OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cti message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [cti] Re: [EXT] Re: [cti] Intel note and opinion

Thanks Jane.  Just to be clear, we are not talking about getting rid of any of the functionality that exists in the two objects.  Here is some proposed text that shows how both use cases can easily be done with a single object. 



2.7. Comment

A Comment contains informative text to help explain the context of one or more STIX Objects (SDOs or SROs) or to provide additional analysis or assertions that are not contained in the original object. A Comment can also contain an assessment of the correctness of the information in another STIX Object using the opinion property. This opinion property captures the level of agreement or disagreement using a fixed scale.


For example, an analyst may add a Comment to a Campaign object created by another organization indicating that they've seen posts related to that campaign on a hacker forum. Further, the analyst can also assert an opinion about the object and use their details as collaboration for their opinion.


In another example, an analyst from a consuming organization might say that they "strongly disagree" with a Campaign object and provide an explanation about why. In a more automated workflow, a SOC operator might give an indicator one star (expressing "strongly disagree") because it is a false positive.


Because Comments are typically (though not always) created by human analysts and are comprised of human-oriented text, they contain an additional property to capture the analyst that created the note. This is distinct from the created_by_ref property, which is meant to capture the organization that created the object.


For a Comment, either the description or opinion property MUST be filled in.

Properties

Common Properties

<TODO>

Opinion Specific Properties

name, description, opinion, author, object_refs

Property Name

Type

Description

type (required)

string

The value of this field MUST be comment

name (optional)

string

A name used to identify this Comment as a summary of the note

description (optional)

string

The extra details or comments about an object or the rationale for the opinion. For example, if an opinion of strongly-disagree is given, this can contain an explanation of why the object creator disagrees and what evidence they have for their disagreement.

opinion (optional)

agreement-enum

The opinion that the producer has about the object listed in the object_ref field. This is represented as an enum..

author (optional)

string

The name of the author of this comment (e.g., the analyst that created it). This is often used when communicating or adding data to an object within a group.

object_refs (required)

list of type identifier

The STIX Objects (SDOs and SROs) that the note is being applied to.



From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of JG on CTI-TC <jg@ctin.us>
Sent: Wednesday, April 12, 2017 1:45 PM
To: cti@lists.oasis-open.org
Subject: Re: [cti] Re: [EXT] Re: [cti] Intel note and opinion
 

Bret & All:

One of the problems I'm running into as I delve into data on a TIP is wrapping the IOCs in some sort of context; that is, if the original Producer of the data did not add the background information that is associated with the IOCs.  As a analyst trying to work my way up the pyramid of pain by reverse engineering the malware, analyzing the (probably spoofed) geolocation information, looking for clues in the linkages within the malicious infrastructure, etc... I am often in the dark unless I have that richer context. 

Granted, this is only one of the Use Cases; the one where human analysts are looking at the data.  But in this instance, I find that contextual information is very helpful.  Furthermore, I am working within the context of several ISAOs and ISACs where the level of adoption and sharing-maturity varies all across the board.  It is my sense that the human impediments to the adoption of a "sharing" paradigm is the more difficult problem in this vision of a CTI community.  Therefore, there will be a period whereby a transition from human analyst Use Cases to a pure MRTI ecosystem will be long and painful.  This will be the case throughout the period when vendors are tooling up and products are rolling out.  Even after that, there will be a lag between the vision of those of us here and market adoption. This will be due, in part, to the need to build out the workforce for CTI. 

As such, I think we need to think of the Opinion and Intel Note objects as very important and SEPARATE objects that should be added as soon as possible to the STIX data model. It may be that, in the future, as the entire ecosystem transitions from Use Cases where human analysts are working the data to MRTI Use Cases, we can even depreciate one or the other object.  But, at this time, I strongly support the camp that is calling for two separate objects for Opinion and Intel Note. 

Option #2 is my choice.

Jane Ginn

CTIN


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]