Subject: Re: [cti] Re: [EXT] Re: [cti] [EXT] [cti] Embedded Relationships
- From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- To: Bret Jordan <Bret_Jordan@symantec.com>
- Date: Thu, 4 May 2017 13:26:29 -0300
I am having a hard time wrapping my head around this:

    Revoked -> this relationship was created in error and we want to remove its existence from future consideration

    No longer active -> this relationship was active, is legitimate but we (as source of the reln) have determined that the connection is no longer at time X

Just because something in STIX was revoked *does not* mean it was made in error, so I don't know why we would be assuming this for relationships when we don't for any other object type. In fact we define what revoked means in the spec:

    The revoked property indicates whether the object has been revoked. Revoked objects are no longer considered valid by the object creator.

It doesn't say anywhere that something being revoked means it was "made in error". It just means it is no longer valid. How is "no longer valid" different than "no longer active"??
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security
Without data, all you are is just another person with an opinion - Unknown
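To make the two readings concrete, here is an added example (not from the thread or the STIX specification) that models Bret's SpyEye case in plain Python: STIX 2.0 versioning (same id, later `modified`) with the spec's `revoked` property on one hand, and on the other the "no longer active" proposal expressed as hypothetical `x_first_seen`/`x_last_seen` custom properties, which do not exist in STIX 2.0. All ids are constructed placeholders.

```python
import uuid

def make_relationship(source_ref, target_ref, rel_type, first_seen):
    """Minimal STIX 2.0 Relationship SRO; x_first_seen is a hypothetical custom property."""
    return {"type": "relationship", "id": "relationship--" + str(uuid.uuid4()),
            "created": first_seen, "modified": first_seen, "relationship_type": rel_type,
            "source_ref": source_ref, "target_ref": target_ref, "x_first_seen": first_seen}

def revoke(rel, now):
    """STIX 2.0 revocation: new version (same id, later 'modified') with revoked=true."""
    return {**rel, "modified": now, "revoked": True}

def end_relationship(rel, last_seen, now):
    """'No longer active': new version that stays valid but records when it ended (hypothetical x_last_seen)."""
    return {**rel, "modified": now, "x_last_seen": last_seen}

def latest(versions):
    """Versions share an id; the greatest 'modified' is current. Timestamps are
    same-format UTC strings ('2017-05-03T00:00:00Z'), so string order is time order."""
    return max(versions, key=lambda v: v["modified"])

def holds_at(versions, when):
    """Does the current version assert this connection at time 'when'?
    Revoked: never (consumers discard it). Ended: only up to x_last_seen."""
    v = latest(versions)
    if v.get("revoked") or when < v["x_first_seen"]:
        return False
    last = v.get("x_last_seen")
    return last is None or when <= last

def active_sources(store, target_ref, when):
    """source_refs of every relationship into target_ref that holds at 'when'."""
    by_id = {}
    for v in store:
        by_id.setdefault(v["id"], []).append(v)
    return sorted(latest(vs)["source_ref"] for vs in by_id.values()
                  if latest(vs)["target_ref"] == target_ref and holds_at(vs, when))

# Constructed sample ids (not real STIX data) for Bret's SpyEye example.
SPYEYE = "malware--00000000-0000-4000-8000-000000000001"
RANGE_A = "indicator--00000000-0000-4000-8000-00000000000a"  # stands in for 1.1.1.1/24
RANGE_B = "indicator--00000000-0000-4000-8000-00000000000b"  # stands in for 2.2.2.2/24

def spyeye_store():
    """Range A indicates SpyEye from 1 May; on 3 May it moves to range B, so the
    producer ends relationship 1 (legitimate history kept) and adds relationship 2."""
    r1 = make_relationship(RANGE_A, SPYEYE, "indicates", "2017-05-01T00:00:00Z")
    r2 = make_relationship(RANGE_B, SPYEYE, "indicates", "2017-05-03T00:00:00Z")
    return [r1, end_relationship(r1, "2017-05-03T00:00:00Z", "2017-05-03T12:00:00Z"), r2]
```

Querying `active_sources` on 2 May returns only range A and on 4 May only range B, whereas revoking relationship 1 instead makes `holds_at` false for every date, including the days it was genuinely true.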
From: Bret Jordan <Bret_Jordan@symantec.com>
To: Allan Thomson <athomson@lookingglasscyber.com>, "Piazza, Rich" <rpiazza@mitre.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, "Wunder, John A." <jwunder@mitre.org>
Date: 05/04/2017 01:19 PM
Subject: [cti] Re: [EXT] Re: [cti] [EXT] [cti] Embedded Relationships
Sent by: <cti@lists.oasis-open.org>

So would this be a correct example of this?

Malware SpyEye using IP addresses 1.1.1.1/24. Then SpyEye moves to IP addresses 2.2.2.2/24?

Bret
From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
Sent: Thursday, May 4, 2017 8:00 AM
To: Piazza, Rich; cti@lists.oasis-open.org; Wunder, John A.
Subject: [EXT] Re: [cti] [EXT] [cti] Embedded Relationships

Rich – I’m not suggesting the model keeps the history.

If products want to keep history then that is a product choice not a stix modelling question. Stix is an intelligence sharing data model.

All I’m suggesting is having a date for when a relationship is no longer active so that producers of that information can indicate that specific event/information.

First_seen/last_seen could work for this concept but I know others might have issue with that design. I personally think a single timestamp or first_seen/last_seen would work.

Regards
allan
From: "Piazza, Rich" <rpiazza@mitre.org>
Date: Thursday, May 4, 2017 at 6:34 AM
To: Allan Thomson <athomson@lookingglasscyber.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, "Wunder, John" <jwunder@mitre.org>
Subject: Re: [cti] [EXT] [cti] Embedded Relationships

What Allan is referring to is a lot more complex than first_seen, last_seen.

Let’s say a relationship is true from t1 to t2, then isn’t from t2 to t3, but then is true again after t3? Do we need to keep this “history”? Are these just 3 different versions of this relationship?

With first_seen, last_seen history is unimportant – Something was last seen at t2, but then seen again at t3, we don’t care about t2.
From: <cti@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
Date: Wednesday, May 3, 2017 at 4:55 PM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, John Wunder <jwunder@mitre.org>
Subject: Re: [cti] [EXT] [cti] Embedded Relationships

Yes. It could be.

Allan

On Wed, May 3, 2017 at 1:49 PM -0700, "Wunder, John A." <jwunder@mitre.org> wrote:

Gotcha. I wonder if it’s similar to first_seen and last_seen like we have on campaign.
From: Allan Thomson <athomson@lookingglasscyber.com>
Date: Wednesday, May 3, 2017 at 4:37 PM
To: John Wunder <jwunder@mitre.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] [EXT] [cti] Embedded Relationships

Revoked -> this relationship was created in error and we want to remove its existence from future consideration

No longer active -> this relationship was active, is legitimate but we (as source of the reln) have determined that the connection is no longer at time X

Semantically they are different. I can see why you might think it’s the same but they’re not. At least in my mind. ☺

allan
From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "Wunder, John" <jwunder@mitre.org>
Date: Wednesday, May 3, 2017 at 1:35 PM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] [EXT] [cti] Embedded Relationships

I don’t think I really follow the difference… can you give a couple examples (of no longer valid vs. no longer active)?
From: <cti@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
Date: Wednesday, May 3, 2017 at 4:31 PM
To: John Wunder <jwunder@mitre.org>, Patrick Maroney <pmaroney@wapacklabs.com>
Cc: Terry MacDonald <terry.macdonald@cosive.com>, "Jason Mr. Keirstead" <Jason.Keirstead@ca.ibm.com>, "Bret Jordan (CS)" <Bret_Jordan@symantec.com>, "Reller, Nathan S." <Nathan.Reller@jhuapl.edu>, "Richard.Struse@HQ.DHS.GOV" <Richard.Struse@hq.dhs.gov>, "John-Mark Mr. Gurney" <jmg@newcontext.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] [EXT] [cti] Embedded Relationships

Revoked does not mean ‘no longer active’. It means the data is no longer valid. That’s semantically different.

I think we need a different attribute to represent no longer active.

allan
From: "Wunder, John" <jwunder@mitre.org>
Date: Wednesday, May 3, 2017 at 1:27 PM
To: Allan Thomson <athomson@lookingglasscyber.com>, Patrick Maroney <pmaroney@wapacklabs.com>
Cc: Terry MacDonald <terry.macdonald@cosive.com>, Jason Keirstead <Jason.Keirstead@ca.ibm.com>, Bret Jordan <Bret_Jordan@symantec.com>, "Reller, Nathan S." <Nathan.Reller@jhuapl.edu>, "Struse, Richard" <Richard.Struse@hq.dhs.gov>, John-Mark Gurney <jmg@newcontext.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] [EXT] [cti] Embedded Relationships

Relationships are just a type of STIX Object and so already have a `revoked` property. Is that what we’re talking about here? If so I think we’re already covered.
From: <cti@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
Date: Wednesday, May 3, 2017 at 4:20 PM
To: Patrick Maroney <pmaroney@wapacklabs.com>
Cc: Terry MacDonald <terry.macdonald@cosive.com>, "Jason Mr. Keirstead" <Jason.Keirstead@ca.ibm.com>, "Bret Jordan (CS)" <Bret_Jordan@symantec.com>, "Reller, Nathan S." <Nathan.Reller@jhuapl.edu>, "Richard.Struse@HQ.DHS.GOV" <Richard.Struse@hq.dhs.gov>, "John-Mark Mr. Gurney" <jmg@newcontext.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] [EXT] [cti] Embedded Relationships

Pat – not sure I follow.

All of our CRUD operations/versioning are timestamped based in the current STIX 2.0 spec.

I don’t believe I’m suggesting something that is different from what we already have. Just making sure we follow that design.

Regards
allan
From: Patrick Maroney <pmaroney@wapacklabs.com>
Date: Wednesday, May 3, 2017 at 1:18 PM
To: Allan Thomson <athomson@lookingglasscyber.com>
Cc: Terry MacDonald <terry.macdonald@cosive.com>, Jason Keirstead <Jason.Keirstead@ca.ibm.com>, Bret Jordan <Bret_Jordan@symantec.com>, "Reller, Nathan S." <Nathan.Reller@jhuapl.edu>, "Struse, Richard" <Richard.Struse@hq.dhs.gov>, John-Mark Gurney <jmg@newcontext.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] [EXT] [cti] Embedded Relationships

Re Allan's comments:

    "But the ability to model and represent data changes (CRUD) is important. We just need to agree on how that is done in the STIX model.

    My response to this thread was suggesting we model deletion of relationships with a timestamp of when the reln is no longer active."

Since this topic has surfaced again, I'll throw out the Time Based Versioning Concept again.

Whoa! Whoa! Rocinante*!!! Relax.. We are not attacking this windmill again!!

* Rocinante (Spanish pronunciation: [roθiˈnante]) is Don Quixote's horse in the novel Don Quixote by Miguel de Cervantes. In many ways, Rocinante is not only Don Quixote's horse, but also his double: like Don Quixote, he is awkward, past his prime, and engaged in a task beyond his capacities.

Patrick Maroney
Principal Engineer - Data Science & Analytics
Wapack Labs LLC
(609)841-5104
pmaroney@wapacklabs.com
Public Key: http://pgp.mit.edu/pks/lookup?op=get&search=0x7C810C9769BD29AF