CTI STIX Subcommittee

  • 1.  Why do we have first_seen / last_seen on Intrusion Set but not on Threat Actor?

    Posted 06-14-2019 11:14
    Hey, y'all -

    Somehow this escaped me until now. Was this an intentional decision or is this an accidental omission?

    --
    Cheers,
    Trey Darley
    Co-Chair, OASIS CTI TC
    CTI Strategist, CERT.be
    --
    CERT.be
    Centre for Cyber Security Belgium
    Mail: trey.darley@cert.be
    GPG: CA5B 29E4 937E 151E 2550 6607 AE9A 7FF2 8000 0E4E
    --
    Under the authority of the Prime Minister
    Wetstraat 16 - 1000 Brussels - Belgium
    Visiting address: Rue Ducale 4 - 1000 Brussels - Belgium
    Contact: https://www.cert.be


  • 2.  Re: [cti-stix] Why do we have first_seen / last_seen on Intrusion Set but not on Threat Actor?

    Posted 06-14-2019 11:39
    You could say the same thing for Attack Pattern.

    This goes back to the "TTP objects vs non-TTP objects" discussion from last week's working call & Brett's spreadsheet. There is a subset of SDOs which are used to communicate TTPs, that when you look at them objectively *should* have a common set of base properties. But we did not do that; there is a lot of inconsistency.

    -
    Jason Keirstead
    Lead Architect - IBM Security Connect
    www.ibm.com/security

    "Would you like me to give you a formula for success? It's quite simple, really. Double your rate of failure."
    - Thomas J. Watson
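The inconsistency discussed in this post has a practical consequence for consumers: a STIX 2.0 threat-actor object carries no first_seen / last_seen, so an activity window for the actor has to be derived from the intrusion-set objects attributed to it. The following is an added example, not code from the thread, the TC or any STIX library; it assumes the STIX 2.0 property names (first_seen, last_seen, relationship_type, source_ref, target_ref) and uses constructed sample objects with made-up ids.

```python
# Added example, not from the thread or any STIX tooling: in STIX 2.0
# intrusion-set carries first_seen/last_seen but threat-actor does not, so
# derive an actor's window from the intrusion sets attributed to it.
# Sample objects below are constructed; ids are made up.
from datetime import datetime, timezone


def parse_stix_timestamp(value):
    """Parse a STIX timestamp (RFC 3339 UTC, optional fractional seconds)."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def actor_activity_window(objects, actor_id):
    """Return (first_seen, last_seen) for a threat-actor, taken as the
    earliest first_seen and latest last_seen over the intrusion-sets that
    are 'attributed-to' it. A value is None if no intrusion-set supplies it."""
    by_id = {o["id"]: o for o in objects}
    firsts, lasts = [], []
    for obj in objects:
        if (obj.get("type") != "relationship"
                or obj.get("relationship_type") != "attributed-to"
                or obj.get("target_ref") != actor_id):
            continue
        source = by_id.get(obj.get("source_ref"))
        # Only intrusion-set carries the properties we need; skip dangling refs.
        if source is None or source.get("type") != "intrusion-set":
            continue
        if "first_seen" in source:
            firsts.append(parse_stix_timestamp(source["first_seen"]))
        if "last_seen" in source:
            lasts.append(parse_stix_timestamp(source["last_seen"]))
    return (min(firsts) if firsts else None, max(lasts) if lasts else None)


# Constructed sample: one actor, two attributed intrusion sets, one of which
# lacks last_seen (the property is optional on intrusion-set too).
SAMPLE = [
    {"type": "threat-actor", "id": "threat-actor--example-1", "name": "Actor A"},
    {"type": "intrusion-set", "id": "intrusion-set--example-1", "name": "Set 1",
     "first_seen": "2017-03-01T00:00:00.000Z", "last_seen": "2018-05-20T12:00:00Z"},
    {"type": "intrusion-set", "id": "intrusion-set--example-2", "name": "Set 2",
     "first_seen": "2016-11-15T08:30:00Z"},
    {"type": "relationship", "id": "relationship--example-1",
     "relationship_type": "attributed-to",
     "source_ref": "intrusion-set--example-1", "target_ref": "threat-actor--example-1"},
    {"type": "relationship", "id": "relationship--example-2",
     "relationship_type": "attributed-to",
     "source_ref": "intrusion-set--example-2", "target_ref": "threat-actor--example-1"},
]
```

Calling `actor_activity_window(SAMPLE, "threat-actor--example-1")` yields the earliest first_seen and latest last_seen across both sets; an actor with no attributed intrusion sets yields `(None, None)` rather than a guessed window.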




  • 3.  Re: [EXT] Re: [cti-stix] Why do we have first_seen / last_seen on Intrusion Set but not on Threat Actor?

    Posted 06-14-2019 12:02



    Based on the consensus on the call we added aliases to the rest of the TTP objects, aka infrastructure and attack pattern.  


    Before we ship we should have one last review of base properties on SDOs and SROs (not SCOs) and make sure everything makes sense.


    Bret 

    Sent from my Commodore 128D


    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050












  • 4.  Re: [EXT] Re: [cti-stix] Why do we have first_seen / last_seen on Intrusion Set but not on Threat Actor?

    Posted 06-14-2019 12:04



    As far as adding first and last seen, I think that is also an option we should look at.


    Bret 

    Sent from my Commodore 128D


    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050












  • 5.  Re: [EXT] Re: [cti-stix] Why do we have first_seen / last_seen on Intrusion Set but not on Threat Actor?

    Posted 06-14-2019 12:08



    Trey,


    Please add a suggestion in the document so we can talk about it next week.


    Bret 

    Sent from my Commodore 128D


    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050












  • 6.  Re: [EXT] Re: [cti-stix] Why do we have first_seen / last_seen on Intrusion Set but not on Threat Actor?

    Posted 06-14-2019 12:25
    On 14.06.2019 12:07:30, Bret Jordan wrote:
    > Please add a suggestion in the document so we can talk about it next
    > week

    Done and done.

    But did we not agree to cancel next week's working call due to FIRST?

    --
    Cheers,
    Trey Darley
    Co-Chair, OASIS CTI TC
    CTI Strategist, CERT.be
    --
    CERT.be
    Centre for Cyber Security Belgium
    Mail: trey.darley@cert.be
    GPG: CA5B 29E4 937E 151E 2550 6607 AE9A 7FF2 8000 0E4E
    --
    Under the authority of the Prime Minister
    Wetstraat 16 - 1000 Brussels - Belgium
    Visiting address: Rue Ducale 4 - 1000 Brussels - Belgium
    Contact: https://www.cert.be


  • 7.  Re: [EXT] Re: [cti-stix] Why do we have first_seen / last_seen on Intrusion Set but not on Threat Actor?

    Posted 06-14-2019 16:11



    We moved the full TC call, but not the working call. Maybe we need to do that.


    Bret 

    Sent from my Commodore 128D


    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050

