CTI STIX Subcommittee

 View Only
Expand all | Collapse all

RE: Stements & relations (was [cti-stix] [cti-cybox] Revoke Cybox Observable)

  • 1.  RE: Stements & relations (was [cti-stix] [cti-cybox] Revoke Cybox Observable)

    Posted 11-11-2015 17:14




    Re:
    I kind of view all of this as people making assertions about something.  
    Yup!!
     
    One thing this would bring up is consistency in relationships. In some cases STIX relations are not reified (made “real” with their own class/statement) – they
    are just properties, in other cases there is one class and in others 2 classes – a “set” (has a plural name) and a “relation” (has a “reference” name). I have seen reified relations in a lot of models, STIX is the first time I have seen it “doubled up” like
    this, I’m not sure that is needed. So the question is when should relations/statements be reified and should there be one or 2 “intermediates”?
    ·         
    Never reify relations, this information goes somewhere else (so have to say where that is).
    ·         
    Always reify relations, this is the basis for trust and versioning
    ·         
    Sometimes reify relations – ok, so what are the rules for when?
    ·         
    When is there a reified “set” and a reified “ref”?
     
    I find “simple” means consistent. I would go for always reifying relations, but getting rid of the 2-steps. You can put all the metadata you want on each “statement”.
    I would think calling this a “statement” would also be a good idea as it makes the intent clear. Statements can then have a validity date range, source, confidence, etc. Of course, these are also statements.
     
    -Cory
     


    From: Jordan, Bret [mailto:bret.jordan@bluecoat.com]

    Sent: Wednesday, November 11, 2015 11:37 AM
    To: Cory Casanave
    Cc: Jerome Athias; Sarah Kelley; Ivan Kirillov; Ali Khan; cti-stix@lists.oasis-open.org; cti-cybox@lists.oasis-open.org
    Subject: Re: [cti-stix] [cti-cybox] Revoke Cybox Observable


     
    I kind of view all of this as people making assertions about something.  Those assertions can be good, bad, valid, invalid, only for a defined time frame etc.  Further, people can make assertions about your assertions.  You say this threat
    actor is using this TTP to run this campaign and attack these users types at these companies by doing XYZ..    Someone may come along and challenge part of that assertions and say it is not XYZ but rather ABC and DEF..  

     









    From hearing everyones complaints about versioning, I think that is something we should try and fix in the next 7 days.  Lets identify the things that should be easy wins to
    figure out, and lets tackle them one at a time and fix them.  


     


    Thanks,


     


    Bret



     


     


     



    Bret Jordan CISSP

    Director of Security Architecture and Standards Office of the CTO


    Blue Coat Systems



    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050


    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 









     



    On Nov 11, 2015, at 06:44, Cory Casanave < cory-c@modeldriven.com > wrote:

     


    I would like to strongly “+1” the idea of using the relationships as a basis for versioning. Deleting data is so 20 th   century!


     


    If you consider each instance of these relationships a “statement” (or fact) stated by some party at some time, it will always be true that this  party said
    what they said when they said it. In this area of threats, such “historical” statements can be very important even if they are no longer considered “true” by some party (i.e. some statements that made the U.S. go to war in Iraq ). As these statements (relationship
    instances) are already first-class things they can have a timeframe and confidence. We can say “that statement is invalid” or “That set of statements is not longer true”. If some implementation wants to interpret that as a “delete”, that would be fine but
    others may want a record of such statements (U.S. national archives likes to do such things).


     


    Most of the infrastructure is already in place to do this, relationships have identity. Adding “second order” statements about them such as “superseded by”
    or “end date” provides for a very robust distributed knowledge base, which is what we are fundamentally trying to support.


     


    -Cory


     


    From:   cti-stix@lists.oasis-open.org   [ mailto:cti-stix@lists.oasis-open.org ]   On
    Behalf Of   Jerome Athias
    Sent:   Tuesday, November 10, 2015 9:08 PM
    To:   Sarah Kelley
    Cc:   Jordan, Bret; Ivan Kirillov; Ali Khan;   cti-stix@lists.oasis-open.org ;   cti-cybox@lists.oasis-open.org
    Subject:   [cti-stix] Re: [cti-cybox] Revoke Cybox Observable


     


    While implementation dependent, imho, the top construct Relationship (remember top of our todo list) will help.



    Would be 'easy' to implement a purge procedure of all observables that don't have a Relationship created more than x month/week ago




    (Similar to logs or backups/archives management/roll process)




     




    Should we finalize the Relationship?

    On Tuesday, 10 November 2015, Sarah Kelley < Sarah.Kelley@cisecurity.org > wrote:






    At this point, we’re currently just trying to clean up our own database. I’m sure there is a much wider issue involved, but our current context is that we have the same observable
    in our system five different times (which is obviously unnecessary). The only things that changed were things like TLP, or “Hey, I fat-fingered something!” I understand the concern about "what does it mean to revoke a fact", but what if it’s just wrong? You
    type 1.1.1.1, and you really meant 2.2.2.2? The first is not correct, but currently is lingering in the system, even after unlinking it from the indicator. 





     




    Sarah Kelley




    Senior CERT Analyst





    Center for Internet Security (CIS)




    Integrated Intelligence Center (IIC)




    Multi-State Information Sharing and Analysis Center (MS-ISAC)




    1-866-787-4722 (7×24 SOC)




    Email:  cert@cisecurity.org




    www.cisecurity.org




    Follow us @CISecurity





     







     




    From:   "Jordan, Bret" < bret.jordan@bluecoat.com >
    Date:   Tuesday, November 10, 2015 at 1:16 PM
    To:   Ivan Kirillov < ikirillov@mitre.org >
    Cc:   Sarah Kelley < sarah.kelley@cisecurity.org >, Unknown Unknown < athiasjerome@gmail.com >,
    Ali Khan < akhan@soltra.com >, " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >,
    " cti-cybox@lists.oasis-open.org " < cti-cybox@lists.oasis-open.org >
    Subject:   Re: [cti-cybox] [cti-stix] Re: [cti-cybox] Revoke Cybox Observable




     





    We have talked about this a lot in the past, in regards to STIX, and I now view this as an implementation or process related issue.  The reason for that is you can not guarantee
    that the other end of the link will honor your request.  Maybe in "like" systems, meaning all systems built by EclecticIQ or Soltra, you would have some level of success.  



     




    But when you span across products there is no guarantee that they have implemented it in their code, nor that the administrator will allow it.  Requests like that may go
    in to a bucket for human review.   



     











     




    Thanks,




     




    Bret





     




     




     





    Bret Jordan CISSP



    Director of Security Architecture and Standards Office of the CTO




    Blue Coat Systems





    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050




    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 











     





    On Nov 10, 2015, at 11:09, Kirillov, Ivan A. < ikirillov@mitre.org > wrote:



     



    Thanks for the context, Sarah - very helpful.

