CTI STIX Subcommittee

Hi All, I'd like to propose the Opinion Object for STIX 2.1. The Opinion object is an object that allows the creator of the Opinion object to agree/disagree with any other STIX Data Object or STIX Relationship Object. It will allow an Organization to disagree with a relationship between a Threat Actor and a Campaign for example, or agree with the contents of an Course of Action. This is the first step towards consumers being able to crowd-source the opinion of the community, which will help newcomers to the threat intelligence sharing groups better understand which threats have a high degree of community agreement and which are contentious. Further details in the attached PDF. Cheers Terry MacDonald   Chief Product Officer M:   +64 211 918 814 E:   terry.macdonald@cosive.com W:   www.cosive.com Attachment: STIX2.1Proposal-OpinionObject.pdf Description: Adobe PDF document

Hello Terry,

Is the "no-opinion" useful? If one wants to express a neutral view they
would select "neutral", otherwise you have two options for a "neutral"
opinion which could create some interpretation issues. (counting as 0 or
not counting when cumulating responses).

Secondly is there an approved reference definition of agree vs
strongly-agree or is it based on individuals point of views and typical
psychology studies ? https://en.wikipedia.org/wiki/Likert_scale, http://www.
simplypsychology.org/likert-scale.html http://poincare.
matf.bg.ac.rs/~kristina/topic-dane-likert.pdf

Eric Freyssinet
Ministry of Interior, Cyberthreats taskforce
Associate member of Loria

On 25 December 2016 at 09:23, Terry MacDonald <terry.macdonald@cosive.com>
wrote:

> Hi All,
>
> I'd like to propose the Opinion Object for STIX 2.1.
>
> The Opinion object is an object that allows the creator of the Opinion
> object to agree/disagree with any other STIX Data Object or STIX
> Relationship Object. It will allow an Organization to disagree with a
> relationship between a Threat Actor and a Campaign for example, or agree
> with the contents of an Course of Action.
>
> This is the first step towards consumers being able to crowd-source the
> opinion of the community, which will help newcomers to the threat
> intelligence sharing groups better understand which threats have a high
> degree of community agreement and which are contentious.
>
> Further details in the attached PDF.
>
> Cheers
>
> *Terry MacDonald *| Chief Product Officer
>
>
>
> M: +64 211 918 814 <+64+211+918+814>
> E: terry.macdonald@cosive.com
> W: www.cosive.com
>
>
>
>
>
> This publicly archived list provides a forum for asking questions,
> offering answers, and discussing topics of interest on STIX,
> TAXII, and CybOX. Users and developers of solutions that leverage
> STIX, TAXII and CybOX are invited to participate.
>
> In order to verify user consent to OASIS mailing list guidelines
> and to minimize spam in the list archive, subscription is required
> before posting.
>
> Subscribe: cti-users-subscribe@lists.oasis-open.org
> Unsubscribe: cti-users-unsubscribe@lists.oasis-open.org
> Post: cti-users@lists.oasis-open.org
> List help: cti-users-help@lists.oasis-open.org
> List archive: http://lists.oasis-open.org/archives/cti-users/
> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> CTI Technical Committee: https://www.oasis-open.org/committees/cti/
> Join OASIS: http://www.oasis-open.org/join/
>

</terry.macdonald@cosive.com>

I believe this is a valuable addition. Like other User Generated Content (UGC), attribution is a requirement for the content to be trusted and used, therefore, if added, attribution will be required in some manner for it to be adopted. I know many people are concerned about attribution but I for one am happy to provide it in this field, in fact I think it will be required moving forward for full adoption, less we only rely a limited set of authoritative feeds.

From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Terry MacDonald
Sent: December 25, 2016 3:24 AM
To: cti-stix@lists.oasis-open.org; cti-users@lists.oasis-open.org
Subject: [cti-users] STIX 2.1 Propsal - Opinion Object

*** EXTERNAL email. Please be cautious and evaluate before you click on links, open attachments, or provide credentials. ***
Hi All,

I'd like to propose the Opinion Object for STIX 2.1.

The Opinion object is an object that allows the creator of the Opinion object to agree/disagree with any other STIX Data Object or STIX Relationship Object. It will allow an Organization to disagree with a relationship between a Threat Actor and a Campaign for example, or agree with the contents of an Course of Action.

This is the first step towards consumers being able to crowd-source the opinion of the community, which will help newcomers to the threat intelligence sharing groups better understand which threats have a high degree of community agreement and which are contentious.

Further details in the attached PDF.

Cheers

Terry MacDonald | Chief Product Officer

[cid:image001.png@01D26A68.5FD93860]

M: +64 211 918 814<tel:+64+211+918+814>
E: terry.macdonald@cosive.com<mailto:terry.macdonald@cosive.com>
W: www.cosive.com<https: www.cosive.com/="">




This e-mail message and any files transmitted with it are intended only for the named recipient(s) above and may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient(s), any dissemination, distribution or copying of this e-mail message or any files transmitted with it is strictly prohibited. If you have received this message in error, or are not the named recipient(s), please notify the sender immediately and delete this e-mail message.

