Subject: Re: [EXT] Re: [cti] Common repository for STIX CTI objects


Hi Andrew,

 

We are at the beginning of the process of designing the common repository, so all ideas are worth considering 😊

 

I made comments below about my thoughts on your "workflows".

 

                Rich

 

From: <cti@lists.oasis-open.org> on behalf of Andrew Storms <storms@newcontext.com>
Date: Monday, July 6, 2020 at 12:15 PM
To: Rich Piazza <rpiazza@mitre.org>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [EXT] Re: [cti] Common repository for STIX CTI objects

 

Hi Rich.

 

I have a question of clarification. 

 

2 potential workflows:

 

  1. As an analyst, would they go to this repository, find what they need. Then copy and paste into their piece of threat intel they are creating in STIX. And perhaps edit things slightly for their specific case? Essentially a repo of templates for use.

 

In the STIX 2.1 specification the following is stated concerning the contents of a bundle in section 3.3:

 

            ID references can refer to objects to which the consumer/producer may not currently have. This specification does not address the implementation of ID reference resolution.

 

The general understanding is there is no requirement that a bundle have all of the objects referred to within it.  With that in mind, if an object is contained in the common repository, there would be no need to "cut and paste" it into the content that a producer is creating, because any consumer could look up the identifier in the common repository - thus saving on the amount of data that needs to be transmitted.  Whether or not the common objects are "cached" at the consumer's or producer's site is up to them.

 

If the content from the repository wasn't exactly what you wanted, you could certainly think of it as a template, but since it can only be edited by the object creator, you would need to create a new object, with a new id.

 

  2. Or instead would they find what they want, grab the URL to the object in the repo. Then instead of actually putting the content in their threat intel, they would then only paste the URL to the object in the repo?

 

Basically, the latter.  As I mentioned above, just the STIX identifier (not a URL) needs to be referenced in the content. 

 

 

Hopefully my questions make sense.

 

--A

 

 

 

 

 

On Mon, Jul 6, 2020 at 7:59 AM Rich Piazza <rpiazza@mitre.org> wrote:

Many entities in cyber threat intelligence are common and having many duplicate STIX objects to represent the same concept has always been seen as wasteful and problematic.  Several decisions made when writing the STIX specification tried to take this into account. This includes: specification defined instances of TLP data markings, kill chain phases referred to by their names and deterministic identifiers for STIX cyber objects (SCOs).  However, having an easily available repository of common CTI objects has always been on the "wish list" of members of the CTI-TC.  DHS has tasked MITRE with investigating creating such a repository.

 

MITRE has already started a similar repository of STIX objects to represent both the ATT&CK and CAPEC frameworks.  It is available at https://github.com/mitre/cti.  It certainly is the case that other organizations might want to do something similar with their cyber threat intellectual property.  However, there are other STIX objects that are general enough to be hosted in a common repository, defined once and re-used by the broader STIX community.  Such a repository would foster consistency across STIX threat sharing efforts. In creating and using this repository, the amount of data transmitted over the wire could be reduced because only identifier references would need to be shared.

  

Some of the object types that immediately come to mind to include in this repository are locations (e.g., countries) and identities (e.g., industry sectors).  Other types, like software (e.g., Microsoft Word - version x) or tools (e.g., RDP) might be useful.  Objects like IP addresses, which already can be considered unique if using deterministic identifiers, could be "stored" in this repository, so they need not be shared.  Vulnerability objects representing each CVE could be housed there also.  I'm sure there are other objects that could be included.

 

There are many issues to be discussed as part of setting up such a repository:

 

  • Where would it be hosted?  It is envisioned that it could be available on the GitHub oasis-open web site, however this is just an initial suggestion.
  • How is the content stored?  Is it "fronted" by a TAXII server?
  • Who maintains it?  MITRE, DHS, OASIS...?
  • Who decides what should be in the repository?  The maintainers, a CTI subcommittee?
  • Would the STIX community actually use this repository?

 

If you would like to be involved in making this happen, or just have some ideas, please get in touch.

We can have a kickoff discussion at a future working call.

 

            Rich P.

-- 

Rich Piazza

Lead Cyber Security Engineer

The MITRE Corporation

781-271-3760

 


 

 

 


 

--

Andrew Storms

VP of Security Services

 707-477-4335

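The two mechanisms the thread leans on, deterministic SCO identifiers and a consumer resolving ID references that are absent from a bundle by looking them up in a common repository, can be shown in a few dozen lines. The following is an added example written for this page; it is not code from the thread, from MITRE, or from the oasis-open project. The repository is a constructed in-memory dict, every non-deterministic identifier in it is made up, and the bundle shape is a minimal STIX 2.1 one. The only STIX-defined constant used is the namespace UUID for deterministic SCO ids; the resolver also does the one check a consumer should not skip, that the object a repository hands back actually carries the id and type that were asked for.

```python
"""Resolving STIX 2.1 ID references against a common object repository.

Added example for this page (not the thread's or any project's code).
"""
import json
import uuid

# STIX 2.1 namespace used for deterministic (UUIDv5) SCO identifiers.
STIX_ID_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")


def sco_id(sco_type, contributing_props):
    """Deterministic SCO id: UUIDv5 over the canonical JSON serialization
    (sorted keys, no whitespace) of the object's ID-contributing properties.
    Two producers that see the same value derive the same id, which is what
    lets an SCO live in the repository and be referenced by id alone."""
    canonical = json.dumps(contributing_props, sort_keys=True,
                           separators=(",", ":"), ensure_ascii=False)
    return f"{sco_type}--{uuid.uuid5(STIX_ID_NAMESPACE, canonical)}"


# --- Constructed common repository (hypothetical ids and objects) ----------
LOCATION_ID = "location--1b8ac0be-1a8a-4b15-b6a5-4b9b2e4c2a01"   # made up
SECTOR_ID = "identity--7c2d9e4f-8a1b-4c3d-9e5f-6a7b8c9d0e1f"     # made up, NOT in repo
IP_ID = sco_id("ipv4-addr", {"value": "203.0.113.10"})            # deterministic

COMMON_REPO = {
    LOCATION_ID: {
        "type": "location", "spec_version": "2.1", "id": LOCATION_ID,
        "created": "2020-07-06T00:00:00.000Z",
        "modified": "2020-07-06T00:00:00.000Z",
        "name": "Example country", "country": "ZZ",
    },
    IP_ID: {
        "type": "ipv4-addr", "spec_version": "2.1", "id": IP_ID,
        "value": "203.0.113.10",
    },
}

# --- Constructed producer bundle: references only, no copies of repo data --
INTRUSION_SET_ID = "intrusion-set--f3a1c2d4-5e6f-4a7b-8c9d-0e1f2a3b4c5d"  # made up
TS = "2020-07-06T12:00:00.000Z"
PRODUCER_BUNDLE = {
    "type": "bundle",
    "id": "bundle--9d0e1f2a-3b4c-4d5e-8f6a-7b8c9d0e1f2a",  # made up
    "objects": [
        {"type": "intrusion-set", "spec_version": "2.1", "id": INTRUSION_SET_ID,
         "created": TS, "modified": TS, "name": "Example intrusion set"},
        {"type": "relationship", "spec_version": "2.1",
         "id": "relationship--0a1b2c3d-4e5f-4a6b-8c7d-8e9f0a1b2c3d",  # made up
         "created": TS, "modified": TS, "relationship_type": "located-at",
         "source_ref": INTRUSION_SET_ID, "target_ref": LOCATION_ID},
        {"type": "relationship", "spec_version": "2.1",
         "id": "relationship--1b2c3d4e-5f6a-4b7c-8d8e-9f0a1b2c3d4e",  # made up
         "created": TS, "modified": TS, "relationship_type": "targets",
         "source_ref": INTRUSION_SET_ID, "target_ref": SECTOR_ID},
        {"type": "observed-data", "spec_version": "2.1",
         "id": "observed-data--2c3d4e5f-6a7b-4c8d-8e9f-0a1b2c3d4e5f",  # made up
         "created": TS, "modified": TS, "first_observed": TS,
         "last_observed": TS, "number_observed": 1, "object_refs": [IP_ID]},
    ],
}


def referenced_ids(bundle):
    """Every identifier named by a *_ref or *_refs property in the bundle."""
    refs = set()
    for obj in bundle["objects"]:
        for key, val in obj.items():
            if key.endswith("_ref") and isinstance(val, str):
                refs.add(val)
            elif key.endswith("_refs") and isinstance(val, list):
                refs.update(v for v in val if isinstance(v, str))
    return refs


def missing_ids(bundle):
    """References whose target object is not carried in the bundle itself."""
    present = {obj["id"] for obj in bundle["objects"]}
    return referenced_ids(bundle) - present


def resolve(bundle, repo):
    """Look up each dangling reference in the repository.

    Returns (resolved, unresolved). An entry is accepted only if the object
    the repository returns carries the requested id and a type matching the
    id's prefix; a mismatch is treated as unresolved rather than trusted."""
    resolved, unresolved = {}, set()
    for ref in missing_ids(bundle):
        obj = repo.get(ref)
        expected_type = ref.split("--", 1)[0]
        if obj is None or obj.get("id") != ref or obj.get("type") != expected_type:
            unresolved.add(ref)
        else:
            resolved[ref] = obj
    return resolved, unresolved


if __name__ == "__main__":
    found, dangling = resolve(PRODUCER_BUNDLE, COMMON_REPO)
    print("resolved from repo:", sorted(found))
    print("still unresolved:  ", sorted(dangling))
```

Running it shows the producer's bundle carrying only the intrusion set, two relationships and an observed-data object, while the location and the IPv4 address are pulled from the repository by identifier; the sector identity is reported as unresolved because it is in neither place, which is exactly the case the 2.1 text leaves to the implementation. The id/type check in `resolve` matters once the repository is a remote TAXII or GitHub-hosted source: a consumer that dereferences identifiers should not let the server decide what object a given id denotes.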

 


