
Subject: Re: [cti] Intel note and opinion


I vote for Option #1, followed by #2. I disagree completely with Option #3, and here is why....

My goal with my Opinion object suggestion

When I created the Opinion object, I simply wanted a way for members of a group to agree or disagree with what one of the other members had asserted. In STIX 1.x and 2.0, there was no real way for people to explicitly disagree with each other.

So I proposed that we add the Opinion object. 

In the normal course of operation, Organisations release SDOs and SROs that represent assertions of what that Organisation believes to be the truth. The Opinion object allows a different Organisation to provide an opinion about the assertions that the original Organisation has made, i.e., it allows public explicit feedback to be given. This is extremely important for two reasons:

1. Many Organisations have limited visibility of disagreements with threat intel. They just see the vendor-produced reports saying things like "this is definitely APT99". They miss the fact that there are often disagreements about the 'right' answer. If we improve the visibility of these disagreements by including them in STIX, we enable recipients to make better judgements.
2. It is up to each recipient/consumer to determine what they believe is the truth. To do this more effectively, and truly understand what the security community thinks, they need to be able to see the disagreements.

An opinion is NOT a vote as some have proposed. A vote implies that it is part of an election, and that there is effectively a mechanism for a 'winner' to be declared within the community. This is absolutely NOT what I envisaged when I suggested this object. A community cannot have an overall winning threat intel answer. Each member of that community has different goals, risk appetites, response abilities and skilled staff. What constitutes a threat is different for each recipient. This in turn means that voting is not an option. 

The Opinion object is simply a way of allowing people to share their opinion, nothing more. Each recipient of that Opinion then needs to determine FOR ITSELF which opinion it will trust, and thereby which assertions it trusts. The recipient Organisations should use this information along with other factors to normalise the threat intel that they receive to ensure that the threat intel feeds are treated in accordance with how much they trust the data within them. By which I mean if the producer thinks its intel is high confidence but the recipient thinks it's actually low confidence, then that translation/scaling should happen within each Organisation's platform.

The Opinion's description field will allow recipients to better understand the reasoning behind the opinion the producer is sharing. A simple 'strongly disagree' won't help them as much, as they won't be able to try to understand the reasoning behind the disagreement. 

How I view the Intel Note
An intel note is exactly that. It's a generic place to put notes when there isn't another place to add them. It is an assertion of some information that doesn't fit into any of the other SDOs. I personally believe it should be renamed to Note, to help show its general nature.


Similar structures don't mean they're similar objects

Combining the objects (Option #3) is completely the wrong direction to go as it assumes that similar fields mean that the objects should be the same.

A Note is an assertion you are making.  An Opinion is an opinion about someone else's assertion. The fact that their structure may be similar DOES NOT make them the same thing.

And lastly....
We need to have a poll to determine which of the three options is supported by the majority of the CTI members rather than continue to go round and round the houses, and move on. We've got a lot of work to do.

Cheers

Terry MacDonald | Chief Product Officer
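
The recipient-side behaviour Terry describes above (an Opinion is feedback on someone else's assertion, a Note is an assertion of its own, and each recipient scales producer confidence by its own trust) can be shown in code. The following Python is an added example, not code from this thread or from the STIX specification. It assumes STIX 2.1-style field names (an `opinion` object carrying an opinion-enum value, an optional `explanation` text and `object_refs`; a `note` object carrying `content` and `object_refs`), a constructed bundle with made-up identifiers, a made-up local trust table, and a purely illustrative weight of 10 confidence points per opinion step.

```python
"""Recipient-side handling of shared Notes and Opinions (Option #1 shape).

Added example, not code from the thread or the STIX spec. Field names follow
STIX 2.1; identifiers, trust values and the step weight are constructed.
"""
from typing import Dict, List

# STIX 2.1 opinion-enum mapped to a signed step count (not a vote tally).
OPINION_SCALE = {
    "strongly-disagree": -2,
    "disagree": -1,
    "neutral": 0,
    "agree": 1,
    "strongly-agree": 2,
}
# Confidence points per opinion step: an assumed local tuning knob, not a spec value.
POINTS_PER_STEP = 10

# Constructed identifiers (the UUID parts are made up).
ORG_A = "identity--1a1f1e2c-9f8b-4c1e-8d7e-000000000001"   # produced the indicator
ORG_B = "identity--1a1f1e2c-9f8b-4c1e-8d7e-000000000002"   # disagrees, with reasoning
ORG_C = "identity--1a1f1e2c-9f8b-4c1e-8d7e-000000000003"   # agrees, no reasoning
ORG_D = "identity--1a1f1e2c-9f8b-4c1e-8d7e-000000000004"   # adds a Note only
IND = "indicator--7f3c2b1a-0d0e-4f5a-9b8c-000000000010"

# Constructed sample bundle.
SAMPLE_OBJECTS: List[dict] = [
    {"type": "indicator", "id": IND, "created_by_ref": ORG_A,
     "name": "Suspected C2 domain", "confidence": 85,
     "pattern": "[domain-name:value = 'c2.example.invalid']",
     "pattern_type": "stix", "valid_from": "2017-04-01T00:00:00Z"},
    {"type": "opinion", "id": "opinion--7f3c2b1a-0d0e-4f5a-9b8c-000000000020",
     "created_by_ref": ORG_B, "opinion": "disagree", "object_refs": [IND],
     "explanation": "Domain was already a sinkhole when this indicator was published."},
    {"type": "opinion", "id": "opinion--7f3c2b1a-0d0e-4f5a-9b8c-000000000021",
     "created_by_ref": ORG_C, "opinion": "agree", "object_refs": [IND]},
    {"type": "note", "id": "note--7f3c2b1a-0d0e-4f5a-9b8c-000000000030",
     "created_by_ref": ORG_D, "object_refs": [IND],
     "content": "Also seen in a commodity phishing kit; not exclusive to APT99."},
]

# The recipient's own view of each producer (0.0 to 1.0). Unknown producers
# default to 0.0, so their assertions and opinions carry no weight here.
LOCAL_TRUST: Dict[str, float] = {ORG_A: 0.6, ORG_B: 0.9, ORG_C: 0.3}


def referencing(objects: List[dict], obj_id: str, obj_type: str) -> List[dict]:
    """Objects of the given type whose object_refs point at obj_id."""
    return [o for o in objects
            if o.get("type") == obj_type and obj_id in o.get("object_refs", [])]


def opinions_on(objects: List[dict], obj_id: str) -> List[dict]:
    return referencing(objects, obj_id, "opinion")


def notes_on(objects: List[dict], obj_id: str) -> List[dict]:
    # Notes are assertions, not feedback: they are listed for the analyst but
    # never fed into the confidence computation below.
    return referencing(objects, obj_id, "note")


def effective_confidence(objects: List[dict], obj_id: str, trust: Dict[str, float]) -> int:
    """Recipient-local confidence for obj_id.

    Producer confidence is scaled by how much the recipient trusts the producer,
    then shifted by each Opinion weighted by trust in the Opinion's author.
    An absent confidence is treated as 50 (an assumed default). Result is clamped to 0..100.
    """
    target = next(o for o in objects if o.get("id") == obj_id)
    base = target.get("confidence", 50) * trust.get(target.get("created_by_ref"), 0.0)
    shift = 0.0
    for op in opinions_on(objects, obj_id):
        value = op.get("opinion")
        if value not in OPINION_SCALE:
            raise ValueError(f"{op.get('id')}: opinion {value!r} is not in opinion-enum")
        shift += trust.get(op.get("created_by_ref"), 0.0) * OPINION_SCALE[value] * POINTS_PER_STEP
    return int(round(min(100.0, max(0.0, base + shift))))


def feedback_report(objects: List[dict], obj_id: str) -> List[dict]:
    """What an analyst sees: who disagreed, how strongly, and their stated reasoning."""
    return [{"author": op.get("created_by_ref"), "opinion": op["opinion"],
             "explanation": op.get("explanation", "")}
            for op in opinions_on(objects, obj_id)]


if __name__ == "__main__":
    print("producer asserts confidence 85; this recipient computes",
          effective_confidence(SAMPLE_OBJECTS, IND, LOCAL_TRUST))
    for row in feedback_report(SAMPLE_OBJECTS, IND):
        print(row)
    print("notes attached (context only, not scored):", len(notes_on(SAMPLE_OBJECTS, IND)))
```

With the constructed trust table the recipient ends up at 45 rather than the producer's 85: 85 scaled by 0.6 gives 51, the well-trusted disagreement removes 9 points and the lightly-trusted agreement adds 3. A different recipient with a different trust table gets a different number from the same objects, which is the point: no community-wide winner is computed, and the Note from ORG_D changes nothing in the score but is surfaced alongside the reasoning in the disagreeing Opinion's explanation.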







On Wed, Apr 12, 2017 at 12:02 PM, Allan Thomson <athomson@lookingglasscyber.com> wrote:

Suggest that in the interests of compromise and moving forward with use cases support that Option 3 below works.


That is, merge the objects (intel-note and opinion) into a single object; make sure there's an attribute that allows easy differentiation between the 2 prime use cases of a) providing intelligence assertions to support other intel OR b) providing feedback to the originator/community on the intel accuracy/value.


Both use cases are supported and *not* conflated with 1 object provided the attributes identify the intent of the object.


allan


From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "Wunder, John" <jwunder@mitre.org>
Date: Monday, April 10, 2017 at 1:30 PM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] Intel note and opinion


Hey everyone,


After a lot of conversation on intel note and opinion, we’ve narrowed down a lot of the questions on these two objects but have one big one remaining. Specifically, with both intel note and opinion existing as separate objects a few people (notably Jason and Bret) have noted that there may be overlap and in fact the objects should be merged into one. The thinking is that giving an opinion is essentially the same as giving extra analysis about something (or is at least handled the same way most of the time) and having two separate objects will be confusing for people. So, here’s how I would outline the questions:


1.      Should opinion and intel note remain separate objects?

a.      Merging them would provide a single object to provide a simple opinion on a scale (agree/disagree), an opinion on a scale with a text explanation (agree and here’s why), and added analysis w/ no opinion scale (here’s extra info about this object).

b.      Separating them would distinguish providing an opinion (agree/disagree) from providing extra analysis

2.      If we go with option b and we have two separate objects, should opinion have an optional description field?

a.      Having a description on opinion keeps all information about the opinion in a single object.

b.      Not having a description on opinion would mean that opinions are just the agree/disagree statements. People would use the intel note object to capture their explanation and therefore all text commentary would be provided by intel note.


It seems like the key thing people are wrestling with is whether there’s a distinction between giving extra analysis or context to something and giving an opinion about something. I.e., when people are doing shared analysis is it important to distinguish me providing an opinion on your object (agree/disagree/neutral) from me adding extra context (human-readable notes) to your data?


So, combining those questions, we have three options:


1.      Opinion and intel note are separate objects, and opinion has a description. To have a text explanation of an opinion, you would use the description field on the opinion object.

2.      Opinion and intel note are separate objects, and opinion does not have a description. To have a text explanation of an opinion, you would use an intel note and link it to the opinion.

3.      Opinion and intel note are merged (likely calling it intel note, since not all of them would be opinions) and you would use that object to describe opinions, opinions w/ descriptions, and added analysis


People can reply with their reasoning and pros/cons, but I’m particularly interested in hearing people who have not chimed in yet. What is your preferred option? Any thoughts on the reasoning?


FYI, here are the latest working versions of intel note and opinion, in Google Docs. These are roughly option #1, based on the recent working call and a poll in Slack.


-          Intel note: https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.74spnst8naxc

-          Opinion: https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.haeazu2sh3sq


My own opinion (sorry I know this pun is getting old) is that giving an opinion is distinct from adding analyst notes or extra context and therefore I prefer #1. My second choice would be #2, because I think #3 results in an ambiguous object that does too many things and can have completely orthogonal sets of fields, which to me is an indication that it really should be two objects.


Thanks,

John
