CTI STIX Subcommittee

Hi All,   Given the flurry of discussions about features for STIX v2.0, it’s probably the right time to resend the top-level STIX Sighting Object conversation starter out again.  So here are the slides. Please feel free to comment/feedback/complain/call me names.   Please note – the strawman UML model is an abstraction based on the use of the Sighting Object only for Observable Instances; it assumes that Indicators will similarly be restricted to only allowing Observable Patterns. The idea being that Indicators = ‘things to look for’ and Sightings = ‘things we’ve found’.   Cheers   Terry MacDonald Senior STIX Subject Matter Expert SOLTRA   An FS-ISAC and DTCC Company +61 (407) 203 206 terry@soltra.com     Attachment: OASIS CTI STIX SC Meeting - Oct 21 2015 v1.0b - Sighting.ppt Description: OASIS CTI STIX SC Meeting - Oct 21 2015 v1.0b - Sighting.ppt

Questions   - What is Alternative_ID ?   - Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.   - Jason Keirstead Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security www.securityintelligence.com Without data, all you are is just another person with an opinion - Unknown    
Original message ----- From: Terry MacDonald <terry@soltra.com> Sent by: <cti-stix@lists.oasis-open.org> To: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> Cc: Subject: [cti-stix] Top-level Sighting Object from last meeting Date: Mon, Oct 26, 2015 2:00 PM   Hi All,   Given the flurry of discussions about features for STIX v2.0, it’s probably the right time to resend the top-level STIX Sighting Object conversation starter out again.  So here are the slides. Please feel free to comment/feedback/complain/call me names.   Please note – the strawman UML model is an abstraction based on the use of the Sighting Object only for Observable Instances; it assumes that Indicators will similarly be restricted to only allowing Observable Patterns. The idea being that Indicators = ‘things to look for’ and Sightings = ‘things we’ve found’.   Cheers   Terry MacDonald Senior STIX Subject Matter Expert SOLTRA   An FS-ISAC and DTCC Company +61 (407) 203 206 terry@soltra.com       --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail.  Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php  

Hi Jason
 
- What is "Alternative_ID" ?
 
The Alternative_ID was taken from the IndicatorType object.  From that object’s description it ‘Specifies an alternative identifier
(or alias) for the cyber threat Indicator.’. The idea was to allow the Sighting to have a reference of some kind, referring back to the ID that the tool that identified it had given it. It may not be useful in the Sighting context but I wanted to include it
just in case. TBH we may want to think more about how we handle ‘aliases’ in general across the whole STIX model…
 
- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.
 
Yes, my thinking was that a subset of the Sighting fields would be mandatory. I’ve suggested some below but would really like to see
what everyone else thinks.
 
Suggested Mandatory Fields
·         
Version
·         
Title

·         
Timestamp / Time Period
·         
One or more referenced objects (i.e. idref) – ( This would be done via Top-level relationship object )
 
Suggested Optional Fields
·         
Sighting Count
·         
Timestamp / Time Period
·         
Victim Organization information
·         
Producer Organization information
·         
Sighting Confidence
·         
TLP / Data Markings
·         
Alternative Sighting ID
·         
Sighting Type
·         
Description
·         
Short Description
 
Mark’s other post earlier today reminded me that I had earlier requested a Sighting object last year ( https://github.com/STIXProject/schemas/issues/306 ).
In there I even drew a nice updated STIX model diagram to include where I personally saw the Sighting object located (thanks to Bret for the visio). But this may help provide more context?

 

Please note this reflects my own personal viewpoint.
 
Cheers
 
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC and DTCC Company
+61 (407) 203 206
terry@soltra.com

 
 
From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org]
On Behalf Of Jason Keirstead
Sent: Tuesday, 27 October 2015 8:34 AM
To: Terry MacDonald <terry@soltra.com>
Cc: cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Top-level Sighting Object from last meeting
 


Questions


 


- What is "Alternative_ID" ?


 


- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.


 


-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security
www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown

 


 



Original message -----
From: Terry MacDonald < terry@soltra.com >
Sent by: < cti-stix@lists.oasis-open.org >
To: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >
Cc:
Subject: [cti-stix] Top-level Sighting Object from last meeting
Date: Mon, Oct 26, 2015 2:00 PM
 

Hi All,
 
Given the flurry of discussions about features for STIX v2.0, it’s probably the right time to resend the top-level STIX Sighting Object conversation starter out again.  So here are the slides.
Please feel free to comment/feedback/complain/call me names.
 
Please note – the strawman UML model is an abstraction based on the use of the Sighting Object only for Observable Instances; it assumes that Indicators will similarly be restricted to only allowing
Observable Patterns. The idea being that Indicators = ‘things to look for’ and Sightings = ‘things we’ve found’.

 
Cheers
 
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC and DTCC Company
+61 (407) 203 206
terry@soltra.com

 
 


 


---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php  





--------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at:

https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

Hi All,
 
One other thing I wanted to highlight was a point raised by Aharon late last week in the STIX meeting. We need to discuss what exactly
we want the Sighting Object to be able to reference. As I understand it the available options are:
 

·         
Should a Sighting Object only reference ‘detected’ information (e.g. Observable Instances
only – most similar to an Indicator)
OR

·         
Should a Sighting Object reference
any other top-level Object (e.g. Threat Actor’s, TTPs, etc). This will be the most flexible and least restrictive for the future.
OR

·         
Should a Sighting Object reference
some top-level Objects based on STIX model  (e.g. Threat Actor’s, TTPs, Indicators, Incident, Report)
 
My
personal preference is for the first option – but I am very interested in what others think. I think we need to scope the Sighting object and discuss its purpose fairly early on to work out exactly where it will fit in the model.
 
Cheers
 

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC and DTCC Company
+61 (407) 203 206
terry@soltra.com
 

 


From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org]
On Behalf Of Terry MacDonald
Sent: Tuesday, 27 October 2015 9:21 AM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: cti-stix@lists.oasis-open.org
Subject: RE: [cti-stix] Top-level Sighting Object from last meeting


 
Hi Jason
 
- What is "Alternative_ID" ?
 
The Alternative_ID was taken from the IndicatorType object.  From that object’s description it ‘Specifies an alternative identifier
(or alias) for the cyber threat Indicator.’. The idea was to allow the Sighting to have a reference of some kind, referring back to the ID that the tool that identified it had given it. It may not be useful in the Sighting context but I wanted to include it
just in case. TBH we may want to think more about how we handle ‘aliases’ in general across the whole STIX model…
 
- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.
 
Yes, my thinking was that a subset of the Sighting fields would be mandatory. I’ve suggested some below but would really like to see
what everyone else thinks.
 
Suggested Mandatory Fields
·         
Version
·         
Title

·         
Timestamp / Time Period
·         
One or more referenced objects (i.e. idref) – ( This would be done via Top-level relationship object )
 
Suggested Optional Fields
·         
Sighting Count
·         
Timestamp / Time Period
·         
Victim Organization information
·         
Producer Organization information
·         
Sighting Confidence
·         
TLP / Data Markings
·         
Alternative Sighting ID
·         
Sighting Type
·         
Description
·         
Short Description
 
Mark’s other post earlier today reminded me that I had earlier requested a Sighting object last year ( https://github.com/STIXProject/schemas/issues/306 ).
In there I even drew a nice updated STIX model diagram to include where I personally saw the Sighting object located (thanks to Bret for the visio). But this may help provide more context?

 

Please note this reflects my own personal viewpoint.
 
Cheers
 
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC and DTCC Company
+61 (407) 203 206
terry@soltra.com

 
 
From:
cti-stix@lists.oasis-open.org [ mailto:cti-stix@lists.oasis-open.org ]
On Behalf Of Jason Keirstead
Sent: Tuesday, 27 October 2015 8:34 AM
To: Terry MacDonald < terry@soltra.com >
Cc: cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Top-level Sighting Object from last meeting
 


Questions


 


- What is "Alternative_ID" ?


 


- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.


 


-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security
www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown

 


 



Original message -----
From: Terry MacDonald < terry@soltra.com >
Sent by: < cti-stix@lists.oasis-open.org >
To: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >
Cc:
Subject: [cti-stix] Top-level Sighting Object from last meeting
Date: Mon, Oct 26, 2015 2:00 PM
 

Hi All,
 
Given the flurry of discussions about features for STIX v2.0, it’s probably the right time to resend the top-level STIX Sighting Object conversation starter out again.  So here are the slides.
Please feel free to comment/feedback/complain/call me names.
 
Please note – the strawman UML model is an abstraction based on the use of the Sighting Object only for Observable Instances; it assumes that Indicators will similarly be restricted to only allowing
Observable Patterns. The idea being that Indicators = ‘things to look for’ and Sightings = ‘things we’ve found’.

 
Cheers
 
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC and DTCC Company
+61 (407) 203 206
terry@soltra.com

 
 


 


---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php  





--------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at:

https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

I would tend to agree Terry (just feels cleaner and more focused), although I’m curious about your thoughts are on how we restrict that.  If the reference is just
an ID, couldn’t anything be put in that field regardless of what we say the ‘rules’ are?
 


From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org]
On Behalf Of Terry MacDonald
Sent: Monday, October 26, 2015 6:57 PM
To: Terry MacDonald; Jason Keirstead
Cc: cti-stix@lists.oasis-open.org
Subject: RE: [cti-stix] Top-level Sighting Object from last meeting


 
Hi All,
 
One other thing I wanted to highlight was a point raised by Aharon late last week in the STIX meeting. We need to discuss what exactly we want
the Sighting Object to be able to reference. As I understand it the available options are:
 
·         
Should a Sighting Object only reference ‘detected’ information (e.g. Observable Instances
only – most similar to an Indicator)
OR
·         
Should a Sighting Object reference
any other top-level Object (e.g. Threat Actor’s, TTPs, etc). This will be the most flexible and least restrictive for the future.
OR
·         
Should a Sighting Object reference
some top-level Objects based on STIX model  (e.g. Threat Actor’s, TTPs, Indicators, Incident, Report)
 
My
personal preference is for the first option – but I am very interested in what others think. I think we need to scope the Sighting object and discuss its purpose fairly early on to work out exactly where it will fit in the model.
 
