OASIS Cyber Threat Intelligence (CTI) TC

Location as a Top-Level SDO

  • 1.  Location as a Top-Level SDO

    Posted 06-13-2017 18:00


    All,
     
    A lot of conversations have been happening over email and on Slack regarding whether location should be an SDO or a property embedded on other SDOs. It appears that several
    new use cases have appeared and tipped the scales in favor of it being an SDO, and several people have shifted their opinions. The current proposal for it as a separate SDO is located here:

    https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.4mmu2llmy610
     
    Is there anyone here that is still in favor of it being an embedded property?

     
    We’re trying to gauge where the group stands in terms of consensus on this issue. For the moment, try to separate out this particular question from the “what are the rules
    for making something its own SDO?” question, as this is still an ongoing discussion and more information on that topic will likely be forthcoming.
     
     
    Thanks,

     

    Sarah Kelley
    Senior Cyber Threat Analyst
    Multi-State Information Sharing and Analysis Center (MS-ISAC)                   
    31 Tech Valley Drive
    East Greenbush, NY 12061
     
    sarah.kelley@cisecurity.org
    518-266-3493
    24x7 Security Operations Center
    SOC@cisecurity.org  - 1-866-787-4722

    From:
    <cti@lists.oasis-open.org> on behalf of "Taylor, Marlon" <Marlon.Taylor@hq.dhs.gov>
    Date: Tuesday, June 13, 2017 at 12:50 PM
    To: Richard Struse <rjs@mitre.org>, Nicholas Hayden <nhayden@anomali.com>, "Wunder, John A." <jwunder@mitre.org>
    Cc: Patrick Maroney <pmaroney@wapacklabs.com>, Bret Jordan <Bret_Jordan@symantec.com>, Jason Keirstead <Jason.Keirstead@ca.ibm.com>, John-Mark Gurney <jmg@newcontext.com>, CTI OASIS GROUP <cti@lists.oasis-open.org>, "Back, Greg" <gback@mitre.org>, "Nathan S. Reller" <Nathan.Reller@jhuapl.edu>
    Subject: RE: [cti] [EXT] [cti] Location as a Top-Level SDO


     

    This is an instance of a general design concern (embedded or not) throughout the spec, and I look forward to Rich’s document to help our discussion.
     
    Marlon Taylor
    Technology Services Section
    National Cybersecurity & Communications Integration Center (NCCIC)
    U.S. Department of Homeland Security

    From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org]
    On Behalf Of Struse, Richard J.
    Sent: Tuesday, June 13, 2017 8:52 AM
    To: Nicholas Hayden <nhayden@anomali.com>; Wunder, John A. <jwunder@mitre.org>
    Cc: Patrick Maroney <pmaroney@wapacklabs.com>; Bret Jordan <Bret_Jordan@symantec.com>; Jason Keirstead <Jason.Keirstead@ca.ibm.com>; John-Mark Gurney <jmg@newcontext.com>; CTI OASIS GROUP <cti@lists.oasis-open.org>; Back, Greg <gback@mitre.org>; Nathan S. Reller <Nathan.Reller@jhuapl.edu>
    Subject: Re: [cti] [EXT] [cti] Location as a Top-Level SDO


     
    I am working on a document that lays out the thinking on this and other design issues.
     

    From: <cti@lists.oasis-open.org> on behalf of Nicholas Hayden <nhayden@anomali.com>
    Date: Tuesday, June 13, 2017 at 8:47 AM
    To: "Wunder, John A." <jwunder@mitre.org>
    Cc: Patrick Maroney <pmaroney@wapacklabs.com>, Bret Jordan <Bret_Jordan@symantec.com>, Jason Keirstead <Jason.Keirstead@ca.ibm.com>, John-Mark Gurney <jmg@newcontext.com>, CTI OASIS GROUP <cti@lists.oasis-open.org>, "Back, Greg" <gback@mitre.org>, "Nathan S. Reller" <Nathan.Reller@jhuapl.edu>
    Subject: Re: [cti] [EXT] [cti] Location as a Top-Level SDO

    Can we derive a "Go/No Go" checklist for SDOs? This might help us in resolving this and, to John’s point, future scenarios. My proposal is that we clearly define what the characteristics are which “qualify” something that needs to be an SDO.
    So, for example: does it require versioning? “Yes”? OK, that’s a +1 toward making it an SDO.

    Best Regards,
    Nicholas Hayden, CISSP, GICSP, CNDA, CEH, Sec+
    Director of Engineering, Anomali   anomali.com
    808 Winslow St, Redwood City, CA 94063
    Phone: (650) 257-0867 Twitter: @anomali

    On Jun 12, 2017, at 4:12 PM, Wunder, John A. <jwunder@mitre.org> wrote:

    Yeah, +1 to Pat… we’re a CTI org, let’s not maintain a database of geolocations.

    More generally I also agree w/ Allan that this doesn’t really impact the SDO question. Either you:

      • Have the library and duplicate it in the embedded types
      • Have the library and reference it by UUID (if we generate STIX UUIDs for it)
      • Have the library and copy it into the referenced types (if we don’t generate UUIDs for it)

    It would be nice to enumerate these types of scenarios and see how we can deal with each of them in each approach. I talked to Allan and I think he has the beginnings of that
    document started, I’ll get with him to push it to Google docs so we can all look over it.

    John

    From: <cti@lists.oasis-open.org> on behalf of Patrick Maroney <pmaroney@wapacklabs.com>
    Date: Monday, June 12, 2017 at 3:16 PM
    To: "Bret Jordan (CS)" <Bret_Jordan@symantec.com>
    Cc: "Jason Mr. Keirstead" <Jason.Keirstead@ca.ibm.com>, "John-Mark Mr. Gurney" <jmg@newcontext.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, Greg Back <gback@mitre.org>, "Nathan.Reller@jhuapl.edu" <Nathan.Reller@jhuapl.edu>
    Subject: Re: [cti] [EXT] [cti] Location as a Top-Level SDO

    My .02: If we're building, publishing, maintaining our own Geo-Location Data, we're doing something wrong. This is one wheel we do not need to re-invent... again, just my .02.

    Patrick Maroney
    Principal Engineer - Data Science & Analytics
    Wapack Labs LLC
    (609)841-5104
    pmaroney@wapacklabs.com
    Public Key: http://pgp.mit.edu/pks/lookup?op=get&search=0x7C810C9769BD29AF

    On Jun 11, 2017, at 11:58 PM, Bret Jordan <Bret_Jordan@symantec.com> wrote:

    So if we were going to do this, we would probably need to build a library of locations by country and regions and publish them as a Committee Note, and hope people just use them for locations
    at the granularity of a country or group of countries.

    Bret

    From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
    Sent: Sunday, June 11, 2017 7:35:18 PM
    To: jmg@newcontext.com
    Cc: Bret Jordan; cti@lists.oasis-open.org; gback@mitre.org; Nathan.Reller@jhuapl.edu
    Subject: Re: [cti] Re: [EXT] [cti] Location as a Top-Level SDO

    You are assuming that we don't create a repository of "standard" location SDOs for things like continent and country names, i.e., the things that people would want to share in
    the first place. Which, I don't see why we would not do this, seeing how we're doing it for things like CAPEC.

    -
    Jason Keirstead
    STSM, Product Architect, Security Intelligence, IBM Security Systems
    www.ibm.com/security

    Without data, all you are is just another person with an opinion - Unknown
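
The three modelling options John enumerates above (duplicate the library entry into each embedded property, reference it by STIX UUID, or copy it in without any UUID) and Nicholas's "does it require versioning?" criterion can be made concrete with a small script. The following is an added illustration written for this page, not code from the CTI TC or from any STIX implementation. It assumes, since the thread does not fix them, an SDO type named `location` with `name` and `country` properties, an embedded property also named `location`, a relationship type `located-at`, and STIX 2.0-style `type--UUIDv4` identifiers; the sample library entry and threat actors are constructed. It builds a bundle under each of the three options, resolves an object's location in each, then applies one rename to the shared library entry and counts how many objects had to change.

```python
"""Embedded vs. top-level location: a constructed illustration (not CTI TC code).

Assumptions not fixed by the thread: SDO type "location" with "name" and
"country"; embedded form under a "location" property on the referring object;
relationship type "located-at"; identifiers of the form <type>--<UUIDv4>.
"""
import copy
import uuid


def stix_id(stix_type):
    return f"{stix_type}--{uuid.uuid4()}"


def make_location(name, country):
    # Assumed shape of a library entry at country-level granularity.
    return {"type": "location", "id": stix_id("location"),
            "name": name, "country": country}


def make_actor(name):
    return {"type": "threat-actor", "id": stix_id("threat-actor"), "name": name}


def embed(actors, location, keep_id):
    """Options 1 and 3: copy the library entry into each referring object.

    keep_id=True  -> the copy still carries the library entry's STIX UUID
    keep_id=False -> the copy has no id, as when no UUIDs are generated for it
    """
    out = []
    for actor in actors:
        actor = copy.deepcopy(actor)
        loc = copy.deepcopy(location)
        if not keep_id:
            loc.pop("id")
        actor["location"] = loc          # assumed embedded property name
        out.append(actor)
    return out


def reference(actors, location):
    """Option 2: ship the location once and point at it by id via relationships."""
    objects = [copy.deepcopy(location)]
    for actor in actors:
        objects.append(copy.deepcopy(actor))
        objects.append({"type": "relationship", "id": stix_id("relationship"),
                        "relationship_type": "located-at",   # assumed type
                        "source_ref": actor["id"], "target_ref": location["id"]})
    return objects


def resolve_location(obj_id, objects):
    """Find obj_id's location whichever of the two models the bundle uses."""
    by_id = {o["id"]: o for o in objects}
    obj = by_id[obj_id]
    if "location" in obj:                # embedded form
        return obj["location"]
    for o in objects:                    # referenced form: follow located-at
        if (o["type"] == "relationship" and o["relationship_type"] == "located-at"
                and o["source_ref"] == obj_id):
            return by_id[o["target_ref"]]
    return None


def rename_location(objects, location_id, new_name):
    """Apply one edit to the library entry; return how many objects had to change.

    A top-level SDO is edited once; embedded copies must each be found and
    patched; copies without an id cannot be correlated with the entry at all.
    """
    changed = 0
    for o in objects:
        if o["type"] == "location" and o["id"] == location_id:
            o["name"] = new_name
            changed += 1
        elif o.get("location", {}).get("id") == location_id:
            o["location"]["name"] = new_name
            changed += 1
    return changed


def demo(n_actors=3):
    """Return (edits needed per model, resolved names per model) after one rename."""
    library = make_location("Example Country", "XX")        # constructed sample
    actors = [make_actor(f"actor-{i}") for i in range(n_actors)]
    models = {"embedded-with-id": embed(actors, library, keep_id=True),
              "embedded-no-id": embed(actors, library, keep_id=False),
              "referenced": reference(actors, library)}
    edits = {k: rename_location(v, library["id"], "Renamed Country")
             for k, v in models.items()}
    names = {k: [resolve_location(a["id"], v)["name"] for a in actors]
             for k, v in models.items()}
    return edits, names


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the maintenance cost of each option: the referenced model needs one edit, the embedded-with-id model needs one edit per referring object, and the embedded-no-id model cannot be updated at all because nothing links the copies back to the library entry. That is the versioning property a "Go/No Go" checklist would score.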