    To me, this comes down to being a language versus process question - that is, is Observable revocation something that should be addressed as part of the CybOX language, or should it be considered more as part of the processes in which CybOX is used? I’m leaning
    towards the latter, for the reason that the notion of revocation around Observables is something that doesn’t seem to fit as part of the data model around them. This is because, at their core, Observables represent some cyber “fact”, and what it does it mean
    to revoke a “fact”? At least with Indicators, you can argue that the Indicator may no longer be valid, or that its pattern is incorrect. With Observables, I think the semantics of revocation are not as clear and may not really make sense.  

    At least in your case, it seems like we may need to consider defining some sort of garbage collection process, where Observables (and any other id-able CybOX/STIX entities) that were referenced and/or embedded in another entity and then no longer referenced
    be pruned from the datastore.

    Regards,
    Ivan



    On 11/10/15, 12:31 PM, " cti-cybox@lists.oasis-open.org   on behalf of Sarah Kelley" < cti-cybox@lists.oasis-open.org   on
    behalf of   Sarah.Kelley@cisecurity.org > wrote:






    Just to give a little context around this question, this came up in a
    conversation between Ali (well, several Soltra people) and myself today.

    In our instance of Soltra Edge, we have (on many occasions) had to ‘edit’
    an observable. Currently this involves editing the indicator, deleting the
    link to the current Cybox observable, and creating a new observable. This
    leaves lots of orphaned observables in our database that we really need to
    have the ability to purge. The understanding we have is that currently
    Cybox doesn’t support any sort of revoke/purge like Stix does.



    Sarah Kelley
    Senior CERT Analyst
    Center for Internet Security (CIS)
    Integrated Intelligence Center (IIC)
    Multi-State Information Sharing and Analysis Center (MS-ISAC)
    1-866-787-4722 (7×24 SOC)
    Email:   cert@cisecurity.org
    www.cisecurity.org
    Follow us @CISecurity






    On 11/10/15, 11:06 AM, " cti-stix@lists.oasis-open.org   on behalf of
    Kirillov, Ivan A." < cti-stix@lists.oasis-open.org   on behalf of
    ikirillov@mitre.org > wrote:






    Great question Ali; unfortunately I don’t have much insight into this
    topic. Moving this to the STIX list - I think revocation is more specific
    to STIX (though it clearly touches upon CybOX as well).

    Regards,
    Ivan




    On 11/10/15, 11:00 AM, " cti-cybox@lists.oasis-open.org   on behalf of
    Jerome Athias" < cti-cybox@lists.oasis-open.org   on behalf of
    athiasjerome@gmail.com > wrote:






    Potential review of this
    https://stixproject.github.io/data-model/1.2/indicator/ValidTimeType/
    Suggestions welcome

    2015-11-10 18:48 GMT+03:00 Ali Khan < akhan@soltra.com >:




    What is the cybox committees discussion so far for future versions to
    support ability to revoke and remove completely a cybox observable
    that was
    created and then shared but now there is a need to remove it.





    Thank You



    Ali Khan
    Lead Analyst

    SOLTRA An FS-ISAC & DTCC Company

    Tampa, fl 33647

    813.470.2197   akhan@soltra.com






    ---------------------------------------------------------------------
    To unsubscribe from this mail list, you must leave the OASIS TC that
    generates this mail.  Follow this link to all your TCs in OASIS at:
    https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php


    ...


    This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender
    immediately and permanently delete the message and any attachments.

    . . .

    ---------------------------------------------------------------------
    To unsubscribe from this mail list, you must leave the OASIS TC that  
    generates this mail.  Follow this link to all your TCs in OASIS at:
    https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php




     






    This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution
    or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.  
    . . .






     







  • 2.  Re: Stements & relations (was [cti-stix] [cti-cybox] Revoke Cybox Observable)

