.
|
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]