Subject: Re: [EXT] Re: [cti] Roadmap discussion and update
The report object in STIX was designed to mimic a finished PDF report that an org sends out. What MISP is asking for is more like a mix of bundle and report??? A collection of things that might be related with some sort of confidence, right? So I do not think report would work well here. A report has no concept of confidence on the relationships, since they are embedded relationships (once again, because this was designed to be finished intel).
To me it seems like we could easily solve the MISP requirement by making a very small and very light-weight object that just had the generic related-to relationships. And you could relate anything to this "thing". Maybe there are a few meta-data fields on it. Using report would mean we would need to probably go back and allow external entities to add data to a report, which is something that we said we were not going to do. A report is someone's finished intel and no one should be able to add more data to it.
Can we just create something small for MISP?
Bret

From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Wunder, John A. <jwunder@mitre.org>
Sent: Thursday, August 10, 2017 7:19:41 AM
To: Andras Iklody; jg; Sarah.Kelley@cisecurity.org; cti@lists.oasis-open.org
Subject: [EXT] Re: [cti] Roadmap discussion and update

FWIW I think a MISP Event is much more similar to a Report than to what we’re currently talking about as Event. They aren’t necessarily related to the IR or SOC process at all… the example on the MISP website is a bunch of collected intelligence about a RAT (https://www.circl.lu/services/misp-malware-information-sharing-platform/). So IMO the path forward is to figure out some solution other than Event, regardless of the timeline on Event. I just worry that even if Event were in it would not meet your use cases or, if it did, the definition would be very broad (either an Incident or a SOC event or some collection of intelligence). Maybe it’s a new “Collection” object that’s a clone of report but with the assumption that it will evolve over time, idk.

John

From: <cti@lists.oasis-open.org> on behalf of Andras Iklody <andras.iklody@circl.lu>

Jane, we've been trying to do just that, we've pointed our issues out back in May and linked to our wiki regarding deficiencies that we face with STIX 2.x when it comes to integration (https://github.com/MISP/MISP/wiki/NotesMISP-STIX2#how-to-represent-a-misp-event-in-stix-2), to which we were advised to come with a simple proposal to remedy the issues (which we did here: https://www.misp.software/Eventproposal-STIX2.1-1.pdf). After discussions stemming from the above proposal, we were told that an alternate solution could be to enhance the report object with some of the missing meta-data fields that we need (in addition to clarifying that despite its current interpretation, reports don't have to be final published reports, but could be general containers for threat intel information, similarly to the intent in STIX 1.2). A simple publish boolean flag on the report object would go a long way for us as a stop-gap solution for now to at least get started (as described here: https://www.misp.software/STIX2.1Reportproposal.pdf). However, this idea was shot down. So at the moment we're not really sure how we're left in limbo, eagerly awaiting a generic event SDO to finally be released. Seeing this crucial missing piece of the puzzle being pushed back is a massive disappointment for us.

Best regards,
Andras

On 10. aug. 2017 14:43, jg wrote:
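The distinction Bret draws in the thread (a Report links objects through its embedded object_refs, which carry no per-link confidence, whereas Relationship objects are first-class and can each state their own confidence) can be checked mechanically on a bundle. The Python below is an added example written for this page, not code from MISP, OASIS or any of the thread's authors. It uses plain dictionaries rather than the stix2 library so it runs offline; the objects, names and UUIDs are constructed sample data; and the `confidence` property is assumed to follow the STIX 2.1 common property (an integer from 0 to 100), which the thread, written in the STIX 2.0 era, did not yet have.

```python
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample identifiers (UUIDs are made up for this example).
INDICATOR_ID = "indicator--a1b2c3d4-0000-4000-8000-000000000001"
MALWARE_ID = "malware--a1b2c3d4-0000-4000-8000-000000000002"
REPORT_ID = "report--a1b2c3d4-0000-4000-8000-000000000003"
REL_ID = "relationship--a1b2c3d4-0000-4000-8000-000000000004"
MISSING_ID = "identity--a1b2c3d4-0000-4000-8000-0000000000ff"  # deliberately absent

# Constructed sample bundle: one indicator, one malware object, a Report that
# embeds refs to both (plus one dangling ref), and one Relationship SRO.
SAMPLE_BUNDLE: Dict[str, Any] = {
    "type": "bundle",
    "id": "bundle--a1b2c3d4-0000-4000-8000-000000000000",
    "objects": [
        {"type": "indicator", "id": INDICATOR_ID,
         "name": "C2 domain (constructed sample)",
         "pattern": "[domain-name:value = 'c2.example.test']",
         "pattern_type": "stix", "valid_from": "2017-08-10T00:00:00Z"},
        {"type": "malware", "id": MALWARE_ID,
         "name": "SampleRAT (constructed sample)", "is_family": True},
        # Report: links live in object_refs, so a link has nowhere to carry
        # its own confidence; the Report asserts the set as a whole.
        {"type": "report", "id": REPORT_ID, "name": "Finished RAT write-up",
         "published": "2017-08-10T00:00:00Z",
         "object_refs": [INDICATOR_ID, MALWARE_ID, MISSING_ID]},
        # Relationship: a first-class object, so it can carry confidence
        # (assumed STIX 2.1 common property, 0-100).
        {"type": "relationship", "id": REL_ID, "relationship_type": "indicates",
         "source_ref": INDICATOR_ID, "target_ref": MALWARE_ID, "confidence": 60},
    ],
}


def index_objects(bundle: Dict[str, Any]) -> Dict[str, Dict[str, Any]]:
    """Map every object id in the bundle to its object."""
    return {obj["id"]: obj for obj in bundle.get("objects", [])}


def embedded_links(bundle: Dict[str, Any]) -> List[Tuple[str, str, None]]:
    """Links expressed via Report.object_refs as (report_id, ref, None).
    The trailing None is deliberate: an embedded ref has no confidence field."""
    links: List[Tuple[str, str, None]] = []
    for obj in bundle.get("objects", []):
        if obj.get("type") == "report":
            for ref in obj.get("object_refs", []):
                links.append((obj["id"], ref, None))
    return links


def relationship_links(
    bundle: Dict[str, Any],
) -> List[Tuple[str, str, Optional[str], Optional[int]]]:
    """Links expressed as Relationship SROs as
    (source_ref, target_ref, relationship_type, confidence-or-None)."""
    links = []
    for obj in bundle.get("objects", []):
        if obj.get("type") == "relationship":
            links.append((obj["source_ref"], obj["target_ref"],
                          obj.get("relationship_type"), obj.get("confidence")))
    return links


def dangling_refs(bundle: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Refs from Reports and Relationships that do not resolve inside the
    bundle, as (referring_object_id, unresolved_ref). A consumer cannot
    evaluate a Report whose refs point at objects it never received."""
    known = index_objects(bundle)
    missing: List[Tuple[str, str]] = []
    for report_id, ref, _ in embedded_links(bundle):
        if ref not in known:
            missing.append((report_id, ref))
    for obj in bundle.get("objects", []):
        if obj.get("type") == "relationship":
            for key in ("source_ref", "target_ref"):
                if obj[key] not in known:
                    missing.append((obj["id"], obj[key]))
    return missing


def links_with_confidence(bundle: Dict[str, Any]):
    """Only links that carry a confidence value: never the embedded ones."""
    return [link for link in relationship_links(bundle) if link[3] is not None]


if __name__ == "__main__":
    print("embedded (no confidence):", embedded_links(SAMPLE_BUNDLE))
    print("relationships:", relationship_links(SAMPLE_BUNDLE))
    print("dangling refs:", dangling_refs(SAMPLE_BUNDLE))
```

Run against a real bundle, `dangling_refs` is the check a receiving platform would want before trusting a Report's object_refs, and `links_with_confidence` makes visible that any per-link confidence has to come from Relationship objects, which is the gap Bret's proposed light-weight "related-to" container would fill.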