    Posted 11-11-2015 17:54
    Can you give me some code-ish examples or UML-ish examples to help me better understand and follow your ideas?  They sounds great, I just want to make sure I fully understand what they mean.   Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.   On Nov 11, 2015, at 10:13, Cory Casanave < cory-c@modeldriven.com > wrote: Re:   I kind of view all of this as people making assertions about something.   Yup!!   One thing this would bring up is consistency in relationships. In some cases STIX relations are not reified (made “real” with their own class/statement) – they are just properties, in other cases there is one class and in others 2 classes – a “set” (has a plural name) and a “relation” (has a “reference” name). I have seen reified relations in a lot of models, STIX is the first time I have seen it “doubled up” like this, I’m not sure that is needed. So the question is when should relations/statements be reified and should there be one or 2 “intermediates”? ·            Never reify relations, this information goes somewhere else (so have to say where that is). ·            Always reify relations, this is the basis for trust and versioning ·            Sometimes reify relations – ok, so what are the rules for when? ·            When is there a reified “set” and a reified “ref”?   I find “simple” means consistent. I would go for always reifying relations, but getting rid of the 2-steps. You can put all the metadata you want on each “statement”. I would think calling this a “statement” would also be a good idea as it makes the intent clear. Statements can then have a validity date range, source, confidence, etc. Of course, these are also statements.   -Cory   From:   Jordan, Bret [ mailto:bret.jordan@bluecoat.com ]   Sent:   Wednesday, November 11, 2015 11:37 AM To:   Cory Casanave Cc:   Jerome Athias; Sarah Kelley; Ivan Kirillov; Ali Khan;   cti-stix@lists.oasis-open.org ;   cti-cybox@lists.oasis-open.org Subject:   Re: [cti-stix] [cti-cybox] Revoke Cybox Observable   I kind of view all of this as people making assertions about something.  Those assertions can be good, bad, valid, invalid, only for a defined time frame etc.  Further, people can make assertions about your assertions.  You say this threat actor is using this TTP to run this campaign and attack these users types at these companies by doing XYZ..    Someone may come along and challenge part of that assertions and say it is not XYZ but rather ABC and DEF..     From hearing everyones complaints about versioning, I think that is something we should try and fix in the next 7 days.  Lets identify the things that should be easy wins to figure out, and lets tackle them one at a time and fix them.     Thanks,   Bret       Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.     On Nov 11, 2015, at 06:44, Cory Casanave < cory-c@modeldriven.com > wrote:   I would like to strongly “+1” the idea of using the relationships as a basis for versioning. Deleting data is so 20 th   century!   If you consider each instance of these relationships a “statement” (or fact) stated by some party at some time, it will always be true that this  party said what they said when they said it. In this area of threats, such “historical” statements can be very important even if they are no longer considered “true” by some party (i.e. some statements that made the U.S. go to war in Iraq ). As these statements (relationship instances) are already first-class things they can have a timeframe and confidence. We can say “that statement is invalid” or “That set of statements is not longer true”. If some implementation wants to interpret that as a “delete”, that would be fine but others may want a record of such statements (U.S. national archives likes to do such things).   Most of the infrastructure is already in place to do this, relationships have identity. Adding “second order” statements about them such as “superseded by” or “end date” provides for a very robust distributed knowledge base, which is what we are fundamentally trying to support.   -Cory   From:   cti-stix@lists.oasis-open.org   [ mailto:cti-stix@lists.oasis-open.org ]   On Behalf Of   Jerome Athias Sent:   Tuesday, November 10, 2015 9:08 PM To:   Sarah Kelley Cc:   Jordan, Bret; Ivan Kirillov; Ali Khan;   cti-stix@lists.oasis-open.org ;   cti-cybox@lists.oasis-open.org Subject:   [cti-stix] Re: [cti-cybox] Revoke Cybox Observable   While implementation dependent, imho, the top construct Relationship (remember top of our todo list) will help. Would be 'easy' to implement a purge procedure of all observables that don't have a Relationship created more than x month/week ago (Similar to logs or backups/archives management/roll process)   Should we finalize the Relationship? On Tuesday, 10 November 2015, Sarah Kelley < Sarah.Kelley@cisecurity.org > wrote: At this point, we’re currently just trying to clean up our own database. I’m sure there is a much wider issue involved, but our current context is that we have the same observable in our system five different times (which is obviously unnecessary). The only things that changed were things like TLP, or “Hey, I fat-fingered something!” I understand the concern about what does it mean to revoke a fact , but what if it’s just wrong? You type 1.1.1.1, and you really meant 2.2.2.2? The first is not correct, but currently is lingering in the system, even after unlinking it from the indicator.    Sarah Kelley Senior CERT Analyst Center for Internet Security (CIS) Integrated Intelligence Center (IIC) Multi-State Information Sharing and Analysis Center (MS-ISAC) 1-866-787-4722 (7×24 SOC) Email:  cert@cisecurity.org www.cisecurity.org Follow us @CISecurity     From:   Jordan, Bret < bret.jordan@bluecoat.com > Date:   Tuesday, November 10, 2015 at 1:16 PM To:   Ivan Kirillov < ikirillov@mitre.org > Cc:   Sarah Kelley < sarah.kelley@cisecurity.org >, Unknown Unknown < athiasjerome@gmail.com >, Ali Khan < akhan@soltra.com >, cti-stix@lists.oasis-open.org < cti-stix@lists.oasis-open.org >, cti-cybox@lists.oasis-open.org < cti-cybox@lists.oasis-open.org > Subject:   Re: [cti-cybox] [cti-stix] Re: [cti-cybox] Revoke Cybox Observable   We have talked about this a lot in the past, in regards to STIX, and I now view this as an implementation or process related issue.  The reason for that is you can not guarantee that the other end of the link will honor your request.  Maybe in like systems, meaning all systems built by EclecticIQ or Soltra, you would have some level of success.     But when you span across products there is no guarantee that they have implemented it in their code, nor that the administrator will allow it.  Requests like that may go in to a bucket for human review.        Thanks,   Bret       Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.     On Nov 10, 2015, at 11:09, Kirillov, Ivan A. < ikirillov@mitre.org > wrote:   Thanks for the context, Sarah - very helpful. To me, this comes down to being a language versus process question - that is, is Observable revocation something that should be addressed as part of the CybOX language, or should it be considered more as part of the processes in which CybOX is used? I’m leaning towards the latter, for the reason that the notion of revocation around Observables is something that doesn’t seem to fit as part of the data model around them. This is because, at their core, Observables represent some cyber “fact”, and what it does it mean to revoke a “fact”? At least with Indicators, you can argue that the Indicator may no longer be valid, or that its pattern is incorrect. With Observables, I think the semantics of revocation are not as clear and may not really make sense.   At least in your case, it seems like we may need to consider defining some sort of garbage collection process, where Observables (and any other id-able CybOX/STIX entities) that were referenced and/or embedded in another entity and then no longer referenced be pruned from the datastore. Regards, Ivan On 11/10/15, 12:31 PM, cti-cybox@lists.oasis-open.org   on behalf of Sarah Kelley < cti-cybox@lists.oasis-open.org   on behalf of   Sarah.Kelley@cisecurity.org > wrote: Just to give a little context around this question, this came up in a conversation between Ali (well, several Soltra people) and myself today. In our instance of Soltra Edge, we have (on many occasions) had to ‘edit’ an observable. Currently this involves editing the indicator, deleting the link to the current Cybox observable, and creating a new observable. This leaves lots of orphaned observables in our database that we really need to have the ability to purge. The understanding we have is that currently Cybox doesn’t support any sort of revoke/purge like Stix does. Sarah Kelley Senior CERT Analyst Center for Internet Security (CIS) Integrated Intelligence Center (IIC) Multi-State Information Sharing and Analysis Center (MS-ISAC) 1-866-787-4722 (7×24 SOC) Email:   cert@cisecurity.org www.cisecurity.org Follow us @CISecurity On 11/10/15, 11:06 AM, cti-stix@lists.oasis-open.org   on behalf of Kirillov, Ivan A. < cti-stix@lists.oasis-open.org   on behalf of ikirillov@mitre.org > wrote: Great question Ali; unfortunately I don’t have much insight into this topic. Moving this to the STIX list - I think revocation is more specific to STIX (though it clearly touches upon CybOX as well). Regards, Ivan On 11/10/15, 11:00 AM, cti-cybox@lists.oasis-open.org   on behalf of Jerome Athias < cti-cybox@lists.oasis-open.org   on behalf of athiasjerome@gmail.com > wrote: Potential review of this https://stixproject.github.io/data-model/1.2/indicator/ValidTimeType/ Suggestions welcome 2015-11-10 18:48 GMT+03:00 Ali Khan < akhan@soltra.com >: What is the cybox committees discussion so far for future versions to support ability to revoke and remove completely a cybox observable that was created and then shared but now there is a need to remove it. Thank You Ali Khan Lead Analyst SOLTRA An FS-ISAC & DTCC Company Tampa, fl 33647 813.470.2197   akhan@soltra.com --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail.  Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php ... This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments. . . . --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that   generates this mail.  Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php   This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.   . . . Attachment: signature.asc Description: Message signed with OpenPGP using GPGMail


  • 3.  RE: Stements & relations (was [cti-stix] [cti-cybox] Revoke Cybox Observable)

    Posted 11-11-2015 18:20




    Here is some “conceptual” UML:

    This is shown as a UML “Association Class” in the threat conceptual model. So for example “Membership” associates an actor with an organization. It is a subclass
    of “Situation” which (among other things) provides for statements about the time this membership is valid. You can also have metadata about the membership situation, such as confidence and source.
     
    In STIX we see this all the time in “Related_XXX”:

    If we were to have a consistent rule I would then always map a UML association to a STIX relationship type, but my preference would be to only have one intermediate
    and just have multiple instances for lists.
     


