Re: [cti] MISP format <-> STIX 2.0

On May 5, 2017, at 9:44 AM, Wunder, John A. <jwunder@mitre.org> wrote:

Ah, good feedback Paul…does anyone else have a similar namespaced tagging approach?

Maybe we should put a pin in this topic for either 2.1 or 2.2. I’m curious about what the cross-tool usages of the fields are…if it’s just displaying to users or searching on it, jamming it into strings might not be so bad. If there’s automated processing based on specific tags though, obviously that doesn’t work so well. It would probably be useful to take some examples and run them through some sharing scenarios. Or maybe we’ll find out everyone has the same set of “vendor-specific” tags and we literally can just standardize on them.

John

From: Paul Patrick <Paul.Patrick@FireEye.com>
Date: Friday, May 5, 2017 at 9:26 AM
To: John Wunder <jwunder@mitre.org>, OASIS CTI TC Discussion List <cti@lists.oasis-open.org>
Subject: Re: [cti] MISP format <-> STIX 2.0 - Discussions

John,

To your very point and the examples Alexandre used, we’ve had to add a custom property that is a dictionary to hold exactly the kind of things that Alexandre is attempting to do for very similar reasons. “Tagging” is a very common and unfortunately often vendor specific thing, but a reality.
Like Alexandre did, we toyed with the idea of “encoding values” and putting them in labels, but it very unattractive and mixed the semantics defined for the use of labels on a given SDO. We also toyed with the idea of adding a custom property for each “tag”, but that quickly became unworkable.

It too bad we didn’t make labels a dictionary instead of a list of strings.

Paul Patrick

From: <cti@lists.oasis-open.org> on behalf of "Wunder, John A." <jwunder@mitre.org>
Date: Friday, May 5, 2017 at 9:15 AM
To: OASIS CTI TC Discussion List <cti@lists.oasis-open.org>
Subject: Re: [cti] MISP format <-> STIX 2.0 - Discussions

Yeah this is a great writeup.

One thing I would consider as you (and others) are doing this comprehensively is the use of custom properties. Specifically, if there are cases where a generic STIX tool (not coded support for your specific capabilities) just has no hope of doing something intelligent with the data you should probably use custom properties.

As an example, in the taxonomy section you have a label called "osint:source-type=\"blog-post\"". If a generic tool gets that property it’ll probably just display it to the user as it does with other labels…which in this case, kinda makes sense. It’s not ideal because there’s markup in there but it’s at least readable.

OTOH you also suggested putting Machine IDs into labels, which would give a label like "misp:to_ids:true". Would that make sense for a general tool to display to the user? Would the user (who doesn’t know MISP) know what it means? I think the answer is no, so that seems like a good use for custom properties. Just add a generic property to the STIX object called {“x_misp_to_ids”: true}

Here are some specific comments…
Contextual Categories:
I agree that kill chain phases is the right place for this. I also like the idea of the TC somehow publishing a set of known kill chain and phase names so we get better consistency. I don’t think it makes sense as part of the STIX spec itself, but maybe as a non-standards track work product (or, to be honest, just on our docs site would be better than nothing).

Taxonomies:
As I said above I think it makes sense to use labels for this. I’m not sure about having generic machine tags as a standard part of STIX…one of the key features of STIX is to standardize on things, and so we probably just want to consider adding fields specific to the commonly used taxonomies.

That actually already applies to one of your labels…you have “tlp:amber” in there, but in STIX that should really go in data markings. That does mean that you probably need to treat some of your taxonomies different than others.

Machine IDs:
I also don’t really understand this. As I said above, though, the best place to put it is probably custom properties.

Versioning:
I agree about versioning. You should make sure to consider this on both import and export (i.e. if you get a STIX object from another tool that’s revoked, can you handle it correctly and, if you create a STIX object that’s revoked, can you create it correctly).

Events:
Yeah I agree there’s not a great place for this now. CRITS had a similar type capability called “event” that, back in the STIX 1.x days, we aligned to a named package (which is now report) because it was incident seemed excessive. If we add the event object in 2.1 that would work. If you want to do something for 2.0 I would consider either report (I don’t think a generic tool that got a report w/ your collection of data would be confused by it, especially if you set a label to “event-report”) or custom object (aligned to your event proposal for 2.1) as a stopgap.

John

From: <cti@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Friday, May 5, 2017 at 8:49 AM
To: "Alexandre.Dulaunoy@circl.lu" <Alexandre.Dulaunoy@circl.lu>
Cc: OASIS CTI TC Discussion List <cti@lists.oasis-open.org>
Subject: Re: [cti] MISP format <-> STIX 2.0 - Discussions

This is a very good read. These kinds of validations and challenges to our modeling with real-world use cases are critical to make sure we are getting things right...

- Being a MISP novice, can you go into more detail on the "MISP IDS/Machine" field? What is this used to convey?

- From my reading around it, A MISP "event" to me seems like it would be most properly modeled using an Incident object, which was something that was pitched and is in the STIX 2.1 Working Concepts, but has not yet had anyone take it over for refinement to get into STIX 2.1. Maybe MISP would like to take that on?

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security

Without data, all you are is just another person with an opinion - Unknown

From: Alexandre Dulaunoy <Alexandre.Dulaunoy@circl.lu>
To: OASIS CTI TC Discussion List <cti@lists.oasis-open.org>
Date: 05/05/2017 07:29 AM
Subject: [cti] MISP format <-> STIX 2.0 - Discussions
Sent by: <cti@lists.oasis-open.org>

Hi All,

We recently had an extensive discussion within the MISP core team
for the MISP format conversion from/to STIX 2. We pinpointed
some issues and possible remedies (short-cuts?) on the following page:

https://github.com/MISP/MISP/wiki/NotesMISP-STIX2

As discussed with Trey, we would like to share our findings with
the community and are hoping to see whatever our solutions fit the
envisioned STIX 2 standard.

Thank you very much.

Cheers.

--
Alexandre Dulaunoy
CIRCL - Computer Incident Response Center Luxembourg
41, avenue de la gare L-1611 Luxembourg
info@circl.lu - www.circl.lu

---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail. Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

This email and any attachments thereto may contain private, confidential, and/or privileged material for the sole use of the intended recipient. Any review, copying, or distribution of this email (or any attachments thereto) by others is strictly prohibited. If you are not the intended recipient, please contact the sender immediately and permanently delete the original and any copies of this email and any attachments thereto.

cti message