OASIS Mailing List Archives (cti list)
Subject: Re: [cti] Add last_seen to campaign and intrusion set


Jason gets my issue in one.

On Nov 18, 2016, at 12:59 PM, Bret Jordan (CS) <Bret_Jordan@symantec.com> wrote:

It is good we are having this discussion now. We should really talk through a full work flow of this issue on the next working call, just to make sure we get this right and we are all on the same page. I am also thinking that we may need to schedule some ad-hoc calls to deal with some of these issues. It feels like we have enough content to discuss that if we wait for Tuesday calls, we will not get through all of them before the end of December.

Bret


From: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Sent: Friday, November 18, 2016 9:54:17 AM
To: Paul Patrick
Cc: Wunder, John A.; Bret Jordan (CS); Allan Thomson; Sarah Kelley; cti@lists.oasis-open.org
Subject: Re: [cti] Add last_seen to campaign and intrusion set
 
I feel like everyone is glossing over the implications of this. It is easy to say "we intended the sighting for third parties, whereas this last_seen is finished intel for the producer" - but the spec is not enforcing this, and I can't see how we could. If we say in the spec that the producer MUST use the last_seen field and that a producer MUST NOT issue sightings for their own Campaign, then this producer no longer has any ability to tie an ObservedData to the campaign anymore - because that is what the sighting does after all, it is communicating not only the time you saw it, but also the evidence for *why* you are saying you saw it.

I actually can not envision how to support this field in a sane way in code, as there is no longer any source of truth as to when the producer actually saw something. As a software implementer, when someone wants to revise their campaign and say they saw it again, I have no idea what I am supposed to do - issue an object update, or a sighting, or do both - and this is a recipe for incompatible implementations, because the person on the receiving end may decide to take the lowest timestamp, or the highest one, or some arbitrarily chosen one, as the interpretation of "the last time this producer saw this campaign".

If we add this "last_seen" field, it is a very bad instance of "two ways to say the same thing", and I am very worried as to what it means for implementers making sane software.

Can we discuss this on a call?
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown 
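The source-of-truth problem Jason describes, shown as an added example that is not from this thread or from the STIX specification: a constructed Campaign carrying the proposed last_seen field sits beside Sighting objects that reference it, and one explicit reconciliation policy (an assumption of this example, not anything STIX mandates) picks the newest claim and flags the producer's own field as stale when the producer's own Sightings outrun it.

```python
"""Reconcile competing 'last seen' claims about one STIX Campaign (added example;
constructed data; field names follow STIX 2.x, the policy itself is an assumption)."""
from datetime import datetime, timezone

def parse_ts(ts: str) -> datetime:
    # STIX timestamps are RFC 3339 in UTC, with optional fractional seconds.
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in ts else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)

def reconcile_last_seen(campaign: dict, sightings: list) -> dict:
    """Collect every 'last seen' claim about `campaign` and apply one policy:
    the effective value is the newest claim from any source, and the producer's
    own last_seen field is flagged stale when a Sighting by that same producer
    is newer than it (the 'updated one but forgot the other' case)."""
    producer = campaign.get("created_by_ref")
    own, others = [], []
    for s in sightings:
        if s.get("type") != "sighting" or s.get("sighting_of_ref") != campaign["id"]:
            continue
        ts = s.get("last_seen") or s.get("first_seen")  # a Sighting may omit last_seen
        if ts is None:
            continue
        (own if s.get("created_by_ref") == producer else others).append(ts)
    field = campaign.get("last_seen")
    claims = [t for t in [field, *own, *others] if t]
    newest_own = max(own, key=parse_ts) if own else None
    return {
        "producer_field": field,
        "producer_sightings": newest_own,
        "third_party_sightings": max(others, key=parse_ts) if others else None,
        "effective_last_seen": max(claims, key=parse_ts) if claims else None,
        "stale_field": bool(field and newest_own and parse_ts(newest_own) > parse_ts(field)),
    }

# Constructed sample objects (IDs are placeholders, not real STIX identifiers).
CAMPAIGN = {
    "type": "campaign", "id": "campaign--sample-0001",
    "created_by_ref": "identity--producer",
    "first_seen": "2015-01-10T00:00:00Z", "last_seen": "2016-08-01T00:00:00Z",
}
SIGHTINGS = [
    # The producer itself later sighted the campaign but never revised the field.
    {"type": "sighting", "id": "sighting--sample-0001", "created_by_ref": "identity--producer",
     "sighting_of_ref": "campaign--sample-0001", "last_seen": "2016-09-05T13:00:00Z"},
    # A third party can only ever speak through a Sighting.
    {"type": "sighting", "id": "sighting--sample-0002", "created_by_ref": "identity--partner",
     "sighting_of_ref": "campaign--sample-0001", "last_seen": "2016-11-17T20:00:00Z"},
    # Unrelated Sighting of another campaign; must be ignored.
    {"type": "sighting", "id": "sighting--sample-0003", "created_by_ref": "identity--partner",
     "sighting_of_ref": "campaign--sample-0002", "first_seen": "2016-12-01T00:00:00Z"},
]
if __name__ == "__main__":
    print(reconcile_last_seen(CAMPAIGN, SIGHTINGS))
```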



From: Paul Patrick <Paul.Patrick@FireEye.com>
To: "Wunder, John A." <jwunder@mitre.org>, "Bret Jordan (CS)" <Bret_Jordan@symantec.com>, Allan Thomson <athomson@lookingglasscyber.com>, Jason Keirstead/CanEast/IBM@IBMCA
Cc: Sarah Kelley <Sarah.Kelley@cisecurity.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Date: 11/18/2016 12:46 PM
Subject: Re: [cti] Add last_seen to campaign and intrusion set
Sent by: <cti@lists.oasis-open.org>




+1 on John’s comments.


Paul Patrick

      From: <cti@lists.oasis-open.org> on behalf of "Wunder, John A." <jwunder@mitre.org>
      Date: Friday, November 18, 2016 at 11:43 AM
      To: "Bret Jordan (CS)" <Bret_Jordan@symantec.com>, Allan Thomson <athomson@lookingglasscyber.com>, Jason Keirstead <Jason.Keirstead@ca.ibm.com>
      Cc: Sarah Kelley <Sarah.Kelley@cisecurity.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
      Subject: Re: [cti] Add last_seen to campaign and intrusion set

      Yeah I’m thinking the same thing here…it still seems like different types of data to me. A sighting is low-level data about what people thought they saw, while the Campaign object itself or the Intrusion Set object itself is more finished intel backed by the producer creating the object. Many orgs will not have the capacity or skillbase to evaluate Sightings coming from many different producers and will just rely on their vendors or more capable partners to tell them stuff…and IMO STIX should support that.

      I know we need to enable the ability for people to “show their work” and provide raw data so that more advanced organizations can do something with it, but I also worry that we’re assuming every org has the skillbase to analyze that data when in reality many do not and just need people to tell them the summaries.

      John

      From: "Bret Jordan (CS)" <Bret_Jordan@symantec.com>
      Date: Friday, November 18, 2016 at 11:33 AM
      To: John Wunder <jwunder@mitre.org>, Allan Thomson <athomson@lookingglasscyber.com>, Jason Keirstead <Jason.Keirstead@ca.ibm.com>
      Cc: Sarah Kelley <Sarah.Kelley@cisecurity.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
      Subject: Re: [cti] Add last_seen to campaign and intrusion set

      Sorry for being late to this discussion. When I first proposed the sighting object, it was not my intent for it to replace the information that exists in other objects. So let's back up a sec:

      1) A piece of intel that is generated by company X may gather the knowledge for that intel from who knows where. They may even infer certain parts based on past analysis. So there may NEVER be a "sighting". It may just be intel. 

      2) Since only the Object Creator can update an object, I thought a Sighting would be a great way for a producer to get feedback about things they produced. Thus the "sighting object" was proposed.

      So in a normal work flow I see people producing content about things, and people responding to that intel in the form of Sightings. Now, a producer may also through like an Incident release a bunch of Sighting objects as well, to certain people, but I do not think that will be the norm. 

      A sighting object in my mind is really saying something different than the content that may exist in other objects. At least that is how I originally proposed it. 

      Bret

      From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Wunder, John A. <jwunder@mitre.org>
      Sent: Thursday, November 17, 2016 6:59:22 PM
      To: Allan Thomson; Jason Keirstead
      Cc: Sarah Kelley; cti@lists.oasis-open.org
      Subject: Re: [cti] Add last_seen to campaign and intrusion set

      I agree with Allan here…though there is a bit of overlap I think there’s sufficient difference to keep both.
          1. A sighting indicates that something is seen, but not that it was *first* seen. So having a campaign with a sighting at 8pm doesn’t mean the campaign was first seen at 8pm…it means it was seen at 8pm. Same for last_seen.
          2. Both campaign and intrusion set are pretty high level analytic objects and I would agree that in general an analyst will be manually setting first_seen (to be honest I had not really imagined the same with last_seen but I can see why some might want to).

      John

      From: <cti@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
      Date: Thursday, November 17, 2016 at 8:24 PM
      To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
      Cc: Sarah Kelley <Sarah.Kelley@cisecurity.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
      Subject: Re: [cti] Add last_seen to campaign and intrusion set

      I would suggest the problem of updating the campaign/intrusion_set object or the sighting object exists regardless of adding the field or not. As first_seen is duplicative of sighting attribute first_seen. So should an implementation create a sighting object each time they create a campaign or intrusion set? Currently the specification does not state one way or another either.

      Your question on whether a ‘user’ updates 1 object or 2 objects is really a product question on whether the product exposes the STIX model directly to the UI or attempts to abstract some of the model in preference to exposing a simpler UI/workflow to the user.

      I would say that what a user sees is a product question not a STIX exchange question.

      So the question should be, “is it easier for a product to be implemented to send 1 object or 2 objects when 1 attribute changes”. 

      I would suggest in this specific case adding the last_seen attribute to campaign/intrusion_set is easier than always requiring sighting to be used for time-based observations of intelligence objects such as campaigns/intrusions_sets….etc.

      But if the community disagrees and we want consistent behavior for when a sighting object is created then we should remove first_seen from campaign/intrusion_set and *always* require sighting to be used for those time elements.

      As previously communicated, I’m not a fan of that approach as it seems extreme but is at least consistent.

      Allan


      From: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
      Date: Thursday, November 17, 2016 at 5:13 PM
      To: Allan Thomson <athomson@lookingglasscyber.com>
      Cc: Sarah Kelley <Sarah.Kelley@cisecurity.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
      Subject: Re: [cti] Add last_seen to campaign and intrusion set

      Right but what happens when that user sees the next instance of that campaign.

      Do they submit a revision and update the last_seen? Or submit a sighting? Or do both? It is two ways to communicate the same thing, that could get misaligned if someone updated one but didn't do the other.
      So as a piece of software, which do you treat as the true "last seen", the sighting data, or the field?

      And meanwhile, other users can *only* say they saw it using sighting, since they can't submit any revisions. So it seems like software would HAVE to treat that as source of truth, no?

      --
      Sent from my mobile device, please excuse any typos.

      From: Allan Thomson
      Date: Thu, Nov 17, 2016 6:02 PM
      Subject: Re: [cti] Add last_seen to campaign and intrusion set



      A sighting would seem unnecessary given that campaign and intrusion set already have the attributes for first_seen. 

      If we want to remove first_seen from campaign/intrusion_set and solely rely on sighting to convey first_seen/last_seen in a consistent manner for all objects then that might work. But I was proposing a slightly more incremental approach than that.

      The thought was this.

      “Campaign by Threat Actor Group XXXX was originally started in Jan 2015 and we last saw the campaign used Aug 2016”.

      This is useful context. If you don’t know the information or don’t want to have to publish an update then you just state

      “Campaign by Threat Actor Group XXXX was originally started in Jan 2015”

      The former adds useful context and the latter provides a little less.

      This is not a big ask. Just the ability to have some additional context without having to use sighting objects to represent this information.

      Allan

      From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
      Date: Thursday, November 17, 2016 at 2:45 PM
      To: Sarah Kelley <Sarah.Kelley@cisecurity.org>
      Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
      Subject: Re: [cti] Add last_seen to campaign and intrusion set

      I am confused on the purpose of this field - Isn't that the purpose of the sighting object?

      And furthermore, since no one can update an object except its creator - only they can update this last_seen field. So it will either stay stale forever, *or* they will constantly update their object whenever they see it, *and* submit a sighting? Or... ???

      -
      Jason Keirstead
      STSM, Product Architect, Security Intelligence, IBM Security Systems
      www.ibm.com/security | www.securityintelligence.com

      Without data, all you are is just another person with an opinion - Unknown 



      From: Sarah Kelley <Sarah.Kelley@cisecurity.org>
      To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
      Date: 11/17/2016 03:03 PM
      Subject: Re: [cti] Add last_seen to campaign and intrusion set
      Sent by: <cti@lists.oasis-open.org>





      I’m mostly ambivalent about adding last_seen. 


      I can see why it would be good to have, for instance if the last time you saw an intrusion set was 3 years ago, you can possibly assume they’ve moved on. However, my concern would be how would you keep that field up to date? Would it be automatically updated via a sighting? Or would an analyst manually adjust it? Both? Because I can see why an analyst would want to be able to adjust that field, but what happens if they forget? Then it’s suddenly inaccurate, and if you’re basing any analysis on that field it’s now wrong.




      Sarah Kelley
      Senior Cyber Threat Analyst
      Center for Internet Security (CIS)
      Integrated Intelligence Center (IIC)
      Multi-State Information Sharing and Analysis Center (MS-ISAC)
      1-866-787-4722 (7 SOC)
      Email: 
      cert@cisecurity.org
      www.cisecurity.org
      Follow us @CISecurity

      From: <cti@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
      Date: Tuesday, November 15, 2016 at 6:05 PM
      To: "Wunder, John A." <jwunder@mitre.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
      Subject: Re: [cti] Add last_seen to campaign and intrusion set

      John – thanks for sending this email.


      I agree with the proposal to add last_seen and also agree with the definition that last_seen is just the last time this entity was seen. 


      It does not implicitly or explicitly say that the entity is ‘over’ or ‘stopped operating’.


      allan


      From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "Wunder, John" <jwunder@mitre.org>
      Date: Tuesday, November 15, 2016 at 9:35 AM
      To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
      Subject: [cti] Add last_seen to campaign and intrusion set

      All,


      One of the suggestions we discussed on the call today was the idea of adding a field “last_seen” to the campaign and intrusion set objects. Those objects currently have a “first_seen” field, which describes the first time activity related to them was observed…the suggestion is of course that you should be able to also describe the last time you saw activity related to that campaign/intrusion set.


      One important concern is that we want to make sure the implication is NOT that having a “last_seen” field means the campaign is “over”. The producer would be saying “here’s the last time I saw X”, not “here’s the last time I saw X and I don’t expect to see it again”.


      Are there any objections to this, or other considerations that we should think about when defining it? Adding a field this late in the game needs to be done carefully and we want to make sure we don’t add something we shouldn’t. Gary and Sarah, you two in particular have mentioned planned usage of campaign and intrusion set. Do you see any concerns with adding this field? And, I guess, do you see the value in adding it…would it be useful to have?


      If we did add “last_seen”, we would also add “last_seen_precision” to capture the precision of the last_seen field per our rules about timestamps.


      Thanks,
      John


      Campaign: 
      https://docs.google.com/document/d/1S5XhY6F5OT599b0OuHtUf8IBzFvNY8RysFHIj93DgsY/edit#heading=h.pcpvfz4ik6d6
      Intrusion Set: 
      https://docs.google.com/document/d/1S5XhY6F5OT599b0OuHtUf8IBzFvNY8RysFHIj93DgsY/edit#heading=h.5ol9xlbbnrdn


