CTI STIX Subcommittee

  • 1.  Question on Sightings Proposal and Cybox Observations

    Posted 04-04-2016 20:12
    I have a cross-cutting STIX and Cybox question, and answering it on Slack seems too difficult (bouncing between too many channels).

    I have been reading through the STIX Sightings proposal and also the Cybox Observation proposal. I am not sure either of them takes into account composite, behavioral use cases for sightings and observations.... but maybe I am simply misunderstanding.

    Can someone explain how the below use cases can be done using the existing proposals? The main part I see the existing proposals falling down on are 1-3. I can't figure out how to communicate an observation of behavior that is not an already existing indicator.

    1) My SOC needs to be able to tell my threat intelligence group “we are seeing X followed by Y followed by Z, this looks strange”

    2) My threat intelligence group needs to be able to ask my ISAO “we are seeing X followed by Y followed by Z, are you seeing anything like this”

    3) Org 2 tells Org 1 via the ISAO “yes we are seeing that pattern as well, let's create an indicator for this pattern to publish to ISAO”

    4) A generalized indicator pattern is created and Org 1 and Org 2 both “+1” the pattern

    5) Org 3 (and many other orgs) “+1” the pattern as well

    -
    Jason Keirstead
    STSM, Product Architect, Security Intelligence, IBM Security Systems
    www.ibm.com/security www.securityintelligence.com

    Without data, all you are is just another person with an opinion - Unknown




  • 2.  Re: [cti-stix] Question on Sightings Proposal and Cybox Observations

    Posted 04-04-2016 20:54




    What do you think about using a low-confidence indicator for #1 and #2?



    I also noticed that there’s a lot of workflow stuff in those use cases… implicit request from SOC to TI cell to do something, explicit request for sightings, explicit request to create an indicator, explicit +1 of indicator patterns (not necessarily a sighting, I assume?). A lot of that stuff is definitely not covered now.




    From: <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
    Date: Monday, April 4, 2016 at 4:11 PM
    To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
    Subject: [cti-stix] Question on Sightings Proposal and Cybox Observations








  • 4.  Re: [cti-cybox] Re: [cti-stix] Question on Sightings Proposal and Cybox Observations

    Posted 04-04-2016 21:51
    It seems weird to me, like a shoehorn. Would I give it 0 confidence? And, it's not even accurate because at that stage you don't even know what the correct indicator pattern is.

    Sent from IBM Verse

    From: "Wunder, John A." <jwunder@mitre.org>
    To: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>, cti-stix@lists.oasis-open.org, cti-cybox@lists.oasis-open.org
    Date: Mon, Apr 4, 2016 5:54 PM
    Subject: [cti-cybox] Re: [cti-stix] Question on Sightings Proposal and Cybox Observations


  • 6.  Re: [cti-stix] Question on Sightings Proposal and Cybox Observations

    Posted 04-05-2016 14:01




    1) Not a fan of using confidence for #1. Wouldn’t you be saying that you have a low confidence that something is strange (when you are pretty sure that it’s strange)? Almost feels as if a sighting is more appropriate, followed by some sort of product workflow outside of STIX. For example, an analyst places strange sightings into an “investigate this bucket” within the tool.




    2) This is a fairly standard issue within sharing communities. It’s possible that we need to investigate adding Requests For Information (RFI) within STIX or TAXII.

    3) My response is fairly simple. Create a new indicator based on the pattern, and create a sighting. The fact you are “seeing this as well” should be done with tools that understand what to do with indicators and sightings.

    4) Sightings or Opinion object

    5) Sightings or Opinion object


    Jason, your #4 and #5 questions concern me the most. If you are having issues identifying this functionality from our existing sightings/opinion documentation then I tend to blame our documentation, or a lack thereof.


    Aharon




    From: <cti-stix@lists.oasis-open.org> on behalf of "Wunder, John A." <jwunder@mitre.org>
    Date: Monday, April 4, 2016 at 4:53 PM
    To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
    Subject: Re: [cti-stix] Question on Sightings Proposal and Cybox Observations






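Aharon's answer to steps 3-5 (create an indicator for the pattern, then record the "+1"s as sightings or opinions), worked through as an added example that is not from this thread or from the OASIS specifications. It uses the STIX 2.1 JSON shape the sightings and opinion proposals later became; every identifier, organization name, timestamp and the x.exe/y.exe/z.exe pattern are constructed sample values, and the consumer-side tally deliberately keeps organizations that sighted the indicator apart from those that merely agreed with it.

```python
"""Steps 3-5 of the thread in STIX 2.1 JSON: one Indicator whose pattern
captures the X -> Y -> Z sequence, Sightings from Org 1 and Org 2, Opinion
objects from other orgs, and a consumer-side tally of that support.
Every id, name, timestamp and pattern below is a constructed sample value."""
import uuid
from collections import defaultdict

TS = "2016-04-05T14:00:00.000Z"  # constructed timestamp, reused for brevity


def new_id(obj_type):
    """STIX 2.1 identifier: '<object type>--<UUIDv4>'."""
    return f"{obj_type}--{uuid.uuid4()}"


def identity(name):
    return {"type": "identity", "spec_version": "2.1", "id": new_id("identity"),
            "created": TS, "modified": TS, "name": name,
            "identity_class": "organization"}


def indicator(creator, name, pattern):
    """The generalized pattern from step 4, published as a shareable Indicator."""
    return {"type": "indicator", "spec_version": "2.1", "id": new_id("indicator"),
            "created_by_ref": creator["id"], "created": TS, "modified": TS,
            "name": name, "pattern": pattern, "pattern_type": "stix",
            "valid_from": TS}


def sighting(creator, ind, count):
    """'We are seeing that pattern as well': a Sighting of the Indicator, with
    where_sighted_refs naming the organization that observed it."""
    return {"type": "sighting", "spec_version": "2.1", "id": new_id("sighting"),
            "created_by_ref": creator["id"], "created": TS, "modified": TS,
            "sighting_of_ref": ind["id"], "where_sighted_refs": [creator["id"]],
            "count": count}


def opinion(creator, ind, value, explanation):
    """A '+1' (or -1) without a sighting: an Opinion about the Indicator."""
    return {"type": "opinion", "spec_version": "2.1", "id": new_id("opinion"),
            "created_by_ref": creator["id"], "created": TS, "modified": TS,
            "opinion": value, "object_refs": [ind["id"]],
            "explanation": explanation}


# Constructed stand-in for "X followed by Y followed by Z" in STIX patterning.
SEQUENCE_PATTERN = ("([process:name = 'x.exe'] FOLLOWEDBY [process:name = 'y.exe'] "
                    "FOLLOWEDBY [process:name = 'z.exe']) WITHIN 600 SECONDS")


def build_bundle():
    org1, org2, org3, org4 = (identity(f"Org {n}") for n in range(1, 5))
    ind = indicator(org1, "x.exe then y.exe then z.exe", SEQUENCE_PATTERN)
    objects = [org1, org2, org3, org4, ind,
               sighting(org1, ind, count=3),  # step 4: Org 1 "+1" with evidence
               sighting(org2, ind, count=1),  # step 4: Org 2 "+1" with evidence
               opinion(org3, ind, "agree", "Consistent with what we see"),  # step 5
               opinion(org4, ind, "disagree", "Too broad; fires on our backup jobs")]
    return {"type": "bundle", "id": new_id("bundle"), "objects": objects}


def dangling_refs(bundle):
    """Return every *_ref(s) value that points outside the bundle; a consumer
    cannot attribute a sighting or opinion whose targets are missing."""
    ids = {o["id"] for o in bundle["objects"]}
    missing = []
    for o in bundle["objects"]:
        refs = [o[k] for k in ("created_by_ref", "sighting_of_ref") if k in o]
        for k in ("where_sighted_refs", "object_refs", "observed_data_refs"):
            refs.extend(o.get(k, []))
        missing.extend(r for r in refs if r not in ids)
    return missing


AGREE = {"agree", "strongly-agree"}
DISAGREE = {"disagree", "strongly-disagree"}


def tally_support(bundle):
    """Per indicator: total sighting count, distinct sighting orgs, and distinct
    orgs agreeing/disagreeing via Opinion. Sightings and opinions are kept
    apart because only the former claim the pattern actually fired."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    acc = defaultdict(lambda: {"sightings": 0, "sighting_orgs": set(),
                               "agree": set(), "disagree": set()})
    for o in bundle["objects"]:
        if o["type"] == "sighting":
            target = by_id.get(o["sighting_of_ref"], {})
            if target.get("type") == "indicator":
                # assumption: a Sighting without 'count' is treated as one observation
                acc[target["id"]]["sightings"] += o.get("count", 1)
                acc[target["id"]]["sighting_orgs"].update(o.get("where_sighted_refs", []))
        elif o["type"] == "opinion":
            bucket = ("agree" if o["opinion"] in AGREE
                      else "disagree" if o["opinion"] in DISAGREE else None)
            for ref in o["object_refs"]:
                if bucket and by_id.get(ref, {}).get("type") == "indicator":
                    acc[ref][bucket].add(o["created_by_ref"])
    return {k: {"sightings": v["sightings"], "sighting_orgs": len(v["sighting_orgs"]),
                "agree": len(v["agree"]), "disagree": len(v["disagree"])}
            for k, v in acc.items()}
```

Note that the step 1-2 objection in the thread still stands: nothing here can be emitted until the Indicator exists, because a Sighting must reference it.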












  • 7.  Re: [cti-stix] Question on Sightings Proposal and Cybox Observations

    Posted 04-05-2016 14:11
    The problem is, you can't do #1 with sightings and observations as proposed - as I can't use a pattern in a sighting without an attached indicator or observation, and observation can't contain a pattern (as proposed).

    -
    Jason Keirstead
    STSM, Product Architect, Security Intelligence, IBM Security Systems
    www.ibm.com/security www.securityintelligence.com

    Without data, all you are is just another person with an opinion - Unknown

    From: Aharon Chernin <achernin@soltra.com>
    To: "Wunder, John A." <jwunder@mitre.org>, Jason Keirstead/CanEast/IBM@IBMCA, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
    Date: 04/05/2016 11:02 AM
    Subject: Re: [cti-stix] Question on Sightings Proposal and Cybox Observations
    Sent by: <cti-stix@lists.oasis-open.org>






  • 9.  Re: [cti-cybox] [cti-stix] Question on Sightings Proposal and Cybox Observations

    Posted 04-05-2016 22:12
    > The problem is, you can't do #1 with sightings and observations as proposed - as I can't use a pattern in a sighting without an attached indicator or observation, and observation can't contain a pattern (as proposed).

    Then let's fix that.....

    Thanks,
    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards
    Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.