Cheers
 

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC and DTCC Company
+61 (407) 203 206
terry@soltra.com
 

 


From:
cti-stix@lists.oasis-open.org [ mailto:cti-stix@lists.oasis-open.org ]
On Behalf Of Terry MacDonald
Sent: Tuesday, 27 October 2015 9:21 AM
To: Jason Keirstead < Jason.Keirstead@ca.ibm.com >
Cc: cti-stix@lists.oasis-open.org
Subject: RE: [cti-stix] Top-level Sighting Object from last meeting


 
Hi Jason
 
- What is "Alternative_ID" ?
 
The Alternative_ID was taken from the IndicatorType object.  From that object’s description it ‘Specifies an alternative identifier (or alias)
for the cyber threat Indicator.’. The idea was to allow the Sighting to have a reference of some kind, referring back to the ID that the tool that identified it had given it. It may not be useful in the Sighting context but I wanted to include it just in case.
TBH we may want to think more about how we handle ‘aliases’ in general across the whole STIX model…
 
- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.
 
Yes, my thinking was that a subset of the Sighting fields would be mandatory. I’ve suggested some below but would really like to see what everyone
else thinks.
 
Suggested Mandatory Fields
·         
Version
·         
Title

·         
Timestamp / Time Period
·         
One or more referenced objects (i.e. idref) – ( This would be done via Top-level relationship object )
 
Suggested Optional Fields
·         
Sighting Count
·         
Timestamp / Time Period
·         
Victim Organization information
·         
Producer Organization information
·         
Sighting Confidence
·         
TLP / Data Markings
·         
Alternative Sighting ID
·         
Sighting Type
·         
Description
·         
Short Description
 
Mark’s other post earlier today reminded me that I had earlier requested a Sighting object last year ( https://github.com/STIXProject/schemas/issues/306 ).
In there I even drew a nice updated STIX model diagram to include where I personally saw the Sighting object located (thanks to Bret for the visio). But this may help provide more context?

 

Please note this reflects my own personal viewpoint.
 
Cheers
 
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC and DTCC Company
+61 (407) 203 206
terry@soltra.com

 
 
From:
cti-stix@lists.oasis-open.org [ mailto:cti-stix@lists.oasis-open.org ]
On Behalf Of Jason Keirstead
Sent: Tuesday, 27 October 2015 8:34 AM
To: Terry MacDonald < terry@soltra.com >
Cc: cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Top-level Sighting Object from last meeting
 


Questions


 


- What is "Alternative_ID" ?


 


- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.


 


-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security
www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown

 


 



Original message -----
From: Terry MacDonald < terry@soltra.com >
Sent by: < cti-stix@lists.oasis-open.org >
To: " cti-stix@lists.oasis-open.org "
< cti-stix@lists.oasis-open.org >
Cc:
Subject: [cti-stix] Top-level Sighting Object from last meeting
Date: Mon, Oct 26, 2015 2:00 PM
 

Hi All,
 
Given the flurry of discussions about features for STIX v2.0, it’s probably the right time to resend the top-level STIX Sighting Object conversation starter out again.  So here
are the slides. Please feel free to comment/feedback/complain/call me names.

 
Please note – the strawman UML model is an abstraction based on the use of the Sighting Object only for Observable Instances; it assumes that Indicators will similarly be restricted
to only allowing Observable Patterns. The idea being that Indicators = ‘things to look for’ and Sightings = ‘things we’ve found’.

 
Cheers
 
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC and DTCC Company
+61 (407) 203 206
terry@soltra.com

 
 


 


---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php  





--------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at:

https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

DTCC DISCLAIMER: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify us immediately and delete the email and any attachments from your system. The recipient should check this email and any attachments for the presence of viruses.  The company accepts no liability for any damage caused by any virus transmitted by this email.

My thought would be that the Sighting
structure permit a reference to any other top level object, but for 2.0 we limit (in the spec) Sighting to only the use case(s) we know enough to solve (e.g., sightings of detected information).
 
As a means of enforcing this rule, the spec could have text along the lines of “The reference field MUST reference an (e.g.,) Indicator. Note that this rule may
be expanded in future revisions of STIX”. This rule would give software an easy way to toss out non-conforming sightings.
 
There’s probably also a variant of this use case where the sighting references something not in STIX (e.g., a signature that was not previously sent via STIX).
If we require that the Sighting reference a STIX object, then we are also requiring that the e.g., Indicator be previously sent via STIX. I think that having everything done via STIX is the ideal case, and the one we should optimize for. But we should consider
the uneven progress that will be made toward STIX adoption. Say, for instance, somebody wants to add STIX code to an IDS. It would be great (IMO) if they could have the sensor output STIX sightings for signatures that were not sent via STIX (perhaps they are
sent by the IDS’ management console), then once a STIX source is hooked up to the sensor (maybe the management console gets upgraded later), just start populating the sightings more completely. The question for me is how to make the sighting object useful
without necessarily having a dereferencable STIX ID (maybe this is an argument for Alternative ID? And we say that people MAY use Alternative ID in lieu of a STIX object ID? If we did that, IMO the rules regarding the usage of Alternative ID would have to
be pretty strict). Anyway, this paragraph is turning into a ramble so I’ll end it.
 
A couple other shorter thoughts:
·         
IMO source should be a required field, even if there is an explicit option for not disclosing the actual source (e.g., Unknown, Anonymous). I roughed
out a quick prototype the other day, and sighting info without a source just felt incomplete.
·         
Alternative_ID makes sense for indicator, but IMO not as much for a sighting (minus the previous caveat). In theory, the processing software could dereference
the referenced ID then use any fields from that dereferenced object (like Alternative ID in the case of indicators). Or else we could have a “reference type” field.

o   
Note: This dereferencing capability probably relies on the query discussion happening in the TAXII SC. A “get by ID” use case has been raised a few
times.
·         
I agree that for Sightings, the “inside the org” use case overlaps significantly with the “org to org” use case. I suspect this is the case with many
other use cases also.
 
Thank you.
-Mark
 


From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org]
On Behalf Of Bush, Jonathan
Sent: Monday, October 26, 2015 7:01 PM
To: 'Terry MacDonald' <terry@soltra.com>; Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: cti-stix@lists.oasis-open.org
Subject: RE: [cti-stix] Top-level Sighting Object from last meeting


 
I would tend to agree Terry (just feels cleaner and more focused), although I’m curious about your thoughts are on how we restrict that. 
If the reference is just an ID, couldn’t anything be put in that field regardless of what we say the ‘rules’ are?
 


From:
cti-stix@lists.oasis-open.org [ mailto:cti-stix@lists.oasis-open.org ]
On Behalf Of Terry MacDonald
Sent: Monday, October 26, 2015 6:57 PM
To: Terry MacDonald; Jason Keirstead
Cc: cti-stix@lists.oasis-open.org
Subject: RE: [cti-stix] Top-level Sighting Object from last meeting


 
Hi All,
 
One other thing I wanted to highlight was a point raised by Aharon late last week in the STIX meeting. We need to discuss
what exactly we want the Sighting Object to be able to reference. As I understand it the available options are:
 
·         
Should a Sighting Object only reference ‘detected’ information (e.g. Observable Instances
only – most similar to an Indicator)
OR
·         
Should a Sighting Object reference
any other top-level Object (e.g. Threat Actor’s, TTPs, etc). This will be the most flexible and least restrictive for the future.
OR
·         
Should a Sighting Object reference
some top-level Objects based on STIX model  (e.g. Threat Actor’s, TTPs, Indicators, Incident, Report)
 
My
personal preference is for the first option – but I am very interested in what others think. I think we need to scope the Sighting object and discuss its purpose fairly early on to work out exactly where it will fit in the model.
 
Cheers
 

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC
and DTCC Company
+61 (407) 203 206
terry@soltra.com
 

 


From:
cti-stix@lists.oasis-open.org [ mailto:cti-stix@lists.oasis-open.org ]
On Behalf Of Terry MacDonald
Sent: Tuesday, 27 October 2015 9:21 AM
To: Jason Keirstead < Jason.Keirstead@ca.ibm.com >
Cc: cti-stix@lists.oasis-open.org
Subject: RE: [cti-stix] Top-level Sighting Object from last meeting


 
Hi Jason
 
- What is "Alternative_ID" ?
 
The Alternative_ID was taken from the IndicatorType object.  From that object’s description it ‘Specifies an alternative
identifier (or alias) for the cyber threat Indicator.’. The idea was to allow the Sighting to have a reference of some kind, referring back to the ID that the tool that identified it had given it. It may not be useful in the Sighting context but I wanted to
include it just in case. TBH we may want to think more about how we handle ‘aliases’ in general across the whole STIX model…
 
- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory,
but not all.
 
Yes, my thinking was that a subset of the Sighting fields would be mandatory. I’ve suggested some below but would really
like to see what everyone else thinks.
 
Suggested Mandatory Fields
·         
Version
·         
Title

·         
Timestamp / Time Period
·         
One or more referenced objects (i.e. idref) – ( This would be done via Top-level relationship object )
 
Suggested Optional Fields
·         
Sighting Count
·         
Timestamp / Time Period
·         
Victim Organization information
·         
Producer Organization information
·         
Sighting Confidence
·         
TLP / Data Markings
·         
Alternative Sighting ID
·         
Sighting Type
·         
Description
·         
Short Description
 
Mark’s other post earlier today reminded me that I had earlier requested a Sighting object last year ( https://github.com/STIXProject/schemas/issues/306 ).
In there I even drew a nice updated STIX model diagram to include where I personally saw the Sighting object located (thanks to Bret for the visio). But this may help provide more context?

 

Please note this reflects my own personal viewpoint.
 