</https:></mailto:terry.macdonald@cosive.com></tel:+64+211+918+814>

Hi!,

I would also like to add my support for an ‘Opinion Object’ as well (I think this was discussed last year as well). As Jason and Terry have highlighted, this object provides the capability for the community to have their say on information which is being passed around or shared. This can be quite critical in sector specific areas as well as the wider community as well (for example, we could rate or have opinion about fraud data being shared between banks).

It would be great to be able to associate “Opinions” about the STIX data that is being passed around. It also provides the ability to introduce additional concepts at a later stage.

Regards,

Dean


From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Jason Hammerschmidt
Sent: Tuesday, 10 January 2017 3:06 AM
To: 'Terry MacDonald'; cti-stix@lists.oasis-open.org; cti-users@lists.oasis-open.org
Subject: RE: [cti-users] STIX 2.1 Propsal - Opinion Object

I believe this is a valuable addition. Like other User Generated Content (UGC), attribution is a requirement for the content to be trusted and used, therefore, if added, attribution will be required in some manner for it to be adopted. I know many people are concerned about attribution but I for one am happy to provide it in this field, in fact I think it will be required moving forward for full adoption, less we only rely a limited set of authoritative feeds.

From: cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org> [mailto:cti-users@lists.oasis-open.org] On Behalf Of Terry MacDonald
Sent: December 25, 2016 3:24 AM
To: cti-stix@lists.oasis-open.org<mailto:cti-stix@lists.oasis-open.org>; cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>
Subject: [cti-users] STIX 2.1 Propsal - Opinion Object

*** EXTERNAL email. Please be cautious and evaluate before you click on links, open attachments, or provide credentials. ***
Hi All,

I'd like to propose the Opinion Object for STIX 2.1.

The Opinion object is an object that allows the creator of the Opinion object to agree/disagree with any other STIX Data Object or STIX Relationship Object. It will allow an Organization to disagree with a relationship between a Threat Actor and a Campaign for example, or agree with the contents of an Course of Action.

This is the first step towards consumers being able to crowd-source the opinion of the community, which will help newcomers to the threat intelligence sharing groups better understand which threats have a high degree of community agreement and which are contentious.

Further details in the attached PDF.

Cheers

Terry MacDonald | Chief Product Officer

[cid:image001.png@01D26B1F.259055A0]

M: +64 211 918 814<tel:+64+211+918+814>
E: terry.macdonald@cosive.com<mailto:terry.macdonald@cosive.com>
W: www.cosive.com<https: www.cosive.com/="">




This e-mail message and any files transmitted with it are intended only for the named recipient(s) above and may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient(s), any dissemination, distribution or copying of this e-mail message or any files transmitted with it is strictly prohibited. If you have received this message in error, or are not the named recipient(s), please notify the sender immediately and delete this e-mail message.


This e-mail and any attachments to it (the "Communication") is, unless otherwise stated, confidential, may contain copyright material and is for the use only of the intended recipient. If you receive the Communication in error, please notify the sender immediately by return e-mail, delete the Communication and the return e-mail, and do not read, copy, retransmit or otherwise deal with it. Any views expressed in the Communication are those of the individual sender only, unless expressly stated to be those of Australia and New Zealand Banking Group Limited ABN 11 005 357 522, or any of its related entities including ANZ Bank New Zealand Limited (together "ANZ"). ANZ does not accept liability in connection with the integrity of or errors in the Communication, computer virus, data corruption, interference or delay arising from or in respect of the Communication.

</https:></mailto:terry.macdonald@cosive.com></tel:+64+211+918+814></mailto:cti-users@lists.oasis-open.org></mailto:cti-stix@lists.oasis-open.org></mailto:cti-users@lists.oasis-open.org>

 
Hi!,
 
I would also like to add my support for an ‘Opinion Object’ as well (I think this was discussed last year as well).  As Jason and Terry have highlighted, this
object provides the capability for the community to have their say on information which is being passed around or shared.  This can be quite critical in sector specific areas as well as the wider community as well (for example, we could rate or have opinion
about fraud data being shared between banks).
 
It would be great to be able to associate “Opinions” about the STIX data that is being passed around.  It also provides the ability to introduce additional
concepts at a later stage.
 
Regards,
 
Dean
 
 


From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org]
On Behalf Of Jason Hammerschmidt
Sent: Tuesday, 10 January 2017 3:06 AM
To: 'Terry MacDonald'; cti-stix@lists.oasis-open.org; cti-users@lists.oasis-open.org
Subject: RE: [cti-users] STIX 2.1 Propsal - Opinion Object


 
I believe this is a valuable addition.  Like other User Generated Content (UGC), attribution is a requirement for the content to be trusted and
used, therefore, if added, attribution will be required in some manner for it to be adopted.  I know many people are concerned about attribution but I for one am happy to provide it in this field, in fact I think it will be required moving forward for full
adoption, less we only rely a limited set of authoritative feeds.   
 
