OASIS Mailing List Archives



cti message


Subject: Re: [cti] Scenario

I feel like one of the problems this illustrates is these top-level fields in the Malware STIX object for file_names and file_hashes.

I understand the motivation for these fields - to work around potential CybOX bloat - but they create more problems than they solve in my opinion.

My own opinion is that these fields should be removed, and the root bloat problem, if any, tackled.
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


From: "Jordan, Bret" <bret.jordan@bluecoat.com>
To: "Wunder, John A." <jwunder@mitre.org>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Date: 09/14/2016 04:01 PM
Subject: Re: [cti] Scenario
Sent by: <cti@lists.oasis-open.org>

Yes, we can add extra Indicators for lots of those things; I only added one as an example.

The reason I did not use Sighting to link the Observed Data to the Infrastructure is that it is not "observed" at this point. It is information gathered from analysis. I am trying to illustrate how this could be done, since things like Malware, Infrastructure, and Incident (and maybe even Intrusion Sets) will just have Observed Data that gets linked / tied to them. I think Sighting should be reserved for an actual Sighting, especially in the context where you want to tell someone that you "saw" something.

So in this scenario you learn that there is a different /24 used by this Campaign every week that is part of one Infrastructure. Then the Sighting is telling us that we saw one specific IP address at a certain point in time.

If this is confusing or hard for people to understand then we should probably talk through it and figure out if our model and design is solid, in regards to Observed Data.

There are two things I would like to bubble up for discussion:

1) If you want to hunt for something in Observed Data you will need to manually create Indicators with semi-duplicate data, since Indicators use the Patterning Grammar not the CybOX objects. So there will be some duplication there. Just wanted to call it out.

2) Observed Data does not have any ability to give temporal context outside of just the timeframe that it happened in, which would make all temporal information implicit instead of explicit. For example, if I wanted to say that "this" happened and then within 5 minutes "that" happened, followed 30 seconds later by a connection to "this" site being opened, you cannot do that explicitly. You could do this as an Indicator with the Patterning Grammar, but you cannot do it on this side of the house (the side that documents what happened and your research, vs the Indicator side of the house that tells you what to go look for). So that is something we need to talk about.



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
[attachment "signature.asc" deleted by Jason Keirstead/CanEast/IBM]
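The temporal gap Bret raises in point 2, as an added example that is not part of the thread: a small Python evaluator over constructed observations. `match_sequence` is a hypothetical, simplified stand-in for the Patterning Grammar's ordered "followed by, within N seconds" semantics, while `observed_data_window` shows the only timing Observed Data itself carries, so two orderings of the same events with the same timeframe look identical to the latter but not to the former; the object types, property values and the `PATTERN` shape are all assumptions.

```python
from datetime import datetime, timedelta
FMT = "%Y-%m-%dT%H:%M:%SZ"
# Constructed observations (assumed shape, not STIX wire format): (timestamp,
# object type, "property=value"), mirroring the post's "this, then that within
# 5 minutes, then a connection 30 seconds later" example.
OBSERVED = [
    ("2016-09-14T20:00:00Z", "file", "hashes.MD5=d41d8cd98f00b204e9800998ecf8427e"),
    ("2016-09-14T20:03:00Z", "process", "name=dropper.exe"),
    ("2016-09-14T20:03:30Z", "network-traffic", "dst_ref.value=203.0.113.5"),
]
# Same observations and overall timeframe, but the connection preceded the process.
OBSERVED_REORDERED = [
    ("2016-09-14T20:00:00Z", "file", "hashes.MD5=d41d8cd98f00b204e9800998ecf8427e"),
    ("2016-09-14T20:03:00Z", "network-traffic", "dst_ref.value=203.0.113.5"),
    ("2016-09-14T20:03:30Z", "process", "name=dropper.exe"),
]
# Ordered pattern (hypothetical, simplified stand-in for the Patterning Grammar's
# "A FOLLOWEDBY B WITHIN N SECONDS"): each later step must follow the previous
# matched step within `within` seconds; the first step has no window.
PATTERN = [
    ("file", "hashes.MD5=d41d8cd98f00b204e9800998ecf8427e", None),
    ("process", "name=dropper.exe", 300),
    ("network-traffic", "dst_ref.value=203.0.113.5", 30),
]

def observed_data_window(observed):
    """All the temporal context Observed Data carries: first and last observed."""
    stamps = [datetime.strptime(t, FMT) for t, _, _ in observed]
    return min(stamps).isoformat(), max(stamps).isoformat()

def match_sequence(observed, pattern):
    """Timestamps of the first chain satisfying the ordered pattern, else None."""
    events = sorted((datetime.strptime(t, FMT), o, p) for t, o, p in observed)
    def extend(chain, start, step):
        if step == len(pattern):
            return chain
        obj_type, prop, within = pattern[step]
        for i in range(start, len(events)):
            ts, o, p = events[i]
            if (o, p) != (obj_type, prop):
                continue
            if within is not None and ts - chain[-1] > timedelta(seconds=within):
                return None  # events are sorted, so later ones are further away
            found = extend(chain + [ts], i + 1, step + 1)
            if found:
                return found
        return None
    chain = extend([], 0, 0)
    return [t.isoformat() for t in chain] if chain else None
```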