Cheers
 
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC
and DTCC Company
+61 (407) 203 206
terry@soltra.com

 
 
From:
cti-stix@lists.oasis-open.org [ mailto:cti-stix@lists.oasis-open.org ]
On Behalf Of Jason Keirstead
Sent: Tuesday, 27 October 2015 8:34 AM
To: Terry MacDonald < terry@soltra.com >
Cc: cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Top-level Sighting Object from last meeting
 


Questions


 


- What is "Alternative_ID" ?


 


- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory,
but not all.


 


-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security
www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown

 


 



Original message -----
From: Terry MacDonald < terry@soltra.com >
Sent by: < cti-stix@lists.oasis-open.org >
To: " cti-stix@lists.oasis-open.org "
< cti-stix@lists.oasis-open.org >
Cc:
Subject: [cti-stix] Top-level Sighting Object from last meeting
Date: Mon, Oct 26, 2015 2:00 PM
 

Hi All,
 
Given the flurry of discussions about features for STIX v2.0, it’s probably the right time to resend the top-level STIX Sighting Object conversation starter
out again.  So here are the slides. Please feel free to comment/feedback/complain/call me names.

 
Please note – the strawman UML model is an abstraction based on the use of the Sighting Object only for Observable Instances; it assumes that Indicators will
similarly be restricted to only allowing Observable Patterns. The idea being that Indicators = ‘things to look for’ and Sightings = ‘things we’ve found’.

 
Cheers
 
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC and DTCC Company
+61 (407) 203 206
terry@soltra.com

 
 


 


---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php  





--------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at:

https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

DTCC DISCLAIMER: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify us immediately and delete the email
and any attachments from your system. The recipient should check this email and any attachments for the presence of viruses.  The company accepts no liability for any damage caused by any virus transmitted by this email.

Hi Mark,
 
Great points!
 
My thought would be that the Sighting
structure permit a reference to any other top level object, but for 2.0 we limit (in the spec) Sighting to only the use case(s) we know enough to solve (e.g., sightings of detected information).
 
This is in effect what I was thinking about for the top-level relationship object. If we used a top-level relationship object it would be possible
to have a relationship between any STIX ‘data’ objects; it would only be the restrictions of the STIX data model that would limit these from being legal. So we could gain that functionality fairly easily.
 
There’s probably also a variant of this use case where the sighting references something not in STIX (e.g., a signature that was not previously sent via STIX).
If we require that the Sighting reference a STIX object, then we are also requiring that the e.g., Indicator be previously sent via STIX.

 
I don’t necessarily agree here that we need to use an non-STIX ID to reference Sightings outside of STIX. Rather than allow external references using
non-STIX IDs, we could handle this one of two ways:
·         
Require all STIX (including internal STIX) to have an externally resolvable namespace (i.e. http://taxi.orgA.com-indicator-
421e7b7b-7db0-4a28-8bc5-03ff43c09de1). The problem with this is that the company needs to setup and use and externally referenceable URI in order to use the namespace.
The benefit is that if the producer decides to share the Sighting it is very easy to do so as the Sighting is ready to be shared by default.
·         
Have an internal only namespace – the STIX version of RFC1918 – to allow internal only STIX IDs (i.e. internal -indicator-
421e7b7b-7db0-4a28-8bc5-03ff43c09de1). The problem with this is that I will require the STIX IDs to be translated into the externally resolvable namespace (i.e.
http://taxi.orgA.com-indicator- 421e7b7b-7db0-4a28-8bc5-03ff43c09de1) as it is being shared (kind of like STIX NAT). This translation
would need to be maintained for as long as the STIX objects are maintained within the internal system.
 
IMO source should be a required field, even if there is an explicit option for not disclosing the actual source (e.g., Unknown, Anonymous). I roughed out a quick
prototype the other day, and sighting info without a source just felt incomplete.
 
If the Source should be a required field then I would think the Victim information should too. As Pat and others have mentioned it is often important
to understand the traits of the victim in order to understand the aims of the attacker.
 
Alternative_ID makes sense for indicator, but IMO not as much for a sighting (minus the previous caveat). In theory, the processing software could dereference
the referenced ID then use any fields from that dereferenced object (like Alternative ID in the case of indicators). Or else we could have a “reference type” field.
·         
Note: This dereferencing capability probably relies on the query discussion happening in the TAXII SC. A “get by ID” use case has been raised a few times.
 
Not sure I understand this. Can you please expand this a bit more. (Apologies).
 
Cheers
 

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC and DTCC Company
+61 (407) 203 206
terry@soltra.com
 

 


From: Davidson II, Mark S [mailto:mdavidson@mitre.org]

Sent: Tuesday, 27 October 2015 10:39 PM
To: Jonathan Bush (DTCC) <jbush@dtcc.com>; Terry MacDonald <terry@soltra.com>; Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: cti-stix@lists.oasis-open.org
Subject: RE: [cti-stix] Top-level Sighting Object from last meeting


 
My thought would be that the Sighting
structure permit a reference to any other top level object, but for 2.0 we limit (in the spec) Sighting to only the use case(s) we know enough to solve (e.g., sightings of detected information).
 
As a means of enforcing this rule, the spec could have text along the lines of “The reference field MUST reference an (e.g.,) Indicator. Note that
this rule may be expanded in future revisions of STIX”. This rule would give software an easy way to toss out non-conforming sightings.
 
There’s probably also a variant of this use case where the sighting references something not in STIX (e.g., a signature that was not previously sent
via STIX). If we require that the Sighting reference a STIX object, then we are also requiring that the e.g., Indicator be previously sent via STIX. I think that having everything done via STIX is the ideal case, and the one we should optimize for. But we
should consider the uneven progress that will be made toward STIX adoption. Say, for instance, somebody wants to add STIX code to an IDS. It would be great (IMO) if they could have the sensor output STIX sightings for signatures that were not sent via STIX
(perhaps they are sent by the IDS’ management console), then once a STIX source is hooked up to the sensor (maybe the management console gets upgraded later), just start populating the sightings more completely. The question for me is how to make the sighting
object useful without necessarily having a dereferencable STIX ID (maybe this is an argument for Alternative ID? And we say that people MAY use Alternative ID in lieu of a STIX object ID? If we did that, IMO the rules regarding the usage of Alternative ID
would have to be pretty strict). Anyway, this paragraph is turning into a ramble so I’ll end it.
 
A couple other shorter thoughts:
·         
IMO source should be a required field, even if there is an explicit option for not disclosing the actual source (e.g., Unknown, Anonymous).
I roughed out a quick prototype the other day, and sighting info without a source just felt incomplete.
·         
Alternative_ID makes sense for indicator, but IMO not as much for a sighting (minus the previous caveat). In theory, the processing software
could dereference the referenced ID then use any fields from that dereferenced object (like Alternative ID in the case of indicators). Or else we could have a “reference type” field.

o   
Note: This dereferencing capability probably relies on the query discussion happening in the TAXII SC. A “get by ID” use case has been
raised a few times.
·         
I agree that for Sightings, the “inside the org” use case overlaps significantly with the “org to org” use case. I suspect this is the
case with many other use cases also.
 
Thank you.
-Mark
 


From:
cti-stix@lists.oasis-open.org [ mailto:cti-stix@lists.oasis-open.org ]
On Behalf Of Bush, Jonathan
Sent: Monday, October 26, 2015 7:01 PM
To: 'Terry MacDonald' < terry@soltra.com >; Jason Keirstead < Jason.Keirstead@ca.ibm.com >
Cc: cti-stix@lists.oasis-open.org
Subject: RE: [cti-stix] Top-level Sighting Object from last meeting


 
I would tend to agree Terry (just feels cleaner and more focused), although I’m curious about your thoughts are on how we
restrict that.  If the reference is just an ID, couldn’t anything be put in that field regardless of what we say the ‘rules’ are?
 


From:
cti-stix@lists.oasis-open.org [ mailto:cti-stix@lists.oasis-open.org ]
On Behalf Of Terry MacDonald
Sent: Monday, October 26, 2015 6:57 PM
To: Terry MacDonald; Jason Keirstead
Cc: cti-stix@lists.oasis-open.org
Subject: RE: [cti-stix] Top-level Sighting Object from last meeting


 
Hi All,
 
One other thing I wanted to highlight was a point raised by Aharon late last week in the STIX meeting. We need to discuss what exactly
we want the Sighting Object to be able to reference. As I understand it the available options are:
 
·         
Should a Sighting Object only reference ‘detected’ information (e.g. Observable Instances
only – most similar to an Indicator)
OR
·         
Should a Sighting Object reference
any other top-level Object (e.g. Threat Actor’s, TTPs, etc). This will be the most flexible and least restrictive for the future.
OR
·         
Should a Sighting Object reference
some top-level Objects based on STIX model  (e.g. Threat Actor’s, TTPs, Indicators, Incident, Report)
 
My
personal preference is for the first option – but I am very interested in what others think. I think we need to scope the Sighting object and discuss its purpose fairly early on to work out exactly where it will fit in the model.
 
Cheers
 

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC and DTCC Company
+61 (407) 203 206
terry@soltra.com
 

 


From:
cti-stix@lists.oasis-open.org [ mailto:cti-stix@lists.oasis-open.org ]
On Behalf Of Terry MacDonald
Sent: Tuesday, 27 October 2015 9:21 AM
To: Jason Keirstead < Jason.Keirstead@ca.ibm.com >
Cc: cti-stix@lists.oasis-open.org
Subject: RE: [cti-stix] Top-level Sighting Object from last meeting


 
Hi Jason
 
- What is "Alternative_ID" ?
 
The Alternative_ID was taken from the IndicatorType object.  From that object’s description it ‘Specifies an alternative identifier
(or alias) for the cyber threat Indicator.’. The idea was to allow the Sighting to have a reference of some kind, referring back to the ID that the tool that identified it had given it. It may not be useful in the Sighting context but I wanted to include it
just in case. TBH we may want to think more about how we handle ‘aliases’ in general across the whole STIX model…
 
- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.
 