From:
cti-users@lists.oasis-open.org [ mailto:cti-users@lists.oasis-open.org ]
On Behalf Of Terry MacDonald
Sent: December 25, 2016 3:24 AM
To: cti-stix@lists.oasis-open.org ;
cti-users@lists.oasis-open.org
Subject: [cti-users] STIX 2.1 Propsal - Opinion Object
 
*** EXTERNAL email. Please be cautious and evaluate before you click on links, open attachments, or provide credentials. ***


Hi All,

I'd like to propose the Opinion Object for STIX 2.1.

The Opinion object is an object that allows the creator of the Opinion object to agree/disagree with any other STIX Data Object or STIX Relationship Object. It will allow an Organization to disagree with a relationship between a Threat Actor and a Campaign
for example, or agree with the contents of an Course of Action.

This is the first step towards consumers being able to crowd-source the opinion of the community, which will help newcomers to the threat intelligence sharing groups better understand which threats have a high degree of community agreement and which are contentious.

 


Further details in the attached PDF.


 








Cheers


 



Terry MacDonald   Chief Product Officer


 





 


M:   +64 211 918 814


E:   terry.macdonald@cosive.com


W:   www.cosive.com


 



 


 










This e-mail message and any files transmitted with it are intended only for the named recipient(s) above and may contain information that is privileged, confidential and/or exempt
from disclosure under applicable law.  If you are not the intended recipient(s), any dissemination, distribution or copying of this e-mail message or any files transmitted with it is strictly prohibited.  If you have received this message in error, or are
not the named recipient(s), please notify the sender immediately and delete this e-mail message.

This e-mail and any attachments to it (the Communication ) is, unless otherwise stated, confidential, may contain copyright material and is for the use only of the intended recipient. If you receive the Communication in error, please notify the sender immediately by return e-mail, delete the Communication and the return e-mail, and do not read, copy, retransmit or otherwise deal with it. Any views expressed in the Communication are those of the individual sender only, unless expressly stated to be those of Australia and New Zealand Banking Group Limited ABN 11 005 357 522, or any of its related entities including ANZ Bank New Zealand Limited (together ANZ ). ANZ does not accept liability in connection with the integrity of or errors in the Communication, computer virus, data corruption, interference or delay arising from or in respect of the Communication.

Hello All

If you allow me, here are my two cents on this:
In my opinion we should not confuse things.
Attribution is the capability of assign and provide evidences linking
someone/something with an action/attack step that has or is happening and
is thightly connected with one of the attributes of information security
that is not commonly managed, non-repudiation.

I do agreed with the existence of an object property that allow "to grade"
the commonly agreed level of relationship between other SDO´s by
accumulating "thustworthy points", and due to that to carry a property,
call it for eg "thrust level"/"opinion level"
This points could be given by the community who could also have the
capability of downgrade the "thustworthy points" by subtracting or
attributing negative points.
Obviously there should be put in place mecanisms for protecting the misuse
or corruption of such an attribute.

Hope it helped

Be happy and have a super 2017

TM



Tolentino Martins

2017-01-09 16:06 GMT+00:00 Jason Hammerschmidt <jason.hammerschmidt@ieso.ca>
:

> I believe this is a valuable addition. Like other User Generated Content
> (UGC), attribution is a requirement for the content to be trusted and used,
> therefore, if added, attribution will be required in some manner for it to
> be adopted. I know many people are concerned about attribution but I for
> one am happy to provide it in this field, in fact I think it will be
> required moving forward for full adoption, less we only rely a limited set
> of authoritative feeds.
>
>
>
> *From:* cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-
> open.org] *On Behalf Of *Terry MacDonald
> *Sent:* December 25, 2016 3:24 AM
> *To:* cti-stix@lists.oasis-open.org; cti-users@lists.oasis-open.org
> *Subject:* [cti-users] STIX 2.1 Propsal - Opinion Object
>
>
>
> *** EXTERNAL email. Please be cautious and evaluate before you click on
> links, open attachments, or provide credentials. ***
>
> Hi All,
>
> I'd like to propose the Opinion Object for STIX 2.1.
>
> The Opinion object is an object that allows the creator of the Opinion
> object to agree/disagree with any other STIX Data Object or STIX
> Relationship Object. It will allow an Organization to disagree with a
> relationship between a Threat Actor and a Campaign for example, or agree
> with the contents of an Course of Action.
>
> This is the first step towards consumers being able to crowd-source the
> opinion of the community, which will help newcomers to the threat
> intelligence sharing groups better understand which threats have a high
> degree of community agreement and which are contentious.
>
>
>
> Further details in the attached PDF.
>
>
>
> Cheers
>
>
>
> *Terry MacDonald *| Chief Product Officer
>
>
>
>
>
> M: +64 211 918 814 <+64+211+918+814>
>
> E: terry.macdonald@cosive.com
>
> W: www.cosive.com
>
>
>
>
>
>
>
> This e-mail message and any files transmitted with it are intended only
> for the named recipient(s) above and may contain information that is
> privileged, confidential and/or exempt from disclosure under applicable
> law. If you are not the intended recipient(s), any dissemination,
> distribution or copying of this e-mail message or any files transmitted
> with it is strictly prohibited. If you have received this message in
> error, or are not the named recipient(s), please notify the sender
> immediately and delete this e-mail message.
>

</jason.hammerschmidt@ieso.ca>