Subject: Re: [cti] Add last_seen to campaign and intrusion set


Right but what happens when that user sees the next instance of that campaign.

Do they submit a revision and update the last_seen? Or submit a sighting? Or do both? It is two ways to communicate the same thing, that could get misaligned if someone updated one but didn't do the other.
So as a piece of software, which do you treat as the true "last seen", the sighting data, or the field?

And meanwhile, other users can *only* say they saw it using sighting, since they can't submit any revisions. So it seems like software would HAVE to treat that as source of truth, no?

--
Sent from my mobile device, please excuse any typos.
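The reconciliation question Jason raises ("which do you treat as the true last seen, the sighting data, or the field?") is shown below as an added example; it is not code from this thread or from the STIX specification. The objects are constructed in the shape of STIX 2.0 campaign and sighting objects, with the proposed `last_seen` field on the campaign, and the ids and timestamps are made up.

```python
# Added example (not code from the thread or the STIX specification): reconcile
# a campaign's producer-asserted last_seen with sighting data, the situation
# Jason describes above. Objects are constructed in the shape of STIX 2.0;
# the ids and timestamps are made up for the example.
from datetime import datetime, timezone

def parse_ts(ts):
    """Parse an RFC 3339 UTC timestamp such as 2016-08-15T00:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def effective_last_seen(campaign, sightings):
    """Return (timestamp, source, stale) for the latest known activity.

    source is "field" (the creator's own last_seen), "sighting" (a sighting
    object from any producer) or None when nothing is known. stale is True
    when the creator's field lags behind a sighting, i.e. the two channels
    for "last seen" have drifted apart.
    """
    field_ts = parse_ts(campaign["last_seen"]) if "last_seen" in campaign else None
    # Only sightings that reference this campaign count towards its last_seen.
    sighting_ts = [parse_ts(s["last_seen"]) for s in sightings
                   if s.get("sighting_of_ref") == campaign["id"] and "last_seen" in s]
    latest = max(sighting_ts) if sighting_ts else None
    if field_ts is None and latest is None:
        return None, None, False
    if latest is None or (field_ts is not None and field_ts >= latest):
        return field_ts, "field", False
    return latest, "sighting", field_ts is not None

# Constructed campaign: the creator last updated last_seen in Aug 2016.
CAMPAIGN = {
    "type": "campaign", "id": "campaign--0c3f3a1e-1111-4222-8333-444455556666",
    "name": "Example campaign", "first_seen": "2015-01-05T00:00:00Z",
    "last_seen": "2016-08-15T00:00:00Z",
}
# Constructed sightings from other producers; the second is newer than the field.
SIGHTINGS = [
    {"type": "sighting", "id": "sighting--aaaa1111-2222-4333-8444-555566667777",
     "sighting_of_ref": CAMPAIGN["id"], "last_seen": "2016-07-20T12:00:00Z"},
    {"type": "sighting", "id": "sighting--bbbb1111-2222-4333-8444-555566667777",
     "sighting_of_ref": CAMPAIGN["id"], "last_seen": "2016-11-10T08:30:00Z"},
    {"type": "sighting", "id": "sighting--cccc1111-2222-4333-8444-555566667777",
     "sighting_of_ref": "campaign--ffff1111-2222-4333-8444-555566667777",
     "last_seen": "2016-12-01T00:00:00Z"},  # different campaign, ignored
]

if __name__ == "__main__":
    print(effective_last_seen(CAMPAIGN, SIGHTINGS))
```

A consumer that ingests both channels can use the `stale` flag to detect the drift the thread worries about, and fall back to sightings when an object's creator never publishes a revision.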


Allan Thomson --- Re: [cti] Add last_seen to campaign and intrusion set ---

From:"Allan Thomson" <athomson@lookingglasscyber.com>
To:"Jason Keirstead" <Jason.Keirstead@ca.ibm.com>, "Sarah Kelley" <Sarah.Kelley@cisecurity.org>
Cc:cti@lists.oasis-open.org
Date:Thu, Nov 17, 2016 6:02 PM
Subject:Re: [cti] Add last_seen to campaign and intrusion set


A sighting would seem unnecessary given that campaign and intrusion set already have the attributes for first_seen.

 

If we want to remove first_seen from campaign/intrusion_set and solely rely on sighting to convey first_seen/last_seen in a consistent manner for all objects then that might work. But I was proposing a slightly more incremental approach than that.

 

The thought was this.

 

“Campaign by Threat Actor Group XXXX was originally started in Jan 2015 and we last saw the campaign used Aug 2016”.

 

This is useful context. If you don’t know the information or don’t want to have to publish an update then you just state

 

“Campaign by Threat Actor Group XXXX was originally started in Jan 2015”

 

The former adds useful context and the latter provides a little less.

 

This is not a big ask. Just the ability to have some additional context without having to use sighting objects to represent this information.

 

Allan

 

From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Thursday, November 17, 2016 at 2:45 PM
To: Sarah Kelley <Sarah.Kelley@cisecurity.org>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Add last_seen to campaign and intrusion set

 

I am confused on the purpose of this field - Isn't that the purpose of the sighting object?

And furthermore, since no one can update an object except its creator - only they can update this last_seen field. So it will either stay stale forever, *or* they will constantly update their object whenever they see it, *and* submit a sighting? Or... ???

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: Sarah Kelley <Sarah.Kelley@cisecurity.org>
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Date: 11/17/2016 03:03 PM
Subject: Re: [cti] Add last_seen to campaign and intrusion set
Sent by: <cti@lists.oasis-open.org>





I’m mostly ambivalent about adding last_seen.

I can see why it would be good to have, for instance if the last time you saw an intrusion set was 3 years ago, you can possibly assume they’ve moved on. However, my concern would be how would you keep that field up to date? Would it be automatically updated via a sighting? Or would an analyst manually adjust it? Both? Because I can see why an analyst would want to be able to adjust that field, but what happens if they forget? Then it’s suddenly inaccurate, and if you’re basing any analysis on that field it’s now wrong.



Sarah Kelley
Senior Cyber Threat Analyst
Center for Internet Security (CIS)
Integrated Intelligence Center (IIC)
Multi-State Information Sharing and Analysis Center (MS-ISAC)
1-866-787-4722 (7 SOC)
Email: cert@cisecurity.org
www.cisecurity.org
Follow us @CISecurity

From: <cti@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
Date: Tuesday, November 15, 2016 at 6:05 PM
To: "Wunder, John A." <jwunder@mitre.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Add last_seen to campaign and intrusion set


John – thanks for sending this email.

I agree with the proposal to add last_seen and also agree with the definition that last_seen is just the last time this entity was seen.

It does not implicitly or explicitly say that the entity is ‘over’ or ‘stopped operating’.

allan

From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "Wunder, John" <jwunder@mitre.org>
Date: Tuesday, November 15, 2016 at 9:35 AM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] Add last_seen to campaign and intrusion set


All,

One of the suggestions we discussed on the call today was the idea of adding a field “last_seen” to the campaign and intrusion set objects. Those objects currently have a “first_seen” field, which describes the first time activity related to them was observed…the suggestion is of course that you should be able to also describe the last time you saw activity related to that campaign/intrusion set.

One important concern is that we want to make sure the implication is NOT that having a “last_seen” field means the campaign is “over”. The producer would be saying “here’s the last time I saw X”, not “here’s the last time I saw X and I don’t expect to see it again”.

Are there any objections to this, or other considerations that we should think about when defining it? Adding a field this late in the game needs to be done carefully and we want to make sure we don’t add something we shouldn’t. Gary and Sarah, you two in particular have mentioned planned usage of campaign and intrusion set. Do you see any concerns with adding this field? And, I guess, do you see the value in adding it…would it be useful to have?

If we did add “last_seen”, we would also add “last_seen_precision” to capture the precision of the last_seen field per our rules about timestamps.

Thanks,
John

Campaign: https://docs.google.com/document/d/1S5XhY6F5OT599b0OuHtUf8IBzFvNY8RysFHIj93DgsY/edit#heading=h.pcpvfz4ik6d6
Intrusion Set: https://docs.google.com/document/d/1S5XhY6F5OT599b0OuHtUf8IBzFvNY8RysFHIj93DgsY/edit#heading=h.5ol9xlbbnrdn