Yes, my thinking was that a subset of the Sighting fields would be mandatory. I’ve suggested some below but would really like to see
what everyone else thinks.
 
Suggested Mandatory Fields
·         
Version
·         
Title

·         
Timestamp / Time Period
·         
One or more referenced objects (i.e. idref) – ( This would be done via Top-level relationship object )
 
Suggested Optional Fields
·         
Sighting Count
·         
Timestamp / Time Period
·         
Victim Organization information
·         
Producer Organization information
·         
Sighting Confidence
·         
TLP / Data Markings
·         
Alternative Sighting ID
·         
Sighting Type
·         
Description
·         
Short Description
 
Mark’s other post earlier today reminded me that I had earlier requested a Sighting object last year ( https://github.com/STIXProject/schemas/issues/306 ).
In there I even drew a nice updated STIX model diagram to include where I personally saw the Sighting object located (thanks to Bret for the visio). But this may help provide more context?

 

Please note this reflects my own personal viewpoint.
 
Cheers
 
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC and DTCC Company
+61 (407) 203 206
terry@soltra.com

 
 
From:
cti-stix@lists.oasis-open.org [ mailto:cti-stix@lists.oasis-open.org ]
On Behalf Of Jason Keirstead
Sent: Tuesday, 27 October 2015 8:34 AM
To: Terry MacDonald < terry@soltra.com >
Cc: cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Top-level Sighting Object from last meeting
 


Questions


 


- What is "Alternative_ID" ?


 


- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.


 


-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security
www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown

 


 



Original message -----
From: Terry MacDonald < terry@soltra.com >
Sent by: < cti-stix@lists.oasis-open.org >
To: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >
Cc:
Subject: [cti-stix] Top-level Sighting Object from last meeting
Date: Mon, Oct 26, 2015 2:00 PM
 

Hi All,
 
Given the flurry of discussions about features for STIX v2.0, it’s probably the right time to resend the top-level STIX Sighting Object conversation starter out again.
 So here are the slides. Please feel free to comment/feedback/complain/call me names.

 
Please note – the strawman UML model is an abstraction based on the use of the Sighting Object only for Observable Instances; it assumes that Indicators will similarly
be restricted to only allowing Observable Patterns. The idea being that Indicators = ‘things to look for’ and Sightings = ‘things we’ve found’.

 
Cheers
 
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC and DTCC Company
+61 (407) 203 206
terry@soltra.com

 
 


 


---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php  





--------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at:

https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

DTCC DISCLAIMER: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify us immediately and delete the email
and any attachments from your system. The recipient should check this email and any attachments for the presence of viruses.  The company accepts no liability for any damage caused by any virus transmitted by this email.

Alternative_ID makes sense for indicator, but IMO not as much for a sighting (minus the previous caveat). In theory, the processing software could
dereference the referenced ID then use any fields from that dereferenced object (like Alternative ID in the case of indicators). Or else we could have a “reference type” field.

·         
Note: This dereferencing capability probably relies on the query discussion happening in the TAXII SC. A “get by ID” use case has been raised a few times.
 
Not sure I understand this. Can you please expand this a bit more. (Apologies).
 
No worries; upon re-reading my email I had to think about what I meant, so clearly I was unclear.
 
I made an assumption that the Alternative ID field you proposed would be redundant with the Alternative ID from the referenced Indicator (or more generally, referenced object).
This assumption may have been in error. That said, I feel that redundant fields probably aren’t needed in sightings – a processing system can dereference the sighted object and get any necessary information from the dereferenced object.
 
If Alternative ID means a sighting’s Alternative ID, then my previous paragraph doesn’t really apply. In that situation, I’d like raise an open question as to why the Alternative
ID is necessary (we don’t need to answer the question now).
 
Thank you.
-Mark

To ´why alternative IDs': CVE-2015-007 = OSVDB-123 = MS05-666 On Thursday, 29 October 2015, Davidson II, Mark S < mdavidson@mitre.org > wrote: Alternative_ID makes sense for indicator, but IMO not as much for a sighting (minus the previous caveat). In theory, the processing software could dereference the referenced ID then use any fields from that dereferenced object (like Alternative ID in the case of indicators). Or else we could have a “reference type” field. ·          Note: This dereferencing capability probably relies on the query discussion happening in the TAXII SC. A “get by ID” use case has been raised a few times.   Not sure I understand this. Can you please expand this a bit more. (Apologies).   No worries; upon re-reading my email I had to think about what I meant, so clearly I was unclear.   I made an assumption that the Alternative ID field you proposed would be redundant with the Alternative ID from the referenced Indicator (or more generally, referenced object). This assumption may have been in error. That said, I feel that redundant fields probably aren’t needed in sightings – a processing system can dereference the sighted object and get any necessary information from the dereferenced object.   If Alternative ID means a sighting’s Alternative ID, then my previous paragraph doesn’t really apply. In that situation, I’d like raise an open question as to why the Alternative ID is necessary (we don’t need to answer the question now).   Thank you. -Mark

Ah ok.

 
The Alternative_ID was meant to reference something like an ID from an alerting tool. It was supposed to help record that mapping so
that you could go back to the original alert in the alerting tool that produced the sighting.
 
Cheers
 

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC and DTCC Company
+61 (407) 203 206
terry@soltra.com
 

 


From: Davidson II, Mark S [mailto:mdavidson@mitre.org]

Sent: Thursday, 29 October 2015 11:42 PM
To: Terry MacDonald <terry@soltra.com>; Jonathan Bush (DTCC) <jbush@dtcc.com>; Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: cti-stix@lists.oasis-open.org
Subject: RE: [cti-stix] Top-level Sighting Object from last meeting


 
Alternative_ID makes sense for indicator, but IMO not as much for a sighting (minus the previous caveat). In theory, the processing
software could dereference the referenced ID then use any fields from that dereferenced object (like Alternative ID in the case of indicators). Or else we could have a “reference type” field.

·         
Note: This dereferencing capability probably relies on the query discussion happening in the TAXII SC. A “get by ID” use case has been raised a few times.
 
Not sure I understand this. Can you please expand this a bit more. (Apologies).
 
No worries; upon re-reading my email I had to think about what I meant, so clearly I was unclear.
 
I made an assumption that the Alternative ID field you proposed would be redundant with the Alternative ID from the referenced Indicator (or more generally, referenced
object). This assumption may have been in error. That said, I feel that redundant fields probably aren’t needed in sightings – a processing system can dereference the sighted object and get any necessary information from the dereferenced object.
 
If Alternative ID means a sighting’s Alternative ID, then my previous paragraph doesn’t really apply. In that situation, I’d like raise an open question as to
why the Alternative ID is necessary (we don’t need to answer the question now).
 
Thank you.
-Mark

 
Hi!,
 
Does this depend on what is producing the sighting object ?, for example the first option appeals to me because from an ability to auto-script and generate
it could be potentially easy to make those links of observations to a sighting object.  With regards to “Threat Actor’s” and “TTP’s”, doesn’t it get a little hard because (based on the experience I have had), you have more softer definitions you place into
those top level objects, they are not straight out IP addresses, MD5’s or email addresses.
 
Do others seeing the sighting object as being a construct which would more times than not be something that is auto-generated by various systems, rather than
a construct put together manually which include thought and analysis ? (that’s not to say that you couldn’t do that, just that it is a lot harder).
 
Personally, I prefer option 1.
 
Regards,
 
Dean
 
 


From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org]
On Behalf Of Terry MacDonald
Sent: Tuesday, 27 October 2015 9:57 AM
To: Terry MacDonald; Jason Keirstead
Cc: cti-stix@lists.oasis-open.org
Subject: RE: [cti-stix] Top-level Sighting Object from last meeting


 
Hi All,
 
One other thing I wanted to highlight was a point raised by Aharon late last week in the STIX meeting. We need to discuss
what exactly we want the Sighting Object to be able to reference. As I understand it the available options are:
 
·         
Should a Sighting Object only reference ‘detected’ information (e.g. Observable Instances
only – most similar to an Indicator)
OR
·         
Should a Sighting Object reference
any other top-level Object (e.g. Threat Actor’s, TTPs, etc). This will be the most flexible and least restrictive for the future.
OR
·         
Should a Sighting Object reference
some top-level Objects based on STIX model  (e.g. Threat Actor’s, TTPs, Indicators, Incident, Report)
 
My
personal preference is for the first option – but I am very interested in what others think. I think we need to scope the Sighting object and discuss its purpose fairly early on to work out exactly where it will fit in the model.
 
Cheers
 

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC and DTCC Company
+61 (407) 203 206
terry@soltra.com
 

 


From:
cti-stix@lists.oasis-open.org [ mailto:cti-stix@lists.oasis-open.org ]
On Behalf Of Terry MacDonald
Sent: Tuesday, 27 October 2015 9:21 AM
To: Jason Keirstead < Jason.Keirstead@ca.ibm.com >
Cc: cti-stix@lists.oasis-open.org
Subject: RE: [cti-stix] Top-level Sighting Object from last meeting


 
Hi Jason
 
- What is "Alternative_ID" ?
 
The Alternative_ID was taken from the IndicatorType object.  From that object’s description it ‘Specifies an alternative
identifier (or alias) for the cyber threat Indicator.’. The idea was to allow the Sighting to have a reference of some kind, referring back to the ID that the tool that identified it had given it. It may not be useful in the Sighting context but I wanted to
include it just in case. TBH we may want to think more about how we handle ‘aliases’ in general across the whole STIX model…
 
- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.
 
Yes, my thinking was that a subset of the Sighting fields would be mandatory. I’ve suggested some below but would really
like to see what everyone else thinks.
 