    From: Jordan, Bret [mailto:bret.jordan@bluecoat.com]

    Sent: Wednesday, November 11, 2015 12:53 PM
    To: Cory Casanave
    Cc: Jerome Athias; Sarah Kelley; Ivan Kirillov; Ali Khan; cti-stix@lists.oasis-open.org; cti-cybox@lists.oasis-open.org
    Subject: Re: Stements & relations (was [cti-stix] [cti-cybox] Revoke Cybox Observable)


     
    Can you give me some code-ish examples or UML-ish examples to help me better understand and follow your ideas?  They sounds great, I just want to make sure I fully understand what they mean.  







     


    Thanks,


     


    Bret



     


     


     



    Bret Jordan CISSP

    Director of Security Architecture and Standards Office of the CTO


    Blue Coat Systems



    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050


    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 









     



    On Nov 11, 2015, at 10:13, Cory Casanave < cory-c@modeldriven.com > wrote:

     


    Re:   I kind of view all of this as people making assertions about something.  


    Yup!!


     


    One thing this would bring up is consistency in relationships. In some cases STIX relations are not reified (made “real” with their own class/statement) – they
    are just properties, in other cases there is one class and in others 2 classes – a “set” (has a plural name) and a “relation” (has a “reference” name). I have seen reified relations in a lot of models, STIX is the first time I have seen it “doubled up” like
    this, I’m not sure that is needed. So the question is when should relations/statements be reified and should there be one or 2 “intermediates”?


    ·            Never
    reify relations, this information goes somewhere else (so have to say where that is).


    ·            Always
    reify relations, this is the basis for trust and versioning


    ·            Sometimes
    reify relations – ok, so what are the rules for when?


    ·            When
    is there a reified “set” and a reified “ref”?


     


    I find “simple” means consistent. I would go for always reifying relations, but getting rid of the 2-steps. You can put all the metadata you want on each “statement”.
    I would think calling this a “statement” would also be a good idea as it makes the intent clear. Statements can then have a validity date range, source, confidence, etc. Of course, these are also statements.


     


    -Cory


     




    From:   Jordan,
    Bret [ mailto:bret.jordan@bluecoat.com ]  
    Sent:   Wednesday, November 11, 2015 11:37 AM
    To:   Cory Casanave
    Cc:   Jerome Athias; Sarah Kelley; Ivan Kirillov; Ali Khan;   cti-stix@lists.oasis-open.org ;   cti-cybox@lists.oasis-open.org
    Subject:   Re: [cti-stix] [cti-cybox] Revoke Cybox Observable




     


    I kind of view all of this as people making assertions about something.  Those assertions can be good, bad, valid, invalid, only for a defined time frame etc.  Further, people can make assertions about your assertions.  You say this threat
    actor is using this TTP to run this campaign and attack these users types at these companies by doing XYZ..    Someone may come along and challenge part of that assertions and say it is not XYZ but rather ABC and DEF..  



     











    From hearing everyones complaints about versioning, I think that is something we should try and fix in the next 7 days.  Lets identify the things that should be easy wins to figure out,
    and lets tackle them one at a time and fix them.  




     




    Thanks,




     




    Bret





     




     




     





    Bret Jordan CISSP



    Director of Security Architecture and Standards Office of the CTO




    Blue Coat Systems





    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050




    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 











     





    On Nov 11, 2015, at 06:44, Cory Casanave < cory-c@modeldriven.com > wrote:



     




    I would like to strongly “+1” the idea of using the relationships as a basis for versioning. Deleting data is so 20 th   century!




     




    If you consider each instance of these relationships a “statement” (or fact) stated by some party at some time, it will always be true that this  party said
    what they said when they said it. In this area of threats, such “historical” statements can be very important even if they are no longer considered “true” by some party (i.e. some statements that made the U.S. go to war in Iraq ). As these statements (relationship
    instances) are already first-class things they can have a timeframe and confidence. We can say “that statement is invalid” or “That set of statements is not longer true”. If some implementation wants to interpret that as a “delete”, that would be fine but
    others may want a record of such statements (U.S. national archives likes to do such things).




     




    Most of the infrastructure is already in place to do this, relationships have identity. Adding “second order” statements about them such as “superseded by”
    or “end date” provides for a very robust distributed knowledge base, which is what we are fundamentally trying to support.




     




    -Cory




     




    From:   cti-stix@lists.oasis-open.org   [ mailto:cti-stix@lists.oasis-open.org ]   On
    Behalf Of   Jerome Athias
    Sent:   Tuesday, November 10, 2015 9:08 PM
    To:   Sarah Kelley
    Cc:   Jordan, Bret; Ivan Kirillov; Ali Khan;   cti-stix@lists.oasis-open.org ;   cti-cybox@lists.oasis-open.org
    Subject:   [cti-stix] Re: [cti-cybox] Revoke Cybox Observable




     




    While implementation dependent, imho, the top construct Relationship (remember top of our todo list) will help.





    Would be 'easy' to implement a purge procedure of all observables that don't have a Relationship created more than x month/week ago






    (Similar to logs or backups/archives management/roll process)






     






    Should we finalize the Relationship?

    On Tuesday, 10 November 2015, Sarah Kelley < Sarah.Kelley@cisecurity.org > wrote:








    At this point, we’re currently just trying to clean up our own database. I’m sure there is a much wider issue involved, but our current context is that we have the same observable
    in our system five different times (which is obviously unnecessary). The only things that changed were things like TLP, or “Hey, I fat-fingered something!” I understand the concern about "what does it mean to revoke a fact", but what if it’s just wrong? You
    type 1.1.1.1, and you really meant 2.2.2.2? The first is not correct, but currently is lingering in the system, even after unlinking it from the indicator. 







     






    Sarah Kelley






    Senior CERT Analyst







    Center for Internet Security (CIS)






    Integrated Intelligence Center (IIC)






    Multi-State Information Sharing and Analysis Center (MS-ISAC)






    1-866-787-4722 (7×24 SOC)






    Email:  cert@cisecurity.org






    www.cisecurity.org






    Follow us @CISecurity







     









     






    From:   "Jordan, Bret" < bret.jordan@bluecoat.com >
    Date:   Tuesday, November 10, 2015 at 1:16 PM
    To:   Ivan Kirillov < ikirillov@mitre.org >
    Cc:   Sarah Kelley < sarah.kelley@cisecurity.org >, Unknown Unknown < athiasjerome@gmail.com >,
    Ali Khan < akhan@soltra.com >, " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >,
    " cti-cybox@lists.oasis-open.org " < cti-cybox@lists.oasis-open.org >
    Subject:   Re: [cti-cybox] [cti-stix] Re: [cti-cybox] Revoke Cybox Observable






     







    We have talked about this a lot in the past, in regards to STIX, and I now view this as an implementation or process related issue.  The reason for that is you can not guarantee
    that the other end of the link will honor your request.  Maybe in "like" systems, meaning all systems built by EclecticIQ or Soltra, you would have some level of success.  





