RE: [cti] RE: [Non-DoD Source] Re: [cti] Working call agenda 10/30/28

["Jason Keirstead" <Jason.Keirstead@ca.ibm.com>]

I don't know what 'medusa' is... but this
option as Rich has proposed below is actually for the most part backwards
compatible with STIX 2.0. The code only needs to look at the relationship
mechanics to determine if it should reach inside the observable to an atomic
element or not.

-
Jason Keirstead
Lead Architect - IBM Security Connect
www.ibm.com/security

"Things may come to those who wait, but only the things left by those
who hustle." - Unknown 




From:      
 "Mates, Jeffrey
CIV DC3/TSD" <Jeffrey.Mates@dc3.mil>
To:      
 Jason Keirstead <Jason.Keirstead@ca.ibm.com>,
"Piazza, Rich" <rpiazza@mitre.org>
Cc:      
 "cti@lists.oasis-open.org"
<cti@lists.oasis-open.org>, Sean Barnum <sean.barnum@FireEye.com>,
"Kelley, Sarah E." <skelley@mitre.org>
Date:      
 10/31/2018 11:32 AM
Subject:    
   RE: [cti] RE:
[Non-DoD Source] Re: [cti] Working call agenda 10/30/28

---

This is a variant of the
medusa option, which was shot down at the face to face because it wasnât
a full fix and still broke a fair bit of stuff.
 
Jeffrey Mates, Civ DC3/TSD
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Computer Scientist
Defense Cyber Crime Institute
jeffrey.mates@dc3.mil
410-694-4335
 
From: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Sent: Wednesday, October 31, 2018 10:23 AM
To: Piazza, Rich <rpiazza@mitre.org>
Cc: cti@lists.oasis-open.org; Mates, Jeffrey CIV DC3/TSD <Jeffrey.Mates@dc3.mil>;
Sean Barnum <sean.barnum@FireEye.com>; Kelley, Sarah E. <skelley@mitre.org>
Subject: Re: [cti] RE: [Non-DoD Source] Re: [cti] Working call agenda
10/30/28
 
All active links contained in this
email were disabled. Please verify the identity of the sender, and confirm
the authenticity of all links contained within the message prior to copying
and pasting the address to a Web browser.

---

I could get behind this idea, or some variantof it. It is a variant of
what John Wunder proposed at the F2F.

-
Jason Keirstead
Lead Architect - IBM.Security
Caution-www.ibm.com/security

"Things may come to those who wait, but only the things left by thosewho
hustle." - Unknown 




From:       "Piazza,
Rich"<rpiazza@mitre.org>
To:       Jason Keirstead
<Jason.Keirstead@ca.ibm.com>,"Mates, Jeffrey CIV DC3/TSD"
<Jeffrey.Mates@dc3.mil>
Cc:       "cti@lists.oasis-open.org"<cti@lists.oasis-open.org>,
Sean Barnum <sean.barnum@FireEye.com>,"Kelley, Sarah E."
<skelley@mitre.org>
Date:       10/31/2018
11:15 AM
Subject:       Re: [cti]
RE:[Non-DoD Source] Re: [cti] Working call agenda 10/30/28

---

I have a compromise suggestion â and asa compromise â Iâm sure no one
will like it, but here goes.
 
As I looked at the various examples thatSean and John came up with, I was
struck on how similar they really were. As Sean said, the semantics is
basically the same.  It seems to bethere are two main issues here:

• Should we change observed_data in a minorrelease?
• How can we have relationships between SDOsand simple cyber observables

Here is the idea:
Letâs extend the idea of an identifierto allow references to individual
cyber observables within an observed_data.
Use the key in observed_data to refer toan individual cyber observable.
 
               observed_data-3f708258-8c84-4b31-acd9-ff479618f88c.0
 
For instance:

{
	"type":"bundle",
	"id":"bundle--44af6c39-c09b-49c5-9de2-394224b04982",
	"objects":[
	{
	"type":"observed_data",
	"id":"observed_data-3f708258-8c84-4b31-acd9-ff479618f88c",
	"objects": {       "0":{
	"value":"joebob@example.com",          "type":"email-addr"       }
	}
	"spec_version":"2.1",
	"created":"2018-04-16T20:03:48.000Z",
	"modified":"2018-04-16T20:03:48.000Z",
	},
	{
	"type":"threat-actor",
	"id":"threat-actor--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
	"spec_version":"2.1",
	"created":"2016-04-06T20:03:48.000Z",
	"modified":"2016-04-06T20:03:48.000Z",
	"name":"Evil Org"
	},
	{
	"type":"relationship",
	"id":"relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a",
	"spec_version":"2.1",
	"created":"2015-07-01T00:00:00.000Z",
	"modified":"2016-07-01T00:00:00.000Z",
	"source_ref":"threat-actor--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
	"target_ref":"observed_data-3f708258-8c84-4b31-acd9-ff479618f88c.0",
	"relationship_type":"uses",
	"start_time":"2015-07-01T00:00:00.000000Z",
	"stop_time":"2016-07-01T00:00:00.000000Z"
	}
	]
	}

I can see some problems with this approachimmediately, like how do we deal with the refs to other cyber observablesin the same observed-data.
But I see this as solving the relationshipissue, without really changing observed_data.  Maybe someone can improveupon the basic idea.

