OASIS Cyber Threat Intelligence (CTI) TC

  • 1.  Current status on Confidence, Intel Note, and Opinion

    Posted 03-30-2017 17:49
    All,

    We wanted to send out a current status for several of the items we’re working through for STIX 2.1.

    Confidence: This is currently at consensus. We have reviewed both the implementation and the scales, and people seem to agree that they are good enough. Since this topic has already been discussed at a monthly TC-wide call, the text is being moved from the 2.1 working document into the 2.1 proposed specification document.

    Intel Note: This is mostly at consensus. On the working calls this week, we discussed the author property, and debated if it should be a string field or a reference to an identity object. The agreement was to make it a string. If there are no complaints or issues with this change, then this SDO is also at consensus. We will bring this SDO up on the next full-TC call in April, as per our workflow, and if we get agreement there, we will be ready to move this text from the 2.1 working document into the 2.1 specification as well. If there are concerns with this field being a string, please raise them on the list. We will also create a poll in the #polls channel in Slack.

    Opinion: This one still has debate going on, and we have not achieved consensus. On the working calls this week, we did agree to change the object_ref property from a single identifier to a list of type identifier. At least two open questions remain that need to be decided. The first is that of the scale. Currently, we have the scale as a value 1-5, with a mapping to a closed vocabulary (Strongly Agree, Agree, Neutral, Disagree, Strongly Disagree). It was done numerically in order to provide the ability to do statistics on the opinions. There has been a suggestion to change this to a simple closed vocabulary, and remove the 1-5 values. The second open question is that of a description field. Currently, this object doesn’t have a description field. This was done to keep the object small, and to help differentiate it from other similar objects (like Intel Note). The idea is that if you need to add a description, you would create an Intel Note object and point it at the Opinion object. Others feel this is too heavy-handed, and we should just add a description field back into the Opinion object itself. Again, if you have comments on either of these open questions, please reply to the list with your thoughts. We will also create polls in the #polls channel in Slack.

    Now that we have consensus on two of our objects (Confidence and Intel Note), we will be able to move on to the next item on our list, which is Location, which will be discussed on an upcoming working call, hopefully Tuesday April 4th.

    Thanks,

    Sarah Kelley
    Senior CERT Analyst
    Center for Internet Security (CIS)
    Integrated Intelligence Center (IIC)
    Multi-State Information Sharing and Analysis Center (MS-ISAC)
    1-866-787-4722 (7×24 SOC)
    Email: cert@cisecurity.org
    www.cisecurity.org
    Follow us @CISecurity


  • 2.  Re: [cti] Current status on Confidence, Intel Note, and Opinion

    Posted 03-30-2017 18:20
    .02:

    Re: Subjective Measures

    Since we evidently have consensus on the 0-100 scale for confidence, we should adopt this representation for all subjective measures, assertions, etc. We should be able to apply consistent methods to process these mathematically/statistically.

    Example:

    An opinion is an assertion by an entity. Like all subjective measures, one might want/need to assign a weight/scaling factor to an opinion on the basis of the receiving entity's rating for this source (or sources in the aggregate).

    Therefore, if we adopt a common scale and numeric representation for all of these subjective types of measures and representations, we can easily calculate (e.g., sum, average, std deviation), weight, aggregate, etc.

    Patrick Maroney
    Principal Engineer - Data Science & Analytics
    Wapack Labs
    pmaroney@wapacklabs.com
    (609)841-5104

    On Mar 30, 2017, at 1:48 PM, Sarah Kelley <Sarah.Kelley@cisecurity.org> wrote:


  • 3.  Re: [cti] Current status on Confidence, Intel Note, and Opinion

    Posted 03-31-2017 07:53
    On 30/03/17 20:19, Patrick Maroney wrote:
    > .02:
    >
    > Re: Subjective Measures
    >
    > Since we evidently have consensus on the 0-100 scale for confidence, we should adopt this representation for all subjective measures, assertions, etc. We should be able to apply consistent methods to process these mathematically/statistically.

    We are also already in line with the various MISP taxonomies representation with the 0-100 scale. This is pretty much what we had in mind when we faced a similar decision. Ultimately we ended up using a similar 0-100 scale as described here:

    https://github.com/MISP/misp-taxonomies/blob/master/misp/machinetag.json#L40

    We strongly favour this consensus too.

    > Example:
    >
    > An "opinion" is an assertion by an entity. Like all subjective measures, one might want/need to assign a weight/scaling factor to an "opinion" on the basis of the receiving entity's rating for this source (or sources in the aggregate).
    >
    > Therefore, if we adopt a common scale and numeric representation for all of these subjective types of measures and representations, we can easily calculate (e.g., sum, average, std deviation), weight, aggregate, etc.

    True.

    Cheers.

    --
    Alexandre Dulaunoy
    CIRCL - Computer Incident Response Center Luxembourg
    41, avenue de la gare L-1611 Luxembourg
    info@circl.lu - www.circl.lu


  • 4.  Re: [cti] Current status on Confidence, Intel Note, and Opinion

    Posted 04-03-2017 12:23
    All,

    I thought I sent this on Friday, but MITRE was having some e-mail issues and I don’t see it in the archive, so I’m sending it again just in case.

    I’m one of the people who thinks a fixed scale is the way to go, and I want to explain why.

    First, I see our current 0-100 scale for confidence as a necessary solution because people use so many different confidence scales. If everyone could agree on one scale, I’d think it would make more sense to just use that…that way we don’t have people using different words and having to map scales back and forth. The person from AlienVault made that point at the face to face…what we have now is not our greatest option for compatibility. But, since there are so many existing and divergent scales here, we decided to go with this 0-100 scale with a mapping. It’s not ideal for consistency of language or best compatibility, but it lets us mediate across different scales.

    I don’t think we have the same issue with opinion. I’ve not heard anyone say that we need to have different vocabularies to represent degrees of agreement or disagreement. Given that, I think we can take the more ideal approach here and just standardize on the single scale.

    Given that we’ll define a vocabulary for the scale, tools wanting to use statistical methods on opinion and confidence still can…just come up with your own mappings into numerical scales and use that. Nobody says you can’t call “Neutral” a 50…you totally can. It doesn’t mean we need to formally define it in the standard, and have to deal with the unfortunate bucketing solution that we have for confidence (where some level of information gets lost in translation). Using a defined scale lets us achieve maximum compatibility in the exchange (no bucketing of values) while still allowing people to do all the fancy math they want.

    John

    On 3/31/17, 3:53 AM, "cti@lists.oasis-open.org on behalf of Alexandre Dulaunoy" <cti@lists.oasis-open.org on behalf of Alexandre.Dulaunoy@circl.lu> wrote:
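The following is an added example, not code from this thread or from any STIX implementation, that puts both positions above side by side: Patrick's idea of weighting each opinion by the receiving entity's reliability rating for its source before aggregating, and John's point that a closed vocabulary can still be mapped to numbers by the consumer ("neutral" as 50) while bucketing a 0-100 confidence value into a coarse scale loses detail. The hyphenated vocabulary terms, the 0/25/50/75/100 mapping, the sample opinions, the source weights and the confidence bucket ranges are all assumptions constructed for this example.

```python
import math

# Closed vocabulary for the Opinion SDO as discussed on the thread, weakest to strongest.
OPINION_VOCAB = ("strongly-disagree", "disagree", "neutral", "agree", "strongly-agree")
# Consumer-chosen numeric mapping (assumed, not defined by the standard): "neutral" = 50.
OPINION_TO_SCORE = {term: idx * 25 for idx, term in enumerate(OPINION_VOCAB)}

# Constructed sample opinions about one object; "source" stands in for the producer identity.
SAMPLE_OPINIONS = [
    {"source": "identity--vendor-a", "opinion": "strongly-agree"},
    {"source": "identity--vendor-b", "opinion": "agree"},
    {"source": "identity--unknown-c", "opinion": "strongly-disagree"},
]
# Constructed reliability weights (0.0 to 1.0) the receiving entity assigns to each source.
SOURCE_WEIGHT = {"identity--vendor-a": 0.9, "identity--vendor-b": 0.6, "identity--unknown-c": 0.1}


def aggregate_opinions(opinions, weights, mapping=OPINION_TO_SCORE):
    """Weighted mean and weighted std deviation of mapped opinion scores, or None if no weight."""
    # A source with no configured weight contributes nothing to the aggregate.
    scored = [(mapping[o["opinion"]], weights.get(o["source"], 0.0)) for o in opinions]
    total = sum(w for _, w in scored)
    if total == 0:
        return None
    wmean = sum(s * w for s, w in scored) / total
    wvar = sum(w * (s - wmean) ** 2 for s, w in scored) / total
    return round(wmean, 2), round(math.sqrt(wvar), 2)


# Illustrative confidence buckets (assumed ranges, not from the thread) showing the
# information loss when a 0-100 value is mapped into a coarse scale and back.
CONFIDENCE_BUCKETS = (("Low", 1, 29), ("Medium", 30, 69), ("High", 70, 100))


def bucket_confidence(value):
    """Map a 0-100 confidence value to its bucket name ("None" for 0)."""
    for name, low, high in CONFIDENCE_BUCKETS:
        if low <= value <= high:
            return name
    return "None"


def unbucket_confidence(name):
    """Map a bucket name back to the midpoint of its range; the finer detail is gone."""
    for bucket, low, high in CONFIDENCE_BUCKETS:
        if bucket == name:
            return (low + high) // 2
    return 0
```

With the sample data, the low-weight dissenting source barely moves the aggregate (mean about 84, std deviation about 25), while a confidence of 35 round-trips through "Medium" and comes back as 49.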