     






    But when you span across products there is no guarantee that they have implemented it in their code, nor that the administrator will allow it.  Requests like that may go
    in to a bucket for human review.   





     













     






    Thanks,






     






    Bret







     






     






     







    Bret Jordan CISSP





    Director of Security Architecture and Standards Office of the CTO






    Blue Coat Systems







    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050






    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 













     







    On Nov 10, 2015, at 11:09, Kirillov, Ivan A. < ikirillov@mitre.org > wrote:





     





    Thanks for the context, Sarah - very helpful.

    To me, this comes down to being a language versus process question - that is, is Observable revocation something that should be addressed as part of the CybOX language, or should it be considered more as part of the processes in which CybOX is used? I’m leaning
    towards the latter, for the reason that the notion of revocation around Observables is something that doesn’t seem to fit as part of the data model around them. This is because, at their core, Observables represent some cyber “fact”, and what it does it mean
    to revoke a “fact”? At least with Indicators, you can argue that the Indicator may no longer be valid, or that its pattern is incorrect. With Observables, I think the semantics of revocation are not as clear and may not really make sense.  

    At least in your case, it seems like we may need to consider defining some sort of garbage collection process, where Observables (and any other id-able CybOX/STIX entities) that were referenced and/or embedded in another entity and then no longer referenced
    be pruned from the datastore.

    Regards,
    Ivan



    On 11/10/15, 12:31 PM, " cti-cybox@lists.oasis-open.org   on behalf of Sarah Kelley" < cti-cybox@lists.oasis-open.org   on
    behalf of   Sarah.Kelley@cisecurity.org > wrote:









    Just to give a little context around this question, this came up in a
    conversation between Ali (well, several Soltra people) and myself today.

    In our instance of Soltra Edge, we have (on many occasions) had to ‘edit’
    an observable. Currently this involves editing the indicator, deleting the
    link to the current Cybox observable, and creating a new observable. This
    leaves lots of orphaned observables in our database that we really need to
    have the ability to purge. The understanding we have is that currently
    Cybox doesn’t support any sort of revoke/purge like Stix does.



    Sarah Kelley
    Senior CERT Analyst
    Center for Internet Security (CIS)
    Integrated Intelligence Center (IIC)
    Multi-State Information Sharing and Analysis Center (MS-ISAC)
    1-866-787-4722 (7×24 SOC)
    Email:   cert@cisecurity.org
    www.cisecurity.org
    Follow us @CISecurity






    On 11/10/15, 11:06 AM, " cti-stix@lists.oasis-open.org   on behalf of
    Kirillov, Ivan A." < cti-stix@lists.oasis-open.org   on behalf of
    ikirillov@mitre.org > wrote:









    Great question Ali; unfortunately I don’t have much insight into this
    topic. Moving this to the STIX list - I think revocation is more specific
    to STIX (though it clearly touches upon CybOX as well).

    Regards,
    Ivan




    On 11/10/15, 11:00 AM, " cti-cybox@lists.oasis-open.org   on behalf of
    Jerome Athias" < cti-cybox@lists.oasis-open.org   on behalf of
    athiasjerome@gmail.com > wrote:









    Potential review of this
    https://stixproject.github.io/data-model/1.2/indicator/ValidTimeType/
    Suggestions welcome

    2015-11-10 18:48 GMT+03:00 Ali Khan < akhan@soltra.com >:






    What is the cybox committees discussion so far for future versions to
    support ability to revoke and remove completely a cybox observable
    that was
    created and then shared but now there is a need to remove it.





    Thank You



    Ali Khan
    Lead Analyst

    SOLTRA An FS-ISAC & DTCC Company

    Tampa, fl 33647

    813.470.2197   akhan@soltra.com







    ---------------------------------------------------------------------
    To unsubscribe from this mail list, you must leave the OASIS TC that
    generates this mail.  Follow this link to all your TCs in OASIS at:
    https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php



    ...



    This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender
    immediately and permanently delete the message and any attachments.

    . . .

    ---------------------------------------------------------------------
    To unsubscribe from this mail list, you must leave the OASIS TC that  
    generates this mail.  Follow this link to all your TCs in OASIS at:
    https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php





     








    This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution
    or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.  
    . . .











     






  • 4.  Re: Stements & relations (was [cti-stix] [cti-cybox] Revoke Cybox Observable)