              Rich P.

From: <cti@lists.oasis-open.org>on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Wednesday, October 31, 2018 at 9:44 AM
To: "Mates, Jeffrey CIV DC3/TSD" <Jeffrey.Mates@dc3.mil>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>,Sean Barnum <sean.barnum@FireEye.com>, "Kelley, Sarah E."<skelley@mitre.org>
Subject: Re: [cti] RE: [Non-DoD Source] Re: [cti] Working call agenda10/30/28

Jeff the problem is not re-using objectsinternally in a single server.

It is the problem of re-using objects across the entire ecosystem of thousandsof tools and hundreds of thousands of instances of said tools. That isnot something that will be able to realistically occur with this model.


-
Jason Keirstead
Lead Architect - IBM.Security
Caution-www.ibm.com/security

"Things may come to those who wait, but only the things left by thosewho hustle." - Unknown




From:        "Mates,Jeffrey CIV DC3/TSD" <Jeffrey.Mates@dc3.mil>
To:        Jason Keirstead<Jason.Keirstead@ca.ibm.com>, Sean Barnum <sean.barnum@FireEye.com>
Cc:        "cti@lists.oasis-open.org"<cti@lists.oasis-open.org>, "Kelley, Sarah E." <skelley@mitre.org>
Date:        10/31/201810:39 AM
Subject:        [cti]RE: [Non-DoD Source] Re: [cti] Working call agenda 10/30/28
Sent by:        <cti@lists.oasis-open.org>

---

My concern is that the current approach does nothing to even allow producersto
attempt to minimize duplication of static factual entries.  Everytime
I want to say I saw an IP address right now I need to create bothan observed
data for it and a sighting.  If I want to say that thisIP resolved
to an FQDN I need another observed that contains it and theFQDN.  If
I want to say that the FQDN was part of someoneâs infrastructureI need
YET another copy of that FQDN to make that relationship.

With this at the very least I can keep referencing the same IP and FQDNif
I choose to do so.  In most cases systems wonât bother doing thisoutside
of a single STIX message unless theyâre configured as a TAXIIserver as
well.

If you do have a TAXII server then itâs vital to be able to re-use asmany
STIX objects as possible.  Otherwise asking for them by ID andlooking
up references to them is meaningless.

Jeffrey Mates, Civ DC3/TSD
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Computer Scientist
Defense Cyber Crime Institute
jeffrey.mates@dc3.mil
410-694-4335

From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> OnBehalf
Of Jason Keirstead
Sent: Wednesday, October 31, 2018 8:15 AM
To: Sean Barnum <sean.barnum@FireEye.com>
Cc: cti@lists.oasis-open.org; Kelley, Sarah E. <skelley@mitre.org>
Subject: [Non-DoD Source] Re: [cti] Working call agenda 10/30/28

All active links contained in this email were disabled. Please verify theidentity
of the sender, and confirm the authenticity of all links containedwithin
the message prior to copying and pasting the address to a Web browser.

---

What I see missing from this proposal is how we are going to avoid theproliferation
of thousands / millions of duplicate entries for static,factual objects
such as IPs, URLs, Hosts, and file hashes in the CTI ecosystemif we go
down this path.

How many instances of "8.8.8.8" or will there be in the wildthat
a CTI repository will have to store to maintain this graph? Tens ofthousands?
Millions? Every time a new data source wants to link an observationto an
IP they will have a new UUID.. its not like they will very oftenbe able
to refer to an existing one, as there is no "global repositoryof STIX
objects" that exists anywhere. 

We will have so, so much duplication. The number of top level objects thathave
to be tracked among all third parties will explode exponentially.

I am fully aware that internally some software has to do some things likethis
anyway for certain analytical use cases - our own teams do this. Thatis
not the point. The purpose of STIX is not to emulate a graph database.If
it was, we could all just switch to Gremlin.

