Subject: RE: [Non-DoD Source] Re: [cti] Quality of the specs (UNCLASSIFIED)


CLASSIFICATION: UNCLASSIFIED

Up front - I recommend having an indicator title and it being optional.  

It sounds to me that this discussion has been overlapping the two concepts of a title and an identifier.  I may be misunderstanding or not completely knowledgeable of the STIX indicator object but a title is human understandable (context) only.  I don't believe tool vendors will have a barrier to entry because of a title because tools can't get context from a title only humans do.  The vendors will be able to associate with the indicator, if no unique 'ID' is available, through character matching, right?  However, this is why an indicator 'ID' and a 'TITLE' is needed. Indicator 'ID' will enable non-redundant unique mostly computer readable identification.  Indicator 'TITLE' will enable humans to make a quick visual and cognitive "context" out of a title.  Also, the 'ID' and 'TITLE' should have associated naming conventions (RULES) to ensure uniqueness and understanding as much as possible.

So my recommendation is to have the indicator title, albeit optional, but STIX also needs a mandatory indicator ID.

Vr
James

-----Original Message-----
From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Aharon Chernin
Sent: Wednesday, February 10, 2016 9:28 AM
To: Wunder, John A. <jwunder@mitre.org>; cti@lists.oasis-open.org
Subject: [Non-DoD Source] Re: [cti] Quality of the specs



________________________________



Requiring that security tools have to parse the entire STIX high level object structure, just to get the context that an indicator title used to contain, is likely a high barrier to entry for tool vendors. Most tools are literally going to just pull the observables out of the indicator and build a signature. The title gives them some context for the signature. Also, most tools use Indicator title as a quick and easy way to browse indicator content or as a very brief summary of the object that can be displayed within a tool when the indicator is detected. We have had to auto-generate titles in the past when a user is not present to define them. In most cases, an auto-generated title is still better than an indicator with no title.

I am in favor of making indicator title mandatory.

Aharon
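The two positions in this thread (a mandatory unique indicator ID with a naming rule, and an optional title that tools fall back to auto-generating from the observables) can be sketched as a small ingest routine. This is an added illustration, not code from the STIX specification or from any of the posters; the record shape, the `indicator--` ID rule and the sample records are all constructed assumptions.

```python
import re

# Constructed sample records, loosely shaped like an indicator object: a
# required unique 'id', the observables a tool would build a signature from,
# and an optional human-readable 'title'. Assumed shape, not the STIX schema.
SAMPLE_INDICATORS = [
    {"id": "indicator--0001", "title": "C2 beacon to known bad domain",
     "observables": [{"type": "domain", "value": "bad.example"}]},
    {"id": "indicator--0002",
     "observables": [{"type": "ipv4", "value": "203.0.113.7"},
                     {"type": "ipv4", "value": "203.0.113.8"}]},
    {"id": "indicator--0001",  # duplicate id: must be rejected
     "observables": [{"type": "file_hash", "value": "deadbeef"}]},
]

ID_RE = re.compile(r"^indicator--[0-9a-f]{4,}$")  # assumed naming rule for ids


def auto_title(ind):
    """Build a short title from the observables when no human supplied one."""
    obs = ind.get("observables", [])
    if not obs:
        return f"Indicator {ind['id']} (no observables)"
    kinds = sorted({o["type"] for o in obs})
    first = obs[0]["value"]
    more = f" (+{len(obs) - 1} more)" if len(obs) > 1 else ""
    return f"{'/'.join(kinds)}: {first}{more}"


def normalize(indicators):
    """Return (accepted, rejected). Every accepted record has a well-formed,
    unique id and a title; 'auto_title' marks titles that were generated so
    consumers do not mistake them for human-supplied context."""
    seen, accepted, rejected = set(), [], []
    for ind in indicators:
        iid = ind.get("id")
        if not iid or not ID_RE.match(iid):
            rejected.append((iid, "missing or malformed id"))
            continue
        if iid in seen:
            rejected.append((iid, "duplicate id"))
            continue
        seen.add(iid)
        rec = dict(ind)
        if not rec.get("title", "").strip():
            rec["title"] = auto_title(rec)
            rec["auto_title"] = True
        else:
            rec["auto_title"] = False
        accepted.append(rec)
    return accepted, rejected
```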

From: <cti@lists.oasis-open.org> on behalf of "Wunder, John A." <jwunder@mitre.org>
Date: Wednesday, February 10, 2016 at 8:38 AM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Quality of the specs


I’m still having trouble understanding what people want to put in to an indicator title. Can someone give us a few examples of what they would use it for, in particular when it’s not just capturing information that’s already in the indicated behavior (malware, attack pattern, actor, campaign, etc) or in the pattern?

From: <cti@lists.oasis-open.org> on behalf of "Jordan, Bret" <bret.jordan@bluecoat.com>
Date: Tuesday, February 9, 2016 at 7:27 PM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: Sean Barnum <sbarnum@mitre.org>, Aharon Chernin <achernin@soltra.com>, Sarah Kelley <Sarah.Kelley@cisecurity.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Quality of the specs


agreed



Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 


	On Feb 9, 2016, at 14:27, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:

	Keeping "title" as optional and removing it are two very different things.
	
	There are many instances where there won't be a human at the keyboard to put a title on an indicator. If "title" is made mandatory, then in those situations the title will be auto generated from the content, and probably not very useful.
	
	I do not think indicator title is the same class as TTP information. There are use cases for indicators without human created titles.
	
	Sent from IBM Verse
	
	
	Jordan, Bret --- Re: [cti] Quality of the specs ---

From:	"Jordan, Bret" <bret.jordan@bluecoat.com>
To:	"Barnum, Sean D." <sbarnum@mitre.org>
Cc:	"Jason Keirstead" <Jason.Keirstead@ca.ibm.com>, "Aharon Chernin" <achernin@soltra.com>, "Sarah Kelley" <Sarah.Kelley@cisecurity.org>, cti@lists.oasis-open.org
Date:	Fri, Feb 5, 2016 12:44 PM	
Subject:	Re: [cti] Quality of the specs	
________________________________


	I would love to hear from some of these "current users" on how and why they think the field is useful.

	I would suggest that we have a design goal to not force TLOs to look and feel the same.  If they happen to end up that way due to real need, then great.  But let's not force a field on one TLO just because it is valid in 4 others.
	
	
	


	Thanks,

	Bret



	Bret Jordan CISSP
	Director of Security Architecture and Standards | Office of the CTO
	Blue Coat Systems
	PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
	"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 


		On Feb 5, 2016, at 13:38, Barnum, Sean D. <sbarnum@mitre.org> wrote:

		I would agree to some degree though I do not believe we can/should remove it.
		I believe that Mark is far from unique in his desire to see this property consistently populated. Several other current users have talked about how they feel this field is useful and plan to use it.

		That is completely aside from the desire to treat top-level objects consistently.

		sean

		
		



