Subject: Working Call: Text-based Notes
CTI TC: Below are the text-based notes of the Working Call today. I included embedded images in the PDF that are not available in this version. Jane Ginn
Agenda: Cyber Observables - How to handle moving forward

Meeting Notes:

Allan Thomson
There has been a mini-group on the two key proposals; we are discussing them here with the larger group today, during the regular working call.

Problem Summary
We agree that an ID is required for SCOs with the following properties:
- It should be possible to deterministically compute on both creation (producer side) and be useful for search (consumer side)
- It's easy to create (for both sides)
- It can be referenced by relationships across transactional/individual units of intel (i.e. bundles)
- The ID will be computed on a subset of SCO properties <- mini-group consensus last week
We need to work on:
A) How does each implementation interoperate, including what needs to be defined in the spec for the preferred subset
B) How an ID is computed for the set of properties chosen for the subset of properties

Commonalities of Two Proposals
- Producer SHOULD use an identifier-template defined in the STIX specification for the SCO
- Exact format of identifier template is tbc (later slides)
- Producer MAY use a different identifier-template than that defined in the STIX specification for the SCO
- Producer MUST pass an identifier-map of non-standard templates used as part of a STIX Bundle, either directly as a STIX object or via reference to an externally published version for use by external organizations
- Identifiers MUST use an identifier-template to specify how the id is generated.

John-Mark Gurney
[Asked a question for clarification on two vendors and the use of IDs]
Then asked if there was only 1 ID on these objects.

Allan Thomson
[Noted that in the future there could be multiple IDs, but we want to get agreement on this first]
[Went over the Pros & Cons]

Sean Barnum
[Clarified that the Pros and Cons for the UUID proposal are overall, not compared to the other proposal]

John-Mark Gurney
The SHA1 standard is compromised; we may need to consider...

Gary Katz
Would that be relevant in this case?

John-Mark Gurney
If you keep all of the data for the Object, then the SHA1 could be used; if you don't, then it could be a problem, even for this case.

Gary Katz
Could you send out some links on this afterwards?

Chris Ricard
Are the two approaches being debated to ensure semantic equivalency?

Allan Thomson
We want an approach where we can have an ID that can be used in multiple Use Cases.

Chris Ricard
Then it is deterministic...?
OK, then gave an example of a scenario... Noted that different users would assign different IDs.

Allan Thomson
The mini-group has discussed this about the mapping... We agreed that there will never be consensus on what parameters are to be used... that is why we are deferring to the STIXPreferred persona.
The specification allows flexibility... the Interoperability is where we have agreed upon for the Use Cases.

Chris Ricard
If it is something that is negotiated on a case-by-case basis... then you can have agreement on a specific Use Case.

Allan Thomson
[Had a problem with the word "negotiation"... but agreed in principle]

Gary Katz
Gave a clarifying point about how different vendors will use their own parameters; could be with a library.

Chris Ricard
If this is for searching... why not just hash the value?

Sean Barnum
The primary Use Case is for de-duping... not query. The secondary Use Case is between vendors.
Then what we all do to make it easier for the users... but the primary Use Case is de-dupe.

Jason Keirstead
What Chris is bringing up is very relevant... a legitimate problem with the whole idea...
This could be a problem... I realize this is a compromise.

Allan Thomson
We all agree... Let's try and find a compromise...
From a standards POV, what we need to do is find a compromise.

Chris Ricard
I don't know that this solves anything.

Jason Keirstead
What this seems like to me is that we need to flesh this out further... or we will have a problem with the TC.
The problem I have with this... What is the Business Value... if the IDs are different from producer to producer?

Allan Thomson
In a large community, we need a mapping... [Gave example of AIS feeds]

Jason Keirstead
Made the argument that the intra-vendor Use Cases have not been articulated.

Gary Katz
Here is one: High Speed sensor; need a way to use the same ID for the same object.
A second one: As a producer of intel, I have made a determination that these are correlated... you need to provide that as a service.
The third Use Case... I have multiple, different vendors... in that case, I'll need to correlate.
With these proposals... we have a discovery process with a mapping structure.

Jason Keirstead
Gave an argument... Do not agree.

Sean Barnum
Asked about how to keep track of relationships.

Jason Keirstead
They are internal issues... it is not about sharing.
I understand that internally you guys have a graph.

Allan Thomson
This is not about individual organizations... Made a point about custom properties; will not fix the issue.
If that is where we disagree... Is that what you are actually disputing?

Jason Keirstead
We can have STIX top-level objects that would be linked to a Cyber Observable... then can't use STIX.

Gary Katz
It is about how it is computed... not what the ID is.

Sean Barnum
We do this to scale... so it is implementable... [Gave examples of file, network traffic, email being different]
We've seen different players have different perspectives...
What Allan was saying was that Optionality will help with specific Use Cases... without trying to achieve the 5% without breaking the 95%.

Chris Ricard
It seems to me the ID should not be indicating semantic equivalence... it should be a different object.
[Gave a proposed solution of a "Semantic Equivalence" object that could relate to the CO]
Made the argument that they should not be de-duped.

John-Mark Gurney
I agree with Chris.

Gary Katz
For those that are opposing this... could you please outline how your organization would do this? Please outline.

Jason Keirstead
I keep having a problem. We would have to throw these things away.
I still have to match UUID4s... We still have to do string matches...

Allan Thomson
At the beginning of this mini-group... there are some Use Cases that it will help.

Sarah Kelley
If it solves some Use Cases, then let's use it.

John-Mark Gurney
If we can solve the security issue... the other problem is that not all fields are hashed.
It solves one problem and raises another problem.

Gary Katz
Can I respond to that real quick?
[Gave an example of different vendors using different hashes]
You are still getting a correlation between different producers... if you have a mapping.

John-Mark Gurney
The problem is that for additional context properties that you are linking to... you cannot use that... the hash will be different.

Gary Katz
Have an identifier map for that Producer that would allow me to distinguish it from others.

John-Mark Gurney
Correct... but it is not handled in these proposals.
That is why I like Jason's idea of having a custom property...

Trey Darley
Gave example: being inside CERT, we are having problems with correlating things... It didn't work for Malware, Infrastructure and Incident... What we are aiming at is the best alternative to no agreement.

Allan Thomson
So, what was proposed was an attempt to provide Optionality... but it sounds like some are having problems...
We collectively have to find a compromise that works for everybody...

Trey Darley
The problem is getting worse for all of the market sectors... we have a societal imperative to find a solution.

Sean Barnum
How do we move forward in a way that does not block some of us from moving forward... For those of you that are having problems... please be specific.
We got to this point in the Mini-group for some very specific Use Cases.
There are things with STIX that we can't do...

John-Mark Gurney
I heard a proposal here... you create a third-party object [Chris's suggestion as given above].

Allan Thomson
It was discussed in the Mini-Group, and then was discounted.

John-Mark Gurney
It should be presented to the larger group, so we could debate it.

Gary Katz
The reason it was discounted was that it did not meet the specific Use Case of the high-speed sensor.

Allan Thomson
We are running out of time... we'll have to discuss this later. Thank you all for joining us.
Rest of Slide Deck Information:

Identifier Templates: Option #1 - Use STIX Pattern Grammar variation
- Use the terms defined in the STIX pattern grammar and the concatenation terms, and define a SHA1 hash on the result of the expression
- [email.type:value FOLLOWEDBY email.is_multipart:value]
- For optional fields we could have [email.type:value FOLLOWEDBY (email.is_multipart:value OR '\ff')]
- If is_multipart was an optional field value, \ff or similar would be chosen to avoid ambiguity

Identifier Template: Option #2
Meeting Terminated

--
Jane Ginn, MSIA, MRP
Secretary, OASIS CTI TC
jg@ctin.us
001 (928) 399-0509
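The Option #1 identifier-template sketch in the slide deck section above, worked through as an added Python example. This is not code from the CTI TC, the slide deck, or the STIX specification; it only illustrates the mechanics the notes describe: a producer renders a chosen subset of SCO properties in FOLLOWEDBY order, substitutes a sentinel for an absent optional property so that "absent" cannot collide with "empty", hashes the result (SHA1, as the slide proposes; the `hasher` parameter exists because the call flagged SHA1 as compromised and a consumer may want to swap in another digest), and ships an identifier-map so a consumer can recompute the id under each template it knows. The template tuple shape, the `IDENTIFIER_MAP` dictionary, the `\x1f` separator, the `\xff` sentinel, the `type--digest` id layout, the `email-message` property names and the sample objects are all assumptions made for this example.

```python
"""Added example: deterministic SCO ids from an identifier-template.

Not the STIX specification's format; every name and layout here is an
assumption chosen to illustrate the Option #1 sketch in the meeting notes.
"""
import hashlib
from typing import Any, Callable, Dict, List, Optional, Tuple

# Separator between FOLLOWEDBY terms and sentinel for an absent optional
# property (assumptions standing in for the slide's "\ff or similar").
# Neither byte is expected inside a property value, so "a"+"" and ""+"a"
# render differently, and an absent property differs from an empty one.
SEP = "\x1f"
ABSENT = "\xff"

# A template: the SCO type it applies to, then (property, required) pairs in
# FOLLOWEDBY order. Hypothetical shape, not the spec's identifier-template.
Template = Tuple[str, List[Tuple[str, bool]]]

# Constructed identifier-map (name -> template). "email-standard" plays the
# role of the template the spec would define; "vendor-b-email" stands in for a
# producer's own non-standard template shipped alongside its bundle.
IDENTIFIER_MAP: Dict[str, Template] = {
    "email-standard": ("email-message", [("is_multipart", True), ("subject", False)]),
    "vendor-b-email": ("email-message", [("is_multipart", True), ("subject", True), ("date", False)]),
}


def canonical(value: Any) -> str:
    """Render a property value so equal values always yield equal bytes."""
    if isinstance(value, bool):  # bool before int: bool is a subclass of int
        return "true" if value else "false"
    if isinstance(value, (int, float, str)):
        return str(value)
    raise TypeError(f"unsupported property value type: {type(value).__name__}")


def render(obj: Dict[str, Any], template: Template) -> str:
    """Build the FOLLOWEDBY concatenation that the slide proposes hashing."""
    sco_type, props = template
    if obj.get("type") != sco_type:
        raise ValueError(f"template is for {sco_type}, object is {obj.get('type')!r}")
    parts = [sco_type]
    for prop, required in props:
        value = obj.get(prop)
        if value is None:
            if required:
                raise ValueError(f"required property {prop!r} missing")
            parts.append(ABSENT)  # optional and absent: sentinel, not ""
        else:
            parts.append(canonical(value))
    return SEP.join(parts)


def recomputable(obj: Dict[str, Any], template: Template) -> bool:
    """True if the object carries every property the template requires."""
    try:
        render(obj, template)
        return True
    except ValueError:
        return False


def compute_id(obj: Dict[str, Any], template: Template,
               hasher: Callable[..., Any] = hashlib.sha1) -> str:
    """Hash of the rendered expression. SHA1 by default because the slide
    says SHA1; pass hashlib.sha256 to use a different digest."""
    digest = hasher(render(obj, template).encode("utf-8")).hexdigest()
    return f"{template[0]}--{digest}"  # "type--digest" layout is an assumption


def match_template(obj: Dict[str, Any], received_id: str,
                   identifier_map: Dict[str, Template]) -> Optional[str]:
    """Consumer side: which template in the bundle's identifier-map reproduces
    the id the producer sent? None means the consumer cannot recompute it,
    which is the de-dupe failure the call discussed."""
    for name, template in identifier_map.items():
        if recomputable(obj, template) and compute_id(obj, template) == received_id:
            return name
    return None


# Constructed sample SCOs (not from any real feed)
EMAIL = {"type": "email-message", "is_multipart": False, "subject": "Invoice 4411"}
EMAIL_NO_SUBJECT = {"type": "email-message", "is_multipart": False}
EMAIL_EMPTY_SUBJECT = {"type": "email-message", "is_multipart": False, "subject": ""}

if __name__ == "__main__":
    std = IDENTIFIER_MAP["email-standard"]
    sent_id = compute_id(EMAIL, IDENTIFIER_MAP["vendor-b-email"])
    print("standard id :", compute_id(EMAIL, std))
    print("vendor-b id :", sent_id)
    print("matched via :", match_template(EMAIL, sent_id, IDENTIFIER_MAP))
```

Two properties the discussion turned on fall out of the code: a property outside the template (here `date` under the standard template) does not change the id, so the "additional context" John-Mark Gurney raised cannot be keyed by it, and an SCO missing a property that a producer's template requires cannot be matched against that producer's ids at all, which is where the identifier-map is needed.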