    Posted 11-11-2015 18:25
    +1 for the code samples. But UML tends to make us think very abstractly. How would you want to use this in code? (Python, Java, whatever is fine.) I'd offer to hack it myself, but I'm really not following here. JSA From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Cory Casanave <cory-c@modeldriven.com> Sent: Wednesday, November 11, 2015 1:20 PM To: Jordan, Bret Cc: Jerome Athias; Sarah Kelley; Ivan Kirillov; Ali Khan; cti-stix@lists.oasis-open.org; cti-cybox@lists.oasis-open.org Subject: [cti-stix] RE: Stements & relations (was [cti-stix] [cti-cybox] Revoke Cybox Observable)   Here is some “conceptual” UML: This is shown as a UML “Association Class” in the threat conceptual model. So for example “Membership” associates an actor with an organization. It is a subclass of “Situation” which (among other things) provides for statements about the time this membership is valid. You can also have metadata about the membership situation, such as confidence and source.   In STIX we see this all the time in “Related_XXX”: If we were to have a consistent rule I would then always map a UML association to a STIX relationship type, but my preference would be to only have one intermediate and just have multiple instances for lists.   From: Jordan, Bret [mailto:bret.jordan@bluecoat.com] Sent: Wednesday, November 11, 2015 12:53 PM To: Cory Casanave Cc: Jerome Athias; Sarah Kelley; Ivan Kirillov; Ali Khan; cti-stix@lists.oasis-open.org; cti-cybox@lists.oasis-open.org Subject: Re: Stements & relations (was [cti-stix] [cti-cybox] Revoke Cybox Observable)   Can you give me some code-ish examples or UML-ish examples to help me better understand and follow your ideas?  They sounds great, I just want to make sure I fully understand what they mean.     Thanks,   Bret       Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."    On Nov 11, 2015, at 10:13, Cory Casanave < cory-c@modeldriven.com > wrote:   Re:   I kind of view all of this as people making assertions about something.   Yup!!   One thing this would bring up is consistency in relationships. In some cases STIX relations are not reified (made “real” with their own class/statement) – they are just properties, in other cases there is one class and in others 2 classes – a “set” (has a plural name) and a “relation” (has a “reference” name). I have seen reified relations in a lot of models, STIX is the first time I have seen it “doubled up” like this, I’m not sure that is needed. So the question is when should relations/statements be reified and should there be one or 2 “intermediates”? ·            Never reify relations, this information goes somewhere else (so have to say where that is). ·            Always reify relations, this is the basis for trust and versioning ·            Sometimes reify relations – ok, so what are the rules for when? ·            When is there a reified “set” and a reified “ref”?   I find “simple” means consistent. I would go for always reifying relations, but getting rid of the 2-steps. You can put all the metadata you want on each “statement”. I would think calling this a “statement” would also be a good idea as it makes the intent clear. Statements can then have a validity date range, source, confidence, etc. Of course, these are also statements.   -Cory   From:   Jordan, Bret [ mailto:bret.jordan@bluecoat.com ]   Sent:   Wednesday, November 11, 2015 11:37 AM To:   Cory Casanave Cc:   Jerome Athias; Sarah Kelley; Ivan Kirillov; Ali Khan;   cti-stix@lists.oasis-open.org ;   cti-cybox@lists.oasis-open.org Subject:   Re: [cti-stix] [cti-cybox] Revoke Cybox Observable   I kind of view all of this as people making assertions about something.  Those assertions can be good, bad, valid, invalid, only for a defined time frame etc.  Further, people can make assertions about your assertions.  You say this threat actor is using this TTP to run this campaign and attack these users types at these companies by doing XYZ..    Someone may come along and challenge part of that assertions and say it is not XYZ but rather ABC and DEF..     From hearing everyones complaints about versioning, I think that is something we should try and fix in the next 7 days.  Lets identify the things that should be easy wins to figure out, and lets tackle them one at a time and fix them.     Thanks,   Bret       Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."    On Nov 11, 2015, at 06:44, Cory Casanave < cory-c@modeldriven.com > wrote:   I would like to strongly “+1” the idea of using the relationships as a basis for versioning. Deleting data is so 20 th   century!   If you consider each instance of these relationships a “statement” (or fact) stated by some party at some time, it will always be true that this  party said what they said when they said it. In this area of threats, such “historical” statements can be very important even if they are no longer considered “true” by some party (i.e. some statements that made the U.S. go to war in Iraq ). As these statements (relationship instances) are already first-class things they can have a timeframe and confidence. We can say “that statement is invalid” or “That set of statements is not longer true”. If some implementation wants to interpret that as a “delete”, that would be fine but others may want a record of such statements (U.S. national archives likes to do such things).   Most of the infrastructure is already in place to do this, relationships have identity. Adding “second order” statements about them such as “superseded by” or “end date” provides for a very robust distributed knowledge base, which is what we are fundamentally trying to support.   -Cory   From:   cti-stix@lists.oasis-open.org   [ mailto:cti-stix@lists.oasis-open.org ]   On Behalf Of   Jerome Athias Sent:   Tuesday, November 10, 2015 9:08 PM To:   Sarah Kelley Cc:   Jordan, Bret; Ivan Kirillov; Ali Khan;   cti-stix@lists.oasis-open.org ;   cti-cybox@lists.oasis-open.org Subject:   [cti-stix] Re: [cti-cybox] Revoke Cybox Observable   While implementation dependent, imho, the top construct Relationship (remember top of our todo list) will help. Would be 'easy' to implement a purge procedure of all observables that don't have a Relationship created more than x month/week ago (Similar to logs or backups/archives management/roll process)   Should we finalize the Relationship? On Tuesday, 10 November 2015, Sarah Kelley < Sarah.Kelley@cisecurity.org > wrote: At this point, we’re currently just trying to clean up our own database. I’m sure there is a much wider issue involved, but our current context is that we have the same observable in our system five different times (which is obviously unnecessary). The only things that changed were things like TLP, or “Hey, I fat-fingered something!” I understand the concern about "what does it mean to revoke a fact", but what if it’s just wrong? You type 1.1.1.1, and you really meant 2.2.2.2? The first is not correct, but currently is lingering in the system, even after unlinking it from the indicator.    Sarah Kelley Senior CERT Analyst Center for Internet Security (CIS) Integrated Intelligence Center (IIC) Multi-State Information Sharing and Analysis Center (MS-ISAC) 1-866-787-4722 (7×24 SOC) Email:  cert@cisecurity.org www.cisecurity.org Follow us @CISecurity     From:   "Jordan, Bret" < bret.jordan@bluecoat.com > Date:   Tuesday, November 10, 2015 at 1:16 PM To:   Ivan Kirillov < ikirillov@mitre.org > Cc:   Sarah Kelley < sarah.kelley@cisecurity.org >, Unknown Unknown < athiasjerome@gmail.com >, Ali Khan < akhan@soltra.com >, " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >, " cti-cybox@lists.oasis-open.org " < cti-cybox@lists.oasis-open.org > Subject:   Re: [cti-cybox] [cti-stix] Re: [cti-cybox] Revoke Cybox Observable   We have talked about this a lot in the past, in regards to STIX, and I now view this as an implementation or process related issue.  The reason for that is you can not guarantee that the other end of the link will honor your request.  Maybe in "like" systems, meaning all systems built by EclecticIQ or Soltra, you would have some level of success.     But when you span across products there is no guarantee that they have implemented it in their code, nor that the administrator will allow it.  Requests like that may go in to a bucket for human review.        Thanks,   Bret       Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."    On Nov 10, 2015, at 11:09, Kirillov, Ivan A. < ikirillov@mitre.org > wrote:   Thanks for the context, Sarah - very helpful. To me, this comes down to being a language versus process question - that is, is Observable revocation something that should be addressed as part of the CybOX language, or should it be considered more as part of the processes in which CybOX is used? I’m leaning towards the latter, for the reason that the notion of revocation around Observables is something that doesn’t seem to fit as part of the data model around them. This is because, at their core, Observables represent some cyber “fact”, and what it does it mean to revoke a “fact”? At least with Indicators, you can argue that the Indicator may no longer be valid, or that its pattern is incorrect. With Observables, I think the semantics of revocation are not as clear and may not really make sense.   At least in your case, it seems like we may need to consider defining some sort of garbage collection process, where Observables (and any other id-able CybOX/STIX entities) that were referenced and/or embedded in another entity and then no longer referenced be pruned from the datastore. Regards, Ivan On 11/10/15, 12:31 PM, " cti-cybox@lists.oasis-open.org   on behalf of Sarah Kelley" < cti-cybox@lists.oasis-open.org   on behalf of   Sarah.Kelley@cisecurity.org > wrote: Just to give a little context around this question, this came up in a conversation between Ali (well, several Soltra people) and myself today. In our instance of Soltra Edge, we have (on many occasions) had to ‘edit’ an observable. Currently this involves editing the indicator, deleting the link to the current Cybox observable, and creating a new observable. This leaves lots of orphaned observables in our database that we really need to have the ability to purge. The understanding we have is that currently Cybox doesn’t support any sort of revoke/purge like Stix does. Sarah Kelley Senior CERT Analyst Center for Internet Security (CIS) Integrated Intelligence Center (IIC) Multi-State Information Sharing and Analysis Center (MS-ISAC) 1-866-787-4722 (7×24 SOC) Email:   cert@cisecurity.org www.cisecurity.org Follow us @CISecurity On 11/10/15, 11:06 AM, " cti-stix@lists.oasis-open.org   on behalf of Kirillov, Ivan A." < cti-stix@lists.oasis-open.org   on behalf of ikirillov@mitre.org > wrote: Great question Ali; unfortunately I don’t have much insight into this topic. Moving this to the STIX list - I think revocation is more specific to STIX (though it clearly touches upon CybOX as well). Regards, Ivan On 11/10/15, 11:00 AM, " cti-cybox@lists.oasis-open.org   on behalf of Jerome Athias" < cti-cybox@lists.oasis-open.org   on behalf of athiasjerome@gmail.com > wrote: Potential review of this https://stixproject.github.io/data-model/1.2/indicator/ValidTimeType/ Suggestions welcome 2015-11-10 18:48 GMT+03:00 Ali Khan < akhan@soltra.com >: What is the cybox committees discussion so far for future versions to support ability to revoke and remove completely a cybox observable that was created and then shared but now there is a need to remove it. Thank You Ali Khan Lead Analyst SOLTRA An FS-ISAC & DTCC Company Tampa, fl 33647 813.470.2197   akhan@soltra.com --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail.  Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php ... This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments. . . . --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that   generates this mail.  Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php   This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.   . . .  