-
Jason Keirstead
Lead Architect - IBM.Security
Caution-Caution-www.ibm.com/security<Caution-Caution-www.ibm.com/security
> 

"Things may come to those who wait, but only the things left by thosewho
hustle." - Unknown 




From:        SeanBarnum
<sean.barnum@FireEye.com>
To:        Jason Keirstead<Jason.Keirstead@ca.ibm.com>
Cc:        "cti@lists.oasis-open.org"<cti@lists.oasis-open.org>,
"Kelley, Sarah E." <skelley@mitre.org>
Date:        10/30/201802:38
PM
Subject:        Re:[cti]
Working call agenda 10/30/28
Sent by:        <cti@lists.oasis-open.org>

---

I would realistically and truthfully argue that âtheproposal
as submitted does not contain a very large number of significantbreaking
changes to the spec.â
There are 5 substantive changes.

1. Observables keep their same typestructure but are now TLOs
   • Semantically the same thing (a file isstill a file, a domain-name is still a domain-name, etc)
2. Observed-data.objects now containsreferences to the observable objects rather than defining them inline
   • Semantically the same thing (observationsstill specify the observables they observed)
3. Observed-data.objects can now containreferences to relationships
   • Semantically the same thing (the relationshipswere already there as properties on the observable objects)
4. Inter-Observable relationshipscurrently expressed as properties on source object are broken out intoRelationships
   • Semantically the same thing
   • Is needed anyway for numerous reasons
5. Extensions are possible on allSTIX objects

• NO change in overall semantics (each typeof object still represents the same thing) just in how they are structured
• NO substantive change to any STIX Objectsother than observed-data
• NO substantive changes to any ObservableObject types except breaking out relationship properties that should berelationships

I
would argue thatthis is nowhere close to âan order of magnitude larger
than the totalcombined changes we have done thus far in 2.1 specâ.

I used the term FUD in its literal sense âfear, uncertainty and doubtâ.During
the F2F, you expressed your fear, uncertainty and doubt by makingthe assertion
that Option1 would require âmassiveâ change to the specificationsand
that the  months of effort it would take to do that made it anon-starter
to even consider Option1. This was not âsimply stating thefactsâ. This
was an assertion of an opinion without any factual evidencein support.
I was doubtful of this assertion but did not feel it wouldbe appropriate
to argue strongly against it without having actual evidencerather than
just words to throw around. That is why I took the time toreview and revise
the STIX specs for Option1. In the end, I believe thereferenced modded
specifications demonstrate that Option1 does NOT representâmassiveâ change
to the specifications (in fact it proved out to be evenmuch less than I
anticipated) and did NOT take months to do (I did it alonein a few days
time).

This concrete evidence-based approach is also the approach we all agreedto
take in evaluating the technical issues involved in supporting requisiteSTIX
use cases. 
I would assert that the evidence presented at the technical level alsoclearly
demonstrates the need for change and that Option1 is the only optionon
the table that supports the needed change.

Obviously, we can disagree on what is a minor vs major release.
I would suggest that the limited and localized nature of substantive changesrepresented
in this proposal clearly would be allowable in a 2.1 or 2.2release.

Sean Barnum
Principal Architect
FireEye
M: 703.473.8262
E: sean.barnum@fireeye.com

From: <cti@lists.oasis-open.org> on behalf of Jason Keirstead<Jason.Keirstead@ca.ibm.com>
Date: Tuesday, October 30, 2018 at 12:32 PM
To: Sean Barnum <sean.barnum@FireEye.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>,"Kelley,
Sarah E." <skelley@mitre.org>
Subject: Re: [cti] Working call agenda 10/30/28

Sean - I don't think anyone could realistically argue that the proposalas
submitted does not contain a very large number of significant breakingchanges
to the spec. Said changes are an order of magnitude larger thanthe total
combined changes we have done thus far in 2.1 spec... I wouldhardly call
it "FUD", it is simply stating the facts.

One thing that has yet to be discussed in the TC is the scope to whicha
changeset can even be considered for a minor vs. a major release. 

I would argue that this changeset and the breakages within are substantialenough
that it should only be being discussed in the scope of a major change(STIX
3.0).

-
Jason Keirstead
Lead Architect - IBM.Security
Caution-Caution-www.ibm.com/security<Caution-Caution-www.ibm.com/security
> 

"Things may come to those who wait, but only the things left by thosewho
hustle." - Unknown 




From:        SeanBarnum
<sean.barnum@FireEye.com>
To:        "Kelley,Sarah
E." <skelley@mitre.org>, "cti@lists.oasis-open.org"<cti@lists.oasis-open.org>
Date:        10/30/201812:33
PM
Subject:        Re:[cti]
Working call agenda 10/30/28
Sent by:        <cti@lists.oasis-open.org>