Suggested Mandatory Fields
·         
Version
·         
Title

·         
Timestamp / Time Period
·         
One or more referenced objects (i.e. idref) – ( This would be done via Top-level relationship object )
 
Suggested Optional Fields
·         
Sighting Count
·         
Timestamp / Time Period
·         
Victim Organization information
·         
Producer Organization information
·         
Sighting Confidence
·         
TLP / Data Markings
·         
Alternative Sighting ID
·         
Sighting Type
·         
Description
·         
Short Description
 
Mark’s other post earlier today reminded me that I had earlier requested a Sighting object last year ( https://github.com/STIXProject/schemas/issues/306 ).
In there I even drew a nice updated STIX model diagram to include where I personally saw the Sighting object located (thanks to Bret for the visio). But this may help provide more context?

 

Please note this reflects my own personal viewpoint.
 
Cheers
 
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC and DTCC Company
+61 (407) 203 206
terry@soltra.com

 
 
From:
cti-stix@lists.oasis-open.org [ mailto:cti-stix@lists.oasis-open.org ]
On Behalf Of Jason Keirstead
Sent: Tuesday, 27 October 2015 8:34 AM
To: Terry MacDonald < terry@soltra.com >
Cc: cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Top-level Sighting Object from last meeting
 


Questions


 


- What is "Alternative_ID" ?


 


- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.


 


-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security
www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown

 


 



Original message -----
From: Terry MacDonald < terry@soltra.com >
Sent by: < cti-stix@lists.oasis-open.org >
To: " cti-stix@lists.oasis-open.org "
< cti-stix@lists.oasis-open.org >
Cc:
Subject: [cti-stix] Top-level Sighting Object from last meeting
Date: Mon, Oct 26, 2015 2:00 PM
 

Hi All,
 
Given the flurry of discussions about features for STIX v2.0, it’s probably the right time to resend the top-level STIX Sighting Object conversation starter out again.  So here
are the slides. Please feel free to comment/feedback/complain/call me names.

 
Please note – the strawman UML model is an abstraction based on the use of the Sighting Object only for Observable Instances; it assumes that Indicators will similarly be restricted
to only allowing Observable Patterns. The idea being that Indicators = ‘things to look for’ and Sightings = ‘things we’ve found’.

 
Cheers
 
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC and DTCC Company
+61 (407) 203 206
terry@soltra.com

 
 


 


---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php  





--------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at:

https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

This e-mail and any attachments to it (the Communication ) is, unless otherwise stated, confidential, may contain copyright material and is for the use only of the intended recipient. If you receive the Communication in error, please notify the sender immediately by return e-mail, delete the Communication and the return e-mail, and do not read, copy, retransmit or otherwise deal with it. Any views expressed in the Communication are those of the individual sender only, unless expressly stated to be those of Australia and New Zealand Banking Group Limited ABN 11 005 357 522, or any of its related entities including ANZ Bank New Zealand Limited (together ANZ ). ANZ does not accept liability in connection with the integrity of or errors in the Communication, computer virus, data corruption, interference or delay arising from or in respect of the Communication.

Hi Dean,
 
It is possible that options 2 and 3 could be handled by the investigation/tagging object I’ve suggested in another thread.

 
This would then allow the Sighting object to only focus on Observable Instances as per option 1.
 
Cheers
 

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC and DTCC Company
+61 (407) 203 206
terry@soltra.com
 

 


From: Thompson, Dean [mailto:Dean.Thompson@anz.com]

Sent: Wednesday, 28 October 2015 9:14 AM
To: Terry MacDonald <terry@soltra.com>; 'Jason Keirstead' <Jason.Keirstead@ca.ibm.com>
Cc: 'cti-stix@lists.oasis-open.org' <cti-stix@lists.oasis-open.org>
Subject: RE: [cti-stix] Top-level Sighting Object from last meeting


 
 
Hi!,
 
Does this depend on what is producing the sighting object ?, for example the first option appeals to me because from an ability to auto-script and
generate it could be potentially easy to make those links of observations to a sighting object.  With regards to “Threat Actor’s” and “TTP’s”, doesn’t it get a little hard because (based on the experience I have had), you have more softer definitions you place
into those top level objects, they are not straight out IP addresses, MD5’s or email addresses.
 
Do others seeing the sighting object as being a construct which would more times than not be something that is auto-generated by various systems,
rather than a construct put together manually which include thought and analysis ? (that’s not to say that you couldn’t do that, just that it is a lot harder).
 
Personally, I prefer option 1.
 
Regards,
 
Dean
 
 


From:
cti-stix@lists.oasis-open.org [ mailto:cti-stix@lists.oasis-open.org ]
On Behalf Of Terry MacDonald
Sent: Tuesday, 27 October 2015 9:57 AM
To: Terry MacDonald; Jason Keirstead
Cc: cti-stix@lists.oasis-open.org
Subject: RE: [cti-stix] Top-level Sighting Object from last meeting


 
Hi All,
 
One other thing I wanted to highlight was a point raised by Aharon late last week in the STIX meeting. We need to discuss what exactly
we want the Sighting Object to be able to reference. As I understand it the available options are:
 
·         
Should a Sighting Object only reference ‘detected’ information (e.g. Observable Instances
only – most similar to an Indicator)
OR
·         
Should a Sighting Object reference
any other top-level Object (e.g. Threat Actor’s, TTPs, etc). This will be the most flexible and least restrictive for the future.
OR
·         
Should a Sighting Object reference
some top-level Objects based on STIX model  (e.g. Threat Actor’s, TTPs, Indicators, Incident, Report)
 
My
personal preference is for the first option – but I am very interested in what others think. I think we need to scope the Sighting object and discuss its purpose fairly early on to work out exactly where it will fit in the model.
 
Cheers
 

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC and DTCC Company
+61 (407) 203 206
terry@soltra.com
 

 


From:
cti-stix@lists.oasis-open.org [ mailto:cti-stix@lists.oasis-open.org ]
On Behalf Of Terry MacDonald
Sent: Tuesday, 27 October 2015 9:21 AM
To: Jason Keirstead < Jason.Keirstead@ca.ibm.com >
Cc: cti-stix@lists.oasis-open.org
Subject: RE: [cti-stix] Top-level Sighting Object from last meeting


 
Hi Jason
 
- What is "Alternative_ID" ?
 
The Alternative_ID was taken from the IndicatorType object.  From that object’s description it ‘Specifies an alternative identifier
(or alias) for the cyber threat Indicator.’. The idea was to allow the Sighting to have a reference of some kind, referring back to the ID that the tool that identified it had given it. It may not be useful in the Sighting context but I wanted to include it
just in case. TBH we may want to think more about how we handle ‘aliases’ in general across the whole STIX model…
 
- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.
 
Yes, my thinking was that a subset of the Sighting fields would be mandatory. I’ve suggested some below but would really like to see
what everyone else thinks.
 
Suggested Mandatory Fields
·         
Version
·         
Title

·         
Timestamp / Time Period
·         
One or more referenced objects (i.e. idref) – ( This would be done via Top-level relationship object )
 
Suggested Optional Fields
·         
Sighting Count
·         
Timestamp / Time Period
·         
Victim Organization information
·         
Producer Organization information
·         
Sighting Confidence
·         
TLP / Data Markings
·         
Alternative Sighting ID
·         
Sighting Type
·         
Description
·         
Short Description
 
Mark’s other post earlier today reminded me that I had earlier requested a Sighting object last year ( https://github.com/STIXProject/schemas/issues/306 ).
In there I even drew a nice updated STIX model diagram to include where I personally saw the Sighting object located (thanks to Bret for the visio). But this may help provide more context?

 

Please note this reflects my own personal viewpoint.
 
Cheers
 
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC and DTCC Company
+61 (407) 203 206
terry@soltra.com

 
 
From:
cti-stix@lists.oasis-open.org [ mailto:cti-stix@lists.oasis-open.org ]
On Behalf Of Jason Keirstead
Sent: Tuesday, 27 October 2015 8:34 AM
To: Terry MacDonald < terry@soltra.com >
Cc: cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Top-level Sighting Object from last meeting
 


Questions


 


- What is "Alternative_ID" ?


 


- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.


 


-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security
www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown

 


 



Original message -----
From: Terry MacDonald < terry@soltra.com >
Sent by: < cti-stix@lists.oasis-open.org >
To: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >
Cc:
Subject: [cti-stix] Top-level Sighting Object from last meeting
Date: Mon, Oct 26, 2015 2:00 PM
 

Hi All,
 
Given the flurry of discussions about features for STIX v2.0, it’s probably the right time to resend the top-level STIX Sighting Object conversation starter out again.  So here are the slides.
Please feel free to comment/feedback/complain/call me names.
 
Please note – the strawman UML model is an abstraction based on the use of the Sighting Object only for Observable Instances; it assumes that Indicators will similarly be restricted to only allowing
Observable Patterns. The idea being that Indicators = ‘things to look for’ and Sightings = ‘things we’ve found’.

 
Cheers
 
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC and DTCC Company
+61 (407) 203 206
terry@soltra.com

 
 


 


---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php  





--------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at:

https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php




This e-mail and any attachments to it (the "Communication") is, unless otherwise stated, confidential, may contain copyright material and is for the use only of the intended recipient. If you receive the Communication
in error, please notify the sender immediately by return e-mail, delete the Communication and the return e-mail, and do not read, copy, retransmit or otherwise deal with it. Any views expressed in the Communication are those of the individual sender only,
unless expressly stated to be those of Australia and New Zealand Banking Group Limited ABN 11 005 357 522, or any of its related entities including ANZ Bank New Zealand Limited (together "ANZ"). ANZ does not accept liability in connection with the integrity
of or errors in the Communication, computer virus, data corruption, interference or delay arising from or in respect of the Communication.

 
Hi!,
 
Yep, this makes sense.  This leaves option #1 for the auto-generated sightings which works in my book.
Option #2/Option #3 as you have stated is more in line with investigation and tagging which happens later in the investigation after more ‘grey matter’ has
been applied.
 
