Subject: Re: [EXT] Re: [cti] [EXT] [cti] Location as a Top-Level SDO
- From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- To: Bret Jordan <Bret_Jordan@symantec.com>
- Date: Tue, 13 Jun 2017 08:44:33 -0300
That is not the primary purpose of a location SDO in my mind. The primary purpose of a location SDO is the same reason we make most all other SDOs - so that we can correlate and track events over time against these objects to inform the analysis of the CTI.

If locations are all embedded as properties inside SDOs, it is going to make it much more difficult for an analyst to be able to notice that these 10 otherwise-unrelated things that recently occurred are all originating from the same location, because it will become very difficult to track those kinds of statistics (and many software providers simply won't do it at all, because the spec is not encouraging it).
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security
Without data, all you are is just another person with an opinion - Unknown
From: Bret Jordan <Bret_Jordan@symantec.com>
To: "Wunder, John A." <jwunder@mitre.org>, Patrick Maroney <pmaroney@wapacklabs.com>
Cc: "Jason Mr. Keirstead" <Jason.Keirstead@ca.ibm.com>, "John-Mark Mr. Gurney" <jmg@newcontext.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, "Back, Greg" <gback@mitre.org>, "Nathan.Reller@jhuapl.edu" <Nathan.Reller@jhuapl.edu>
Date: 06/12/2017 06:00 PM
Subject: Re: [EXT] Re: [cti] [EXT] [cti] Location as a Top-Level SDO
The only use-case I have heard for a location SDO is the ability to allow a third party to say they think this threat actor, for example, is also in this other location. To allow for this use case, you would need to either have the location be an SDO or you would need to use a note or opinion object.

I would ask that if location is an SDO, then other properties probably should also be made SDOs.
Bret
From: Wunder, John A. <jwunder@mitre.org>
Sent: Monday, June 12, 2017 2:12:29 PM
To: Patrick Maroney; Bret Jordan
Cc: Jason Mr. Keirstead; John-Mark Mr. Gurney; cti@lists.oasis-open.org;
Back, Greg; Nathan.Reller@jhuapl.edu
Subject: [EXT] Re: [cti] [EXT] [cti] Location as a Top-Level SDO
Yeah, +1 to Pat… we’re a CTI org, let’s not maintain a database of geolocations.

More generally I also agree w/ Allan that this doesn’t really impact the SDO question. Either you:
- Have the library and duplicate it in the embedded types
- Have the library and reference it by UUID (if we generate STIX UUIDs for it)
- Have the library and copy it into the referenced types (if we don’t generate UUIDs for it)

It would be nice to enumerate these types of scenarios and see how we can deal with each of them in each approach. I talked to Allan and I think he has the beginnings of that document started, I’ll get with him to push it to Google docs so we can all look over it.
John
From: <cti@lists.oasis-open.org> on behalf of Patrick Maroney <pmaroney@wapacklabs.com>
Date: Monday, June 12, 2017 at 3:16 PM
To: "Bret Jordan (CS)" <Bret_Jordan@symantec.com>
Cc: "Jason Mr. Keirstead" <Jason.Keirstead@ca.ibm.com>, "John-Mark Mr. Gurney" <jmg@newcontext.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, Greg Back <gback@mitre.org>, "Nathan.Reller@jhuapl.edu" <Nathan.Reller@jhuapl.edu>
Subject: Re: [cti] [EXT] [cti] Location as a Top-Level SDO
My .02: If we're building, publishing, maintaining our own Geo-Location Data, we're doing something wrong. This is one wheel we do not need to re-invent... again just my .02.

Patrick Maroney
Principal Engineer - Data Science & Analytics
Wapack Labs LLC
(609)841-5104
pmaroney@wapacklabs.com
Public Key: http://pgp.mit.edu/pks/lookup?op=get&search=0x7C810C9769BD29AF
On Jun 11, 2017, at 11:58 PM, Bret Jordan <Bret_Jordan@symantec.com> wrote:

So if we were going to do this, we would probably need to build a library of locations by country and regions and publish them as a Committee Note and hope people just use them for locations at the granularity of a country or group of countries.
Bret
From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Sent: Sunday, June 11, 2017 7:35:18 PM
To: jmg@newcontext.com
Cc: Bret Jordan; cti@lists.oasis-open.org; gback@mitre.org; Nathan.Reller@jhuapl.edu
Subject: Re: [cti] Re: [EXT] [cti] Location as a Top-Level SDO
You are assuming that we don't create a repository of "standard" location SDOs for things like continent and country names - i.e. the things that people would want to share in the first place. Which, I don't see why we would not do this, seeing how we're doing it for things like CAPEC.
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security
Without data, all you are is just another person with an opinion - Unknown
----- Original message -----
From: John-Mark Gurney <jmg@newcontext.com>
Sent by: <cti@lists.oasis-open.org>
To: "Back, Greg" <gback@mitre.org>
Cc: Bret Jordan <Bret_Jordan@symantec.com>,
"Reller, Nathan S." <Nathan.Reller@jhuapl.edu>,
"cti@lists.oasis-open.org"
<cti@lists.oasis-open.org>
Subject: Re: [cti] Re: [EXT] [cti] Location as a Top-Level SDO
Date: Fri, Jun 9, 2017 8:36 PM
Back, Greg wrote this message on Fri, Jun 09, 2017 at 20:18 +0000:
> If Location is an SDO, does that make it possible to “move” another
> object by versioning the Location object? That seems like a bad idea. Especially
> if you effectively “move” other, unrelated objects that also refer to
> the same Location. Even if we did make Location a TLO, we would have to
> mandate that people update the “_ref” fields to move an SDO, not the
> Location itself.
>
> (I haven’t made up my mind on whether I like the Location SDO in
> general, just pointing out one consideration).

Interesting point. Which effectively means that if you create a relationship to a location, that location should be one you own, not one that was created by someone else (unless you can trust the creator not to do what you just described)...

This means that by definition, there will be many Location SDOs for the same location to prevent this from happening...
--
John-Mark
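The two design concerns running through this thread are Jason Keirstead's correlation use case (spot otherwise-unrelated objects that share a location) and Greg Back's versioning hazard (re-versioning a shared Location object silently "moves" everything that references it, so moves should be made by updating the referencing object's `_ref` instead). The following is an added example, not code from the thread or from any STIX implementation. It models a small STIX-2-style object store with the usual same-id/newest-`modified` versioning rule; the `location_ref` and `country` properties, the object ids and the timestamps are constructed for the example and are not spec text.

```python
"""Added example: Location as a referenced top-level object, showing the
correlation benefit and the 'move by versioning' hazard discussed on the list.
All objects, ids, timestamps and the location_ref/country properties are
constructed assumptions, not real intel or normative STIX property names."""
from collections import defaultdict
from typing import Dict, List

T0, T1, T2 = ("2017-06-09T00:00:00.000Z",
              "2017-06-10T00:00:00.000Z",
              "2017-06-11T00:00:00.000Z")

# Two constructed location objects (hypothetical 'country' property).
LOC_A = {"type": "location", "id": "location--00000000-0000-4000-8000-000000000001",
         "created": T0, "modified": T0, "country": "AQ"}
LOC_B = {"type": "location", "id": "location--00000000-0000-4000-8000-000000000002",
         "created": T0, "modified": T0, "country": "GL"}


def actor(n: int, loc_id: str) -> dict:
    """Constructed threat-actor pointing at a location via a hypothetical _ref."""
    return {"type": "threat-actor",
            "id": f"threat-actor--00000000-0000-4000-8000-0000000000{n:02d}",
            "created": T0, "modified": T0, "name": f"actor-{n}",
            "location_ref": loc_id}


# Three actors share LOC_A; one sits in LOC_B.
ACTORS = [actor(n, LOC_A["id"]) for n in range(1, 4)] + [actor(4, LOC_B["id"])]


def build_store(objs) -> Dict[str, List[dict]]:
    """Object store keyed by id; every version of an id is kept, STIX-style."""
    store: Dict[str, List[dict]] = defaultdict(list)
    for o in objs:
        store[o["id"]].append(o)
    return store


def latest(store, obj_id: str) -> dict:
    """STIX versioning rule: same id, the newest 'modified' timestamp wins."""
    return max(store[obj_id], key=lambda o: o["modified"])


def resolve_country(store, obj_id: str) -> str:
    """Follow the _ref to the *current* version of the referenced location."""
    return latest(store, latest(store, obj_id)["location_ref"])["country"]


def version_location(store, loc_id: str, ts: str, **changes) -> None:
    """Publish a new version of an existing location (same id, later modified).
    This is the operation Greg Back warns about: every object pointing at
    loc_id 'moves' with it without itself being touched."""
    store[loc_id].append(dict(latest(store, loc_id), modified=ts, **changes))


def move_object(store, obj_id: str, new_loc_id: str, ts: str) -> None:
    """The alternative the thread recommends: version the *referencing* object
    and point its _ref at a different location; other objects are unaffected."""
    store[obj_id].append(dict(latest(store, obj_id), modified=ts,
                              location_ref=new_loc_id))


def group_by_location(store) -> Dict[str, List[str]]:
    """Jason Keirstead's use case: with a shared location object, 'which
    objects originate from the same place' is a plain group-by on the _ref."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for obj_id in list(store):
        cur = latest(store, obj_id)
        if "location_ref" in cur:
            groups[cur["location_ref"]].append(obj_id)
    return dict(groups)


def demo():
    """Returns (countries before, after hazardous re-version, after safe move,
    correlation groups after the safe move)."""
    store = build_store([LOC_A, LOC_B] + ACTORS)
    before = [resolve_country(store, a["id"]) for a in ACTORS]

    # Hazard: re-versioning LOC_A relocates actors 1..3 although none changed.
    version_location(store, LOC_A["id"], T1, country="GL")
    after_hazard = [resolve_country(store, a["id"]) for a in ACTORS]

    # Safe move on a fresh store: only actor-1 changes, LOC_A is left alone.
    store = build_store([LOC_A, LOC_B] + ACTORS)
    move_object(store, ACTORS[0]["id"], LOC_B["id"], T2)
    after_move = [resolve_country(store, a["id"]) for a in ACTORS]
    return before, after_hazard, after_move, group_by_location(store)


if __name__ == "__main__":
    for label, value in zip(("before", "after hazard", "after move", "groups"), demo()):
        print(f"{label}: {value}")
```

The hazard is exactly the consumer-side behaviour John-Mark draws a conclusion from: `resolve_country` trusts whoever is allowed to publish new versions of the location id, so a consumer that does not own that object (or cannot trust its creator) has no way to prevent the "move". Deduplicating to one shared location id is what makes `group_by_location` useful, so the two concerns pull in opposite directions, which is the trade-off the thread is weighing.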
---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail. Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php