---

All,

At the F2F there was a lot of conversation around WHY Option1 may be needed,identifying
and discussing numerous use case scenarios and leading to afairly strong
majority consensus (9-5 of attendees I believe) in favor.To further demonstrate
what was discussed in a fact-based manner and tohelp other TC members who
did not attend the F2F, it was decided to listout a list of some use case
scenarios for use cases that STIX should/must(some would argue should while
some would argue must) support and thenprovide actual JSON examples of
how that Use Case would be supported withOption1 and how it would be supported
with Option7 (which is mostly statusquo with a couple very minor changes).
It was recognized by all that thelist would not be complete but would at
least give us something concreteto think about and discuss.
That list is located here: Caution-Caution-https://docs.google.com/document/d/1puPuKVWNSelrWH05yu9It99OuqQGdYo_Et0nmZKAZz8/edit#<Caution-Caution-https://docs.google.com/document/d/1puPuKVWNSelrWH05yu9It99OuqQGdYo_Et0nmZKAZz8/edit>
It contains links to some submitted Option1 and Option7 examples that claimto
demonstrate support for the use cases.

As very strong proponents of Option1 (proven out operationally across FireEyeevery
day), FireEye submitted Option1 examples for almost all of the usecases
on the list. The 3 out of 20 that we did not provide examples forwere due
to ambiguities in the use case characterizations rather than anyinability
of Option1 to cover them.
In addition, we are in the process of writing up a brief rationale/justificationfor
Option1 but it is not yet ready to share prior to todayâs call.

Beyond the question of which option is needed technically there was alsodiscussion
of FUD around what level of change/impact would be requiredon the STIX
specifications with at least one party expressing worry thatthe change
could be massive and take months to do.

In an attempt to determine if the FUD about massive specification changewas
justified or not we also performed a quick review/revision pass throughall
5 parts of the STIX 2.1 working draft specs making appropriate modificationsto
implement Option1. There still is some editorial cleanup required beyondour
suggested changes but we believe our suggested changes fully coverthe substantive
changes required for Option1. We were pleasantly surprisedat the minimal
level of impact and the fact that I was able to completethe review and
suggested revision in only a few days time. 
You can find a very brief summarization of the proposal and the changesit
involves at a high-level and at a spec level as well as links to themodified
specs here: Caution-Caution-https://docs.google.com/document/d/1j0gXMp3MFLzHCrudfbDn5NeZSUeBCc8EBsvPsP1epOg/edit?usp=sharing<Caution-Caution-https://docs.google.com/document/d/1j0gXMp3MFLzHCrudfbDn5NeZSUeBCc8EBsvPsP1epOg/edit?usp=sharing>

That link should give you all permissions to not only read but also provideany
comments you feel are relevant.

We are hopeful that this in addition to the forthcoming rationale writeupwill
be helpful for everyone to understand the reality of the issues involvedand
the reality of spec change impact.

Let me know if you have any questions.


Sean Barnum
Principal Architect
FireEye
M: 703.473.8262
E: sean.barnum@fireeye.com

From: <cti@lists.oasis-open.org> on behalf of "Kelley, SarahE."
<skelley@mitre.org>
Date: Tuesday, October 30, 2018 at 8:50 AM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] Working call agenda 10/30/28

All,

Today on the working call weâll be discussing the 1` option that discussedat
the F2F in NYC. For those not in attendance, there was a proposal toredesign
the STIX data model and make observables top level objects (knownas option
1`). A second proposal was made to just modify observed dataand use that
instead (option 7). The two options have been modeled here:(Caution-Caution-https://docs.google.com/document/d/1puPuKVWNSelrWH05yu9It99OuqQGdYo_Et0nmZKAZz8/edit<Caution-Caution-https://docs.google.com/document/d/1puPuKVWNSelrWH05yu9It99OuqQGdYo_Et0nmZKAZz8/edit>
) for various use cases. 

Please join us to  make this conversation productive and successful.

Thanks, 

Sarah Kelley
Lead Cybersecurity Engineer, T8B2
Defensive Operations
The MITRE Corporation
703-983-6242
skelley@mitre.org < Caution-Caution-mailto:skelley@mitre.org>

This email and any attachments theretomay contain private, confidential, and/or privileged material for the soleuse of the intended recipient. Any review, copying, or distribution ofthis email (or any attachments thereto) by others is strictly prohibited.If you are not the intended recipient, please contact the sender immediatelyand permanently delete the original and any copies of this email and anyattachments thereto. [attachment "image001.jpg" deleted by JasonKeirstead/CanEast/IBM]

 

This email and any attachments theretomay contain private, confidential, and/or privileged material for the soleuse of the intended recipient. Any review, copying, or distribution ofthis email (or any attachments thereto) by others is strictly prohibited.If you are not the intended recipient, please contact the sender immediatelyand permanently delete the original and any copies of this email and anyattachments thereto.