CTI STIX Subcommittee

  • 1.  Re: [cti-stix] Labels on STIX TLOs

    Posted 06-30-2016 19:19

    +1

    Providing a generic tag mechanism would allow for a given organization to annotate intelligence specific to their operational workflows and have that context/metadata transmitted via STIX.   As a tool developer, being able to
    consume/maintain that context as an opaque value allows my tool to remain relevant within that operational environment without having to know about it a priori.

    $0.02

    Ted Bedwell
    Principal Engineer
    Network Threat Defense
    .: :.: :.  CISCO  .: :.: :.

    From: cti-stix@lists.oasis-open.org < cti-stix@lists.oasis-open.org > on behalf of Jason Keirstead < Jason.Keirstead@ca.ibm.com >
    Sent: Thursday, June 30, 2016 8:57 AM
    To: Terry MacDonald
    Cc: John A. Wunder; cti-stix@lists.oasis-open.org
    Subject: Re: [cti-stix] Labels on STIX TLOs
    Myself, I would prefer that "tag" or "labels" be added to the base TLO Common Properties instead of having special properties for many TLOs but for some other TLOs we do not have any label / tag method.

    Analysts should be able to tag / label anything in STIX with anything they want. This facility will help them be able to quickly "look up" and categorize objects.


    -
    Jason Keirstead
    STSM, Product Architect, Security Intelligence, IBM Security Systems
    www.ibm.com/security www.securityintelligence.com

    Without data, all you are is just another person with an opinion - Unknown



    From: Terry MacDonald < terry.macdonald@cosive.com >
    To: "John A. Wunder" < jwunder@mitre.org >
    Cc: cti-stix@lists.oasis-open.org
    Date: 06/29/2016 06:58 PM
    Subject: Re: [cti-stix] Labels on STIX TLOs
    Sent by: < cti-stix@lists.oasis-open.org >
    I don't like the labels field myself. I would prefer the addition of a generic tag TLO. The community does prefer the labels field however, and so...
    I would make the label field optional, and leave it applied just to the objects we can make a case for. I would worry about using it everywhere, as that will restrict us in the future if we decide to make it more specific to each object. Having
    one list across all objects would worry me that we are restricting our choices later on.

    Cheers
    Terry MacDonald
    Cosive
    On 30/06/2016 01:24, "Wunder, John A." < jwunder@mitre.org > wrote:

    All,
     
    One of the topics that came up across several items on the call yesterday was the “labels” field that currently exists on Indicator, Malware, and Tool. The field is an array of values from an open vocabulary (indicator-label-ov, malware-label-ov, and tool-label-ov
    respectively).
     
    We have a couple of open questions:
     
    1.  Should the labels field be required or optional?
        a.  If we make labels required, do we need to add a value of “other” to the vocabulary? This will help tools/users who can’t find an existing value in the vocabulary that works but don’t want to make one up.
    2.  Which TLOs need the labels field? It’s on Indicator, Malware, and Tool now but has not been added to Campaign or Attack Pattern.
        a.  Allan has suggested adding it across all top-level objects. Does that make sense, or should we consider it on a case-by-case basis?
        b.  Allan also suggested that if we don’t add it across all top-level objects, it should be added to Campaign. Are there other TLOs that we should add it to, even if we don’t add it across all of them?

    To be honest I don’t really have a strong opinion either way. What do you think?

     
    John
  • 2.  Re: [cti-stix] Labels on STIX TLOs

    Posted 07-01-2016 00:28
    I think we can all agree that we should have a general "tagging" or "labeling" object on the TLO Common Properties for all TLOs...  The question is, should it be different from the existing Indicator Type (now called labels) or Malware Type (also now called labels).  What does everyone think?

    Thanks,

    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

    ---------------------------------------------------------------------
    To unsubscribe from this mail list, you must leave the OASIS TC that
    generates this mail.  Follow this link to all your TCs in OASIS at:
    https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
    Attachment: signature.asc  Description: Message signed with OpenPGP using GPGMail


  • 3.  Re: [cti-stix] Labels on STIX TLOs

    Posted 07-01-2016 20:39
    Based on what we have in the vocabularies now and what we had in the STIX 1.2 vocabularies, I believe what we were calling “type” is pretty much “labels”. So, I think we should go ahead
    and add it everywhere as an optional property, defining open vocabs for the TLOs where it makes sense and we have time. So we could have “labels” on all TLOs, but the open vocab for malware labels would be specific to malware while the open vocab for indicator
    labels would be specific to indicators.
     
    We could note that in the specification using the same dark gray highlighting we use for “type” to indicate that we’re overriding the field with further specification.
     
    John
     
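The layout John proposes in the last message (an optional `labels` list on every TLO, with a per-object open vocabulary on Indicator, Malware and Tool), together with the required-vs-optional and "other" questions from his first message and the opaque-tag use that Ted and Jason describe, as an added example. This is not code from the thread, from OASIS or from any STIX library. The vocabulary contents, the object ids and the `acme-soc:` tag are assumptions made for illustration; the thread only names the vocabularies (indicator-label-ov, malware-label-ov, tool-label-ov) and does not list their values.

```python
"""Added example, not code from the thread or from any STIX library.

It models the layout John proposes: `labels` is a list of strings that any
top-level object MAY carry, and Indicator, Malware and Tool additionally get
a per-type open vocabulary. "Open" means values outside the list are still
accepted, but a consumer can tell them apart and keep them as opaque tags.
Whether the property is required on those three types is a switch, so both
answers to the thread's first question can be exercised.
"""
import json
from collections import defaultdict

# Assumed vocabulary contents, for illustration only: the thread names the
# vocabularies (indicator-label-ov, malware-label-ov, tool-label-ov) but
# does not list their values. "other" is the escape hatch asked about.
OPEN_VOCABS = {
    "indicator": {"anomalous-activity", "malicious-activity", "benign", "other"},
    "malware": {"trojan", "ransomware", "backdoor", "other"},
    "tool": {"exploitation", "remote-access", "credential-exploitation", "other"},
}

# Types on which `labels` is required under the "required" option.
LABELS_REQUIRED_ON = frozenset(OPEN_VOCABS)


class LabelError(ValueError):
    """Raised when an object's `labels` property is structurally invalid."""


def check_labels(obj, required_on=LABELS_REQUIRED_ON):
    """Validate `labels` on one object; return (in_vocab, custom) as sets.

    Pass required_on=() to model the "optional everywhere" alternative.
    Objects whose type has no vocabulary get no vocab check, so every label
    on them is reported as custom (an opaque tag).
    """
    otype = obj.get("type")
    labels = obj.get("labels")
    oid = obj.get("id", "<no id>")
    if labels is None:
        if otype in required_on:
            raise LabelError(f"{oid}: labels is required on {otype}")
        return set(), set()
    if (not isinstance(labels, list) or not labels
            or not all(isinstance(v, str) and v for v in labels)):
        raise LabelError(f"{oid}: labels must be a non-empty list of non-empty strings")
    vocab = OPEN_VOCABS.get(otype, frozenset())
    in_vocab = {v for v in labels if v in vocab}
    return in_vocab, set(labels) - in_vocab


def index_by_label(objects, required_on=LABELS_REQUIRED_ON):
    """Build a label -> object-id index over a list of objects.

    Custom values are indexed too (an opaque tag is still useful for lookup)
    and also collected per type so an analyst can review them; objects that
    fail validation are reported in `errors` and left out of the index.
    """
    by_label = defaultdict(set)
    custom_by_type = defaultdict(set)
    errors = []
    for obj in objects:
        try:
            in_vocab, custom = check_labels(obj, required_on)
        except LabelError as exc:
            errors.append(str(exc))
            continue
        for value in in_vocab | custom:
            by_label[value].add(obj.get("id", "<no id>"))
        custom_by_type[obj.get("type")].update(custom)
    return dict(by_label), {k: v for k, v in custom_by_type.items() if v}, errors


# Constructed sample objects; the ids and the "acme-soc:" tag are invented.
SAMPLE_OBJECTS = json.loads("""[
  {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
   "labels": ["malicious-activity", "acme-soc:ticket-1234"]},
  {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000002",
   "labels": ["ransomware"]},
  {"type": "campaign", "id": "campaign--00000000-0000-4000-8000-000000000003",
   "labels": ["acme-soc:ticket-1234"]},
  {"type": "tool", "id": "tool--00000000-0000-4000-8000-000000000004"}
]""")


if __name__ == "__main__":
    by_label, custom_by_type, errors = index_by_label(SAMPLE_OBJECTS)
    print("objects tagged acme-soc:ticket-1234:",
          sorted(by_label["acme-soc:ticket-1234"]))
    print("values outside a vocabulary, per type:", custom_by_type)
    print("errors with labels required:", errors)
    print("errors with labels optional:",
          index_by_label(SAMPLE_OBJECTS, required_on=())[2])
```

Run as a script, the sample shows the trade-off the thread is weighing: the `acme-soc:` tag is looked up across an Indicator and a Campaign without the validator needing to know what it means, the Indicator's tag is surfaced as "outside the vocabulary" because that type has one, and the Tool with no `labels` is rejected only when the required option is on.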