Regards,
 
Dean
 
 


From: Terry MacDonald [mailto:terry@soltra.com]

Sent: Wednesday, 28 October 2015 9:20 AM
To: Thompson, Dean; 'Jason Keirstead'
Cc: 'cti-stix@lists.oasis-open.org'
Subject: RE: [cti-stix] Top-level Sighting Object from last meeting


 
Hi Dean,
 
It is possible that options 2 and 3 could be handled by the investigation/tagging object I’ve suggested in another thread.

 
This would then allow the Sighting object to only focus on Observable Instances as per option 1.
 
Cheers
 

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC and DTCC Company
+61 (407) 203 206
terry@soltra.com
 

 


From: Thompson, Dean [ mailto:Dean.Thompson@anz.com ]

Sent: Wednesday, 28 October 2015 9:14 AM
To: Terry MacDonald < terry@soltra.com >; 'Jason Keirstead' < Jason.Keirstead@ca.ibm.com >
Cc: 'cti-stix@lists.oasis-open.org' < cti-stix@lists.oasis-open.org >
Subject: RE: [cti-stix] Top-level Sighting Object from last meeting


 
 
Hi!,
 
Does this depend on what is producing the sighting object ?, for example the first option appeals to me because from an ability to auto-script and generate
it could be potentially easy to make those links of observations to a sighting object.  With regards to “Threat Actor’s” and “TTP’s”, doesn’t it get a little hard because (based on the experience I have had), you have more softer definitions you place into
those top level objects, they are not straight out IP addresses, MD5’s or email addresses.
 
Do others seeing the sighting object as being a construct which would more times than not be something that is auto-generated by various systems, rather than
a construct put together manually which include thought and analysis ? (that’s not to say that you couldn’t do that, just that it is a lot harder).
 
Personally, I prefer option 1.
 
Regards,
 
Dean
 
 


From:
cti-stix@lists.oasis-open.org [ mailto:cti-stix@lists.oasis-open.org ]
On Behalf Of Terry MacDonald
Sent: Tuesday, 27 October 2015 9:57 AM
To: Terry MacDonald; Jason Keirstead
Cc: cti-stix@lists.oasis-open.org
Subject: RE: [cti-stix] Top-level Sighting Object from last meeting


 
Hi All,
 
One other thing I wanted to highlight was a point raised by Aharon late last week in the STIX meeting. We need to discuss
what exactly we want the Sighting Object to be able to reference. As I understand it the available options are:
 
·         
Should a Sighting Object only reference ‘detected’ information (e.g. Observable Instances
only – most similar to an Indicator)
OR
·         
Should a Sighting Object reference
any other top-level Object (e.g. Threat Actor’s, TTPs, etc). This will be the most flexible and least restrictive for the future.
OR
·         
Should a Sighting Object reference
some top-level Objects based on STIX model  (e.g. Threat Actor’s, TTPs, Indicators, Incident, Report)
 
My
personal preference is for the first option – but I am very interested in what others think. I think we need to scope the Sighting object and discuss its purpose fairly early on to work out exactly where it will fit in the model.
 
Cheers
 

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC and DTCC Company
+61 (407) 203 206
terry@soltra.com
 

 


From:
cti-stix@lists.oasis-open.org [ mailto:cti-stix@lists.oasis-open.org ]
On Behalf Of Terry MacDonald
Sent: Tuesday, 27 October 2015 9:21 AM
To: Jason Keirstead < Jason.Keirstead@ca.ibm.com >
Cc: cti-stix@lists.oasis-open.org
Subject: RE: [cti-stix] Top-level Sighting Object from last meeting


 
Hi Jason
 
- What is "Alternative_ID" ?
 
The Alternative_ID was taken from the IndicatorType object.  From that object’s description it ‘Specifies an alternative
identifier (or alias) for the cyber threat Indicator.’. The idea was to allow the Sighting to have a reference of some kind, referring back to the ID that the tool that identified it had given it. It may not be useful in the Sighting context but I wanted to
include it just in case. TBH we may want to think more about how we handle ‘aliases’ in general across the whole STIX model…
 
- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.
 
Yes, my thinking was that a subset of the Sighting fields would be mandatory. I’ve suggested some below but would really
like to see what everyone else thinks.
 
Suggested Mandatory Fields
·         
Version
·         
Title

·         
Timestamp / Time Period
·         
One or more referenced objects (i.e. idref) – ( This would be done via Top-level relationship object )
 
Suggested Optional Fields
·         
Sighting Count
·         
Timestamp / Time Period
·         
Victim Organization information
·         
Producer Organization information
·         
Sighting Confidence
·         
TLP / Data Markings
·         
Alternative Sighting ID
·         
Sighting Type
·         
Description
·         
Short Description
 
Mark’s other post earlier today reminded me that I had earlier requested a Sighting object last year ( https://github.com/STIXProject/schemas/issues/306 ).
In there I even drew a nice updated STIX model diagram to include where I personally saw the Sighting object located (thanks to Bret for the visio). But this may help provide more context?

 

Please note this reflects my own personal viewpoint.
 
Cheers
 
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC and DTCC Company
+61 (407) 203 206
terry@soltra.com

 
 
From:
cti-stix@lists.oasis-open.org [ mailto:cti-stix@lists.oasis-open.org ]
On Behalf Of Jason Keirstead
Sent: Tuesday, 27 October 2015 8:34 AM
To: Terry MacDonald < terry@soltra.com >
Cc: cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Top-level Sighting Object from last meeting
 


Questions


 


- What is "Alternative_ID" ?


 


- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.


 


-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security
www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown

 


 



Original message -----
From: Terry MacDonald < terry@soltra.com >
Sent by: < cti-stix@lists.oasis-open.org >
To: " cti-stix@lists.oasis-open.org "
< cti-stix@lists.oasis-open.org >
Cc:
Subject: [cti-stix] Top-level Sighting Object from last meeting
Date: Mon, Oct 26, 2015 2:00 PM
 

Hi All,
 
Given the flurry of discussions about features for STIX v2.0, it’s probably the right time to resend the top-level STIX Sighting Object conversation starter out again.  So here
are the slides. Please feel free to comment/feedback/complain/call me names.

 
Please note – the strawman UML model is an abstraction based on the use of the Sighting Object only for Observable Instances; it assumes that Indicators will similarly be restricted
to only allowing Observable Patterns. The idea being that Indicators = ‘things to look for’ and Sightings = ‘things we’ve found’.

 
Cheers
 
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC and DTCC Company
+61 (407) 203 206
terry@soltra.com

 
 


 


---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php  





--------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at:

https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php




This e-mail and any attachments to it (the "Communication") is, unless otherwise stated, confidential, may contain copyright material and is for the use only of the intended recipient. If you receive the Communication in error, please notify
the sender immediately by return e-mail, delete the Communication and the return e-mail, and do not read, copy, retransmit or otherwise deal with it. Any views expressed in the Communication are those of the individual sender only, unless expressly stated
to be those of Australia and New Zealand Banking Group Limited ABN 11 005 357 522, or any of its related entities including ANZ Bank New Zealand Limited (together "ANZ"). ANZ does not accept liability in connection with the integrity of or errors in the Communication,
computer virus, data corruption, interference or delay arising from or in respect of the Communication.


This e-mail and any attachments to it (the Communication ) is, unless otherwise stated, confidential, may contain copyright material and is for the use only of the intended recipient. If you receive the Communication in error, please notify the sender immediately by return e-mail, delete the Communication and the return e-mail, and do not read, copy, retransmit or otherwise deal with it. Any views expressed in the Communication are those of the individual sender only, unless expressly stated to be those of Australia and New Zealand Banking Group Limited ABN 11 005 357 522, or any of its related entities including ANZ Bank New Zealand Limited (together ANZ ). ANZ does not accept liability in connection with the integrity of or errors in the Communication, computer virus, data corruption, interference or delay arising from or in respect of the Communication.

