Subject: Re: [cti] Results of today's CTI working call on the topic of refactoring "sources"
>In other words make the Tool a global and interchangeable construct.
This is one of the side benefits of this approach for source. Breaking out tool helps us clarify and address the source use case but also gives us a foundation for addressing other tool-related issues as you point out here including the ability to talk about tools from a malicious, benign or defensive perspective as well as tools used in relation to COAs.
Breaking out identity has similar benefits in setting us up for some of the issues to be tackled in next month’s tranche (identity-based abstraction for source, victim, actor (threat actor, defender, 3rd party), etc.).
I had originally had these side benefits listed in my status email out of the call but removed them as I did not want to sidetrack the conversation around source.
I think we will tackle those issues at the right time and this proposed solution sets us up for better chances of success when we get there.
sean
From: Patrick Maroney <Pmaroney@Specere.org>
Date: Wednesday, February 10, 2016 at 10:14 AM
To: "Jordan, Bret" <bret.jordan@bluecoat.com>, "Barnum, Sean D." <sbarnum@mitre.org>, Terry MacDonald <terry@soltra.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Results of today's CTI working call on the topic of refactoring "sources"

I hesitate going too far down the rabbit-hole, but since I jumped in:
My thinking was that a "tool" sub-class should be an independent construct (perhaps within TTP? - presuming one subscribes to the notion of White Hat TTPs). Relationships to COA, Sightings, etc.
Therefore one can reference the "Tool" (i.e., Yara & Yara Rule) in the original assertion that I established the "badness" of "threat x" using "Tool".
...Then others can share sightings of "threat x" based on "Tool" : using "Tool" I 'sighted ' this activity.
....And others can report I mitigated "threat x" using COA "Tool"
In other words make the Tool a global and interchangeable construct. Note that the "Yara Rule" itself in this example would have a "Source", Versioning, and Provenance...
Patrick Maroney
President Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org

Pat, I would agree that sometimes when talking about a tool you are talking about a method. Other times a tool may be the source of the information itself (e.g. an ML scanning osint and creating STIX asserting that a particular TTP was leveraged as part of a Campaign).
Can you help us see what would be gained by making a distinction a tool as method vs source here? Is the same information not captured either way?
I think we are looking to keep it as simple as possible and still support the necessary use cases.
Having identities, tools and references treated as types of “sources” seems to be simpler than breaking tools off into a new concept of “method”.
>Also note that I may use multiple "Tools" to establish the basis for my assertion(s).
I believe you can still do this with the current proposal simply by specifying each tool and asserting a “has-source” relationship (maybe with a new “role” value more specific to this sort of case) between your assertion and the tools.
Is there something we are missing by doing it the proposed way? I am genuinely interested in understanding.
Thanks,
sean
From: Patrick Maroney <Pmaroney@Specere.org>
Date: Wednesday, February 10, 2016 at 9:19 AM
To: "Jordan, Bret" <bret.jordan@bluecoat.com>, Terry MacDonald <terry@soltra.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, "Barnum, Sean D." <sbarnum@mitre.org>
Subject: Re: [cti] Results of today's CTI working call on the topic of refactoring "sources"

Isn't "Tool" better related to a Method (i.e.: ==Using==>) relationship? (I'm paraphrasing here)
In other words, an entity is still the Source of an assertion, the tool(s) used to make that assertion are the Method. Also note that I may use multiple "Tools" to establish the basis for my assertion(s).
Patrick Maroney
President Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org

From: Jordan, Bret <bret.jordan@bluecoat.com>
Sent: Tuesday, February 9, 2016 7:25 PM
Subject: Re: [cti] Results of today's CTI working call on the topic of refactoring "sources"
To: Terry MacDonald <terry@soltra.com>
Cc: <cti@lists.oasis-open.org>, Barnum, Sean D. <sbarnum@mitre.org>

"source-tool" does seem to be more clear. Thanks,
Bret
Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."