OASIS Cyber Threat Intelligence (CTI) TC


Re: [cti-stix] Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

  • 1.  Re: [cti-stix] Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

    Posted 09-13-2016 10:32
    Yes, exactly. The purpose of the larger range is simply to accommodate more possible scales than a single 1-5 scale. Nothing more or less.

    --
    Sent from my mobile device, please excuse any typos.

    From: "Andras Iklody" <andras.iklody@gmail.com>
    To: "Joep Gommers" <joep@eclecticiq.com>
    Cc: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>, cti-stix@lists.oasis-open.org, "Marko Dragoljevic" <marko@eclecticiq.com>, cti@lists.oasis-open.org, "Dave Cridland" <dave.cridland@surevine.com>, "JE" <je@cybersecurityscout.eu>, "Terry MacDonald" <terry.macdonald@cosive.com>, "Patrick Maroney" <Pmaroney@specere.org>, "Mark Clancy" <mclancy@soltra.com>
    Date: Tue, Sep 13, 2016 3:52 AM
    Subject: Re: [cti-stix] Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

    The idea is definitely to use descriptive language and convert to a unified scale. A 5 step scale limits the conversion of 4 and 3 step scales, 0-100 simply accommodates more toes of descriptive language.

    On Sep 13, 2016 8:18 AM, "Joep Gommers" <joep@eclecticiq.com> wrote:

    For what it's worth, reflecting on intelligence tradecraft, I’m fully supportive of a 1-5 scale (or similar order of magnitude) so that you can build clear analytic constructs and constraints around each scale. 1-100 for an analytic judgement is not just overkill, it breaks the ability for an analyst to apply such analytic tradecraft. That said, having a 1-100 score if this is mostly created by machines, for machines, with a known algorithm makes all the sense – but don’t think we are intended to create that.

    Or have both * ducks *…

    From: <cti@lists.oasis-open.org> on behalf of Mark Clancy <mclancy@soltra.com>
    Date: Monday, September 12, 2016 at 8:43 PM
    To: Marko Dragoljevic <marko@eclecticiq.com>, Terry MacDonald <terry.macdonald@cosive.com>
    Cc: Jason Keirstead <Jason.Keirstead@ca.ibm.com>, Patrick Maroney <Pmaroney@Specere.org>, Dave Cridland <dave.cridland@surevine.com>, JE <je@cybersecurityscout.eu>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Subject: Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

    We are trying to add a level of precision to information that generally lacks reproducible precision when two parties review the exact same set of facts. That leads you to wanting a scheme that does not create the illusion of precision where none exists. We don’t need two significant digits of precision for confidence, so I think the 0-100 scheme is overkill. Yes it exists today in Stix1.0, but has anybody actually analyzed how many unique precision values have been used in CTI data to date?

    -Mark

    From: <cti@lists.oasis-open.org> on behalf of Marko Dragoljevic <marko@eclecticiq.com>
    Date: Friday, September 9, 2016 at 4:37 AM
    To: Terry MacDonald <terry.macdonald@cosive.com>
    Cc: Jason Keirstead <Jason.Keirstead@ca.ibm.com>, Patrick Maroney <Pmaroney@Specere.org>, Dave Cridland <dave.cridland@surevine.com>, JE <je@cybersecurityscout.eu>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Subject: Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

    Hi all

    +1 for all comments from Terry

    A few extra thoughts:
    - Reliability of Source and other similar evaluation methods used across types of Intelligence are not meant to provide "specific quantification" but rather to “inform” with a certain degree of error margin. Then, it’s up to analysts, consumers (human, products) or policy makers (stakeholders) to “interpret” this and eventually make decisions or informed actions.
    - It should be up to specific Technology Products to implement how mapping of this and other evaluation methods or scores into specific numbers actually works when and if needed. I can imagine that end users would want to be able to fine tune these “formulas” based on specific use cases.

    Thanks,
    Marko Dragoljevic
    VP Technology, Chief Architect
    marko@eclecticiq.com
    +31 643 919 496
    EclecticIQ
    Intelligence Powered Defense
    https://www.eclecticiq.com

    On 09 Sep 2016, at 01:16, Terry MacDonald <terry.macdonald@cosive.com> wrote:

    I would disagree with using a numbering scheme (and especially one with a range of 0-100), as it makes it much more complex than it needs to be.

    Is something that is confidence level 82 really that much worse than confidence 83? How is a user going to understand the difference at those small levels of difference? Will they care about the difference at all? Do people really want 6 different levels of difference rather than 100?

    If we use an existing methodology that has been used for many years in the intelligence community such as the Admiralty Code then it is something that is understandable and usable by humans. I believe they will be able to comprehend the difference between 'Reliability of Source - B - Usually reliable' and 'Reliability of Source - D - Not usually reliable' a lot easier than looking at 'Reliability of Source - 79' and 'Reliability of Source - 48'.

    Cheers

    Terry MacDonald
    Chief Product Officer
    M: +64 211 918 814
    E: terry.macdonald@cosive.com
    W: www.cosive.com

    On Fri, Sep 9, 2016 at 7:39 AM, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:

    I very much like the idea of adding support for the MISP taxonomies, but I still think that confidence should be a numerical value. I would like to see a way that the admiralty scale taxonomy can be mapped to a numerical equivalent. That way if someone wants to use a different taxonomy because the admiralty scale is either too broad or too narrow, they are free to do so, because we are not directly mandating it be used.

    -
    Jason Keirstead
    STSM, Product Architect, Security Intelligence, IBM Security Systems
    www.ibm.com/security www.securityintelligence.com

    Without data, all you are is just another person with an opinion - Unknown

    From: Patrick Maroney <Pmaroney@Specere.org>
    To: Dave Cridland <dave.cridland@surevine.com>, JE <je@cybersecurityscout.eu>
    Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "Terry MacDonald" <terry.macdonald@cosive.com>
    Date: 09/08/2016 01:29 PM
    Subject: [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]
    Sent by: <cti-stix@lists.oasis-open.org>

    Good discussion folks.

    In support of the concepts expressed here, I'd like to raise the topic of supporting the MISP Taxonomy format and the public repository of Taxonomies and format for consideration. https://github.com/MISP/misp-taxonomies

    Alexandre Dulaunoy has cleared up concerns raised regarding licensing, so we can assess on the technical merits.

    Patrick Maroney
    President
    Integrated Networking Technologies, Inc.
    Desk: (856)983-0001
    Cell: (609)841-5104
    Email: pmaroney@specere.org

    From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Dave Cridland <dave.cridland@surevine.com>
    Sent: Thursday, September 8, 2016 4:13:31 AM
    To: JE
    Cc: cti-stix@lists.oasis-open.org; cti@lists.oasis-open.org; Terry MacDonald
    Subject: RE: [cti] CTI Brussels F2F Meeting...RSVP deadline 5 September

    There are two approaches, both already existing, which can help with this. Firstly, a common, shared policy (and just as important, commonly understood semantics). The FIRST IEP work is along these lines.

    Secondly, real security label/classification/policy systems allow one policy to be translated to another, as long as the semantics can be mapped. These systems exist already, and are specified in a slew of documents including SDN.801(c), X.841, and so on.

    Obviously these two are complementary - if there are lots of common semantics in organisations' policies, it makes it easy to express handling requirements, and the existing label specs allow each organization to have their own policy which they can develop independently.

    But all this is already handled by STIX - it's just payload data to STIX and TAXII.

    Dave.

    On 8 Sep 2016 09:29, "JE" <je@cybersecurityscout.eu> wrote:

    Hi Terry,

    Sorry I was not clear enough in my suggestion and putting it into context… we’re on the same page, there are currently discussions going on in some communities to extend the TLP scheme (proprietary) by validation information, and within some schemes used in intel (usually not public / publicly known) this already exists as part of their schemes. Unfortunately proprietary approaches have their issues when trying to make it work outside the origin.

    To enable true policy-based management, enforcement, priority handling etc. it’s vital to have a standard on assigning & processing level of confidence, trust in source and possibly validation by analyst as well. Some of the European ISACs I know handle this by reserving some classification levels for members and assigning trust-by-default, but of course this does not scale beyond a limited community nor is it a feasible way to apply it on granular objects.

    Cheers from Brussels,
    Joerg

    From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Terry MacDonald
    Sent: Wednesday, September 7, 2016 21:11
    To: JE <je@cybersecurityscout.eu>
    Cc: cti-stix@lists.oasis-open.org; cti@lists.oasis-open.org; Thompson, Dean <Dean.Thompson@anz.com>
    Subject: RE: [cti] CTI Brussels F2F Meeting...RSVP deadline 5 September

    Hi Joerg,

    I wasn't meaning information handling or policy management at all, as this is already supported via the object level data marking or granular data marking in STIX 2.0. I was definitely meaning a way of describing confidence that the threat intelligence is correct, and confidence that the person who told you the threat intelligence gets it right. We had that functionality in the STIX 1.x series, and we've lost it in STIX 2.0. We need to add it back in as part of STIX 2.1.

    Cheers
    Terry MacDonald
    Cosive

    On 7/09/2016 10:25 PM, "JE" <je@cybersecurityscout.eu> wrote:

    Dear All,

    I fully support this – having built some ISACs in industry as well as GOV, classification/labeling is usually a “top 5” issue … if not at the time of initial set-up then usually later, when information from different sources is to be shared and utilized. This might not be a primary issue from the vendor side (although it should be, as most TI is not under monolithic policy/license rights but compiled); it is definitely an issue from the user perspective to handle, distribute and leverage TI properly.

    Some of the commercially available systems on the market implement labeling/label-based handling in a proprietary way as current information models/standards do not foresee this. If you e.g. look at OTRS (not a STIX/TAXII implementation but widely used for Service + Incident Mgt), actually an open source system, during its evolution it also included labeling and handling according to this. No matter if e.g. TLP or other schemes are applied, I strongly suggest to at least include the option to label objects and though enable/apply/enforce policy-based information exchange and handling.

    Sunny greetings from Berlin & looking forward to meeting you guys f2f on later Wednesday evening in Brussels,
    Joerg

    From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Thompson, Dean
    Sent: Wednesday, September 7, 2016 03:06
    To: 'Terry MacDonald' <terry.macdonald@cosive.com>; 'cti@lists.oasis-open.org' <cti@lists.oasis-open.org>; 'cti-stix@lists.oasis-open.org' <cti-stix@lists.oasis-open.org>
    Subject: RE: [cti] CTI Brussels F2F Meeting...RSVP deadline 5 September

    Hi!,

    Can I add my voice in here as well and say that “Confidence” and also having an “Opinion” about Threat Intelligence is very important and is a concept that we use quite heavily when we are exchanging threat intelligence with other financial organisations and dealing with threat data that comes in via 3rd parties and intelligence sources.

    Can we please ensure that this is included in the agenda and discussed at the meeting?

    Regards,
    Dean

    From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Terry MacDonald
    Sent: Wednesday, 7 September 2016 8:18 AM
    To: cti@lists.oasis-open.org; cti-stix@lists.oasis-open.org
    Subject: Re: [cti] CTI Brussels F2F Meeting...RSVP deadline 5 September

    Please say that we are including the confidence and opinion object in the STIX 2.1 candidate smackdown agenda item at the F2F.

    We just can't treat everything that people send out as the absolute truth as we do in STIX 2.0. There is a reason things like the admiralty code were developed.... and that's because threat intelligence is always someone's opinion. We need a way for the consumer to understand how confident the producer is in the threat intelligence they are sending. It's up to the consumer to determine if they believe that it's the truth, and they need various ways to determine this. That's a ton easier if the person who sent the threat intelligence to you tells you how much they trust the intelligence and trust the source of the intelligence with some form of confidence field.....

    I really, really believe this is critical for STIX to work properly, and it was something that made it possible for STIX to automatically be pushed out to the different security tools within an organization (e.g. high confidence DNS to the DNS RPZ block, low confidence to the alerting on the passive DNS).

    These are so easy to add to STIX, we would be remiss to skip it.

    Cheers

    Terry MacDonald
    Chief Product Officer
    M: +64 211 918 814
    E: terry.macdonald@cosive.com
    W: www.cosive.com

    On Fri, Sep 2, 2016 at 8:53 AM, Jane Harnad <jharnad@oasis-open.org> wrote:

    Dear CTI Members,

    The CTI TC F2F meeting is scheduled for Wednesday, 7 September at the Thon EU Hotel, Germany Room. Lunch and refreshments will be provided by OASIS. A headcount is needed ASAP. Below is a list of individuals that replied to the last RSVP request. If you don't see your name and do plan to participate in either the F2F meeting or group dinner, please send your RSVP no later than 5 September.

    Remote access is available to TC members unable to attend in person. Login details are: https://global.gotomeeting.com/join/978573765
    You can also dial in using your phone.
    United States (Toll-free): 1 866 899 4679
    United States +1 (646) 749-3117
    Access Code: 978-573-765

    Proposed agenda is attached.

    Details on group dinner option: CTI members are invited to sign up to attend a group dinner on Wednesday evening after the F2F. Family members and/or guests traveling along with you are also invited to join us. This is not a hosted dinner, so each participant (and their guests) will be responsible for covering the costs associated with their dinner. Please be sure to confirm the number of guests.

    Thanks so much and we look forward to seeing you all in Brussels!

    Regards,
    Jane

    F2F/Dinner Attendees: Bret Jordan, Alexandre Dulaunoy, Raymon van der Velde, Ryusuke Masuoka, Kazuo Noguchi, Jason Keirstead, Jerome Athias, Allan Thomson, Daniel Riedel, John-Mark Gurney, Carol Geyer, Richard Struse, Joerg Eschweiler, Trey Darley, Marko Dragoljevic, Sergey Polzunov, Aukjan van Belkum, Wouter Bolsterlee, Andras Iklody, Mark Davidson, Masato Terada

    --
    Jane Harnad
    Manager, Events
    OASIS
    Advancing open standards for the information society
    +1.781.425.5073 x214 (Office)
    http://www.oasis-open.org
    Join OASIS at: Borderless Cyber Europe 8-9 Sept Brussels; Borderless Cyber Asia 1-2 Nov Tokyo

    ---------------------------------------------------------------------
    To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php


  • 2.  Re: [cti-stix] Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

    Posted 09-13-2016 11:44
    On 13/09/16 12:31, Jason Keirstead wrote:
    > Yes, exactly.
    >
    > The purpose of the larger range is simply to accommodate more possible scales than a single 1-5 scale. Nothing more or less.

    Indeed. The proposal came from some real cases we had like reorganizing the confidence level of various sources. The 1-5 scale is clearly for human analysts where the whole range is mainly for machine-to-machine. With the current proposal[2], you can have both.

    Compared to the existing confidence level in STIX described with the HighMediumLowVocab-1.0[1], we added a scale and a clear description for analysts.

    [1] http://stixproject.github.io/data-model/1.2/stixVocabs/HighMediumLowVocab-1.0/
    [2] https://github.com/MISP/misp-taxonomies/blob/master/misp/machinetag.json#L31

    --
    Alexandre Dulaunoy
    CIRCL - Computer Incident Response Center Luxembourg
    41, avenue de la gare L-1611 Luxembourg
    info@circl.lu - www.circl.lu


  • 3.  Re: [cti-stix] Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

    Posted 09-13-2016 12:35
    The wider scale certainly seems like the path of least resistance. Tools get to do what they want and for the most part things should just work. A couple of worries (perhaps edge cases?) I would have:

    1. The admiralty scale has specific semantics for each level that tools not using it would of course not honor. So someone who set a confidence of “high” in ToolA, which maps to 100 (let’s say), would get translated to a 1 in the admiralty scale when displayed by ToolB. But was it actually confirmed by other sources?
    2. There would potentially be issues where people map scales over differently. I.e. (None, Low, Medium, High) would have a different range than (Low, Medium, High) and so a score of “Low” in ToolC might translate to “None” in ToolD and confuse people. Then you have to explain to the user that “well, in reality it’s a 1-100 scale underneath and the products use different scales and……”

    I’m not totally opposed btw, just wanted to point out some of these issues.

    John


  • 4.  Re: [cti-stix] Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

    Posted 09-13-2016 14:59
    There is another reason that a numerical scale should be used, that I haven't yet mentioned as I didn't want to conflate the whole "confidence" problem - but I also didn't expect it to be so controversial, so here we go...

    The problem with the admiralty scale is it is very human-focused, but in the current world of CTI you can't make the assumption that the confidence value is being assigned by humans. It will also be assigned by machines as a result of algorithmic and analytical processes on the underlying data. When a product produces an intelligent feed of data based on analytics, it will be able to figure out and assign its own confidence metric, that will be calculated based on the confidence levels it has on all of the other pieces of data that were factors in the decision. I.e., when I am taking 100 pieces of data - each of which has its own confidence value - and producing this other derived piece of data, its confidence is derived based on all of the other confidences (in the simplest scenario, it might be thought of as the simple weighted average of all of the other confidences). You can't do this type of thing with something as simple as the admiralty scale.

    -
    Jason Keirstead
    STSM, Product Architect, Security Intelligence, IBM Security Systems
    www.ibm.com/security www.securityintelligence.com

    Without data, all you are is just another person with an opinion - Unknown




  • 5.  Re: [cti-stix] Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

    Posted 09-13-2016 15:15




    I agree with Jason’s arguments. Both on mapping and how the numbers will be assigned by machines & humans.
     
    STIX should focus on exchanging a ‘value’ for machine-to-machine. It’s a data exchange format not a UI exchange. How this information is relayed to a human or entered by a human can and
    may be different.
     
    If a number of 0-100 is chosen then that can be mapped by products to something a human may more easily assign such as admiralty.
     
    allan
     


  • 6.  Re: [cti-stix] Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

    Posted 09-13-2016 20:08
    While I agree that there may be Threat Intel automatically generated by machines, I don't necessarily agree that this means we should use a single 0-100 range for confidence. We shouldn't conflate multiple different confidence systems together as there is too much risk for misinterpretation. The admiralty code, for example, rates the Reliability of the source as well as the Reliability of the information.

    We need to decide if we are going to pick one system for confidence and mandate it (like admiralty code), or if we are going to allow multiple different confidence systems and will only mandate a MTI version (e.g. a Confidence object similar to the marking object).

    As John mentioned earlier in this email chain, each type of confidence system has its own meanings for things at a different level. Without a way for the producer to specify which confidence level they are using, we run a real chance of consumers interpreting the confidence level incorrectly. In addition, if the overall confidence is tracked via multiple types of confidence (e.g. confidence in the source of the information as well as the information itself) then tracking it via a single number won't work.

    One way we can use the Admiralty code within STIX is to create an Admiralty code Confidence object for use on all STIX objects. Then when people receive the Threat Intel they know that it is 'encoded' as an Admiralty code Confidence and can consume it appropriately. The Admiralty code Confidence object would contain two fields that track:
    - information reliability (confidence the info is true)
    - source reliability (confidence the source is telling the truth)

    I'm not sure that a single 0-100 number is good enough or flexible enough for our needs. We really need those committee members who've worked in intelligence organisations to say what they used internally.

    Cheers
    Terry MacDonald
    Cosive
>    > The purpose of the larger range is simply to accommodate more possible scales than a single 1-5 scale. Nothing more or less.        Indeed. The proposal came from some real cases we had like reorganizing the confidence level of various sources. The 1-5 scale is clearly    for human analysts where the whole range is mainly for machine-to-machine. With the current proposal[2], you can have both.        Compared to the existing confidence level in STIX described with the HighMediumLowVocab-1.0[1], we added a scale    and a clear description for analysts.        [1] http://stixproject.github.io/ data-model/1.2/stixVocabs/ HighMediumLowVocab-1.0/    [2] https://github.com/MISP/misp- taxonomies/blob/master/misp/ machinetag.json#L31        --    Alexandre Dulaunoy    CIRCL - Computer Incident Response Center Luxembourg    41, avenue de la gare L-1611 Luxembourg     info@circl.lu - www.circl.lu        ----------------------------- ------------------------------ ----------    To unsubscribe from this mail list, you must leave the OASIS TC that    generates this mail.  Follow this link to all your TCs in OASIS at:     https://www.oasis-open.org/ apps/org/workgroup/portal/my_ workgroups.php          


  • 7.  Re: [cti-stix] Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

    Posted 09-14-2016 03:21




    Terry –
     
    At the F2F we discussed multiple aspects of confidence and what is intended by the term being considered for inclusion in the spec.  And there was an action to capture the exact meaning
    of what was discussed to ensure people would have something to review online without a lot of emails.

     
    It was agreed there are multiple requirements but for this specific attribute it was considered important enough to represent the ‘source confidence’. That is, the confidence with which
    the source providing the information rates the information reliability.
     
    I agree with your statement that if a source is using a specific scale then they should identify that as part of the confidence rating they provide.

     
    So for sourceConfidence there would be two attributes:
     
    1) ratingType_ov { admiralty, 0-100, other-favored-choices }
    2) ratingValue { where this is a numeric value chosen from the rating Type }
     
    There are many other aspects of rating information being shared both on the creator side and how the recipient wants to rate information once received. For the F2F the group focused on
    how the source wants to rate information being shared.
     
    Allan
     

    From:
    Terry MacDonald <terry.macdonald@cosive.com>
    Date: Tuesday, September 13, 2016 at 1:07 PM
    To: Allan Thomson <athomson@lookingglasscyber.com>
    Cc: Jason Keirstead <Jason.Keirstead@ca.ibm.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "Wunder, John" <jwunder@mitre.org>
    Subject: Re: [cti-stix] Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]


     



    While I agree that there may be Threat Intel automatically generated by machines, I don't necessarily agree that this means we should use a single 0-100 range for confidence.
    We shouldn't conflate multiple different confidence systems together as there is too much risk for misinterpretation. The admiralty code, for example, rates the Reliability of the source as well as the Reliability of the information. We need to decide if
    we are going to pick one system for confidence and mandate it (like admiralty code), or if we are going to allow multiple different confidence systems and will only mandate a MTI version (e.g. a Confidence object similar to the marking object).
    As John mentioned earlier in this email chain, each type of confidence system has its own meanings for things at a different level. Without a way for the producer to specify which confidence level they are using, we run a real chance of consumers interpreting
    the confidence level incorrectly. In addition, if the overall confidence is tracked via multiple types of confidence (e.g. confidence in the source of the information as well as the information itself) then tracking it via a single number won't work.

    One way we can use the Admiralty code within STIX is to create an Admiralty code Confidence object for use on all STIX objects. Then when people receive the Threat Intel they know that it is 'encoded' as an Admiralty code Confidence and can consume it appropriately.

    The Admiralty code Confidence object would contain two fields that track:
    - information reliability (confidence the info is true)
    - source reliability (confidence the source is telling the truth)
    I'm not sure that a single 0-100 number is good enough or flexible enough for our needs.
    We really need those committee members who've worked in intelligence organisations to say what they used internally.
    Cheers
    Terry MacDonald
    Cosive

     

    On 14 Sep 2016 3:14 AM, "Allan Thomson" < athomson@lookingglasscyber.com > wrote:



    I agree with Jason’s arguments. Both on mapping and how the numbers will be assigned by machines & humans.
     
    STIX should focus on exchanging a ‘value’ for machine-to-machine. It’s a data exchange format not a UI exchange. How this information
    is relayed to a human or entered by a human can and may be different.
     
    If a number of 0-100 is chosen then that can be mapped by products to something a human may more easily assign such as admiralty.
     
    allan
     

    From:
    " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org > on
    behalf of Jason Keirstead < Jason.Keirstead@ca.ibm.com >
    Date: Tuesday, September 13, 2016 at 7:58 AM
    To: "Wunder, John" < jwunder@mitre.org >
    Cc: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >
    Subject: Re: [cti-stix] Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]


     



    There is another reason that a numerical scale should be used, that I haven't yet mentioned as I didn't want to conflate the whole "confidence" problem - but I also didn't expect it to be so controversial, so here we go...

    The problem with the admiralty scale is it is very human-focused, but in the current world of CTI you can't make the assumption that the confidence value is being assigned by humans. It will also be assigned by machines as a result of algorithmic and analytical
    processes on the underlying data. When a product produces an intelligent feed of data based on analytics, it will be able to figure out and assign its own confidence metric, that will be calculated based on the confidence levels it has on all of the other
    pieces of data that were factors in the decision. IE, when I am taking 100 pieces of data - each of which has its own confidence value - and producing this other derived piece of data, it's confidence is derived based on all of the other confidence (in the
    simplest scenario, it might be thought of as the simple weighted average of all of the other confidences). You can't do this type of thing with something as simple as the admiralty scale.

    -
    Jason Keirstead
    STSM, Product Architect, Security Intelligence, IBM Security Systems
    www.ibm.com/security
    www.securityintelligence.com

    Without data, all you are is just another person with an opinion - Unknown


    "Wunder, John A." ---09/13/2016 09:34:38 AM---The wider
    scale certainly seems like the path of least resistance. Tools get to do what they want an

    From: "Wunder, John A." < jwunder@mitre.org >
    To: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >
    Date: 09/13/2016 09:34 AM
    Subject: Re: [cti-stix] Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]
    Sent by: < cti-stix@lists.oasis-open.org >








    The wider scale certainly seems like the path of least resistance. Tools get to do what they want and for the most part things should just work. A couple worries (perhaps edge cases?) I would have:

    1. The admiralty scale has specific semantics for each level that tools not using it would of course not honor. So someone who set a confidence of “high” in ToolA, which maps to 100 (let’s say), would get translated to a 1 in the admiralty scale when displayed
    by ToolB. But was it actually confirmed by other sources?
    2. There would potentially be issues where people map scales over differently. I.e. (None, Low, Medium, High) would have a different range than (Low, Medium, High) and so a score of “Low” in ToolC might translate to “None” in ToolD and confuse people. Then
    you have to explain to the user that “well, in reality it’s a 1-100 scale underneath and the products use different scales and……”

    I’m not totally opposed btw, just wanted to point out some of these issues.

    John

    On 9/13/16, 7:42 AM, " cti-stix@lists.oasis-open.org on behalf of Alexandre Dulaunoy" < cti-stix@lists.oasis-open.org on
    behalf of Alexandre.Dulaunoy@circl.lu > wrote:

       On 13/09/16 12:31, Jason Keirstead wrote:
       > Yes, exactly.
       >
       > The purpose of the larger range is simply to accommodate more possible scales than a single 1-5 scale. Nothing more or less.
       
       Indeed. The proposal came from some real cases we had like reorganizing the confidence level of various sources. The 1-5 scale is clearly
       for human analysts where the whole range is mainly for machine-to-machine. With the current proposal[2], you can have both.
       
       Compared to the existing confidence level in STIX described with the HighMediumLowVocab-1.0[1], we added a scale
       and a clear description for analysts.
       
       [1]
    http://stixproject.github.io/data-model/1.2/stixVocabs/HighMediumLowVocab-1.0/
       [2]
    https://github.com/MISP/misp-taxonomies/blob/master/misp/machinetag.json#L31
       
       --
       Alexandre Dulaunoy
       CIRCL - Computer Incident Response Center Luxembourg
       41, avenue de la gare L-1611 Luxembourg
        info@circl.lu -
    www.circl.lu
       
       ---------------------------------------------------------------------
       To unsubscribe from this mail list, you must leave the OASIS TC that

       generates this mail.  Follow this link to all your TCs in OASIS at:
        https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php  
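Jason's derived-confidence argument, quoted in the message above, as an added worked example. This is not code from the thread, from STIX or from any product: the weighted-mean rule, the per-input weight, and the handling of inputs whose confidence cannot be judged are assumptions made here to show the shape of the computation.

```python
"""Machine-derived confidence, in the simplest form Jason describes: the
confidence of a derived piece of intelligence is a weighted mean of the
confidence values of the inputs that produced it.

Added example, not code from the thread or from STIX. Assumptions:
  * every input confidence is already on one 0-100 scale;
  * each input carries a non-negative weight (e.g. from how much the
    producer trusts that feed);
  * an input whose confidence "cannot be judged" is carried as None and is
    left out of the mean rather than silently counted as 0.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Observation:
    confidence: Optional[int]   # 0-100, or None when the producer could not judge it
    weight: float = 1.0         # relative weight of this input (assumption)


def derive_confidence(inputs: Iterable[Observation]) -> Optional[int]:
    """Weighted mean of the usable input confidences, rounded half-up and
    clamped to 0-100. Returns None when nothing usable was supplied, so the
    caller cannot mistake "no evidence" for "confidence 0"."""
    weighted_sum = 0.0
    total_weight = 0.0
    for obs in inputs:
        if obs.weight < 0:
            raise ValueError(f"negative weight: {obs.weight}")
        if obs.confidence is None:
            continue                          # unjudged input contributes nothing
        if not 0 <= obs.confidence <= 100:
            raise ValueError(f"confidence out of range: {obs.confidence}")
        weighted_sum += obs.confidence * obs.weight
        total_weight += obs.weight
    if total_weight == 0:
        return None
    mean = weighted_sum / total_weight
    return max(0, min(100, int(mean + 0.5)))


def example_pipeline() -> Tuple[Optional[int], Optional[int]]:
    """Constructed sample: three feeds report the same indicator; the derived
    indicator confidence then feeds a campaign-level judgement together with
    an analyst's own 0-100 estimate. Shows that derived values compose."""
    feeds = [
        Observation(confidence=90, weight=2.0),    # well-trusted feed, counted twice
        Observation(confidence=70, weight=1.0),
        Observation(confidence=40, weight=1.0),
        Observation(confidence=None, weight=1.0),  # feed could not judge; ignored
    ]
    indicator_conf = derive_confidence(feeds)      # (180 + 70 + 40) / 4 = 72.5 -> 73
    campaign_conf = derive_confidence([
        Observation(confidence=indicator_conf, weight=1.0),
        Observation(confidence=60, weight=1.0),    # analyst's estimate
    ])                                             # (73 + 60) / 2 = 66.5 -> 67
    return indicator_conf, campaign_conf


if __name__ == "__main__":
    print(example_pipeline())
```

The mean is only meaningful because every input is already on the same numeric scale; an Admiralty letter/digit pair has no place in this arithmetic until a producer has chosen (and declared) how to map it, which is the point Terry and Dave raise elsewhere in the thread.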
       
       



















  • 8.  Re: [cti-stix] Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

    Posted 09-14-2016 12:38
    On 13.09.2016 15:14:37, Allan Thomson wrote:
    >
    > STIX should focus on exchanging a ‘value’ for machine-to-machine.
    > It’s a data exchange format not a UI exchange. How this information
    > is relayed to a human or entered by a human can and may be
    > different.
    >
    > If a number of 0-100 is chosen then that can be mapped by products
    > to something a human may more easily assign such as admiralty.
    >
    ^ _____ This!

    --
    Cheers,
    Trey
    ++--------------------------------------------------------------------------++
    Kingfisher Operations, sprl
    gpg fingerprint: 85F3 5F54 4A2A B4CD 33C4 5B9B B30D DD6E 62C8 6C1D
    ++--------------------------------------------------------------------------++
    --
    "There are only two hard things in Computer Science: cache invalidation and naming things." --Phil Karlton


  • 9.  Re: [cti-stix] [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

    Posted 09-13-2016 19:10
    As I just said in my last email, I think for things like this we just pre-define them in normative text. If you have a 1-5 scale, this is what it looks like, if you have a 1-3 scale, this is how it works.

    Thanks,
    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.

    On Sep 13, 2016, at 06:34, Wunder, John A. < jwunder@mitre.org > wrote:

    The wider scale certainly seems like the path of least resistance. Tools get to do what they want and for the most part things should just work. A couple worries (perhaps edge cases?) I would have:

    1. The admiralty scale has specific semantics for each level that tools not using it would of course not honor. So someone who set a confidence of “high” in ToolA, which maps to 100 (let’s say), would get translated to a 1 in the admiralty scale when displayed by ToolB. But was it actually confirmed by other sources?
    2. There would potentially be issues where people map scales over differently. I.e. (None, Low, Medium, High) would have a different range than (Low, Medium, High) and so a score of “Low” in ToolC might translate to “None” in ToolD and confuse people. Then you have to explain to the user that “well, in reality it’s a 1-100 scale underneath and the products use different scales and……”

    I’m not totally opposed btw, just wanted to point out some of these issues.

    John

    On 9/13/16, 7:42 AM, cti-stix@lists.oasis-open.org on behalf of Alexandre Dulaunoy < cti-stix@lists.oasis-open.org on behalf of Alexandre.Dulaunoy@circl.lu > wrote:

       On 13/09/16 12:31, Jason Keirstead wrote:
       > Yes, exactly.
       >
       > The purpose of the larger range is simply to accommodate more possible scales than a single 1-5 scale. Nothing more or less.

       Indeed. The proposal came from some real cases we had like reorganizing the confidence level of various sources. The 1-5 scale is clearly for human analysts where the whole range is mainly for machine-to-machine. With the current proposal[2], you can have both.

       Compared to the existing confidence level in STIX described with the HighMediumLowVocab-1.0[1], we added a scale and a clear description for analysts.

       [1] http://stixproject.github.io/data-model/1.2/stixVocabs/HighMediumLowVocab-1.0/
       [2] https://github.com/MISP/misp-taxonomies/blob/master/misp/machinetag.json#L31

       --
       Alexandre Dulaunoy
       CIRCL - Computer Incident Response Center Luxembourg
       41, avenue de la gare L-1611 Luxembourg
       info@circl.lu - www.circl.lu


  • 10.  Re: [cti-stix] [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

    Posted 09-13-2016 19:12
    I also think we should call out in the specification how you would map this to the Admiralty score.  This way, for people that want to do it, they all do it the same way.

    Thanks,
    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.

    On Sep 13, 2016, at 13:09, Jordan, Bret < bret.jordan@BLUECOAT.COM > wrote:

    As I just said in my last email, I think for things like this we just pre-define them in normative text. If you have a 1-5 scale, this is what it looks like, if you have a 1-3 scale, this is how it works.

    Thanks,
    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.

    On Sep 13, 2016, at 06:34, Wunder, John A. < jwunder@mitre.org > wrote:

    The wider scale certainly seems like the path of least resistance. Tools get to do what they want and for the most part things should just work. A couple worries (perhaps edge cases?) I would have:

    1. The admiralty scale has specific semantics for each level that tools not using it would of course not honor. So someone who set a confidence of “high” in ToolA, which maps to 100 (let’s say), would get translated to a 1 in the admiralty scale when displayed by ToolB. But was it actually confirmed by other sources?
    2. There would potentially be issues where people map scales over differently. I.e. (None, Low, Medium, High) would have a different range than (Low, Medium, High) and so a score of “Low” in ToolC might translate to “None” in ToolD and confuse people. Then you have to explain to the user that “well, in reality it’s a 1-100 scale underneath and the products use different scales and……”

    I’m not totally opposed btw, just wanted to point out some of these issues.

    John

    On 9/13/16, 7:42 AM, cti-stix@lists.oasis-open.org on behalf of Alexandre Dulaunoy < cti-stix@lists.oasis-open.org on behalf of Alexandre.Dulaunoy@circl.lu > wrote:

       On 13/09/16 12:31, Jason Keirstead wrote:
       > Yes, exactly.
       >
       > The purpose of the larger range is simply to accommodate more possible scales than a single 1-5 scale. Nothing more or less.

       Indeed. The proposal came from some real cases we had like reorganizing the confidence level of various sources. The 1-5 scale is clearly for human analysts where the whole range is mainly for machine-to-machine. With the current proposal[2], you can have both.

       Compared to the existing confidence level in STIX described with the HighMediumLowVocab-1.0[1], we added a scale and a clear description for analysts.

       [1] http://stixproject.github.io/data-model/1.2/stixVocabs/HighMediumLowVocab-1.0/
       [2] https://github.com/MISP/misp-taxonomies/blob/master/misp/machinetag.json#L31

       --
       Alexandre Dulaunoy
       CIRCL - Computer Incident Response Center Luxembourg
       41, avenue de la gare L-1611 Luxembourg
       info@circl.lu - www.circl.lu


  • 11.  Re: [cti-stix] [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

    Posted 09-14-2016 14:02
    I don't think you can map Admiralty Code to a single Confidence score - Admiralty Code doesn't equate to confidence, quite. The code divides into two, but one is the Source Reliability and the other is the Credibility of the particular event.

    The idea is that you can express "we think this is very plausible, though it is uncorroborated and our source is unreliable", versus "we think this is unlikely, but the source has been historically reliable". It feels, to my mind, that these might influence an overall confidence but they have considerable nuance, and I'm not convinced they're directly comparable, and the next steps - to improve confidence - are different in each case (the former case is "get corroboration", the latter might be "ask the source for more information").

    On top of that, even if you pretend the likelihood scoring is a simple 1-5 confidence score (and 6 "I dunno"), then it's not clear it maps evenly across a linear scale - but it might.

    Finally, even if you figure out a mapping to a single numeric score, you're never going to be able to map back.

    On 13 September 2016 at 20:12, Jordan, Bret < bret.jordan@bluecoat.com > wrote:

    I also think we should call out in the specification how you would map this to the Admiralty score.  This way, for people that want to do it, they all do it the same way.

    Thanks,
    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

    On Sep 13, 2016, at 13:09, Jordan, Bret < bret.jordan@BLUECOAT.COM > wrote:

    As I just said in my last email, I think for things like this we just pre-define them in normative text. If you have a 1-5 scale, this is what it looks like, if you have a 1-3 scale, this is how it works.

    Thanks,
    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

    On Sep 13, 2016, at 06:34, Wunder, John A. < jwunder@mitre.org > wrote:

    The wider scale certainly seems like the path of least resistance. Tools get to do what they want and for the most part things should just work. A couple worries (perhaps edge cases?) I would have:

    1. The admiralty scale has specific semantics for each level that tools not using it would of course not honor. So someone who set a confidence of “high” in ToolA, which maps to 100 (let’s say), would get translated to a 1 in the admiralty scale when displayed by ToolB. But was it actually confirmed by other sources?
    2. There would potentially be issues where people map scales over differently. I.e. (None, Low, Medium, High) would have a different range than (Low, Medium, High) and so a score of “Low” in ToolC might translate to “None” in ToolD and confuse people. Then you have to explain to the user that “well, in reality it’s a 1-100 scale underneath and the products use different scales and……”

    I’m not totally opposed btw, just wanted to point out some of these issues.

    John

    On 9/13/16, 7:42 AM, " cti-stix@lists.oasis-open.org on behalf of Alexandre Dulaunoy" < cti-stix@lists.oasis-open.org on behalf of Alexandre.Dulaunoy@circl.lu > wrote:

       On 13/09/16 12:31, Jason Keirstead wrote:
       > Yes, exactly.
       >
       > The purpose of the larger range is simply to accommodate more possible scales than a single 1-5 scale. Nothing more or less.

       Indeed. The proposal came from some real cases we had like reorganizing the confidence level of various sources. The 1-5 scale is clearly for human analysts where the whole range is mainly for machine-to-machine. With the current proposal[2], you can have both.

       Compared to the existing confidence level in STIX described with the HighMediumLowVocab-1.0[1], we added a scale and a clear description for analysts.

       [1] http://stixproject.github.io/data-model/1.2/stixVocabs/HighMediumLowVocab-1.0/
       [2] https://github.com/MISP/misp-taxonomies/blob/master/misp/machinetag.json#L31

       --
       Alexandre Dulaunoy
       CIRCL - Computer Incident Response Center Luxembourg
       41, avenue de la gare L-1611 Luxembourg
       info@circl.lu - www.circl.lu

    --
    Dave Cridland
    phone   +448454681066
    email   dave.cridland@surevine.com
    skype   dave.cridland.surevine

    Participate Collaborate Innovate
    Surevine Limited, registered in England and Wales with number 06726289. Mailing Address : PO Box 1136, Guildford GU1 9ND
    If you think you have received this message in error, please notify us.
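The two-axis Admiralty rating Terry proposed as a Confidence object (message 7 above), Allan's ratingType/ratingValue pairing from the same message, and Dave's point just above that such a rating cannot be collapsed to one number and then recovered, as one added worked example. This is not code from the thread or from STIX. The letter and digit definitions are the standard Admiralty Code ones; the field names (`rating_type`, `source_reliability`, `information_credibility`, `rating_value`) and the single-number collapse in `admiralty_to_score` are assumptions made here, the latter chosen only to show that any such collapse is lossy.

```python
"""Two-axis Admiralty rating as a confidence object, plus a demonstration
that collapsing it to a single 0-100 number cannot be inverted.

Added example, not code from the thread or from STIX. The letter/digit
definitions are the standard Admiralty Code ones; the field names and the
numeric collapse are assumptions made here for illustration.
"""
from itertools import product
from typing import Dict, List, Optional

SOURCE_RELIABILITY = {
    "A": "Completely reliable",
    "B": "Usually reliable",
    "C": "Fairly reliable",
    "D": "Not usually reliable",
    "E": "Unreliable",
    "F": "Reliability cannot be judged",
}
INFO_CREDIBILITY = {
    1: "Confirmed by other sources",
    2: "Probably true",
    3: "Possibly true",
    4: "Doubtful",
    5: "Improbable",
    6: "Truth cannot be judged",
}


def validate_confidence(obj: dict) -> None:
    """Check a confidence object of the shape discussed in the thread:
    rating_type says which system the producer used, and the value fields
    must match that system. Raises ValueError on anything malformed."""
    rating_type = obj.get("rating_type")
    if rating_type == "admiralty":
        letter = obj.get("source_reliability")
        digit = obj.get("information_credibility")
        if letter not in SOURCE_RELIABILITY:
            raise ValueError(f"bad source reliability: {letter!r}")
        if digit not in INFO_CREDIBILITY:
            raise ValueError(f"bad information credibility: {digit!r}")
    elif rating_type == "0-100":
        value = obj.get("rating_value")
        # bool is a subclass of int in Python; True must not pass as 1
        if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 100:
            raise ValueError(f"bad 0-100 rating value: {value!r}")
    else:
        raise ValueError(f"unknown rating_type: {rating_type!r}")


def is_valid_confidence(obj: dict) -> bool:
    try:
        validate_confidence(obj)
        return True
    except ValueError:
        return False


# Hypothetical collapse to one number (assumption): credibility sets a base
# score, reliability scales it. F and 6 ("cannot be judged") yield None.
_CREDIBILITY_BASE = {1: 90, 2: 70, 3: 50, 4: 30, 5: 10}
_RELIABILITY_TENTHS = {"A": 10, "B": 8, "C": 6, "D": 4, "E": 2}


def admiralty_to_score(letter: str, digit: int) -> Optional[int]:
    if letter not in _RELIABILITY_TENTHS or digit not in _CREDIBILITY_BASE:
        return None
    return _CREDIBILITY_BASE[digit] * _RELIABILITY_TENTHS[letter] // 10


def score_collisions() -> Dict[int, List[str]]:
    """Every score that more than one Admiralty rating collapses to. Any
    non-empty result shows the mapping cannot be inverted: a consumer seeing
    the number cannot tell 'reliable source, doubtful info' (A4) from
    'fairly reliable source, possibly true' (C3), and the follow-up action
    differs (ask the source for more vs. get corroboration)."""
    by_score: Dict[int, List[str]] = {}
    for letter, digit in product(_RELIABILITY_TENTHS, _CREDIBILITY_BASE):
        score = admiralty_to_score(letter, digit)
        by_score.setdefault(score, []).append(f"{letter}{digit}")
    return {s: sorted(codes) for s, codes in by_score.items() if len(codes) > 1}


if __name__ == "__main__":
    validate_confidence({"rating_type": "admiralty",
                         "source_reliability": "B", "information_credibility": 2})
    for score, codes in sorted(score_collisions().items()):
        print(score, codes)
```

Whatever numeric collapse a product picks, the collision table is the check to run before shipping it: every entry is a pair of ratings a downstream analyst can no longer distinguish, which is exactly why the thread leans towards carrying the rating type alongside the value.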


  • 12.  Re: [cti-stix] [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

    Posted 09-14-2016 15:56




     
    Dave Cridland <dave.cridland@surevine.com>; Jordan, Bret
    bret.jordan@bluecoat.com
     
     
     
    Nicely said Dave.
     
    Source reliability on intelligence content is an estimative judgement on the reliability of the sources used to derive that piece of intelligence from. Credibility is about corroboration across
    those sources. In the context of STIX they are the judgement of the producer of this intelligence. It is up to any subsequent capability to judge it in a similar fashion.
     
    Confidence is more an analyst's estimative judgement. It appears in many different forms, but in intelligence it's pretty much an industry standard to use Sherman Kent’s model;
    Certain                100%    Give or take 0%
    Almost Certain          93%    Give or take about 6%
    Probable                75%    Give or take about 12%
    Chances About Even      50%    Give or take about 10%
    Probably Not            30%    Give or take about 10%
    Almost Certainly Not     7%    Give or take about 5%
    Impossible               0%    Give or take 0%

     
    But it is not the SCALE that matters most, it is the agreement among the STIX community WHAT the confidence estimation is for. E.g. confidence in maliciousness, confidence in the analysis
    provided (e.g. written), confidence in the correctness of attributes or relationships (structured). Generally confidence is provided as a confidence of the “correctness” of analysis whatever it is. Additionally, available on attributes.
     
    So if STIX wants to facilitate the exchange of very commonly available intelligence sources it should at least:
    1. facilitate admiralty
    2. facilitate a generic confidence statement
    3. facilitate confidence as an extension to common components of entities such as malicious vs safe for certain attributes or anything else we feel relevant
     
    If we follow Kent’s work on estimative probability it would be fine to use a 0-100 scale IF it's percentages. From which we can deduce, through a known and accepted standard, the level equivalents.
     
    Best regards,
    Joep
     
     
     
     
     
     

    From:
    <cti-stix@lists.oasis-open.org> on behalf of Dave Cridland <dave.cridland@surevine.com>
    Date: Wednesday, September 14, 2016 at 4:02 PM
    To: "Jordan, Bret" <bret.jordan@bluecoat.com>
    Cc: "Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Subject: Re: [cti-stix] [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]


     




    I don't think you can map Admiralty Code to a single Confidence score - Admiralty Code doesn't equate to confidence, quite. The code divides into two, but one is the Source Reliability and the other is the Credibility of the particular
    event.

     


    The idea is that you can express "we think this is very plausible, though it is uncorroborated and our source is unreliable", versus "we think this is unlikely, but the source has been historically reliable". It feels, to my mind, that
    these might influence an overall confidence but they have considerable nuance, and I'm not convinced they're directly comparable, and the next steps - to improve confidence - are different in each case (the former case is "get corroboration", the latter might
    be "ask the source for more information").


     


    On top of that, even if you pretend the likelihood scoring is a simple 1-5 confidence score (and 6 "I dunno"), then it's not clear it maps evenly across a linear scale - but it might.


     


    Finally, even if you figure out a mapping to a single numeric score, you're never going to be able to map back.



     

    On 13 September 2016 at 20:12, Jordan, Bret < bret.jordan@bluecoat.com > wrote:

    I also think we should call out in the specification how you would map this to the Admiralty score.  This way, for people that want to do it, they all do it the same way.

    Thanks,

    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

    On Sep 13, 2016, at 13:09, Jordan, Bret < bret.jordan@BLUECOAT.COM > wrote:

    As I just said in my last email, I think for things like this we just pre-define them in normative text. If you have a 1-5 scale, this is what it looks like, if you have a 1-3 scale, this is how it works.

    Thanks,

    Bret

    On Sep 13, 2016, at 06:34, Wunder, John A. < jwunder@mitre.org > wrote:

    The wider scale certainly seems like the path of least resistance. Tools get to do what they want and for the most part things should just work. A couple of worries (perhaps edge cases?) I would have:

    1. The admiralty scale has specific semantics for each level that tools not using it would of course not honor. So someone who set a confidence of “high” in ToolA, which maps to 100 (let’s say), would get translated to a 1 in the admiralty scale when displayed by ToolB. But was it actually confirmed by other sources?
    2. There would potentially be issues where people map scales over differently. I.e. (None, Low, Medium, High) would have a different range than (Low, Medium, High) and so a score of “Low” in ToolC might translate to “None” in ToolD and confuse people. Then you have to explain to the user that “well, in reality it’s a 1-100 scale underneath and the products use different scales and……”

    I’m not totally opposed btw, just wanted to point out some of these issues.

    John

    On 9/13/16, 7:42 AM, "cti-stix@lists.oasis-open.org on behalf of Alexandre Dulaunoy" < cti-stix@lists.oasis-open.org on behalf of Alexandre.Dulaunoy@circl.lu > wrote:

       On 13/09/16 12:31, Jason Keirstead wrote:

    Yes, exactly.

    The purpose of the larger range is simply to accommodate more possible scales than a single 1-5 scale. Nothing more or less.

       Indeed. The proposal came from some real cases we had like reorganizing the confidence level of various sources. The 1-5 scale is clearly for human analysts where the whole range is mainly for machine-to-machine. With the current proposal[2], you can have both.

       Compared to the existing confidence level in STIX described with the HighMediumLowVocab-1.0[1], we added a scale and a clear description for analysts.

       [1] http://stixproject.github.io/data-model/1.2/stixVocabs/HighMediumLowVocab-1.0/
       [2] https://github.com/MISP/misp-taxonomies/blob/master/misp/machinetag.json#L31

       --
       Alexandre Dulaunoy
       CIRCL - Computer Incident Response Center Luxembourg
       41, avenue de la gare L-1611 Luxembourg
       info@circl.lu - www.circl.lu


    --
    Dave Cridland
    phone  +448454681066
    email   dave.cridland@surevine.com
    skype  dave.cridland.surevine

    Participate Collaborate Innovate

    Surevine Limited, registered in England and Wales with number 06726289. Mailing Address : PO Box 1136, Guildford GU1 9ND
    If you think you have received this message in error, please notify us.


  • 13.  Re: [cti-stix] [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

    Posted 09-14-2016 20:58
    So what I am hearing is that we may need multiple properties to do this correctly???  Based on this discussion maybe we do Admiralty Scale AND something else.  If they are both optional, then people can pick the one they want to use.  What I do not like is the idea of using random extensions to things.  That was, IMHO, one of the biggest failing points of STIX 1.x.

    Thanks,

    Bret

    On Sep 14, 2016, at 09:55, Joep Gommers < joep@eclecticiq.com > wrote:

    Nicely said Dave.

    Source reliability on intelligence content is an estimative judgement on the reliability of the sources used to derive that piece of intelligence from. Credibility is about corroboration across those sources. In the context of STIX they are the judgement of the producer of this intelligence. It is up to any subsequent capability to judge it in a similar fashion.

    Confidence is more an analyst's estimative judgement. It appears in many different forms, but in intelligence it's pretty much an industry standard to use Sherman Kent’s model:

    Certain                 100%    Give or take 0%
    Almost Certain           93%    Give or take about 6%
    Probable                 75%    Give or take about 12%
    Chances About Even       50%    Give or take about 10%
    Probably Not             30%    Give or take about 10%
    Almost Certainly Not      7%    Give or take about 5%
    Impossible                0     Give or take 0%

    But it is not the SCALE that matters most, it is the agreement among the STIX community WHAT the confidence estimation is for. E.g. confidence in maliciousness, confidence in the analysis provided (e.g. written), confidence in the correctness of attributes or relationships (structured). Generally confidence is provided as a confidence of the “correctness” of analysis, whatever it is. Additionally, available on attributes.

    So if STIX wants to facilitate the exchange of very commonly available intelligence sources it should at least:
    1. facilitate admiralty
    2. facilitate a generic confidence statement
    3. facilitate confidence as an extension to common components of entities, such as malicious vs safe for certain attributes or anything else we feel relevant

    If we follow Kent’s work on estimative probability it would be fine to use a 0-100 scale IF it's percentages. From which we can deduce, through a known and accepted standard, the level equivalents.

    Best regards,
    Joep
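The scale-translation problems raised in this thread (John Wunder's ToolA/ToolB and ToolC/ToolD cases, Dave Cridland's point that a single score cannot be mapped back, and Joep Gommers's Kent percentages), worked through as an added example; this is not code from the thread, STIX or MISP, and the vocabularies and the even-spreading rule are constructed assumptions, not a proposed mapping.

```python
"""Translating discrete confidence vocabularies through a single 0-100 score.

Added example, not from the thread. The vocabularies below and the
even-spreading rule are assumptions chosen to reproduce the cases the
thread raises; they are not a standard mapping.
"""

# Ordered from lowest confidence to highest. Admiralty credibility runs the
# other way (1 = confirmed by other sources, 5 = improbable), so it is listed
# reversed; the sixth value (6 = cannot be judged) has no place on a numeric
# scale and is handled separately.
VOCABS = {
    "five_step": ["1", "2", "3", "4", "5"],
    "three_step": ["1", "2", "3"],
    "none_low_medium_high": ["None", "Low", "Medium", "High"],
    "low_medium_high": ["Low", "Medium", "High"],
    "admiralty_credibility": ["5", "4", "3", "2", "1"],
}

# Sherman Kent's words of estimative probability as quoted in the thread:
# (label, central percentage, give-or-take).
KENT = [
    ("Impossible", 0, 0),
    ("Almost Certainly Not", 7, 5),
    ("Probably Not", 30, 10),
    ("Chances About Even", 50, 10),
    ("Probable", 75, 12),
    ("Almost Certain", 93, 6),
    ("Certain", 100, 0),
]


def to_score(vocab, label):
    """Spread an n-step vocabulary evenly over 0..100 (lowest = 0, highest = 100)."""
    if vocab == "admiralty_credibility" and label == "6":
        return None  # "cannot be judged" carries no confidence value
    labels = VOCABS[vocab]
    return (100 * labels.index(label)) // (len(labels) - 1)


def from_score(vocab, score):
    """Nearest label of a vocabulary for a 0..100 score (ties round up)."""
    labels = VOCABS[vocab]
    steps = len(labels) - 1
    index = (2 * score * steps + 100) // 200  # integer round-half-up of score*steps/100
    return labels[index]


def translate(src_vocab, label, dst_vocab):
    """What a value set in one tool's vocabulary displays as in another tool's."""
    score = to_score(src_vocab, label)
    return None if score is None else from_score(dst_vocab, score)


def round_trip_losses(src_vocab, via_vocab):
    """Labels of src_vocab that do not survive a trip through via_vocab and back.

    Each entry is (original, as seen in via_vocab, what comes back)."""
    lost = []
    for label in VOCABS[src_vocab]:
        there = translate(src_vocab, label, via_vocab)
        back = translate(via_vocab, there, src_vocab)
        if back != label:
            lost.append((label, there, back))
    return lost


def kent_label(score):
    """Nearest Kent term for a percentage, and whether the score actually lies
    inside the give-or-take band Kent attached to that term."""
    label, centre, spread = min(KENT, key=lambda k: abs(score - k[1]))
    return label, abs(score - centre) <= spread


if __name__ == "__main__":
    # John Wunder's two worries, reproduced with the constructed vocabularies.
    print(translate("low_medium_high", "Low", "none_low_medium_high"))         # None
    print(translate("none_low_medium_high", "High", "admiralty_credibility"))  # 1
    # Dave Cridland's point: the single score cannot be mapped back losslessly
    # from a narrower scale, although the wider scale does survive the narrower one.
    print(round_trip_losses("five_step", "three_step"))
    print(round_trip_losses("three_step", "five_step"))
    # Joep Gommers's point: percentages can be read against Kent's bands,
    # but not every percentage falls inside one of them.
    print(kent_label(75), kent_label(15))
```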


  • 14.  Re: [cti-stix] [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

    Posted 09-14-2016 16:50
    To be clear - everything we are discussing here is credibility of the event. As Alan stated, we dug into this a bit at the F2F and it is obvious that there are going to have to be other metrics affiliated with STIX data - confidence, credibility, relevance are obvious, but there are potentially others. But - we need to tackle one at a time (or just go out on a limb and give the same scale for each).

    - Jason Keirstead
    STSM, Product Architect, Security Intelligence, IBM Security Systems
    www.ibm.com/security
    www.securityintelligence.com
    Without data, all you are is just another person with an opinion - Unknown




  • 15.  Re: [cti-stix] [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

    Posted 09-14-2016 21:00
    Maybe this is the exact discussion we should be having....  What are the confidence-like properties we should include on all objects?  Is it 2, 3, or 4 different properties?  Once we have those figured out, we can work on their definitions and how best to use them.

    Thanks,

    Bret


  • 16.  Re: [cti-stix] [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

    Posted 09-15-2016 14:02
    The four that immediately come to mind are confidence, credibility, severity, and relevance.
    Relevance is unlikely to be shared outside an organizational boundary, but may be within some trust groups. Tools will also need to be able to communicate it over STIX, regardless of if it leaves the boundary.
    - Jason Keirstead STSM, Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security www.securityintelligence.com Without data, all you are is just another person with an opinion - Unknown "Jordan, Bret" ---09/14/2016 05:59:41 PM---Maybe this is the exact discussion we should be having.... What are the confidence like properties From: "Jordan, Bret" <bret.jordan@bluecoat.com> To: Jason Keirstead/CanEast/IBM@IBMCA Cc: Dave Cridland <dave.cridland@surevine.com>, "Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> Date: 09/14/2016 05:59 PM Subject: Re: [cti-stix] [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September] Sent by: <cti-stix@lists.oasis-open.org> Maybe this is the exact discussion we should be having.... What are the confidence like properties we should include on all objects? Is it 2, 3, or 4 different properties? Once we have those figured out, we can work on their definitions and how best to use them. Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
    On Sep 14, 2016, at 10:49, Jason Keirstead < Jason.Keirstead@ca.ibm.com > wrote:
    To be clear - everything we are discussing here is credibility of the event. As Alan stated, we dug into this a bit at the F2F and it is obvious that there are going to have to be other metrics affiliated with STIX data - confidence, credibility, relevance are obvious, but there are potentially others. But - we need to tackle one at a time (or just go out on a limb and give the same scale for each). - Jason Keirstead STSM, Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security www.securityintelligence.com Without data, all you are is just another person with an opinion - Unknown <graycol.gif> Dave Cridland ---09/14/2016 11:02:25 AM---I don't think you can map Admiralty Code to a single Confidence score - Admiralty Code doesn't equat From: Dave Cridland < dave.cridland@surevine.com > To: "Jordan, Bret" < bret.jordan@bluecoat.com > Cc: "Wunder, John A." < jwunder@mitre.org >, " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org > Date: 09/14/2016 11:02 AM Subject: Re: [cti-stix] [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September] Sent by: < cti-stix@lists.oasis-open.org >
    I don't think you can map Admiralty Code to a single Confidence score - Admiralty Code doesn't equate to confidence, quite. The code divides into two, but one is the Source Reliability and the other is the Credibility of the particular event. The idea is that you can express "we think this is very plausible, though it is uncorroborated and our source is unreliable", versus "we think this is unlikely, but the source has been historically reliable". It feels, to my mind, that these might influence an overall confidence but they have considerable nuance, and I'm not convinced they're directly comparable, and the next steps - to improve confidence - are different in each case (the former case is "get corroboration", the latter might be "ask the source for more information").

    On top of that, even if you pretend the likelihood scoring is a simple 1-5 confidence score (and 6 "I dunno"), then it's not clear it maps evenly across a linear scale - but it might.

    Finally, even if you figure out a mapping to a single numeric score, you're never going to be able to map back.

    On 13 September 2016 at 20:12, Jordan, Bret < bret.jordan@bluecoat.com > wrote:

    I also think we should call out in the specification how you would map this to the Admiralty score. This way, for people that want to do it, they all do it the same way.

    Thanks,
    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards
    Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

    On Sep 13, 2016, at 13:09, Jordan, Bret < bret.jordan@BLUECOAT.COM > wrote:

    As I just said in my last email, I think for things like this we just pre-define them in normative text. If you have a 1-5 scale, this is what it looks like, if you have a 1-3 scale, this is how it works.

    Thanks,
    Bret

    On Sep 13, 2016, at 06:34, Wunder, John A. < jwunder@mitre.org > wrote:

    The wider scale certainly seems like the path of least resistance. Tools get to do what they want and for the most part things should just work. A couple worries (perhaps edge cases?) I would have:

    1. The admiralty scale has specific semantics for each level that tools not using it would of course not honor. So someone who set a confidence of “high” in ToolA, which maps to 100 (let’s say), would get translated to a 1 in the admiralty scale when displayed by ToolB. But was it actually confirmed by other sources?

    2. There would potentially be issues where people map scales over differently. I.e. (None, Low, Medium, High) would have a different range than (Low, Medium, High) and so a score of “Low” in ToolC might translate to “None” in ToolD and confuse people. Then you have to explain to the user that “well, in reality it’s a 1-100 scale underneath and the products use different scales and……”

    I’m not totally opposed btw, just wanted to point out some of these issues.

    John

    On 9/13/16, 7:42 AM, "cti-stix@lists.oasis-open.org on behalf of Alexandre Dulaunoy" < Alexandre.Dulaunoy@circl.lu > wrote:

    On 13/09/16 12:31, Jason Keirstead wrote:
    Yes, exactly. The purpose of the larger range is simply to accommodate more possible scales than a single 1-5 scale. Nothing more or less.

    Indeed. The proposal came from some real cases we had like reorganizing the confidence level of various sources. The 1-5 scale is clearly for human analysts where the whole range is mainly for machine-to-machine. With the current proposal[2], you can have both.

    Compared to the existing confidence level in STIX described with the HighMediumLowVocab-1.0[1], we added a scale and a clear description for analysts.

    [1] http://stixproject.github.io/data-model/1.2/stixVocabs/HighMediumLowVocab-1.0/
    [2] https://github.com/MISP/misp-taxonomies/blob/master/misp/machinetag.json#L31

    --
    Alexandre Dulaunoy
    CIRCL - Computer Incident Response Center Luxembourg
    41, avenue de la gare L-1611 Luxembourg
    info@circl.lu - www.circl.lu

    ---------------------------------------------------------------------
    To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

    --
    Dave Cridland
    phone +448454681066
    email dave.cridland@surevine.com
    skype dave.cridland.surevine
    Surevine Limited, registered in England and Wales with number 06726289. Mailing Address: PO Box 1136, Guildford GU1 9ND
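Dave's two-axis point above, carried into code as an added example (this is not code from the thread, from STIX or from MISP): an Admiralty rating keeps source reliability (A-F) and information credibility (1-6) separate, the follow-up action depends on which axis is weak, and once the pair is folded into one 0-100 number several distinct ratings land on the same score, so the number cannot be mapped back. The per-level values (100/80/60/40/20), the plain average, and the `next_step` rule are assumptions made for this demo, not any standard's mapping.

```python
"""The Admiralty Code as two independent ratings, and what is lost when they
are folded into one number.  Added illustration for the thread above; not code
from the thread, STIX or MISP.  The numeric values and the averaging are
assumptions made for the demo, not any standard's mapping."""
from dataclasses import dataclass
from typing import List, Optional

# Source reliability A-F and information credibility 1-6 with their usual
# descriptions.  "F" and "6" mean the rating cannot be judged, not "lowest".
RELIABILITY = {
    "A": "Completely reliable", "B": "Usually reliable", "C": "Fairly reliable",
    "D": "Not usually reliable", "E": "Unreliable", "F": "Cannot be judged",
}
CREDIBILITY = {
    1: "Confirmed by other sources", 2: "Probably true", 3: "Possibly true",
    4: "Doubtful", 5: "Improbable", 6: "Cannot be judged",
}
# Assumed numeric values for the gradable levels; "cannot judge" gets none.
RELIABILITY_VALUE = {"A": 100, "B": 80, "C": 60, "D": 40, "E": 20, "F": None}
CREDIBILITY_VALUE = {1: 100, 2: 80, 3: 60, 4: 40, 5: 20, 6: None}


@dataclass(frozen=True)
class AdmiraltyRating:
    reliability: str   # one of A-F
    credibility: int   # one of 1-6

    def __post_init__(self) -> None:
        if self.reliability not in RELIABILITY or self.credibility not in CREDIBILITY:
            raise ValueError(f"invalid Admiralty rating {self.reliability}{self.credibility}")

    @property
    def code(self) -> str:
        return f"{self.reliability}{self.credibility}"

    def describe(self) -> str:
        return f"{self.code}: {RELIABILITY[self.reliability]} / {CREDIBILITY[self.credibility]}"


def next_step(r: AdmiraltyRating) -> str:
    """The corrective action depends on WHICH axis is weak, which a single
    collapsed score no longer tells you (assumed rule for the demo)."""
    if r.reliability in ("D", "E", "F"):
        return "get corroboration from an independent source"
    if r.credibility in (3, 4, 5, 6):
        return "ask the (reliable) source for more information"
    return "none: reliable source, confirmed information"


def to_single_score(r: AdmiraltyRating) -> Optional[int]:
    """Fold both axes into one 0-100 number (assumed: plain average of the
    gradable axes).  Returns None when neither axis can be judged."""
    values = [v for v in (RELIABILITY_VALUE[r.reliability],
                          CREDIBILITY_VALUE[r.credibility]) if v is not None]
    return sum(values) // len(values) if values else None


def preimages(score: int) -> List[str]:
    """Every rating that collapses to `score`; more than one means the
    mapping cannot be reversed."""
    return sorted(
        AdmiraltyRating(rel, cred).code
        for rel in RELIABILITY for cred in CREDIBILITY
        if to_single_score(AdmiraltyRating(rel, cred)) == score
    )


if __name__ == "__main__":
    # "plausible but from an unreliable source" vs "unlikely but from a
    # reliable source" score the same and need different follow-up.
    for code in ("E2", "B5"):
        r = AdmiraltyRating(code[0], int(code[1]))
        print(r.describe(), "->", to_single_score(r), "| next:", next_step(r))
    print("ratings that all collapse to 50:", preimages(50))
```

E2 ("Unreliable / Probably true") and B5 ("Usually reliable / Improbable") both collapse to 50 under the assumed average, yet one calls for corroboration and the other for going back to the source; `preimages(50)` lists four distinct ratings behind that one number, and a score of 60 is shared by seven once the "cannot be judged" levels are included, which is the non-reversibility Dave describes.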




  • 17.  RE: [cti-stix] Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

    Posted 09-13-2016 12:52

    So if we have a 0-100 scale in the standard but most human operators want 1-5, do those map to 1-5, or do we require up-scaling to 20, 40, 60, 80, 100? We have to be declarative as to how to support both in one value set.

    Sent from my Windows 10 phone
     

    From: Jason Keirstead
    Sent: Tuesday, September 13, 2016 6:31 AM
    To: Andras Iklody
    Cc: Joep Gommers; cti-stix@lists.oasis-open.org; Marko Dragoljevic; cti@lists.oasis-open.org; Dave Cridland; JE; Terry MacDonald; Patrick Maroney; Mark Clancy
    Subject: Re: [cti-stix] Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

    Yes, exactly.

    The purpose of the larger range is simply to accommodate more possible scales than a single 1-5 scale. Nothing more or less.


    --
    Sent from my mobile device, please excuse any typos.


    Andras Iklody --- Re: [cti-stix] Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September] ---

    From: "Andras Iklody" <andras.iklody@gmail.com>
    To: "Joep Gommers" <joep@eclecticiq.com>
    Cc: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>, cti-stix@lists.oasis-open.org, "Marko Dragoljevic" <marko@eclecticiq.com>, cti@lists.oasis-open.org, "Dave Cridland" <dave.cridland@surevine.com>, "JE" <je@cybersecurityscout.eu>, "Terry MacDonald" <terry.macdonald@cosive.com>, "Patrick Maroney" <Pmaroney@specere.org>, "Mark Clancy" <mclancy@soltra.com>
    Date: Tue, Sep 13, 2016 3:52 AM
    Subject: Re: [cti-stix] Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

    The idea is definitely to use descriptive language and convert to a unified scale. A 5 step scale limits the conversion of 4 and 3 step scales, 0-100 simply accommodates more toes of descriptive language.

    On Sep 13, 2016 8:18 AM, "Joep Gommers" < joep@eclecticiq.com > wrote:



    For what it's worth, reflecting on intelligence tradecraft, I’m fully supportive of a 1-5 scale (or similar order magnitude) so that you can build clear analytic constructs and constraints around each scale. 1-100 for an analytic judgement is not just overkill, it breaks the ability for an analyst to apply such analytic tradecraft. That said, having a 1-100 score if this is mostly created by machines, for machines, with a known algorithm makes all the sense – but don’t think we are intended to create that. Or have both * ducks *…
     

    From:
    < cti@lists.oasis-open.org > on behalf of Mark Clancy < mclancy@soltra.com >
    Date: Monday, September 12, 2016 at 8:43 PM
    To: Marko Dragoljevic < marko@eclecticiq.com >, Terry MacDonald < terry.macdonald@cosive.com >
    Cc: Jason Keirstead < Jason.Keirstead@ca.ibm.com >, Patrick Maroney <Pmaroney@Specere.org>, Dave Cridland < dave.cridland@surevine.com >,
    JE < je@cybersecurityscout.eu >, " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >,
    " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >
    Subject: Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]


     



    We are trying to add a level of precision to information that generally lacks reproducible precision when two parties review the exact same set of facts. That leads you to wanting a scheme that does not create the illusion of precision where none exists. We don’t need two significant digits of precision for confidence so I think the 0-100 scheme is overkill. Yes it exists today in Stix1.0, but has anybody actually analyzed how many unique precision values have been used in CTI data to date?
     
     
    -Mark
     
     

    From:
    < cti@lists.oasis-open.org > on behalf of Marko Dragoljevic < marko@eclecticiq.com >
    Date: Friday, September 9, 2016 at 4:37 AM
    To: Terry MacDonald < terry.macdonald@cosive.com >
    Cc: Jason Keirstead < Jason.Keirstead@ca.ibm.com >, Patrick Maroney <Pmaroney@Specere.org>, Dave Cridland < dave.cridland@surevine.com >,
    JE < je@cybersecurityscout.eu >, " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >,
    " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >
    Subject: Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]


     




    Hi all


     

    +1 for all comments from Terry

     


    Few extra thoughts:


    - Reliability of Source and other similar evaluation methods used across types of Intelligence are not meant to provide "specific quantification" but rather to “inform” with certain degree of error margin. Then, it’s up to analysts, consumers (human, products) or policy makers (stakeholders) to “interpret” this and eventually make decisions or informed actions.

    - It should be up to specific Technology Products to implement how mapping of this and other evaluation methods or scores into specific numbers actually works when and if needed. I can imagine that end users would want to be able to fine tune these “formulas” based on specific use cases.


     



    Thanks,
    Marko Dragoljevic
    VP Technology, Chief Architect
    marko@eclecticiq.com
    +31 643 919 496

    EclecticIQ
    Intelligence Powered Defense
    https://www.eclecticiq.com


     



    On 09 Sep 2016, at 01:16, Terry MacDonald < terry.macdonald@cosive.com > wrote:

     


    I would disagree with using a numbering scheme (and especially one with a range of 0-100), as it makes it much more complex than it needs to be.


     


    Is something that is confidence level 82 really that worse than confidence 83? How is a user going to understand the difference at those small levels of difference? Will they care about the difference at all? Do people really want 6 different levels of difference rather than 100?


     


    If we use an existing methodology that has been used for many years in the intelligence community such as the Admiralty Code then it is something that is understandable and useable by humans. 


     


    I believe they will be able to comprehend the difference between 'Reliability of Source - B - Usually reliable' and 'Reliability of Source - D - Not usually reliable' a lot easier than looking at 'Reliability of Source - 79' and 'Reliability of Source - 48'.


     













    Cheers

    Terry MacDonald   Chief Product Officer

    M:   +64 211 918 814
    E:   terry.macdonald@cosive.com
    W:   www.cosive.com


     



     


     








     

    On Fri, Sep 9, 2016 at 7:39 AM, Jason Keirstead < Jason.Keirstead@ca.ibm.com > wrote:


    I very much like the idea of adding support for the MISP taxonomies, but I still think that confidence should be a numerical value.


    I would like to see a way that the admiralty scale taxonomy can be mapped to a numerical equivalent. That way if someone wants to use a different taxonomy because the admiralty scale is either too broad or too narrow, they are free to do so, because we are not directly mandating it be used.

    -
    Jason Keirstead
    STSM, Product Architect, Security Intelligence, IBM Security Systems
    www.ibm.com/security
    www.securityintelligence.com

    Without data, all you are is just another person with an opinion - Unknown



    From: Patrick Maroney < Pmaroney@Specere.org >
    To: Dave Cridland < dave.cridland@surevine.com >, JE < je@cybersecurityscout.eu >
    Cc: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >,
    " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >, "Terry MacDonald" < terry.macdonald@cosive.com >
    Date: 09/08/2016 01:29 PM
    Subject: [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]
    Sent by: < cti-stix@lists.oasis-open.org >










    Good discussion folks. In support of the concepts expressed here, I'd like to raise the topic of supporting the MISP Taxonomy format and the public repository of Taxonomies and format for consideration.


    https://github.com/MISP/misp-taxonomies

    Alexandre Dulaunoy has cleared up concerns raised regarding licensing, so we can assess on the technical merits.



    Patrick Maroney
    President
    Integrated Networking Technologies, Inc.
    Desk: (856)983-0001
    Cell: (609)841-5104
    Email: pmaroney@specere.org






    From: cti@lists.oasis-open.org < cti@lists.oasis-open.org >
    on behalf of Dave Cridland < dave.cridland@surevine.com >
    Sent: Thursday, September 8, 2016 4:13:31 AM
    To: JE
    Cc: cti-stix@lists.oasis-open.org ;
    cti@lists.oasis-open.org ; Terry MacDonald
    Subject: RE: [cti] CTI Brussels F2F Meeting...RSVP deadline 5 September



     



    There's two approaches, both already existing, which can help with this. Firstly, a common, shared policy (and just as important, commonly understood semantics). The FIRST IEP work is along these lines.



     



    Secondly, real security label/classification/policy systems allow one policy to be translated to another, as long as the semantics can be mapped. These systems exist already, and are specified in a slew of documents including SDN.801(c), X.841, and so on.



     



    Obviously these two are complementary - if there are lots of common semantics in organisation's policies, it makes it easy to express handling requirements, and the existing label specs allow each organization to have their own policy which they can develop independently.



     



    But all this is already handled by STIX - it's just payload data to STIX and TAXII.


    Dave.

     




    On 8 Sep 2016 09:29, "JE" < je@cybersecurityscout.eu > wrote:
    Hi Terry,

     

    Sorry I was not clear enough in my suggestion and putting it into context… we’re on the same page, there are currently discussions going on in some communities to extend TLP scheme (proprietary) by validation information and within some schemes used in intel (usually not public / publicly known) this is already existing as part of their schemes. Unfortunately proprietary approaches have their issues when trying to make it work outside the origin.

     

    To enable a true policy-based management, enforcement, priority handling etc. it’s vital to have a standard on assigning & processing level of confidence, trust in source and possibly validation by analyst as well. Some of the European ISACs I know handle this by reserving some classification levels for members and assign trust-by-default but of course this does not scale beyond limited community nor is it a feasible way to apply it on granular objects.

     

    Cheers from Brussels,
    Joerg
    From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org]
    On Behalf Of Terry MacDonald
    Sent: Wednesday, September 7, 2016 21:11
    To: JE < je@cybersecurityscout.eu >
    Cc: cti-stix@lists.oasis-open.org ;
    cti@lists.oasis-open.org ; Thompson, Dean < Dean.Thompson@anz.com >
    Subject: RE: [cti] CTI Brussels F2F Meeting...RSVP deadline 5 September

     

    Hi Joerg,
    I wasn't meaning information handling or policy management at all, as this is already supported via the object level data marking or granular data marking in STIX 2.0.
    I was definitely meaning a way of describing confidence that the threat intelligence is correct, and confidence that the person who told you the threat intelligence gets it right.
    We had that functionality in STIX 1.x series, and we've lost it in STIX 2.0.
    We need to add it back on as part of STIX 2.1.
    Cheers
    Terry MacDonald
    Cosive

     

    On 7/09/2016 10:25 PM, "JE" < je@cybersecurityscout.eu > wrote:
    Dear All,

     

    I fully support this – having built some ISACs in industry as well as GOV classification/labeling is usually a “top 5“ issue … if not at the time of initial set-up then usually later when information from different sources is to be shared and utilized. This might not be a primary issue from vendor side (although it should be as most TI is not under monolithic policy/license rights but compiled) it is definitely an issue from user perspective to handle, distribute and leverage TI properly,

     

    Some of the commercially available systems on the market implement labeling/label-based-handling in a proprietary way as current information models/standards do not foresee this. If you e.g. look at OTRS (not a STIX/TAXII implementation but widely used for Service + Incident Mgt), actually an open source system but during the evolution also included labeling and handling according to this. No matter if e.g. TLP or other schemes are applied I strongly suggest to at least include the option to label objects and though enable/apply/enforce policy-based information exchange and handling.

     

    Sunny greetings from Berlin & looking forward meeting you guys f2f on later Wednesday evening in Brussels,
    Joerg
    From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org]
    On Behalf Of Thompson, Dean
    Sent: Wednesday, September 7, 2016 03:06
    To: 'Terry MacDonald' < terry.macdonald@cosive.com >; ' cti@lists.oasis-open.org '
    < cti@lists.oasis-open.org >; ' cti-stix@lists.oasis-open.org '
    < cti-stix@lists.oasis-open.org >
    Subject: RE: [cti] CTI Brussels F2F Meeting...RSVP deadline 5 September

     


     

    Hi!,

     

    Can I add my voice in here as well and say that “Confidence” and also having an “Opinion” about Threat Intelligence is very important and is a concept that we use quite heavily when we are exchanging threat intelligence with other financial organisations and dealing with threat data that comes in via 3rd parties and intelligence sources.

     

    Can we please ensure that this is included in the agenda and discussed at the meeting ?

     

    Regards,

     

    Dean

     

    From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org]
    On Behalf Of Terry MacDonald
    Sent: Wednesday, 7 September 2016 8:18 AM
    To: cti@lists.oasis-open.org ;
    cti-stix@lists.oasis-open.org
    Subject: Re: [cti] CTI Brussels F2F Meeting...RSVP deadline 5 September

     

    Please say that we are including confidence and opinion object in STIX 2.1 candidate smackdown agenda item at the F2F.


     

    We just can't treat everything that people send out as the absolute truth as we do in STIX 2.0. There is a reason things like the admiralty code were developed.... and that's because threat intelligence is always someone's opinion. We need a way for the consumer to understand how confident the producer is in the threat intelligence they are sending. It's up to the consumer to determine if they believe that it's the truth, and they need various ways to determine this. That's a ton easier if the person who sent the threat intelligence to you tells you how much they trust the intelligence and trust the source of the intelligence with some form of confidence field.....

     

    I really, really believe this is critical for STIX to work properly, and it was something that made it possible for STIX to automatically be pushed out to the different security tools within an organization (e.g. high confidence DNS to the DNS RPZ block, low confidence to the alerting on the passive DNS).

     

    These are so easy to add to STIX, we would be remiss to skip it.

     

    Cheers

    Terry MacDonald
    Chief Product Officer

    M: +64 211 918 814
    E: terry.macdonald@cosive.com
    W: www.cosive.com

     


     


     


     

    On Fri, Sep 2, 2016 at 8:53 AM, Jane Harnad < jharnad@oasis-open.org > wrote:

    Dear CTI Members,

    The CTI TC F2F meeting is scheduled for Wednesday, 7 September at the Thon EU Hotel, Germany Room. Lunch and refreshments will be provided by OASIS. A headcount is needed ASAP. Below is a list of individuals that replied to the last RSVP request. If you don't see your name and do plan to participate in either the F2F meeting or group dinner, please send your RSVP no later than 5 September.

    Remote access is available to TC members unable to attend in person.

    Login details are:
    https://global.gotomeeting.com/join/978573765

    You can also dial in using your phone.
    United States (Toll-free): 1 866 899 4679
    United States
    +1 (646) 749-3117
    Access Code: 978-573-765

    Proposed agenda is attached.
    Details on group dinner option: CTI members are invited to sign up to attend a group dinner on Wednesday evening after the F2F. Family members and/or guests traveling along with you are also invited to join us. This is not a hosted dinner, so each participant (and their guests) will be responsible for covering the costs associated with their dinner. Please be sure to confirm the number of guests.

     

    Thanks so much and we look forward to seeing you all in Brussels!
    Regards, Jane

     

    **F2F/Dinner Attendees

    Bret Jordan
    Alexandre Dulaunoy
    Raymon van der Velde
    Ryusuke Masuoka
    Kazuo Noguchi
    Jason Keirstead
    Jerome Athias
    Allan Thomson
    Daniel Riedel
    John-Mark Gurney
    Carol Geyer
    Richard Struse
    Joerg Eschweiler
    Trey Darley
    Marko Dragoljevic
    Sergey Polzunov
    Aukjan van Belkum
    Wouter Bolsterlee
    Andras Iklody
    Mark Davidson
    Masato Terada


    --
    Jane Harnad
    Manager, Events
    OASIS Advancing open standards for the information society

    +1.781.425.5073 x214 (Office)

    http://www.oasis-open.org
    Join OASIS at:
    Borderless Cyber Europe 8-9 Sept Brussels
    Borderless Cyber Asia 1-2 Nov Tokyo



     

     






    This e-mail and any attachments to it (the "Communication") is, unless otherwise stated, confidential, may contain copyright material and is for the use only of the intended recipient. If you receive the Communication in error, please notify the sender immediately by return e-mail, delete the Communication and the return e-mail, and do not read, copy, retransmit or otherwise deal with it. Any views expressed in the Communication are those of the individual sender only, unless expressly stated to be those of Australia and New Zealand Banking Group Limited ABN 11 005 357 522, or any of its related entities including ANZ Bank New Zealand Limited (together "ANZ"). ANZ does not accept liability in connection with the integrity of or errors in the Communication, computer virus, data corruption, interference or delay arising from or in respect of the Communication.
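The question this post raises (does a 1-5 tool put its steps at 20/40/60/80/100?), John Wunder's two worries quoted earlier in the thread (a tool's "high" arriving on the Admiralty axis as "confirmed by other sources", and "Low" in a 3-level tool becoming "None" in a 4-level one) and Terry's routing example (high confidence to the DNS RPZ block, low confidence to passive-DNS alerting), worked through as an added example. This is not code from the thread, from STIX or from MISP; the vocabularies, the top-of-band versus bottom-of-band placement conventions, and the routing thresholds are assumptions made for the demo.

```python
"""One 0-100 confidence value shared by tools that speak different
vocabularies, and where that leaks.  Added illustration; not code from the
thread, STIX or MISP.  Vocabularies, band conventions and routing thresholds
are assumptions made for the demo."""
from typing import List

# Ordered from least to most confident.  Assumed for the demo.
THREE_LEVEL = ["Low", "Medium", "High"]
FOUR_LEVEL = ["None", "Low", "Medium", "High"]
# Admiralty information credibility 5..1 as a vocabulary.  Level 6 ("cannot be
# judged") is deliberately left out: it is not a low value, so it must not be
# placed anywhere on a linear scale.
ADMIRALTY_CREDIBILITY = ["Improbable", "Doubtful", "Possibly true",
                         "Probably true", "Confirmed by other sources"]


def quantize(step: int, steps: int) -> int:
    """Step k of an N-step scale at the top of its band, k*100/N:
    1-5 -> 20, 40, 60, 80, 100; 1-10 -> 10, ..., 100; 1-3 -> 33, 66, 100."""
    if not 1 <= step <= steps:
        raise ValueError(f"step {step} outside 1..{steps}")
    return step * 100 // steps


def encode(labels: List[str], label: str, *, top_of_band: bool = True) -> int:
    """Label -> 0-100.  A tool that is not told which convention to use might
    put a label at the top of its band (quantize) or at the bottom,
    (k-1)*100/N; both are defensible readings of "map your scale onto 0-100"."""
    k = labels.index(label) + 1
    if top_of_band:
        return quantize(k, len(labels))
    return (k - 1) * 100 // len(labels)


def decode(labels: List[str], value: int) -> str:
    """0-100 -> label.  Band k covers ((k-1)*100/N, k*100/N]; 0 falls into
    band 1.  Integer ceiling avoids float rounding at band edges."""
    if not 0 <= value <= 100:
        raise ValueError(f"confidence {value} outside 0..100")
    k = max(1, -(-(value * len(labels)) // 100))
    return labels[k - 1]


def translate(label: str, src: List[str], dst: List[str], *,
              top_of_band: bool = True) -> str:
    """What the receiving tool (dst) displays for a label set in the sending
    tool (src), when both only share the 0-100 number."""
    return decode(dst, encode(src, label, top_of_band=top_of_band))


def route(confidence: int) -> str:
    """Consumer-side policy in the spirit of Terry's example.  Thresholds are
    assumed; a real deployment would set them per feed and per control."""
    if confidence >= 80:
        return "dns-rpz-block"
    if confidence >= 40:
        return "passive-dns-alert"
    return "store-only"


if __name__ == "__main__":
    print("1-5 scale on 0-100:", [quantize(k, 5) for k in range(1, 6)])
    print("ToolC Low (bottom-of-band) seen by ToolD:",
          translate("Low", THREE_LEVEL, FOUR_LEVEL, top_of_band=False))
    print("ToolC Low (top-of-band) seen by ToolD:",
          translate("Low", THREE_LEVEL, FOUR_LEVEL))
    print("ToolA High on the Admiralty credibility axis:",
          decode(ADMIRALTY_CREDIBILITY, encode(FOUR_LEVEL, "High")))
    for label in FOUR_LEVEL:
        print(f"{label:>6} -> {encode(FOUR_LEVEL, label):3} -> {route(encode(FOUR_LEVEL, label))}")
```

With the bottom-of-band reading, the 3-level "Low" lands on 0 and ToolD shows "None"; with one declared convention it survives as "Low", which is the "be declarative" point of the post. Even then the 4-level "None" cannot round-trip through a 3-level tool (it comes back as "Low"), and a 4-level "High" decoded on the Admiralty credibility axis reads "Confirmed by other sources", a claim the sending tool never made. The routing function is the consumer-side half of the picture: whatever the producer's vocabulary, the consumer's thresholds decide what gets blocked and what merely alerts.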
  • 18.  Re: [cti-stix] [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

    Posted 09-13-2016 19:08
    Can we not do something like the 0-100 scale and then define in the spec how a 10 digit solution, a 5 digit solution and a 3 digit solution map? So for example: if your solution or product only works with 1-10 then you should use 10, 20, 30, ... 100; if your solution or product only works with 1-5 then you should use 20, 40, 60, 80, 100, etc.????

    Thanks,
    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards
    Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

    On Sep 13, 2016, at 04:31, Jason Keirstead < Jason.Keirstead@ca.ibm.com > wrote:

    Yes, exactly. The purpose of the larger range is simply to accommodate more possible scales than a single 1-5 scale. Nothing more or less.
On Sep 13, 2016 8:18 AM, Joep Gommers < joep@eclecticiq.com > wrote: For what its worth, reflecting on intelligence tradecraft, I’m fully supportive of a 1-5 scale (or similar order magnitude) so that you can build clear analytic constructs and constraints around each scale. 1-100 for an analytic judgement is not just overkill, it breaks the ability for an analyst to apply such analytic tradecraft. That said, having a 1-100 score if this is mostly created by machines, for machines, with a known algorithm makes all the sense – but don’t think we are intended to create that. Or have both * ducks *…   From: < cti@lists.oasis-open.org > on behalf of Mark Clancy < mclancy@soltra.com > Date: Monday, September 12, 2016 at 8:43 PM To: Marko Dragoljevic < marko@eclecticiq.com >, Terry MacDonald < terry.macdonald@cosive.com > Cc: Jason Keirstead < Jason.Keirstead@ca.ibm.com >, Patrick Maroney < Pmaroney@Specere.org >, Dave Cridland < dave.cridland@surevine.com >, JE < je@cybersecurityscout.eu >, cti@lists.oasis-open.org < cti@lists.oasis-open.org >, cti-stix@lists.oasis-open.org < cti-stix@lists.oasis-open.org > Subject: Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]   We are trying to add a level of precision to information that generally lacks reproducible precision when two parties review the exact same set of facts.  That leads you to wanting a scheme that does not create the illusion of precision where none exists. We don’t need two significant digits of precision for confidence so I think the 0-100 scheme is over kill.  Yes it exists today in Stix1.0, but has anybody actually analyzed how many unique precision values have been used in CTI data to date?     
-Mark     From: < cti@lists.oasis-open.org > on behalf of Marko Dragoljevic < marko@eclecticiq.com > Date: Friday, September 9, 2016 at 4:37 AM To: Terry MacDonald < terry.macdonald@cosive.com > Cc: Jason Keirstead < Jason.Keirstead@ca.ibm.com >, Patrick Maroney < Pmaroney@Specere.org >, Dave Cridland < dave.cridland@surevine.com >, JE < je@cybersecurityscout.eu >, cti@lists.oasis-open.org < cti@lists.oasis-open.org >, cti-stix@lists.oasis-open.org < cti-stix@lists.oasis-open.org > Subject: Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]   Hi all   +1 for all comments from Terry   Few extra thoughts: - Reliability of Source and other similar evaluation methods used across types of Intelligence are not meant to provide specific quantification but rather to “inform” with certain degree of error margin. Then, it’s up to analysts, consumers (human, products) or policy makers (stakeholders) to “interpret” this and eventually make decisions or informed actions. - It should be up to specific Technology Products to implement how mapping of this and other evaluation methods or scores into specific numbers actually works when and if needed. I can imagine that end users would want to be able to fine tune this “formulas” based on specific use cases.   Thanks, Marko Dragoljevic VP Technology, Chief Architect marko@eclecticiq.com +31 643 919 496 ?EclecticIQ Intelligence Powered Defense https://www.eclecticiq.com   On 09 Sep 2016, at 01:16, Terry MacDonald < terry.macdonald@cosive.com > wrote:   I would disagree with using a numbering scheme (and especially one with a range of 0-100), as it makes it much more complex than it needs to be.   Is something that is confidence level 82 really that worse than confidence 83? How is a user going to understand the difference at those small levels of difference? Will they care about the difference at all? Do people really want 6 different levels of difference rather than 100?   
If we use an existing methodology that has been used for many years in the intelligence community such as the Admiralty Code then it is something that is understandable and useable by humans.    I believe they will be able to comprehend the difference between 'Reliability of Source - B - Usually reliable' and 'Reliability of Source - D - Not usually reliable' a lot easier than looking at 'Reliability of Source - 79' and 'Reliability of Source - 48'.   Cheers   Terry MacDonald   Chief Product Officer   <cosive_mail_signature.png>   M:   +64 211 918 814 E:   terry.macdonald@cosive.com W:   www.cosive.com         On Fri, Sep 9, 2016 at 7:39 AM, Jason Keirstead < Jason.Keirstead@ca.ibm.com > wrote: I very much like the idea of adding support for the MISP taxonomies, but I still think that confidence should be a numerical value. I would like to see a way that the admiralty scale taxonomy can be mapped to a numerical equivalent. That way if someone wants to use a different taxonomy because the admiralty scale is either too broad or too narrow, they are free to do so, because we are not directly mandating it be used. - Jason Keirstead STSM, Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security www.securityintelligence.com Without data, all you are is just another person with an opinion - Unknown <graycol.gif> Patrick Maroney ---09/08/2016 01:29:55 PM---Good discussion folks. In support of the concepts expressed here, I'd like to raise the topic of su From: Patrick Maroney < Pmaroney@Specere.org > To: Dave Cridland < dave.cridland@surevine.com >, JE < je@cybersecurityscout.eu > Cc: cti@lists.oasis-open.org < cti@lists.oasis-open.org >, cti-stix@lists.oasis-open.org < cti-stix@lists.oasis-open.org >, Terry MacDonald < terry.macdonald@cosive.com > Date: 09/08/2016 01:29 PM Subject: [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September] Sent by: < cti-stix@lists.oasis-open.org > Good discussion folks. 
In support of the concepts expressed here, I'd like to raise the topic of supporting the MISP Taxonomy format and the public repository of Taxonomies and format for consideration. https://github.com/MISP/misp- taxonomies Alexandre Dulaunoy has cleared up concerns raised regarding licensing, so we can assess on the technical merits. <49458202.jpg> Patrick Maroney President Integrated Networking Technologies, Inc. Desk: (856)983-0001 Cell: (609)841-5104 Email: pmaroney@specere.org From: cti@lists.oasis-open.org < cti@lists.oasis-open.org > on behalf of Dave Cridland < dave.cridland@surevine.com > Sent: Thursday, September 8, 2016 4:13:31 AM To: JE Cc: cti-stix@lists.oasis-open.org ; cti@lists.oasis-open.org ; Terry MacDonald Subject: RE: [cti] CTI Brussels F2F Meeting...RSVP deadline 5 September   There's two approaches, both already existing, which can help with this. Firstly, a common, shared policy (and just as important, commonly understood semantics). The FIRST IEP work is along these lines.   Secondly, real security label/classification/policy systems allow one policy to be translated to another, as long as the semantics can be mapped. These systems exist already, and are specified in a slew of documents include SDN.801(c), X.841, and so on.   Obviously these two are complementary - if there are lots of common semantics in organisation's policies, it makes it easy to express handling requirements, and the existing label specs allow each organization to have their own policy which they can develop independently.   But all this is already handled by STIX - it's just payload data to STIX and TAXII. Dave.   
On 8 Sep 2016 09:29, JE < je@cybersecurityscout.eu > wrote: Hi Terry,   Sorry I was not clear enough in my suggestion and putting it into context… we’re on the same page, there are currently discussions going on in some communities to extend TLP scheme (proprietary) by validation information and within some schemes used in intel (usually not public / publicly known) this is already existing as part of their schemes. Unfortunately proprietary approaches have their issues when trying to make it work outside the origin.   To enable a true policy-based management, enforcement, priority handling etc. it’s vital to have a standard on assigning & processing level of confidence, trust in source and possibly validation by analyst as well. Some of the European ISACs I know handle this by reserving some classification levels for members and assign trust-by-default but of course this does not scale beyond limited community nor is it a feasible way to apply it on granular objects.   Cheers from Brussels, Joerg From: cti@lists.oasis-open.org [mailto: cti@lists.oasis-open. org ] On Behalf Of Terry MacDonald Sent: Wednesday, September 7, 2016 21:11 To: JE < je@cybersecurityscout.eu > Cc: cti-stix@lists.oasis-open.org ; cti@lists.oasis-open.org ; Thompson, Dean < Dean.Thompson@anz.com > Subject: RE: [cti] CTI Brussels F2F Meeting...RSVP deadline 5 September   Hi Joerg, I wasn't meaning information handling or policy management at all, as this is already supported via the object level data marking or granular date marking in STIX 2.0. I was definitely meaning a way of describing confidence that the threat intelligence is correct, and confidence that the person who told you the threat intelligence gets it right. We had that functionality in STIX 1.x series, and we've lost it in STIX 2.0. We need to add it back on as part of STIX 2.1. 
Cheers
Terry MacDonald
Cosive

On 7/09/2016 10:25 PM, JE <je@cybersecurityscout.eu> wrote:

Dear All,

I fully support this – having built some ISACs in industry as well as GOV, classification/labeling is usually a “top 5” issue … if not at the time of initial set-up then usually later when information from different sources is to be shared and utilized. This might not be a primary issue from the vendor side (although it should be, as most TI is not under monolithic policy/license rights but compiled); it is definitely an issue from the user perspective to handle, distribute and leverage TI properly.

Some of the commercially available systems on the market implement labeling/label-based handling in a proprietary way as current information models/standards do not foresee this. If you e.g. look at OTRS (not a STIX/TAXII implementation but widely used for Service + Incident Mgt), actually an open source system, but during its evolution it also included labeling and handling according to this. No matter if e.g. TLP or other schemes are applied, I strongly suggest to at least include the option to label objects and thus enable/apply/enforce policy-based information exchange and handling.

Sunny greetings from Berlin & looking forward to meeting you guys f2f on later Wednesday evening in Brussels,
Joerg

From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Thompson, Dean
Sent: Wednesday, September 7, 2016 03:06
To: 'Terry MacDonald' <terry.macdonald@cosive.com>; 'cti@lists.oasis-open.org' <cti@lists.oasis-open.org>; 'cti-stix@lists.oasis-open.org' <cti-stix@lists.oasis-open.org>
Subject: RE: [cti] CTI Brussels F2F Meeting...RSVP deadline 5 September

Hi!,

Can I add my voice in here as well and say that “Confidence” and also having an “Opinion” about Threat Intelligence is very important and is a concept that we use quite heavily when we are exchanging threat intelligence with other financial organisations and dealing with threat data that comes in via 3rd parties and intelligence sources.

Can we please ensure that this is included in the agenda and discussed at the meeting?

Regards,

Dean

From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Terry MacDonald
Sent: Wednesday, 7 September 2016 8:18 AM
To: cti@lists.oasis-open.org; cti-stix@lists.oasis-open.org
Subject: Re: [cti] CTI Brussels F2F Meeting...RSVP deadline 5 September

Please say that we are including the confidence and opinion object in the STIX 2.1 candidate smackdown agenda item at the F2F.

We just can't treat everything that people send out as the absolute truth as we do in STIX 2.0. There is a reason things like the admiralty code were developed.... and that's because threat intelligence is always someone's opinion. We need a way for the consumer to understand how confident the producer is in the threat intelligence they are sending. It's up to the consumer to determine if they believe that it's the truth, and they need various ways to determine this. That's a ton easier if the person who sent the threat intelligence to you tells you how much they trust the intelligence and trust the source of the intelligence with some form of confidence field.....
I really, really believe this is critical for STIX to work properly, and it was something that made it possible for STIX to automatically be pushed out to the different security tools within an organization (e.g. high confidence DNS to the DNS RPZ block, low confidence to the alerting on the passive DNS).

These are so easy to add to STIX, we would be remiss to skip it.

Cheers

Terry MacDonald
Chief Product Officer
M: +64 211 918 814 E: terry.macdonald@cosive.com W: www.cosive.com

On Fri, Sep 2, 2016 at 8:53 AM, Jane Harnad <jharnad@oasis-open.org> wrote:

Dear CTI Members,

The CTI TC F2F meeting is scheduled for Wednesday, 7 September at the Thon EU Hotel, Germany Room. Lunch and refreshments will be provided by OASIS. A headcount is needed ASAP. Below is a list of individuals that replied to the last RSVP request. If you don't see your name and do plan to participate in either the F2F meeting or group dinner, please send your RSVP no later than 5 September.

Remote access is available to TC members unable to attend in person. Login details are: https://global.gotomeeting.com/join/978573765 You can also dial in using your phone. United States (Toll-free): 1 866 899 4679 United States +1 (646) 749-3117 Access Code: 978-573-765

Proposed agenda is attached.

Details on group dinner option: CTI members are invited to sign up to attend a group dinner on Wednesday evening after the F2F. Family members and/or guests traveling along with you are also invited to join us. This is not a hosted dinner, so each participant (and their guests) will be responsible for covering the costs associated with their dinner. Please be sure to confirm the number of guests.

Thanks so much and we look forward to seeing you all in Brussels!
Regards,
Jane

F2F/Dinner Attendees: Bret Jordan, Alexandre Dulaunoy, Raymon van der Velde, Ryusuke Masuoka, Kazuo Noguchi, Jason Keirstead, Jerome Athias, Allan Thomson, Daniel Riedel, John-Mark Gurney, Carol Geyer, Richard Struse, Joerg Eschweiler, Trey Darley, Marko Dragoljevic, Sergey Polzunov, Aukjan van Belkum, Wouter Bolsterlee, Andras Iklody, Mark Davidson, Masato Terada

--
Jane Harnad
Manager, Events
OASIS
Advancing open standards for the information society
+1.781.425.5073 x214 (Office)
http://www.oasis-open.org
Join OASIS at: Borderless Cyber Europe 8-9 Sept Brussels; Borderless Cyber Asia 1-2 Nov Tokyo

To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

This e-mail and any attachments to it (the Communication) is, unless otherwise stated, confidential, may contain copyright material and is for the use only of the intended recipient. If you receive the Communication in error, please notify the sender immediately by return e-mail, delete the Communication and the return e-mail, and do not read, copy, retransmit or otherwise deal with it. Any views expressed in the Communication are those of the individual sender only, unless expressly stated to be those of Australia and New Zealand Banking Group Limited ABN 11 005 357 522, or any of its related entities including ANZ Bank New Zealand Limited (together ANZ). ANZ does not accept liability in connection with the integrity of or errors in the Communication, computer virus, data corruption, interference or delay arising from or in respect of the Communication.


  • 19.  Re: [cti-stix] [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

    Posted 09-13-2016 19:08
    Can we not do something like the 0-100 scale and then define in the spec how a 10 digit solution and a 5 digit solution and a 3 digit solution would map. So for example: If your solution or product only works with 1-10 then you should use 10, 20, 30, ... 100. If your solution or product only works with 1-5 then you should use 20, 40, 60, 80, 100 etc????

    Thanks,
    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards
    Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.

    On Sep 13, 2016, at 04:31, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:

    Yes, exactly. The purpose of the larger range is simply to accommodate more possible scales than a single 1-5 scale. Nothing more or less.

    --
    Sent from my mobile device, please excuse any typos.
    Andras Iklody

    --- Re: [cti-stix] Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September] ---

    From: Andras Iklody <andras.iklody@gmail.com>
    To: Joep Gommers <joep@eclecticiq.com>
    Cc: Jason Keirstead <Jason.Keirstead@ca.ibm.com>, cti-stix@lists.oasis-open.org, Marko Dragoljevic <marko@eclecticiq.com>, cti@lists.oasis-open.org, Dave Cridland <dave.cridland@surevine.com>, JE <je@cybersecurityscout.eu>, Terry MacDonald <terry.macdonald@cosive.com>, Patrick Maroney <Pmaroney@specere.org>, Mark Clancy <mclancy@soltra.com>
    Date: Tue, Sep 13, 2016 3:52 AM
    Subject: Re: [cti-stix] Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

    The idea is definitely to use descriptive language and convert to a unified scale. A 5 step scale limits the conversion of 4 and 3 step scales; 0-100 simply accommodates more toes of descriptive language.
On Sep 13, 2016 8:18 AM, Joep Gommers <joep@eclecticiq.com> wrote:

For what it's worth, reflecting on intelligence tradecraft, I’m fully supportive of a 1-5 scale (or similar order of magnitude) so that you can build clear analytic constructs and constraints around each scale. 1-100 for an analytic judgement is not just overkill, it breaks the ability for an analyst to apply such analytic tradecraft. That said, having a 1-100 score if this is mostly created by machines, for machines, with a known algorithm makes all the sense – but I don’t think we are intended to create that. Or have both * ducks *…

From: <cti@lists.oasis-open.org> on behalf of Mark Clancy <mclancy@soltra.com>
Date: Monday, September 12, 2016 at 8:43 PM
To: Marko Dragoljevic <marko@eclecticiq.com>, Terry MacDonald <terry.macdonald@cosive.com>
Cc: Jason Keirstead <Jason.Keirstead@ca.ibm.com>, Patrick Maroney <Pmaroney@Specere.org>, Dave Cridland <dave.cridland@surevine.com>, JE <je@cybersecurityscout.eu>, cti@lists.oasis-open.org <cti@lists.oasis-open.org>, cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org>
Subject: Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

We are trying to add a level of precision to information that generally lacks reproducible precision when two parties review the exact same set of facts. That leads you to wanting a scheme that does not create the illusion of precision where none exists. We don’t need two significant digits of precision for confidence, so I think the 0-100 scheme is overkill. Yes, it exists today in STIX 1.0, but has anybody actually analyzed how many unique precision values have been used in CTI data to date?
-Mark

From: <cti@lists.oasis-open.org> on behalf of Marko Dragoljevic <marko@eclecticiq.com>
Date: Friday, September 9, 2016 at 4:37 AM
To: Terry MacDonald <terry.macdonald@cosive.com>
Cc: Jason Keirstead <Jason.Keirstead@ca.ibm.com>, Patrick Maroney <Pmaroney@Specere.org>, Dave Cridland <dave.cridland@surevine.com>, JE <je@cybersecurityscout.eu>, cti@lists.oasis-open.org <cti@lists.oasis-open.org>, cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org>
Subject: Re: [cti] [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]

Hi all

+1 for all comments from Terry

A few extra thoughts:
- Reliability of Source and other similar evaluation methods used across types of Intelligence are not meant to provide specific quantification but rather to “inform” with a certain degree of error margin. Then, it’s up to analysts, consumers (human, products) or policy makers (stakeholders) to “interpret” this and eventually make decisions or informed actions.
- It should be up to specific Technology Products to implement how mapping of this and other evaluation methods or scores into specific numbers actually works when and if needed. I can imagine that end users would want to be able to fine tune these “formulas” based on specific use cases.

Thanks,
Marko Dragoljevic
VP Technology, Chief Architect
marko@eclecticiq.com
+31 643 919 496
EclecticIQ
Intelligence Powered Defense
https://www.eclecticiq.com

On 09 Sep 2016, at 01:16, Terry MacDonald <terry.macdonald@cosive.com> wrote:

I would disagree with using a numbering scheme (and especially one with a range of 0-100), as it makes it much more complex than it needs to be.

Is something that is confidence level 82 really that much worse than confidence 83? How is a user going to understand the difference at those small levels of difference? Will they care about the difference at all? Do people really want 6 different levels of difference rather than 100?
If we use an existing methodology that has been used for many years in the intelligence community such as the Admiralty Code then it is something that is understandable and useable by humans. I believe they will be able to comprehend the difference between 'Reliability of Source - B - Usually reliable' and 'Reliability of Source - D - Not usually reliable' a lot easier than looking at 'Reliability of Source - 79' and 'Reliability of Source - 48'.

Cheers

Terry MacDonald
Chief Product Officer
M: +64 211 918 814 E: terry.macdonald@cosive.com W: www.cosive.com

On Fri, Sep 9, 2016 at 7:39 AM, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:

I very much like the idea of adding support for the MISP taxonomies, but I still think that confidence should be a numerical value. I would like to see a way that the admiralty scale taxonomy can be mapped to a numerical equivalent. That way if someone wants to use a different taxonomy because the admiralty scale is either too broad or too narrow, they are free to do so, because we are not directly mandating it be used.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security www.securityintelligence.com
Without data, all you are is just another person with an opinion - Unknown

Patrick Maroney ---09/08/2016 01:29:55 PM---Good discussion folks. In support of the concepts expressed here, I'd like to raise the topic of su

From: Patrick Maroney <Pmaroney@Specere.org>
To: Dave Cridland <dave.cridland@surevine.com>, JE <je@cybersecurityscout.eu>
Cc: cti@lists.oasis-open.org <cti@lists.oasis-open.org>, cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org>, Terry MacDonald <terry.macdonald@cosive.com>
Date: 09/08/2016 01:29 PM
Subject: [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]
Sent by: <cti-stix@lists.oasis-open.org>

Good discussion folks.
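The conversion Bret sketches in the post above (spread an N-step scale evenly over 0-100, so 1-10 becomes 10, 20, ... 100 and 1-5 becomes 20, 40, 60, 80, 100) and the Admiralty-letter-to-number mapping Jason asks for, as an added Python example that is not code from the thread or from any STIX implementation. The A-F reliability labels are the standard Admiralty Code ones; treating A-E as a 5-step scale with F carrying no value, and snapping an off-grid 0-100 score to the nearest grid point, are assumptions of this example.

```python
"""Confidence scale conversion for CTI exchange (added example, not thread code).

A producer's N-step scale is spread evenly over a unified 0-100 range and a
consumer buckets a 0-100 score back onto its own scale by snapping to the
nearest grid point. The Admiralty Code "Reliability of Source" letters are
treated as a 5-step scale (A highest); F, "cannot be judged", carries no value.
"""
from typing import Dict, Iterable, Optional

# Standard Admiralty Code reliability labels; the thread quotes B and D.
# Treating A..E as a 5-step scale is an assumption of this example.
ADMIRALTY_RELIABILITY: Dict[str, str] = {
    "A": "Completely reliable",
    "B": "Usually reliable",
    "C": "Fairly reliable",
    "D": "Not usually reliable",
    "E": "Unreliable",
    "F": "Reliability cannot be judged",
}
_ADMIRALTY_STEP: Dict[str, int] = {"A": 5, "B": 4, "C": 3, "D": 2, "E": 1}
_STEP_ADMIRALTY: Dict[int, str] = {v: k for k, v in _ADMIRALTY_STEP.items()}


def scale_to_unified(value: int, steps: int) -> int:
    """Map step `value` of a 1..steps scale onto 0-100.

    Step k becomes round(100 * k / steps), so the top step is always 100 and
    the grid is evenly spaced: 1-10 gives 10, 20, ..., 100; 1-5 gives 20, 40, ..., 100.
    """
    if steps < 2:
        raise ValueError("a scale needs at least two steps")
    if not 1 <= value <= steps:
        raise ValueError(f"value {value} is outside 1..{steps}")
    return round(100 * value / steps)


def unified_to_scale(score: int, steps: int) -> int:
    """Bucket a 0-100 score onto a 1..steps scale.

    The score snaps to the nearest point of that scale's grid (ties go up), so
    the round trip scale -> unified -> scale is exact, while off-grid scores such
    as 82 and 83 collapse into the same step: the extra precision is not kept.
    """
    if not 0 <= score <= 100:
        raise ValueError(f"score {score} is outside 0..100")
    grid = {k: scale_to_unified(k, steps) for k in range(1, steps + 1)}
    return min(grid, key=lambda k: (abs(score - grid[k]), -k))


def convert(value: int, from_steps: int, to_steps: int) -> int:
    """Translate between two producer scales via the unified 0-100 range."""
    return unified_to_scale(scale_to_unified(value, from_steps), to_steps)


def admiralty_to_unified(letter: str) -> Optional[int]:
    """Reliability letter -> 0-100 score; F yields None (no judgement possible)."""
    letter = letter.upper()
    if letter not in ADMIRALTY_RELIABILITY:
        raise ValueError(f"unknown Admiralty reliability letter {letter!r}")
    if letter == "F":
        return None
    return scale_to_unified(_ADMIRALTY_STEP[letter], 5)


def unified_to_admiralty(score: Optional[int]) -> str:
    """0-100 score -> reliability letter; a missing score is reported as F."""
    if score is None:
        return "F"
    return _STEP_ADMIRALTY[unified_to_scale(score, 5)]


def distinct_levels(scores: Iterable[int], steps: int) -> int:
    """How many distinct steps a set of 0-100 scores still occupies on an
    N-step scale: a quick way to see how much of the 0-100 range is illusory."""
    return len({unified_to_scale(s, steps) for s in scores})


if __name__ == "__main__":
    # Constructed sample values, including the 82/83 and 79/48 pairs from the thread.
    for score in (82, 83, 79, 48):
        letter = unified_to_admiralty(score)
        print(f"{score:3d} -> 1-5 step {unified_to_scale(score, 5)} / "
              f"Admiralty {letter} ({ADMIRALTY_RELIABILITY[letter]})")
    print("2 on a 1-3 scale ->", convert(2, 3, 10), "on a 1-10 scale")
    print("distinct 1-5 steps among 82, 83, 79, 48:",
          distinct_levels([82, 83, 79, 48], 5))
```

Terry's own pair, 79 and 48, lands on B and D under this mapping, while 82 and 83 are indistinguishable on any scale coarser than 0-100.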