CTI STIX Subcommittee


Re: [cti-stix] Including Incident and Assets in STIX MVP

  • 1.  Re: [cti-stix] Including Incident and Assets in STIX MVP

    Posted 06-10-2016 18:22




    Hi Rich - Did we not review the list of objects and vote on what was required for MVP? Should we not be focusing on that MVP list before we start introducing more objects or classes? Given that it's already June 10th and the goal is to have an MVP spec by July, it would seem we need to focus and put some of these items on the backlog for a future release.
     
    Regarding the statement on STIX 2.0 without an incident object.
     
    How many organizations are sharing incidents, vs. sharing campaigns, TTPs, intrusion sets, indicators, etc.?
     
    What does an incident convey that the other TLOs do not?
     
    If there’s a strong case for incident and asset in MVP then we should add them for sure. But I’m not sure there is.
     
    Allan
     

    From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of "Piazza, Rich" <rpiazza@mitre.org>
    Date: Friday, June 10, 2016 at 7:43 AM
    To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Subject: [cti-stix] Including Incident and Assets in STIX MVP


     



    It is difficult to imagine STIX 2.0 without an Incident TLO, and if we include Incident, that implies that we also need an Asset TLO. Before I present a proposal for these two TLOs, I thought I might describe how these concepts are defined in STIX 1.x and how that fits into our current design goals for STIX 2.0. Both of these objects in STIX 1.x were very “meaty”. I have some comments and questions below. Knowing the community’s thoughts on them could help me come up with a better initial proposal.
     
    Also, a lot of the features were based on VERIS.  I wrote a stix2veris converter a few years ago, therefore, I’m aware of the similarities and differences between STIX 1.2 and VERIS.
     
    For STIX 1.x documentation, see
    http://stixproject.github.io/data-model/1.2/incident/IncidentType/ and
    http://stixproject.github.io/data-model/1.2/incident/AffectedAssetType/

     
    The Incident object in STIX 1.x can be summarized into five groupings of fields (fields in italics are already not part of STIX 2.0):
     
    Basic: ID, Title, Description, Short_Description, Handling, Information_Source, External_ID, etc.
     
    Metadata: Time, Status (cv), Discovery Method (cv from VERIS), Categories, Confidence, Security_Compromise (cv)
     
    Relationships: Related_Indicators, Related_Observables, Leveraged_TTPs, Attributed_Threat_Actors, COA_Requested, COA_Taken, Related_Incidents, Affected_Assets, Related_Packages
     
    Details: Impact_Assessment, Intended_Effect, History
     
    Associated Identities: Reporter, Responder, Coordinator, Victim, Contact
     
    Comments and Questions?

    · Most of the Basic fields are similar to the TLO Common fields in 2.0.
    · Categories is very similar to Indicator_Type (or labels in 2.0) in that it is currently a cv ( http://stixproject.github.io/data-model/1.2/stixVocabs/IncidentCategoryVocab-1.0/ ), but its list of values seems somewhat incomplete. It should probably be an ov in 2.0.
    · Relationships are called out for many of the TLOs; which are appropriate to make explicit?
    · History is a log of actions taken, either as COA or just text notes. Is this MVP?
    · Intended_Effect, Impact_Assessment – similar to the objective field of campaign, which we are representing as a list of strings in 2.0.
    · Victim is probably the identity of the actual victim, not a description of a “general” target.
    · Reporter could be related to created_by_ref, although the concepts might not totally align.
    · Are Responder, Coordinator and Contact needed for MVP?
    · Anything missing that we need for 2.0?
     
    The Asset object in STIX 1.x can be summarized into three groupings of fields (fields in italics are already not part of STIX 2.0):
     
    Basic: Description
     
    Metadata: Type (cv from VERIS - http://stixproject.github.io/data-model/1.2/stixVocabs/AssetTypeVocab-1.0/ ), Ownership_Class (cv from VERIS), Management_Class (cv from VERIS), Location_Class (cv from VERIS), Location
     
    Details: Structured_Description, Nature_Of_Security_Effects, Business_Function_Or_Role
     
    Comments and Questions?

    · Type seems to be very important here – and the list of values from VERIS is very complete.
    · Are the fields Type and Description sufficient for MVP?
    · Structured_Description via CybOX is what is specified in STIX 1.x. There might be other standards that we eventually want to reference, but that is not something for 2.0.
    · Are Ownership_Class, Management_Class, Location_Class part of MVP?
    · Is the Location of the asset something that needs to be specified explicitly in its own field?
    · Nature_Of_Security_Effects is where CIA (Confidentiality, Integrity, Availability, etc.) is specified. These concepts are commonly used to describe cyber-attack activity. These are important concepts in VERIS also. MVP?
    · Anything missing that we need for 2.0?
     
    Thanks for reading this long email… :)
     
    Rich
     
    Rich Piazza
    The MITRE Corporation
    781-271-3760

  • 2.  RE: [cti-stix] Including Incident and Assets in STIX MVP

    Posted 06-10-2016 18:31




    There have been so many votes about what should be in MVP, so I’m not sure which one you are referring to, but if you look in the STIX cover page (in google docs: https://docs.google.com/document/d/1yvqWaPPnPW-2NiVCLqzRszcx91ffMowfT5MmE9Nsy_w/edit#heading=h.ye30tgaxelp4 ), it seems like the vote was in favor of “Incident Basics” and “Asset Stub”. Were you referring to another vote?
     
    My email was an attempt to decide what “Basics” and “Stub” mean :)
     
    The whole purpose of VERIS is to describe incidents. I think if we released STIX 2.0 without having such a concept many would be surprised.
     
    I will leave it to others to defend this more vociferously…

     


  • 3.  Re: [cti-stix] Including Incident and Assets in STIX MVP

    Posted 06-10-2016 18:42




    Hi Rich – As I said, if there is a use case and people are willing to put in the work to add this content, review it, and resolve all comments by July, then cool.
     
    But we should do that if there are people planning to implement it in their respective orgs or products as part of MVP.
     
    Otherwise we are just adding bloat to the MVP spec that people will ignore.
     
    Regarding your proposal, it seems to me that several of the attributes and relationships overlap with other TLOs, so it's not immediately obvious to me when I would create an incident vs. other TLOs, and the benefit to having another object that contains a lot of similar attributes/relationships to others.
     
    allan
     

  • 4.  RE: [cti-stix] Including Incident and Assets in STIX MVP

    Posted 06-10-2016 19:59




    Hi Allan,
     
    Can you be more specific when you say “overlap with other TLOs”?
     
    I assume you are thinking mostly of campaigns and intrusion sets. I would say that campaigns are different because they might contain several incidents that you have tied together as a campaign (maybe associated with some threat actor). I would think intrusion sets are similar to incidents, but they don’t contain information about what happened “after” the intrusion happened – what was done to mitigate the attack, for instance. Intrusion sets are more amorphous… at least the way I understand them.
     
    But I agree – we need a well-defined use case that needs to be supported for Incident’s inclusion in the MVP. I once again leave that to others, as my knowledge is more limited to a STIX-centric point of view (except for VERIS :) ).

     
                    Rich
     


  • 5.  Re: [cti-stix] Including Incident and Assets in STIX MVP

    Posted 06-10-2016 20:49




    I can think of a couple reasons to have incident in STIX:
     
    1. US-CERT is using STIX to support reporting of incidents from federal departments and agencies to DHS. Other organizations responsible for incident reporting/tracking might appreciate having a consistent data standard to use that’s integrated into the rest of the STIX ecosystem. I know of several mandatory and optional incident reporting systems like this.
    2. Tracking of campaigns and intrusion sets relies on tracking the incidents that make up those campaigns and intrusion sets.
    3. While one use case of STIX is for the sharing of information between organizations, another important use case is between tools within the same organization. While MITRE probably wouldn’t share most of our incidents with the outside world (with the exception of the reporting in #1), it would be nice if our incident tracking systems could be integrated into the rest of our threat intelligence infrastructure (via STIX).
     
    I don’t think it’s reasonable for us to solve STIX incident and asset for MVP. OTOH I think it would be a good idea to lay some groundwork so we can build on it for 2.1, so IMO we should focus on the bare minimums here:
     
    - Basic information like title and description
    - Defined relationships to other TLOs (campaigns, targets, etc.)
    - Categorization
    - External IDs, which will be critical for both incident and asset. Luckily, if they’re TLOs then we get that for free.
     
    I think we should explicitly scope out impact and severity information from incident (as we’ve done the same for indicator) and definitional information about asset (which can be captured by other languages). Then for 2.1 we can do some coordination with VERIS and maybe some asset data standards to figure out how to expand them to make them more useful for analysis.
     
    John
     

    From: <cti-stix@lists.oasis-open.org> on behalf of Rich Piazza <rpiazza@mitre.org>
    Date: Friday, June 10, 2016 at 3:58 PM
    To: Allan Thomson <athomson@lookingglasscyber.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Subject: RE: [cti-stix] Including Incident and Assets in STIX MVP


     



    Hi Allan,
     
    Can you be more specific when you say “ overlap with other TLOs “?
     
    I assume you are thinking mostly of campaigns and intrusion sets.  I would say that campaigns are different because they might contain several incidents, that you have tied together as a campaign (maybe associated
    with some threat actor).  I would think intrusion sets are similar to incidents, but they don’t contain information about what happened “after” the intrusion happened – what was done to mitigate the attack, for instance.  Intrusion sets are more amorphous…at
    least the way I understand them.
     
    But I agree – we need a well-defined use case that needs to be supported for Incident’s inclusion in the MVP.  I once again leave that to others, as my knowledge is more limited to a STIX-centric point of view (except for VERIS :) ).

     
                    Rich
     


    From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org]
    On Behalf Of Allan Thomson
    Sent: Friday, June 10, 2016 2:42 PM
    To: Piazza, Rich <rpiazza@mitre.org>; cti-stix@lists.oasis-open.org
    Subject: Re: [cti-stix] Including Incident and Assets in STIX MVP


     
    Hi Rich – As I said, if there is a use case and people are willing to put in the work to add this content, review it, resolve all comments by July then cool.

     
    But we should do that if there are people planning to implement it in their respective orgs or products as part of MVP.
     
    Otherwise we are just adding bloat to the MVP spec that people will ignore.
     
    Regarding your proposal it seems to me that several of the attributes and relationships overlap with other TLOs so its not immediately obvious to me when I would create an incident vs other TLOs and the benefit
    to having another object that contains a lot of similar attributes/relationships to others.
     
    allan
     

    From: "Piazza, Rich" <rpiazza@mitre.org>
    Date: Friday, June 10, 2016 at 11:30 AM
    To: Allan Thomson <athomson@lookingglasscyber.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Subject: RE: [cti-stix] Including Incident and Assets in STIX MVP
     
    There have been so many votes about what should be in MVP, so I’m not sure which one you are referring to, but if you look in the STIX cover page (in google docs: https://docs.google.com/document/d/1yvqWaPPnPW-2NiVCLqzRszcx91ffMowfT5MmE9Nsy_w/edit#heading=h.ye30tgaxelp4 ), it seems like the vote was in favor of “Incident Basics” and “Asset Stub”.  Were you referring to another vote??
     
    My email was an attempt to decide what “Basics” and “Stub” mean :)
     
    The whole purpose of VERIS is to describe incidents.  I think if we released STIX 2.0 without having such a concept many would be surprised.
     
    I will leave it to others to defend this more vociferously…

     


    From: Allan Thomson [mailto:athomson@lookingglasscyber.com]
    Sent: Friday, June 10, 2016 2:21 PM
    To: Piazza, Rich <rpiazza@mitre.org>; cti-stix@lists.oasis-open.org
    Subject: Re: [cti-stix] Including Incident and Assets in STIX MVP


     
    Hi Rich - Did we not review the list of objects and vote on what was required for MVP? Should we not be focusing on that MVP list before we start introducing more objects or classes? Given that it's already June 10th and the goal is to have a MVP spec by July it would seem we need to focus and put some of these items on the backlog for a future release.
     
    Regarding the statement on STIX 2.0 without an incident object.
     
    How many organizations are sharing incidents? Vs sharing campaigns, TTPs, intrusion sets, indicators….etc?
     
    What does an incident convey that the other TLOs do not?
     
    If there’s a strong case for incident and asset in MVP then we should add them for sure. But I’m not sure there is.
     
    Allan
     

    From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of "Piazza, Rich" <rpiazza@mitre.org>
    Date: Friday, June 10, 2016 at 7:43 AM
    To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Subject: [cti-stix] Including Incident and Assets in STIX MVP
     
    It is difficult to imagine STIX 2.0 without an Incident TLO and if we include Incident, that implies that we also need an Asset TLO.  Before I present a proposal for these two TLOs, I thought I might describe how
    these concepts are defined in STIX 1.x and how that fits into our current design goals for STIX 2.0.  Both of these objects in STIX 1.x were very “meaty”. 
    I have some comments and questions below.  Knowing the community’s thoughts on them could help me come up with a better initial proposal.
     
    Also, a lot of the features were based on VERIS.  I wrote a stix2veris converter a few years ago, therefore, I’m aware of the similarities and differences between STIX 1.2 and VERIS.
     
    For STIX 1.x documentation, see
    http://stixproject.github.io/data-model/1.2/incident/IncidentType/ and
    http://stixproject.github.io/data-model/1.2/incident/AffectedAssetType/

     
    The Incident object in STIX 1.x can be summarized into five groupings of fields (fields in italics are already not part of STIX 2.0):
     
    Basic: ID, Title, Description, Short_Description, Handling, Information_Source, External_ID, etc.
     
    Metadata: Time, Status (cv), Discovery Method (cv from VERIS), Categories, Confidence, Security_Compromise (cv)
     
    Relationships: Related_Indicators, Related_Observables, Leveraged_TTPs, Attributed_Threat_Actors, COA_Requested, COA_Taken, Related_Incidents, Affected_Assets, Related_Packages
     
    Details: Impact_Assessment, Intended_Effect, History
     
    Associated Identities: Reporter, Responder, Coordinator, Victim, Contact
     
    Comments and Questions?
     
    ·  Most of the Basic fields are similar to the TLO Common fields in 2.0.
    ·  Categories is very similar to Indicator_Type (or labels in 2.0) in that it is currently a cv ( http://stixproject.github.io/data-model/1.2/stixVocabs/IncidentCategoryVocab-1.0/ ), but its list of values seems somewhat incomplete.  It should probably be an ov in 2.0.
    ·  Relationships are called out for many of the TLOs, which are appropriate to make explicit?
    ·  History is a log of actions taken, either as COA or just text notes.  Is this MVP?
    ·  Intended_Effect, Impact_Assessment – similar to objective field of campaign, which we are representing as a list of strings in 2.0.
    ·  Victim is probably the identity of the actual victim, not a description of a “general” target.
    ·  Reporter could be related to created_by_ref, although the concepts might not totally align.
    ·  Are Responder, Coordinator and Contact needed for MVP?
    ·  Anything missing that we need for 2.0?
     
    The Asset object in STIX 1.x can be summarized into three groupings of fields (fields in italics are already not part of STIX 2.0):
     
    Basic: Description
     
    Metadata: Type (cv from VERIS - http://stixproject.github.io/data-model/1.2/stixVocabs/AssetTypeVocab-1.0/ ), Ownership_Class (cv from VERIS), Management_Class (cv from VERIS), Location_Class (cv from VERIS), Location
     
    Details: Structured_Description, Nature_Of_Security_Effects, Business_Function_Or_Role
     
    Comments and Questions?
     
    ·  Type seems to be very important here – and the list of values from VERIS is very complete.
    ·  Are the fields Type and Description sufficient for MVP?
    ·  Structured_Description via CybOX is what is specified in STIX 1.x.  There might be other standards that we eventually want to reference, but that is not something for 2.0.
    ·  Are Ownership_Class, Management_Class, Location_Class part of MVP?
    ·  Is the Location of the asset something that needs to be specified explicitly in its own field?
    ·  Nature_Of_Security_Effects is where CIA (Confidentiality, Integrity, Availability, etc) is specified.  These concepts are commonly used to describe cyber-attack activity. These are important concepts in VERIS also.  MVP?
    ·  Anything missing that we need for 2.0?
     
    Thanks for reading this long email…. :)
     
    Rich
     
    Rich Piazza
    The MITRE Corporation
    781-271-3760
     
  • 6.  RE: [cti-stix] Including Incident and Assets in STIX MVP

    Posted 06-10-2016 20:50
    Our organization receives incident information as the primary type of information that is sent as part of the sharing initiative that we run. Incidents provide the context associated with observations. A SOC can easily communicate everything that happens within an Incident. That information is placed in observations and is associated with kill chain phases. The incident ties all of this together. Either a SOC or a cyber analytics team can take that information and create indicators based upon the observations associated with the incident. The incident data can be useful for trending, determining TTPs or volatility. It's very useful for performing attribution back to an intrusion set or threat actor. We wouldn't want to tie Observations directly back to an Intrusion Set or Campaign, we want to tie back an Incident. If I have 10 observations directly tied to a Campaign it's difficult to know if they were part of the same incident, or were they separate observations of just different parts of the campaign. -Gary


  • 7.  Re: [cti-stix] Including Incident and Assets in STIX MVP

    Posted 06-11-2016 00:18
    Gary, based on your comments below, I added an open question to the Observations TLO in regards to adding the kill chain phases CV to it.  It seems like that is something you need.  Please advise.
     
    Bret
     
    From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Katz, Gary CTR DC3/DCCI <Gary.Katz.ctr@dc3.mil>
    Sent: Friday, June 10, 2016 2:49 PM
    To: 'Piazza, Rich'; Allan Thomson; cti-stix@lists.oasis-open.org
    Subject: RE: [cti-stix] Including Incident and Assets in STIX MVP


  • 8.  Re: [cti-stix] Including Incident and Assets in STIX MVP

    Posted 06-14-2016 16:06
    Incident is of key interest to me and my product team. (I.e. to Allan’s point - we would be keen to implement it w/ support for 2.0 in our product)
     
    Use Case: Automated correlation of observations (from real-time network detection) to indicators in order to programmatically generate incidents for triage by an IR team. Our strategy is to leverage the incident structure as the shared (via TAXII) output from our system to IR orchestration tools and/or TIP platforms.
     
    I would be happy to take a pass at getting a draft of Incident in place quickly. That said, our use case is very constrained with modest requirements of the TLO.
     
    Ted Bedwell
    Principal Engineer
    Network Threat Defense
    .: :.: :.  CISCO  .: :.: :.
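The pipeline Gary and Ted describe above (observations from detection matched against indicators, rolled up into one incident, and the incident rather than the individual observations tied back to a campaign) as an added Python example. This is not code from the thread or from any STIX implementation. The observed-data, indicator, campaign and relationship shapes follow STIX 2.x conventions; the properties of the incident object (name, description, labels, external_references) and the relationship types it emits are assumptions about a minimal "Incident Basics" object along the lines of John's list, not a published schema. All sample observations and indicators are constructed.

```python
"""Observation -> indicator -> incident correlation (added example).

Not code from the OASIS thread or from any STIX library. The 'incident'
object's properties and the relationship types used are ASSUMPTIONS about a
minimal "Incident Basics" object; they are not a published schema.
"""
import re
import uuid
from datetime import datetime, timezone

# --- constructed sample data (RFC 5737 / RFC 2606 documentation values) ---
OBSERVATIONS = [
    {"type": "observed-data", "id": "observed-data--00000000-0000-4000-8000-000000000001",
     "first_observed": "2016-06-10T14:00:00.000Z",
     "objects": {"0": {"type": "ipv4-addr", "value": "203.0.113.5"}}},
    {"type": "observed-data", "id": "observed-data--00000000-0000-4000-8000-000000000002",
     "first_observed": "2016-06-10T14:01:00.000Z",
     "objects": {"0": {"type": "ipv4-addr", "value": "198.51.100.7"}}},  # benign
    {"type": "observed-data", "id": "observed-data--00000000-0000-4000-8000-000000000003",
     "first_observed": "2016-06-10T14:02:00.000Z",
     "objects": {"0": {"type": "domain-name", "value": "c2.example"},
                 "1": {"type": "ipv4-addr", "value": "203.0.113.5"}}},
]
INDICATORS = [
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-00000000000a",
     "pattern": "[ipv4-addr:value = '203.0.113.5']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-00000000000b",
     "pattern": "[domain-name:value = 'c2.example']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-00000000000c",
     "pattern": "[url:value = 'http://example.org/drop']"},  # never observed
]
CAMPAIGN_ID = "campaign--00000000-0000-4000-8000-0000000000c1"

# Only the single-comparison subset of STIX patterning is handled:
# "[<object-type>:<property> = '<value>']". Enough to show the hand-off,
# not a pattern engine; anything else is rejected rather than silently ignored.
_COMPARISON = re.compile(r"\[\s*([\w-]+):([\w.]+)\s*=\s*'([^']*)'\s*\]")


def pattern_matches(pattern, observation):
    """True if any object inside the observation satisfies the pattern."""
    m = _COMPARISON.fullmatch(pattern.strip())
    if m is None:
        raise ValueError(f"unsupported pattern (subset only): {pattern}")
    obj_type, prop, value = m.groups()
    return any(o.get("type") == obj_type and o.get(prop) == value
               for o in observation["objects"].values())


def correlate(observations, indicators):
    """Map observation id -> [indicator ids] for every observation that hit."""
    hits = {}
    for obs in observations:
        matched = [i["id"] for i in indicators if pattern_matches(i["pattern"], obs)]
        if matched:
            hits[obs["id"]] = matched
    return hits


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")


def _relationship(source, target, rel_type, ts):
    return {"type": "relationship", "id": f"relationship--{uuid.uuid4()}",
            "created": ts, "modified": ts, "relationship_type": rel_type,
            "source_ref": source, "target_ref": target}


def build_incident(observations, indicators, ticket_id, campaign_id=None,
                   label="indicator-match"):
    """Emit a bundle holding one incident linked to the observations and
    indicators that produced it and, optionally, to a campaign. Observations
    hang off the incident only, never directly off the campaign. Returns None
    when nothing matched so benign traffic does not become an IR ticket."""
    hits = correlate(observations, indicators)
    if not hits:
        return None
    ts = _now()
    indicator_ids = sorted({i for ids in hits.values() for i in ids})
    incident = {  # assumed minimal "Incident Basics" shape
        "type": "incident", "id": f"incident--{uuid.uuid4()}",
        "created": ts, "modified": ts,
        "name": f"Indicator match ({ticket_id})",
        "description": f"{len(hits)} observation(s) matched {len(indicator_ids)} indicator(s).",
        "labels": [label],  # categorization
        "external_references": [{"source_name": "soc-ticketing",  # external ID
                                 "external_id": ticket_id}],
    }
    objects = [incident]
    objects += [_relationship(incident["id"], obs_id, "related-to", ts) for obs_id in hits]
    objects += [_relationship(incident["id"], ind_id, "related-to", ts) for ind_id in indicator_ids]
    if campaign_id:
        objects.append(_relationship(incident["id"], campaign_id, "attributed-to", ts))
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "spec_version": "2.0", "objects": objects}


if __name__ == "__main__":
    import json
    print(json.dumps(build_incident(OBSERVATIONS, INDICATORS, "SOC-1042", CAMPAIGN_ID), indent=2))
```

Run it directly to print the bundle. Two observations hit, one of them on two indicators, so the bundle carries the incident, two observation links, two indicator links (deduplicated) and one campaign link; the benign observation produces no relationship at all. Given only the benign observation, `build_incident` returns `None` rather than an empty incident, which is the check a triage queue needs.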


  • 9.  RE: [cti-stix] Including Incident and Assets in STIX MVP

    Posted 06-14-2016 16:38
    Hi Ted,
     
    I’m working on the proposal for Incident, and would welcome your input.  Do you have any comments on the original email of 6/10 that opened this discussion?
     
    Rich


  • 10.  Re: [cti-stix] Including Incident and Assets in STIX MVP

    Posted 06-14-2016 20:05
    Thanks Ted. Appreciate you providing a good use case for the incident TLO in product in 2.0. You didn't mention asset in your description of the use case. Do you see the use case requiring asset?
     
    Allan
Metadata: Time, Status (cv), Discovery Method (cv from VERIS), Categories, Confidence, Security_Compromise (cv) Relationships: Related_Indicators, Related_Observables, Leveraged_TTPs, Attributed_Threat_Actors, COA_Requested, COA_Taken, Related_Incidents, Affected_Assets, Related_Packages Details: Impact_Assessment, Intended_Effect, History Associated Identities: Reporter, Responder, Coordinator, Victim, Contact Comments and Questions? · Most of the Basic fields are similar to the TLO Common fields in 2.0. · Categories is very similar is similar to Indicator_Type (or labels in 2.0) in that it is currently a cv ( http://stixproject.github.io/data-model/1.2/stixVocabs/IncidentCategoryVocab-1.0/ ) , but its list of values seems somewhat incomplete. It should probably be an ov in 2.0. · Relationships are called out for many of the TLOs, which are appropriate to make explicit? · History is a log of actions taken, either as COA or just text notes. Is this MVP? · Intended_Effect, Impact_Assessment – similar to objective field of campaign, which we are representing as a list of strings in 2.0. · Victim is probably the identity of the actual victim, not a description of a “general” target. · Reporter could be related to created_by_ref, although the concepts might not totally align. · Are Responder, Coordinator and Contact needed for MVP? · Anything missing that we need for 2.0? The Asset object in STIX 1.x can be summarized into three groupings of fields (fields in italics are already not part of STIX 2.0): Basic: Description Metadata: Type(cv from VERIS - http://stixproject.github.io/data-model/1.2/stixVocabs/AssetTypeVocab-1.0/ ), Ownership_Class(cv from VERIS), Management_Class(cv from VERIS), Location_Class(cv from VERIS), Location Details: Structured_Description, Nature_Of_Security_Effects, Business_Function_Or_Role Comments and Questions? · Type seems to be very important here – and the list of values from VERIS is very complete. 
· Are the fields Type and Description sufficient for MVP? · Structured_Description via CybOX is what is specified in STIX 1.x. There might be other standards that we eventually want to reference, but that is not something for 2.0. · Are Ownership_Class, Management_Class, Location_Class part of MVP? · Is the Location of the asset something that needs to be specified explicitly in its own field? · Nature_Of_Security_Effects is where CIA (Confidentiality, Integrity, Availability, etc) is specified. These concepts are commonly used to describe cyber-attack activity. These are important concepts in VERIS also. MVP? · Anything missing that we need for 2.0? Thanks for reading this long email…. :) Rich Rich Piazza The MITRE Corporation 781-271-3760 <<attachment: winmail.dat>>
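Ted's use case (correlate sensor observations against indicators, emit an incident for IR triage over TAXII) and Rich's field groupings for a slimmed-down Incident can be sketched together. The following is an added example written for this thread; it is not code from the OASIS CTI TC, Cisco, MITRE, or any STIX library. It assumes STIX 2.0-style JSON for indicators, relationships and the bundle, and uses a hypothetical custom object type `x-incident` (STIX 2.0 reserves the `x-` prefix for custom types) whose properties are stand-ins for the 1.x Reporter, Status, Discovery Method, Categories and Affected_Assets fields. The indicators, observations and identity ID are constructed sample data, and only single-comparison patterns are evaluated.

```python
"""Added example: indicator/observation correlation producing a hypothetical
x-incident object. Not from the STIX TC or any STIX library; all data is constructed."""
import json
import re
import uuid


def stix_id(obj_type):
    """STIX 2.0 identifier: '<type>--<uuid4>'."""
    return f"{obj_type}--{uuid.uuid4()}"


# Constructed indicators (example only). The tiny parser below understands only
# patterns of the form [type:prop = 'value'].
INDICATORS = [
    {"type": "indicator", "id": "indicator--0f3c1b2e-1111-4f0a-9a4c-000000000001",
     "labels": ["malicious-activity"], "name": "Known C2 address",
     "pattern": "[ipv4-addr:value = '198.51.100.7']"},
    {"type": "indicator", "id": "indicator--0f3c1b2e-1111-4f0a-9a4c-000000000002",
     "labels": ["malicious-activity"], "name": "Known C2 domain",
     "pattern": "[domain-name:value = 'c2.example.net']"},
]

# Constructed sensor observations: which host, when, and what was seen on the wire.
OBSERVATIONS = [
    {"host": "ws-0142", "observed": "2016-06-14T15:02:11Z",
     "ipv4-addr": ["203.0.113.10"], "domain-name": ["update.example.org"]},
    {"host": "ws-0142", "observed": "2016-06-14T15:02:40Z",
     "ipv4-addr": ["198.51.100.7"], "domain-name": ["c2.example.net"]},
    {"host": "srv-db01", "observed": "2016-06-14T16:10:05Z",
     "ipv4-addr": ["198.51.100.7"], "domain-name": []},
]

_SIMPLE_PATTERN = re.compile(
    r"^\[(?P<otype>[a-z0-9-]+):(?P<prop>[a-z_]+)\s*=\s*'(?P<value>[^']*)'\]$")


def parse_simple_pattern(pattern):
    """(object_type, property, value) for a one-comparison pattern, else None.
    Compound patterns (AND/OR/FOLLOWEDBY, MATCHES, qualifiers) are rejected,
    not mis-evaluated."""
    m = _SIMPLE_PATTERN.match(pattern.strip())
    return (m["otype"], m["prop"], m["value"]) if m else None


def correlate(observations, indicators):
    """Return (observation, indicator) pairs whose pattern value was observed."""
    hits = []
    for ind in indicators:
        parsed = parse_simple_pattern(ind["pattern"])
        if parsed is None or parsed[1] != "value":
            continue  # this example only compares the 'value' property
        otype, _, value = parsed
        for obs in observations:
            if value in obs.get(otype, []):
                hits.append((obs, ind))
    return hits


def build_incidents(hits, reporter_ref, created):
    """One hypothetical x-incident per affected host, plus a related-to
    relationship from the incident to each distinct matched indicator."""
    by_host = {}
    for obs, ind in hits:
        by_host.setdefault(obs["host"], []).append((obs, ind))
    objects = []
    for host, pairs in sorted(by_host.items()):
        times = sorted(obs["observed"] for obs, _ in pairs)
        matched = {ind["id"]: ind for _, ind in pairs}  # dedupe repeated hits
        incident = {
            "type": "x-incident", "id": stix_id("x-incident"),   # hypothetical type
            "created": created, "modified": created,
            "created_by_ref": reporter_ref,                      # 1.x Reporter
            "labels": ["indicator-match"],                       # 1.x Categories as ov
            "name": f"Indicator match on {host}",
            "description": f"{len(matched)} indicator(s) matched by network detection",
            "first_seen": times[0], "last_seen": times[-1],      # 1.x Time
            "x_status": "new",                                   # 1.x Status
            "x_discovery_method": "network-detection",           # 1.x Discovery Method
            "x_affected_host": host,                             # stand-in for Asset
        }
        objects.append(incident)
        for ind_id in matched:
            objects.append({
                "type": "relationship", "id": stix_id("relationship"),
                "created": created, "modified": created,
                "relationship_type": "related-to",
                "source_ref": incident["id"], "target_ref": ind_id,
            })
    return objects


def make_bundle(objects):
    """Wrap objects in a STIX 2.0 bundle, the unit a TAXII collection would serve."""
    return {"type": "bundle", "id": stix_id("bundle"),
            "spec_version": "2.0", "objects": list(objects)}


if __name__ == "__main__":
    hits = correlate(OBSERVATIONS, INDICATORS)
    objs = build_incidents(hits, "identity--8a6d2a1e-2222-4c7b-9e1f-000000000003",
                           "2016-06-15T00:00:00.000Z")
    print(json.dumps(make_bundle(objs + INDICATORS), indent=2))
```

Grouping hits per host is what makes Allan's asset question concrete: the incident needs somewhere to say what was affected, and here that is a custom string property rather than a separate Asset object. The pattern parser deliberately refuses anything beyond a single equality so a compound pattern is skipped rather than silently matched on its first term.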


  • 11.  Re: [cti-stix] Including Incident and Assets in STIX MVP

    Posted 06-11-2016 00:05
From my standpoint, Incident and Asset would be a stretch goal for the summer release. More likely it will be in the Winter release, IMHO.

Bret