I think the vast majority of sightings will be more or less auto generated.  There may be a need to support sightings of other higher level objects, but the quantity or volume of those will be really small in relative terms. Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.   On Oct 27, 2015, at 15:13, Thompson, Dean < Dean.Thompson@anz.com > wrote:   Hi!,   Does this depend on what is producing the sighting object ?, for example the first option appeals to me because from an ability to auto-script and generate it could be potentially easy to make those links of observations to a sighting object.  With regards to “Threat Actor’s” and “TTP’s”, doesn’t it get a little hard because (based on the experience I have had), you have more softer definitions you place into those top level objects, they are not straight out IP addresses, MD5’s or email addresses.   Do others seeing the sighting object as being a construct which would more times than not be something that is auto-generated by various systems, rather than a construct put together manually which include thought and analysis ? (that’s not to say that you couldn’t do that, just that it is a lot harder).   Personally, I prefer option 1.   Regards,   Dean     From:   cti-stix@lists.oasis-open.org   [ mailto:cti-stix@lists.oasis-open.org ]   On Behalf Of   Terry MacDonald Sent:   Tuesday, 27 October 2015 9:57 AM To:   Terry MacDonald; Jason Keirstead Cc:   cti-stix@lists.oasis-open.org Subject:   RE: [cti-stix] Top-level Sighting Object from last meeting   Hi All,   One other thing I wanted to highlight was a point raised by Aharon late last week in the STIX meeting. We need to discuss what exactly we want the Sighting Object to be able to reference. As I understand it the available options are:   ·            Should a Sighting Object only reference ‘detected’ information (e.g. Observable Instances   only   – most similar to an Indicator) OR ·            Should a Sighting Object reference   any   other top-level Object (e.g. Threat Actor’s, TTPs, etc). This will be the most flexible and least restrictive for the future. OR ·            Should a Sighting Object reference   some   top-level Objects based on STIX model  (e.g. Threat Actor’s, TTPs, Indicators, Incident, Report)   My   personal   preference is for the first option – but I am very interested in what others think. I think we need to scope the Sighting object and discuss its purpose fairly early on to work out exactly where it will fit in the model.   Cheers   Terry MacDonald Senior STIX Subject Matter Expert SOLTRA   An FS-ISAC and DTCC Company +61 (407) 203 206   terry@soltra.com     From:   cti-stix@lists.oasis-open.org   [ mailto:cti-stix@lists.oasis-open.org ]   On Behalf Of   Terry MacDonald Sent:   Tuesday, 27 October 2015 9:21 AM To:   Jason Keirstead < Jason.Keirstead@ca.ibm.com > Cc:   cti-stix@lists.oasis-open.org Subject:   RE: [cti-stix] Top-level Sighting Object from last meeting   Hi Jason   - What is Alternative_ID ?   The Alternative_ID was taken from the IndicatorType object.  From that object’s description it ‘Specifies an alternative identifier (or alias) for the cyber threat Indicator.’. The idea was to allow the Sighting to have a reference of some kind, referring back to the ID that the tool that identified it had given it. It may not be useful in the Sighting context but I wanted to include it just in case. TBH we may want to think more about how we handle ‘aliases’ in general across the whole STIX model…   - Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.   Yes, my thinking was that a subset of the Sighting fields would be mandatory. I’ve suggested some below but would really like to see what everyone else thinks.   Suggested Mandatory Fields ·            Version ·            Title ·            Timestamp / Time Period ·            One or more referenced objects (i.e. idref) – ( This would be done via Top-level relationship object )   Suggested Optional Fields ·            Sighting Count ·            Timestamp / Time Period ·            Victim Organization information ·            Producer Organization information ·            Sighting Confidence ·            TLP / Data Markings ·            Alternative Sighting ID ·            Sighting Type ·            Description ·            Short Description   Mark’s other post earlier today reminded me that I had earlier requested a Sighting object last year ( https://github.com/STIXProject/schemas/issues/306 ). In there I even drew a nice updated STIX model diagram to include where I personally saw the Sighting object located (thanks to Bret for the visio). But this may help provide more context?   <image001.jpg> Please note this reflects my own personal viewpoint.   Cheers   Terry MacDonald Senior STIX Subject Matter Expert SOLTRA   An FS-ISAC and DTCC Company +61 (407) 203 206   terry@soltra.com     From:   cti-stix@lists.oasis-open.org   [ mailto:cti-stix@lists.oasis-open.org ]   On Behalf Of   Jason Keirstead Sent:   Tuesday, 27 October 2015 8:34 AM To:   Terry MacDonald < terry@soltra.com > Cc:   cti-stix@lists.oasis-open.org Subject:   Re: [cti-stix] Top-level Sighting Object from last meeting   Questions   - What is Alternative_ID ?   - Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.   - Jason Keirstead Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security     www.securityintelligence.com Without data, all you are is just another person with an opinion - Unknown      
Original message ----- From: Terry MacDonald < terry@soltra.com > Sent by: < cti-stix@lists.oasis-open.org > To: cti-stix@lists.oasis-open.org < cti-stix@lists.oasis-open.org > Cc: Subject: [cti-stix] Top-level Sighting Object from last meeting Date: Mon, Oct 26, 2015 2:00 PM   Hi All,   Given the flurry of discussions about features for STIX v2.0, it’s probably the right time to resend the top-level STIX Sighting Object conversation starter out again.  So here are the slides. Please feel free to comment/feedback/complain/call me names.     Please note – the strawman UML model is an abstraction based on the use of the Sighting Object only for Observable Instances; it assumes that Indicators will similarly be restricted to only allowing Observable Patterns. The idea being that Indicators = ‘things to look for’ and Sightings = ‘things we’ve found’.   Cheers   Terry MacDonald Senior STIX Subject Matter Expert SOLTRA   An FS-ISAC and DTCC Company +61 (407) 203 206   terry@soltra.com       --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail.  Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php   --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at:   https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php This e-mail and any attachments to it (the Communication ) is, unless otherwise stated, confidential, may contain copyright material and is for the use only of the intended recipient. If you receive the Communication in error, please notify the sender immediately by return e-mail, delete the Communication and the return e-mail, and do not read, copy, retransmit or otherwise deal with it. Any views expressed in the Communication are those of the individual sender only, unless expressly stated to be those of Australia and New Zealand Banking Group Limited ABN 11 005 357 522, or any of its related entities including ANZ Bank New Zealand Limited (together ANZ ). ANZ does not accept liability in connection with the integrity of or errors in the Communication, computer virus, data corruption, interference or delay arising from or in respect of the Communication. Attachment: signature.asc Description: Message signed with OpenPGP using GPGMail

 
Hi!,
 
Yep, totally agree.
 
Regards,
 
Dean
 


From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org]
On Behalf Of Jordan, Bret
Sent: Wednesday, 28 October 2015 9:23 AM
To: Thompson, Dean
Cc: Terry MacDonald; Jason Keirstead; cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Top-level Sighting Object from last meeting


 
I think the vast majority of sightings will be more or less auto generated.  There may be a need to support sightings of other higher level objects, but the quantity or volume of those will be really small in relative terms.







 


Thanks,


 


Bret



 


 


 



Bret Jordan CISSP

Director of Security Architecture and Standards Office of the CTO


Blue Coat Systems



PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050


"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 









 



On Oct 27, 2015, at 15:13, Thompson, Dean < Dean.Thompson@anz.com > wrote:

 


 


Hi!,


 


Does this depend on what is producing the sighting object ?, for example the first option appeals to me because from an ability to auto-script and generate
it could be potentially easy to make those links of observations to a sighting object.  With regards to “Threat Actor’s” and “TTP’s”, doesn’t it get a little hard because (based on the experience I have had), you have more softer definitions you place into
those top level objects, they are not straight out IP addresses, MD5’s or email addresses.


 


Do others seeing the sighting object as being a construct which would more times than not be something that is auto-generated by various systems, rather than
a construct put together manually which include thought and analysis ? (that’s not to say that you couldn’t do that, just that it is a lot harder).


 


Personally, I prefer option 1.


 


Regards,


 


Dean


 


 




From:   cti-stix@lists.oasis-open.org   [ mailto:cti-stix@lists.oasis-open.org ]   On
Behalf Of   Terry MacDonald
Sent:   Tuesday, 27 October 2015 9:57 AM
To:   Terry MacDonald; Jason Keirstead
Cc:   cti-stix@lists.oasis-open.org
Subject:   RE: [cti-stix] Top-level Sighting Object from last meeting




 


Hi All,


 


One other thing I wanted to highlight was a point raised by Aharon late last week in the STIX meeting. We need to discuss what exactly we want
the Sighting Object to be able to reference. As I understand it the available options are:


 


·            Should
a Sighting Object only reference ‘detected’ information (e.g. Observable Instances   only   – most similar to an Indicator)


OR


·            Should
a Sighting Object reference   any   other top-level Object (e.g. Threat Actor’s, TTPs, etc). This will be the most flexible and least restrictive for the future.


OR


·            Should
a Sighting Object reference   some   top-level Objects based on STIX model  (e.g. Threat Actor’s, TTPs, Indicators, Incident, Report)


 


My   personal   preference is for the first option – but
I am very interested in what others think. I think we need to scope the Sighting object and discuss its purpose fairly early on to work out exactly where it will fit in the model.


 


Cheers


 



Terry MacDonald


Senior STIX Subject Matter Expert


SOLTRA   An FS-ISAC and DTCC Company


+61 (407) 203 206   terry@soltra.com


 



 




From:   cti-stix@lists.oasis-open.org   [ mailto:cti-stix@lists.oasis-open.org ]   On
Behalf Of   Terry MacDonald
Sent:   Tuesday, 27 October 2015 9:21 AM
To:   Jason Keirstead < Jason.Keirstead@ca.ibm.com >
Cc:   cti-stix@lists.oasis-open.org
Subject:   RE: [cti-stix] Top-level Sighting Object from last meeting




 


Hi Jason


 


- What is "Alternative_ID" ?


 


The Alternative_ID was taken from the IndicatorType object.  From that object’s description it ‘Specifies an alternative identifier (or alias)
for the cyber threat Indicator.’. The idea was to allow the Sighting to have a reference of some kind, referring back to the ID that the tool that identified it had given it. It may not be useful in the Sighting context but I wanted to include it just in case.
TBH we may want to think more about how we handle ‘aliases’ in general across the whole STIX model…


 


- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.


 


Yes, my thinking was that a subset of the Sighting fields would be mandatory. I’ve suggested some below but would really like to see what everyone
else thinks.


 


Suggested Mandatory Fields


·            Version


·            Title


·            Timestamp
/ Time Period


·            One
or more referenced objects (i.e. idref) – ( This would be done via Top-level relationship object )


 


Suggested Optional Fields


·            Sighting
Count


·            Timestamp
/ Time Period


·            Victim
Organization information


·            Producer
Organization information


·            Sighting
Confidence


·            TLP
/ Data Markings


·            Alternative
Sighting ID


·            Sighting
Type


·            Description


·            Short
Description


 


Mark’s other post earlier today reminded me that I had earlier requested a Sighting object last year ( https://github.com/STIXProject/schemas/issues/306 ).
In there I even drew a nice updated STIX model diagram to include where I personally saw the Sighting object located (thanks to Bret for the visio). But this may help provide more context?


 


<image001.jpg>


Please note this reflects my own personal viewpoint.


 


Cheers


 


Terry MacDonald


Senior STIX Subject Matter Expert


SOLTRA   An FS-ISAC and DTCC Company


+61 (407) 203 206   terry@soltra.com


 


 


From:   cti-stix@lists.oasis-open.org   [ mailto:cti-stix@lists.oasis-open.org ]   On
Behalf Of   Jason Keirstead
Sent:   Tuesday, 27 October 2015 8:34 AM
To:   Terry MacDonald < terry@soltra.com >
Cc:   cti-stix@lists.oasis-open.org
Subject:   Re: [cti-stix] Top-level Sighting Object from last meeting


 




Questions




 




- What is "Alternative_ID" ?




