OASIS Cyber Threat Intelligence (CTI) TC

  • 1.  Timestamp precision

    Posted 12-06-2016 17:32




    All,
     
    Separate from the timestamp debate, I was also hoping to get to a resolution on timestamp precision. As a reminder, precision is an optional field accompanying certain timestamps that can tell you how precise the timestamp is supposed to be. It would let you say, for example, that a campaign was first seen sometime in 2014 without the producer having to pick some arbitrary date in 2014.
     
    I see three options:

    1. Keep as-is
    2. Remove precision from all fields and add it as necessary
    3. Evaluate it on a field-by-field basis
     
    I’ve listed the places that have precision below (and notable places that don’t) so that we can all be on the same page. Given that data, which do you prefer? If you prefer #3, which places should we add it to now?
     
    John
     
    Campaign
    first_seen
    last_seen
     
    Indicator
    valid_from
    valid_to
     
    Intrusion Set
    first_seen
    last_seen
     
    Sighting
    first_seen
    last_seen
     
    The following timestamps do not have precision:
     
    STIX Objects (all SROs and SDOs)
    created
    modified
     
    Observed Data
    first_observed
    last_observed
     
    Report
    published
     
    Cyber Observable Layer
    Nowhere in the cyber observable layer are there timestamps.
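
To make the semantics concrete, here is an added example (not from this thread or from any STIX specification text) of how a consumer could interpret a timestamp paired with a precision value, widening the producer's arbitrary date into the window it really asserts. The property name first_seen_precision and the set of precision values it accepts are assumptions made for the demo.

```python
# Added example, not from the thread or the STIX spec: how a consumer could
# widen a point timestamp plus its optional precision into the interval it
# really asserts. The property name "first_seen_precision" and its allowed
# values are assumptions for this demo, not confirmed spec text.
from datetime import datetime, timedelta, timezone

PRECISIONS = ("year", "month", "day", "hour", "minute", "full")

def parse_ts(value):
    """Parse a STIX-style RFC 3339 UTC timestamp such as 2014-06-15T00:00:00Z."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def interval_for(value, precision="full"):
    """Half-open [start, end) window asserted by a timestamp at a given precision."""
    if precision not in PRECISIONS:
        raise ValueError(f"unknown precision: {precision}")
    ts = parse_ts(value)
    if precision == "full":          # exact instant: a one-microsecond window
        return ts, ts + timedelta(microseconds=1)
    if precision == "year":
        start = ts.replace(month=1, day=1, hour=0, minute=0, second=0, microsecond=0)
        return start, start.replace(year=start.year + 1)
    if precision == "month":
        start = ts.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
        nxt = (start.replace(year=start.year + 1, month=1) if start.month == 12
               else start.replace(month=start.month + 1))
        return start, nxt
    zero = {"day": dict(hour=0, minute=0, second=0, microsecond=0),
            "hour": dict(minute=0, second=0, microsecond=0),
            "minute": dict(second=0, microsecond=0)}[precision]
    step = {"day": timedelta(days=1), "hour": timedelta(hours=1),
            "minute": timedelta(minutes=1)}[precision]
    start = ts.replace(**zero)       # truncate to the stated granularity
    return start, start + step

def first_seen_window(obj):
    """Read first_seen and the (assumed) first_seen_precision property of a STIX-like dict."""
    return interval_for(obj["first_seen"], obj.get("first_seen_precision", "full"))

def consistent_with_first_seen(obj, when):
    """True if an observation at 'when' lies inside the object's asserted first_seen window."""
    start, end = first_seen_window(obj)
    return start <= parse_ts(when) < end

# Constructed sample: the producer only knows the campaign started "sometime in 2014",
# so the day it picked is arbitrary and the precision says to honour only the year.
CAMPAIGN = {"type": "campaign", "name": "constructed-demo",
            "first_seen": "2014-06-15T00:00:00Z", "first_seen_precision": "year"}
```

Without the precision property the same first_seen value collapses to a single instant, so an observation from January 2014 would wrongly look inconsistent with the campaign.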






  • 2.  Re: [cti] Timestamp precision

    Posted 12-07-2016 08:52
    On 06.12.2016 17:32:01, Wunder, John A. wrote:
    > I see three options:
    >
    > 1. Keep as-is
    > 2. Remove precision from all fields and add it as necessary
    > 3. Evaluate it on a field-by-field basis

    I'm in favor of option 2.

    --
    Cheers,
    Trey
    ++--------------------------------------------------------------------------++
    Kingfisher Operations, sprl
    gpg fingerprint: 85F3 5F54 4A2A B4CD 33C4 5B9B B30D DD6E 62C8 6C1D
    ++--------------------------------------------------------------------------++
    --
    "Just wait till time intervenes. The alchemy of time transforms everything into comedy. Everything..." --Josef Škvorecký

    Attachment: signature.asc Description: Digital signature


  • 3.  Re: [cti] Timestamp precision

    Posted 12-07-2016 13:50
    Thanks Trey, same. I think we should get 2.0 out there and then see if we need to add precision anywhere once we get real usage. I’m also curious whether companies like Soltra and EclecticIQ implemented precision in STIX 1.2 (I believe it was added to 1.1). Does anybody know of any implementations that used precision in 1.x and, if so, how it was implemented and whether analysts used it?

    John

    On 12/7/16, 3:51 AM, "Trey Darley" <trey@kingfisherops.com> wrote:

    > On 06.12.2016 17:32:01, Wunder, John A. wrote:
    > > I see three options:
    > >
    > > 1. Keep as-is
    > > 2. Remove precision from all fields and add it as necessary
    > > 3. Evaluate it on a field-by-field basis
    >
    > I'm in favor of option 2.
    >
    > --
    > Cheers,
    > Trey
    > ++--------------------------------------------------------------------------++
    > Kingfisher Operations, sprl
    > gpg fingerprint: 85F3 5F54 4A2A B4CD 33C4 5B9B B30D DD6E 62C8 6C1D
    > ++--------------------------------------------------------------------------++
    > --
    > "Just wait till time intervenes. The alchemy of time transforms everything into comedy. Everything..." --Josef Škvorecký


  • 4.  Re: [cti] Timestamp precision

    Posted 12-07-2016 13:57
    Prefer Option 2 as well.

    On 12/7/16, 5:49 AM, "cti@lists.oasis-open.org on behalf of Wunder, John A." <cti@lists.oasis-open.org on behalf of jwunder@mitre.org> wrote:

    > Thanks Trey, same. I think we should get 2.0 out there and then see if we need to add precision anywhere once we get real usage. I’m also curious whether companies like Soltra and EclecticIQ implemented precision in STIX 1.2 (I believe it was added to 1.1). Does anybody know of any implementations that used precision in 1.x and, if so, how it was implemented and whether analysts used it?
    >
    > John
    >
    > On 12/7/16, 3:51 AM, "Trey Darley" <trey@kingfisherops.com> wrote:
    >
    > > On 06.12.2016 17:32:01, Wunder, John A. wrote:
    > > > I see three options:
    > > >
    > > > 1. Keep as-is
    > > > 2. Remove precision from all fields and add it as necessary
    > > > 3. Evaluate it on a field-by-field basis
    > >
    > > I'm in favor of option 2.
    > >
    > > --
    > > Cheers,
    > > Trey
    > > ++--------------------------------------------------------------------------++
    > > Kingfisher Operations, sprl
    > > gpg fingerprint: 85F3 5F54 4A2A B4CD 33C4 5B9B B30D DD6E 62C8 6C1D
    > > ++--------------------------------------------------------------------------++
    > > --
    > > "Just wait till time intervenes. The alchemy of time transforms everything into comedy. Everything..." --Josef Škvorecký

    <<attachment: winmail.dat>>


  • 5.  Re: [cti] Timestamp precision

    Posted 12-07-2016 15:16
    Prefer option #2

    --
    Rob Coderre
    iDefense, Director of Product Management
    Verisign, Inc.
    rcoderre@verisign.com
    o: +1 703-948-3833
    m: +1 571-224-4627

    On Dec 6, 2016, at 12:32 PM, Wunder, John A. <jwunder@mitre.org> wrote:

    > All,
    >
    > Separate from the timestamp debate, I was also hoping to get to a resolution on timestamp precision. As a reminder, precision is an optional field accompanying certain timestamps that can tell you how precise the timestamp is supposed to be. It would let you say, for example, that a campaign was first seen sometime in 2014 without the producer having to pick some arbitrary date in 2014.
    >
    > I see three options:
    >
    > 1. Keep as-is
    > 2. Remove precision from all fields and add it as necessary
    > 3. Evaluate it on a field-by-field basis
    >
    > I’ve listed the places that have precision below (and notable places that don’t) so that we can all be on the same page. Given that data, which do you prefer? If you prefer #3, which places should we add it to now?
    >
    > John
    >
    > Campaign
    > first_seen
    > last_seen
    >
    > Indicator
    > valid_from
    > valid_to
    >
    > Intrusion Set
    > first_seen
    > last_seen
    >
    > Sighting
    > first_seen
    > last_seen
    >
    > The following timestamps do not have precision:
    >
    > STIX Objects (all SROs and SDOs)
    > created
    > modified
    >
    > Observed Data
    > first_observed
    > last_observed
    >
    > Report
    > published
    >
    > Cyber Observable Layer
    > Nowhere in the cyber observable layer are there timestamps.

    Attachment: smime.p7s Description: S/MIME cryptographic signature