CTI STIX Subcommittee

  • 1.  Labels on STIX TLOs

    Posted 06-29-2016 15:24

    All,
     
    One of the topics that came up across several items on the call yesterday was the “labels” field that currently exists on Indicator, Malware, and Tool. The field is an array of values from an open vocabulary
    (indicator-label-ov, malware-label-ov, and tool-label-ov respectively).
     
    We have a couple of open questions:
     
    1. Should the labels field be required or optional?

       a. If we make labels required, do we need to add a value of “other” to the vocabulary? This will help tools/users who can’t find an existing value in the vocabulary that works but don’t want to make one up.

    2. Which TLOs need the labels field? It’s on Indicator, Malware, and Tool now but has not been added to Campaign or Attack Pattern.

       a. Allan has suggested adding it across all top-level objects. Does that make sense, or should we consider it on a case-by-case basis?

       b. Allan also suggested that if we don’t add it across all top-level objects, it should be added to Campaign. Are there other TLOs that we should add it to, even if we don’t add it across all of them?
     
    To be honest I don’t really have a strong opinion either way. What do you think?
     
    John


  • 2.  Re: [cti-stix] Labels on STIX TLOs

    Posted 06-29-2016 21:58
    I don't like the labels field myself. I would prefer the addition of a generic tag TLO. The community does prefer the labels field however, and so... I would make the label field optional, and leave it applied just to the objects we can make a case for.

    I would worry about using it everywhere, as that will restrict us in the future if we decide to make it more specific to each object. Having one list across all objects would worry me that we are restricting our choices later on.

    Cheers

    Terry MacDonald
    Cosive


  • 3.  Re: [cti-stix] Labels on STIX TLOs

    Posted 06-30-2016 12:57
    Myself, I would prefer that "tag" or "labels" be added to the base TLO Common Properties instead of having special properties for many TLOs but for some other TLOs we do not have any label / tag method. Analysts should be able to tag / label anything in STIX with anything they want. This facility will help them be able to quickly "look up" and categorize objects.

    -
    Jason Keirstead
    STSM, Product Architect, Security Intelligence, IBM Security Systems
    www.ibm.com/security
    www.securityintelligence.com

    Without data, all you are is just another person with an opinion - Unknown


  • 4.  Re: [cti-stix] Labels on STIX TLOs

    Posted 07-01-2016 18:17
    Wunder, John A. wrote this message on Wed, Jun 29, 2016 at 15:23 +0000:

    > All,
    >
    > One of the topics that came up across several items on the call yesterday was the “labels” field that currently exists on Indicator, Malware, and Tool. The field is an array of values from an open vocabulary (indicator-label-ov, malware-label-ov, and tool-label-ov respectively).
    >
    > We have a couple of open questions:
    >
    > 1. Should the labels field be required or optional?

    optional...

    > a. If we make labels required, do we need to add a value of “other” to the vocabulary? This will help tools/users who can’t find an existing value in the vocabulary that works but don’t want to make one up.

    This is only needed if required and it's required that the length is >= 1. I'm not a fan of other, especially if it's an open vocab..

    > 2. Which TLOs need the labels field? It’s on Indicator, Malware, and Tool now but has not been added to Campaign or Attack Pattern.
    >
    > a. Allan has suggested adding it across all top-level objects. Does that make sense, or should we consider it on a case-by-case basis?

    I think adding it across the board is fine... It makes handling the TLO's easier, and more consistent, and I can see most of the TLO's using them... I don't have a strong preference though...

    > b. Allan also suggested that if we don’t add it across all top-level objects, it should be added to Campaign. Are there other TLOs that we should add it to, even if we don’t add it across all of them?

    --
    John-Mark
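To make the thread's open questions concrete from a consumer's side, here is an added example in Python (not code from the thread or from the STIX project): a checker for the `labels` field that applies either policy debated above, required or optional, treats a proposed "other" value as in-vocabulary only when enabled, and flags values outside an open vocabulary without rejecting them, which is what "open" means in practice. The vocabulary subsets and the sample objects are assumptions constructed for the example, not taken from the thread.

```python
# Illustrative subset of the three vocabularies the thread names. Assumption:
# the exact value lists come from the spec; real tooling should load them from it.
OPEN_VOCABS = {
    "indicator": {"anomalous-activity", "anonymization", "benign",
                  "compromised", "malicious-activity", "attribution"},
    "malware": {"backdoor", "bot", "dropper", "ransomware",
                "remote-access-trojan", "rootkit", "spyware", "trojan", "worm"},
    "tool": {"denial-of-service", "exploitation", "information-gathering",
             "network-capture", "remote-access", "vulnerability-scanning"},
}

def check_labels(obj, required=False, allow_other=False):
    """Return (ok, problems, warnings) for one STIX object's ``labels`` field.

    problems are policy violations (reject the object); warnings are values
    outside the open vocabulary (accepted, but flagged for the analyst).
    """
    obj_type = obj.get("type", "<unknown>")
    problems, warnings = [], []
    vocab = OPEN_VOCABS.get(obj_type)
    if vocab is None:
        # Types with no label vocabulary in this draft (e.g. campaign).
        if "labels" in obj:
            warnings.append(f"{obj_type}: labels present but no {obj_type}-label-ov defined")
        return True, problems, warnings
    labels = obj.get("labels")
    if not labels:
        # "Required" only has teeth if the list must also be non-empty.
        if required:
            problems.append(f"{obj_type}: labels is required and must hold >= 1 value")
        return not problems, problems, warnings
    if not isinstance(labels, list) or not all(isinstance(v, str) for v in labels):
        problems.append(f"{obj_type}: labels must be a list of strings")
        return False, problems, warnings
    for value in labels:
        if value == "other" and allow_other:
            continue  # the catch-all value proposed for a required field
        if value not in vocab:
            warnings.append(f"{obj_type}: '{value}' not in {obj_type}-label-ov (open vocab, accepted)")
    return True, problems, warnings

# Constructed sample objects; the ids are made up, not real intelligence.
SAMPLE_OBJECTS = [
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
     "labels": ["malicious-activity"]},
    {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000002",
     "labels": ["ransomware", "crypto-locker"]},
    {"type": "tool", "id": "tool--00000000-0000-4000-8000-000000000003", "labels": []},
    {"type": "campaign", "id": "campaign--00000000-0000-4000-8000-000000000004"},
]
```

Running `check_labels` over `SAMPLE_OBJECTS` under both policies shows the difference the thread is arguing about: the empty tool list is fine when optional and a hard error when required, while the made-up malware label is accepted either way but surfaces as a warning.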