Jason I generally agree.
Marking is a formal method of conveying something to those that receive the data.
Labels are informal and might not be used or properly understood outside of the originating entity.
I won't recommend any automated processing, without much assurance, of labels on content received externally.
-Marlon
From:
cti-stix@lists.oasis-open.org [mailto:
cti-stix@lists.oasis-open.org]
On Behalf Of Wunder, John A.
Sent: Wednesday, September 21, 2016 8:46 AM
To: Jason Keirstead; Alexandre Dulaunoy
Cc:
cti-stix@lists.oasis-open.org Subject: Re: [cti-stix] Labels versus marking
I agree with this. I think we should limit markings to handling instructions and things that are a part of the data itself should be in the data model as properties.
My reasoning is that generic approaches for marking and tagging data will lead to less standardization. I mark my data with tags on a per-field basis, you do it at the object
level, and therefore you don’t support my tags. So, if there’s a strong use case for field-level tagging, IMO they should just be added as properties.
John
From:
<
cti-stix@lists.oasis-open.org > on behalf of Jason Keirstead <
Jason.Keirstead@ca.ibm.com >
Date: Wednesday, September 21, 2016 at 8:38 AM
To: "
Alexandre.Dulaunoy@circl.lu " <
Alexandre.Dulaunoy@circl.lu >
Cc: "
cti-stix@lists.oasis-open.org " <
cti-stix@lists.oasis-open.org >
Subject: Re: [cti-stix] Labels versus marking
My own naive view of labels vs markings is this...
Data markings are meant to enforce policy, either automated or manual.
Tags, on the other hand, are meant to facilitate analysis and searching.
If you are making the data to help an analyst understad what it is, and/or find it in a tool, use labels. If you are making the data to ensure that a tool or human treats it in a certain way when they recieve it, you would use a marking.
Is my view in alignment with the community? We probably need to figure out how to describe this in STIX...
-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security www.securityintelligence.com Without data, all you are is just another person with an opinion - Unknown
Alexandre Dulaunoy ---09/21/2016 06:16:04 AM---On 21/09/16
00:36, Bret Jordan (CS) wrote: > Can you give some examples of what you are wanting to d
From: Alexandre Dulaunoy <
Alexandre.Dulaunoy@circl.lu >
To:
cti-stix@lists.oasis-open.org Date: 09/21/2016 06:16 AM
Subject: Re: [cti-stix] Labels versus marking
Sent by: <
cti-stix@lists.oasis-open.org >
On 21/09/16 00:36, Bret Jordan (CS) wrote:
> Can you give some examples of what you are wanting to do?
>
> The current labels property is a way of tracking the old "malware type" for example. It also allows products to add extra labels or tags to an object for use in their classifications. I view this as means of mimicking Evernote's or GMail's labels.
Sure. We are currently evaluating the options to support properly the taxonomy in MISP
when doing STIX import and export. The two options are marking or labels. The main issue
for us is the labels being limited to some types only and you cannot do any granular marking.
Until now, the approach we want to take is the following:
{
"type": "marking-definition",
"id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
"created": "2016-08-01T00:00:00Z",
"modified": "2016-08-01T00:00:00Z",
"version": 1,
"definition_type": "misp-taxonomies",
"definition": {
"tag": "misp:confidence-level="usually-confident""
}
}
{
"type": "marking-definition",
"id": "marking-definition--78ad9b3b-8113-4454-a04e-7d433dadae07",
"created": "2016-08-01T00:00:00Z",
"modified": "2016-08-01T00:00:00Z",
"version": 1,
"definition_type": "misp-taxonomies",
"definition": {
"tag": "adversary:infrastructure-status="compromised""
}
}
"indicators": [
{
"type": "indicator",
"id": "indicator--33fe3b22-0201-47cf-85d0-97c02164528d",
"version": 1,
"created": "2014-05-08T09:00:00.000000Z",
"modified": "2014-05-08T09:00:00.000000Z",
"name": "IP Address for known C2 channel",
"labels": ["malicious-activity"],
"object_marking_refs": ["marking-definition--78ad9b3b-8113-4454-a04e-7d433dadae07", "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"]
"pattern": "ipv4addr-object:value EQ '10.0.0.0'",
"pattern_lang": "cybox",
"valid_from": "2014-05-08T09:00:00.000000Z"
}
]
and if you use label (but we won't be able to do marking where we want):
"indicators": [
{
"type": "indicator",
"id": "indicator--33fe3b22-0201-47cf-85d0-97c02164528d",
"version": 1,
"created": "2014-05-08T09:00:00.000000Z",
"modified": "2014-05-08T09:00:00.000000Z",
"name": "IP Address for known C2 channel",
"labels": ["adversary:infrastructure-status="compromised"", "misp:confidence-level="usually-confident""],
"pattern": "ipv4addr-object:value EQ '10.0.0.0'",
"pattern_lang": "cybox",
"valid_from": "2014-05-08T09:00:00.000000Z"
}
]
The other advantage of using the marking is to ensure that parser can support directly
the taxonomies with the type defined compared to labels where this can be a series
of various, tags or machine tags.
If the option of marking is kept, how would we define the marking type in the standard?
Can this be extended in the current proposal?
Cheers
--
Alexandre Dulaunoy
CIRCL - Computer Incident Response Center Luxembourg
41, avenue de la gare L-1611 Luxembourg
info@circl.lu -
www.circl.lu ---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail. Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php