  • 5.  RE: Stements & relations (was [cti-stix] [cti-cybox] Revoke Cybox Observable)

    Posted 11-11-2015 18:35
    I would think the same way your code “RelatedIndicatorType” now. You make a class for the relationship and property methods for the ends. Perhaps the difference is that other relationship objects can reference such a relationship so you can “make statements about the statements”.   My code tends to be generic and model driven so I don’t want to confuse you. I could hack some code if you like, but  the STIX python library is probably close.   From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of John Anderson Sent: Wednesday, November 11, 2015 1:25 PM To: Cory Casanave; Jordan, Bret Cc: Jerome Athias; Sarah Kelley; Ivan Kirillov; Ali Khan; cti-stix@lists.oasis-open.org; cti-cybox@lists.oasis-open.org Subject: [cti-stix] Re: Stements & relations (was [cti-stix] [cti-cybox] Revoke Cybox Observable)   +1 for the code samples. But UML tends to make us think very abstractly. How would you want to use this in code? (Python, Java, whatever is fine.) I'd offer to hack it myself, but I'm really not following here. JSA   From: cti-stix@lists.oasis-open.org < cti-stix@lists.oasis-open.org > on behalf of Cory Casanave < cory-c@modeldriven.com > Sent: Wednesday, November 11, 2015 1:20 PM To: Jordan, Bret Cc: Jerome Athias; Sarah Kelley; Ivan Kirillov; Ali Khan; cti-stix@lists.oasis-open.org ; cti-cybox@lists.oasis-open.org Subject: [cti-stix] RE: Stements & relations (was [cti-stix] [cti-cybox] Revoke Cybox Observable)   Here is some “conceptual” UML: This is shown as a UML “Association Class” in the threat conceptual model. So for example “Membership” associates an actor with an organization. It is a subclass of “Situation” which (among other things) provides for statements about the time this membership is valid. You can also have metadata about the membership situation, such as confidence and source.   In STIX we see this all the time in “Related_XXX”: If we were to have a consistent rule I would then always map a UML association to a STIX relationship type, but my preference would be to only have one intermediate and just have multiple instances for lists.   From: Jordan, Bret [ mailto:bret.jordan@bluecoat.com ] Sent: Wednesday, November 11, 2015 12:53 PM To: Cory Casanave Cc: Jerome Athias; Sarah Kelley; Ivan Kirillov; Ali Khan; cti-stix@lists.oasis-open.org ; cti-cybox@lists.oasis-open.org Subject: Re: Stements & relations (was [cti-stix] [cti-cybox] Revoke Cybox Observable)   Can you give me some code-ish examples or UML-ish examples to help me better understand and follow your ideas?  They sounds great, I just want to make sure I fully understand what they mean.     Thanks,   Bret       Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."    On Nov 11, 2015, at 10:13, Cory Casanave < cory-c@modeldriven.com > wrote:   Re:  I kind of view all of this as people making assertions about something.   Yup!!   One thing this would bring up is consistency in relationships. In some cases STIX relations are not reified (made “real” with their own class/statement) – they are just properties, in other cases there is one class and in others 2 classes – a “set” (has a plural name) and a “relation” (has a “reference” name). I have seen reified relations in a lot of models, STIX is the first time I have seen it “doubled up” like this, I’m not sure that is needed. So the question is when should relations/statements be reified and should there be one or 2 “intermediates”? ·           Never reify relations, this information goes somewhere else (so have to say where that is). ·           Always reify relations, this is the basis for trust and versioning ·           Sometimes reify relations – ok, so what are the rules for when? ·           When is there a reified “set” and a reified “ref”?   I find “simple” means consistent. I would go for always reifying relations, but getting rid of the 2-steps. You can put all the metadata you want on each “statement”. I would think calling this a “statement” would also be a good idea as it makes the intent clear. Statements can then have a validity date range, source, confidence, etc. Of course, these are also statements.   -Cory   From:  Jordan, Bret [ mailto:bret.jordan@bluecoat.com ]  Sent:  Wednesday, November 11, 2015 11:37 AM To:  Cory Casanave Cc:  Jerome Athias; Sarah Kelley; Ivan Kirillov; Ali Khan;  cti-stix@lists.oasis-open.orgcti-cybox@lists.oasis-open.org Subject:  Re: [cti-stix] [cti-cybox] Revoke Cybox Observable   I kind of view all of this as people making assertions about something.  Those assertions can be good, bad, valid, invalid, only for a defined time frame etc.  Further, people can make assertions about your assertions.  You say this threat actor is using this TTP to run this campaign and attack these users types at these companies by doing XYZ..    Someone may come along and challenge part of that assertions and say it is not XYZ but rather ABC and DEF..     From hearing everyones complaints about versioning, I think that is something we should try and fix in the next 7 days.  Lets identify the things that should be easy wins to figure out, and lets tackle them one at a time and fix them.     Thanks,   Bret       Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."    On Nov 11, 2015, at 06:44, Cory Casanave < cory-c@modeldriven.com > wrote:   I would like to strongly “+1” the idea of using the relationships as a basis for versioning. Deleting data is so 20 th  century!   If you consider each instance of these relationships a “statement” (or fact) stated by some party at some time, it will always be true that this  party said what they said when they said it. In this area of threats, such “historical” statements can be very important even if they are no longer considered “true” by some party (i.e. some statements that made the U.S. go to war in Iraq ). As these statements (relationship instances) are already first-class things they can have a timeframe and confidence. We can say “that statement is invalid” or “That set of statements is not longer true”. If some implementation wants to interpret that as a “delete”, that would be fine but others may want a record of such statements (U.S. national archives likes to do such things).   Most of the infrastructure is already in place to do this, relationships have identity. Adding “second order” statements about them such as “superseded by” or “end date” provides for a very robust distributed knowledge base, which is what we are fundamentally trying to support.   -Cory   From:   cti-stix@lists.oasis-open.org  [ mailto:cti-stix@lists.oasis-open.org ]  On Behalf Of  Jerome Athias Sent:  Tuesday, November 10, 2015 9:08 PM To:  Sarah Kelley Cc:  Jordan, Bret; Ivan Kirillov; Ali Khan;  cti-stix@lists.oasis-open.orgcti-cybox@lists.oasis-open.org Subject:  [cti-stix] Re: [cti-cybox] Revoke Cybox Observable   While implementation dependent, imho, the top construct Relationship (remember top of our todo list) will help. Would be 'easy' to implement a purge procedure of all observables that don't have a Relationship created more than x month/week ago (Similar to logs or backups/archives management/roll process)   Should we finalize the Relationship? On Tuesday, 10 November 2015, Sarah Kelley < Sarah.Kelley@cisecurity.org > wrote: At this point, we’re currently just trying to clean up our own database. I’m sure there is a much wider issue involved, but our current context is that we have the same observable in our system five different times (which is obviously unnecessary). The only things that changed were things like TLP, or “Hey, I fat-fingered something!” I understand the concern about "what does it mean to revoke a fact", but what if it’s just wrong? You type 1.1.1.1, and you really meant 2.2.2.2? The first is not correct, but currently is lingering in the system, even after unlinking it from the indicator.    Sarah Kelley Senior CERT Analyst Center for Internet Security (CIS) Integrated Intelligence Center (IIC) Multi-State Information Sharing and Analysis Center (MS-ISAC) 1-866-787-4722 (7×24 SOC) Email:  cert@cisecurity.org www.cisecurity.org Follow us @CISecurity     From:  "Jordan, Bret" < bret.jordan@bluecoat.com > Date:  Tuesday, November 10, 2015 at 1:16 PM To:  Ivan Kirillov < ikirillov@mitre.org > Cc:  Sarah Kelley < sarah.kelley@cisecurity.org >, Unknown Unknown < athiasjerome@gmail.com >, Ali Khan < akhan@soltra.com >, " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >, " cti-cybox@lists.oasis-open.org " < cti-cybox@lists.oasis-open.org > Subject:  Re: [cti-cybox] [cti-stix] Re: [cti-cybox] Revoke Cybox Observable   We have talked about this a lot in the past, in regards to STIX, and I now view this as an implementation or process related issue.  The reason for that is you can not guarantee that the other end of the link will honor your request.  Maybe in "like" systems, meaning all systems built by EclecticIQ or Soltra, you would have some level of success.     But when you span across products there is no guarantee that they have implemented it in their code, nor that the administrator will allow it.  Requests like that may go in to a bucket for human review.       Thanks,   Bret       Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."    On Nov 10, 2015, at 11:09, Kirillov, Ivan A. < ikirillov@mitre.org > wrote:   Thanks for the context, Sarah - very helpful. To me, this comes down to being a language versus process question - that is, is Observable revocation something that should be addressed as part of the CybOX language, or should it be considered more as part of the processes in which CybOX is used? I’m leaning towards the latter, for the reason that the notion of revocation around Observables is something that doesn’t seem to fit as part of the data model around them. This is because, at their core, Observables represent some cyber “fact”, and what it does it mean to revoke a “fact”? At least with Indicators, you can argue that the Indicator may no longer be valid, or that its pattern is incorrect. With Observables, I think the semantics of revocation are not as clear and may not really make sense.  At least in your case, it seems like we may need to consider defining some sort of garbage collection process, where Observables (and any other id-able CybOX/STIX entities) that were referenced and/or embedded in another entity and then no longer referenced be pruned from the datastore. Regards, Ivan On 11/10/15, 12:31 PM, " cti-cybox@lists.oasis-open.org  on behalf of Sarah Kelley" < cti-cybox@lists.oasis-open.org  on behalf of  Sarah.Kelley@cisecurity.org > wrote: Just to give a little context around this question, this came up in a conversation between Ali (well, several Soltra people) and myself today. In our instance of Soltra Edge, we have (on many occasions) had to ‘edit’ an observable. Currently this involves editing the indicator, deleting the link to the current Cybox observable, and creating a new observable. This leaves lots of orphaned observables in our database that we really need to have the ability to purge. The understanding we have is that currently Cybox doesn’t support any sort of revoke/purge like Stix does. Sarah Kelley Senior CERT Analyst Center for Internet Security (CIS) Integrated Intelligence Center (IIC) Multi-State Information Sharing and Analysis Center (MS-ISAC) 1-866-787-4722 (7×24 SOC) Email:  cert@cisecurity.org www.cisecurity.org Follow us @CISecurity On 11/10/15, 11:06 AM, " cti-stix@lists.oasis-open.org  on behalf of Kirillov, Ivan A." < cti-stix@lists.oasis-open.org  on behalf of ikirillov@mitre.org > wrote: Great question Ali; unfortunately I don’t have much insight into this topic. Moving this to the STIX list - I think revocation is more specific to STIX (though it clearly touches upon CybOX as well). Regards, Ivan On 11/10/15, 11:00 AM, " cti-cybox@lists.oasis-open.org  on behalf of Jerome Athias" < cti-cybox@lists.oasis-open.org  on behalf of athiasjerome@gmail.com > wrote: Potential review of this https://stixproject.github.io/data-model/1.2/indicator/ValidTimeType/ Suggestions welcome 2015-11-10 18:48 GMT+03:00 Ali Khan < akhan@soltra.com >: What is the cybox committees discussion so far for future versions to support ability to revoke and remove completely a cybox observable that was created and then shared but now there is a need to remove it. Thank You Ali Khan Lead Analyst SOLTRA An FS-ISAC & DTCC Company Tampa, fl 33647 813.470.2197   akhan@soltra.com --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail.  Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php ... This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments. . . . --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that  generates this mail.  Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php   This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.  . . .  


  • 6.  Re: Stements & relations (was [cti-stix] [cti-cybox] Revoke Cybox Observable)

    Posted 11-11-2015 19:12
    If we could just see a couple examples in say JSON, we could better follow what you mean. Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.   On Nov 11, 2015, at 11:34, Cory Casanave < cory-c@modeldriven.com > wrote: I would think the same way your code “RelatedIndicatorType” now. You make a class for the relationship and property methods for the ends. Perhaps the difference is that other relationship objects can reference such a relationship so you can “make statements about the statements”.   My code tends to be generic and model driven so I don’t want to confuse you. I could hack some code if you like, but  the STIX python library is probably close.   Attachment: signature.asc Description: Message signed with OpenPGP using GPGMail