 




- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.




 




-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security     www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown  



 




 





Original message -----
From: Terry MacDonald < terry@soltra.com >
Sent by: < cti-stix@lists.oasis-open.org >
To: " cti-stix@lists.oasis-open.org "
< cti-stix@lists.oasis-open.org >
Cc:
Subject: [cti-stix] Top-level Sighting Object from last meeting
Date: Mon, Oct 26, 2015 2:00 PM
 


Hi All,
 
Given the flurry of discussions about features for STIX v2.0, it’s probably the right time to resend
the top-level STIX Sighting Object conversation starter out again.  So here are the slides. Please feel free to comment/feedback/complain/call me names.  
 
Please note – the strawman UML model is an abstraction based on the use of the Sighting Object only
for Observable Instances; it assumes that Indicators will similarly be restricted to only allowing Observable Patterns. The idea being that Indicators = ‘things to look for’ and Sightings = ‘things we’ve found’.
 
Cheers
 
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA  
An FS-ISAC and DTCC Company
+61 (407) 203 206   terry@soltra.com
 
 



 




---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php  







--------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at:   https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php



 




This e-mail and any attachments to it (the "Communication") is, unless otherwise stated, confidential, may contain copyright material and is for the use only of the intended
recipient. If you receive the Communication in error, please notify the sender immediately by return e-mail, delete the Communication and the return e-mail, and do not read, copy, retransmit or otherwise deal with it. Any views expressed in the Communication
are those of the individual sender only, unless expressly stated to be those of Australia and New Zealand Banking Group Limited ABN 11 005 357 522, or any of its related entities including ANZ Bank New Zealand Limited (together "ANZ"). ANZ does not accept
liability in connection with the integrity of or errors in the Communication, computer virus, data corruption, interference or delay arising from or in respect of the Communication.




 

This e-mail and any attachments to it (the Communication ) is, unless otherwise stated, confidential, may contain copyright material and is for the use only of the intended recipient. If you receive the Communication in error, please notify the sender immediately by return e-mail, delete the Communication and the return e-mail, and do not read, copy, retransmit or otherwise deal with it. Any views expressed in the Communication are those of the individual sender only, unless expressly stated to be those of Australia and New Zealand Banking Group Limited ABN 11 005 357 522, or any of its related entities including ANZ Bank New Zealand Limited (together ANZ ). ANZ does not accept liability in connection with the integrity of or errors in the Communication, computer virus, data corruption, interference or delay arising from or in respect of the Communication.

I agree with that as well.  In fact, as I read your statement Bret, I thought “if this isn’t the case, what are the chances that anyone would ever really use them?”.
There would simply be too much manual data entry to be practical.  These are the kinds of call-outs that we all need to identify and keep in mind.  In this particular
situation, it may not change how we design the object, but I suppose it could in some less-than-obvious way.
 
Great stuff…
 


From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org]
On Behalf Of Jordan, Bret
Sent: Tuesday, October 27, 2015 6:23 PM
To: Thompson, Dean
Cc: Terry MacDonald; Jason Keirstead; cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Top-level Sighting Object from last meeting


 
I think the vast majority of sightings will be more or less auto generated.  There may be a need to support sightings of other higher level objects, but the quantity or volume of those will be really small in relative terms.







 


Thanks,


 


Bret



 


 


 



Bret Jordan CISSP

Director of Security Architecture and Standards Office of the CTO


Blue Coat Systems



PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050


"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 









 



On Oct 27, 2015, at 15:13, Thompson, Dean < Dean.Thompson@anz.com > wrote:

 


 


Hi!,


 


Does this depend on what is producing the sighting object ?, for example the first option appeals to me because from an ability to auto-script and generate
it could be potentially easy to make those links of observations to a sighting object.  With regards to “Threat Actor’s” and “TTP’s”, doesn’t it get a little hard because (based on the experience I have had), you have more softer definitions you place into
those top level objects, they are not straight out IP addresses, MD5’s or email addresses.


 


Do others seeing the sighting object as being a construct which would more times than not be something that is auto-generated by various systems, rather than
a construct put together manually which include thought and analysis ? (that’s not to say that you couldn’t do that, just that it is a lot harder).


 


Personally, I prefer option 1.


 


Regards,


 


Dean


 


 




From:   cti-stix@lists.oasis-open.org   [ mailto:cti-stix@lists.oasis-open.org ]   On
Behalf Of   Terry MacDonald
Sent:   Tuesday, 27 October 2015 9:57 AM
To:   Terry MacDonald; Jason Keirstead
Cc:   cti-stix@lists.oasis-open.org
Subject:   RE: [cti-stix] Top-level Sighting Object from last meeting




 


Hi All,


 


One other thing I wanted to highlight was a point raised by Aharon late last week in the STIX meeting. We need to discuss what exactly we want
the Sighting Object to be able to reference. As I understand it the available options are:


 


·            Should
a Sighting Object only reference ‘detected’ information (e.g. Observable Instances   only   – most similar to an Indicator)


OR


·            Should
a Sighting Object reference   any   other top-level Object (e.g. Threat Actor’s, TTPs, etc). This will be the most flexible and least restrictive for the future.


OR


·            Should
a Sighting Object reference   some   top-level Objects based on STIX model  (e.g. Threat Actor’s, TTPs, Indicators, Incident, Report)


 


My   personal   preference is for the first option – but
I am very interested in what others think. I think we need to scope the Sighting object and discuss its purpose fairly early on to work out exactly where it will fit in the model.


 


Cheers


 



Terry MacDonald


Senior STIX Subject Matter Expert


SOLTRA   An FS-ISAC and DTCC Company


+61 (407) 203 206   terry@soltra.com


 



 




From:   cti-stix@lists.oasis-open.org   [ mailto:cti-stix@lists.oasis-open.org ]   On
Behalf Of   Terry MacDonald
Sent:   Tuesday, 27 October 2015 9:21 AM
To:   Jason Keirstead < Jason.Keirstead@ca.ibm.com >
Cc:   cti-stix@lists.oasis-open.org
Subject:   RE: [cti-stix] Top-level Sighting Object from last meeting




 


Hi Jason


 


- What is "Alternative_ID" ?


 


The Alternative_ID was taken from the IndicatorType object.  From that object’s description it ‘Specifies an alternative identifier (or alias)
for the cyber threat Indicator.’. The idea was to allow the Sighting to have a reference of some kind, referring back to the ID that the tool that identified it had given it. It may not be useful in the Sighting context but I wanted to include it just in case.
TBH we may want to think more about how we handle ‘aliases’ in general across the whole STIX model…


 


- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.


 


Yes, my thinking was that a subset of the Sighting fields would be mandatory. I’ve suggested some below but would really like to see what everyone
else thinks.


 


Suggested Mandatory Fields


·            Version


·            Title


·            Timestamp
/ Time Period


·            One
or more referenced objects (i.e. idref) – ( This would be done via Top-level relationship object )


 


Suggested Optional Fields


·            Sighting
Count


·            Timestamp
/ Time Period


·            Victim
Organization information


·            Producer
Organization information


·            Sighting
Confidence


·            TLP
/ Data Markings


·            Alternative
Sighting ID


·            Sighting
Type


·            Description


·            Short
Description


 


Mark’s other post earlier today reminded me that I had earlier requested a Sighting object last year ( https://github.com/STIXProject/schemas/issues/306 ).
In there I even drew a nice updated STIX model diagram to include where I personally saw the Sighting object located (thanks to Bret for the visio). But this may help provide more context?


 


<image001.jpg>


Please note this reflects my own personal viewpoint.


 


Cheers


 


Terry MacDonald


Senior STIX Subject Matter Expert


SOLTRA   An FS-ISAC and DTCC Company


+61 (407) 203 206   terry@soltra.com


 


 


From:   cti-stix@lists.oasis-open.org   [ mailto:cti-stix@lists.oasis-open.org ]   On
Behalf Of   Jason Keirstead
Sent:   Tuesday, 27 October 2015 8:34 AM
To:   Terry MacDonald < terry@soltra.com >
Cc:   cti-stix@lists.oasis-open.org
Subject:   Re: [cti-stix] Top-level Sighting Object from last meeting


 




Questions




 




- What is "Alternative_ID" ?




 




- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.




 




-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security     www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown  



 




 





Original message -----
From: Terry MacDonald < terry@soltra.com >
Sent by: < cti-stix@lists.oasis-open.org >
To: " cti-stix@lists.oasis-open.org "
< cti-stix@lists.oasis-open.org >
Cc:
Subject: [cti-stix] Top-level Sighting Object from last meeting
Date: Mon, Oct 26, 2015 2:00 PM
 


Hi All,
 
Given the flurry of discussions about features for STIX v2.0, it’s probably the right time to resend
the top-level STIX Sighting Object conversation starter out again.  So here are the slides. Please feel free to comment/feedback/complain/call me names.  
 
Please note – the strawman UML model is an abstraction based on the use of the Sighting Object only
for Observable Instances; it assumes that Indicators will similarly be restricted to only allowing Observable Patterns. The idea being that Indicators = ‘things to look for’ and Sightings = ‘things we’ve found’.
 
Cheers
 
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA  
An FS-ISAC and DTCC Company
+61 (407) 203 206   terry@soltra.com
 
 



 




---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php  







--------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at:   https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php



 




This e-mail and any attachments to it (the "Communication") is, unless otherwise stated, confidential, may contain copyright material and is for the use only of the intended
recipient. If you receive the Communication in error, please notify the sender immediately by return e-mail, delete the Communication and the return e-mail, and do not read, copy, retransmit or otherwise deal with it. Any views expressed in the Communication
are those of the individual sender only, unless expressly stated to be those of Australia and New Zealand Banking Group Limited ABN 11 005 357 522, or any of its related entities including ANZ Bank New Zealand Limited (together "ANZ"). ANZ does not accept
liability in connection with the integrity of or errors in the Communication, computer virus, data corruption, interference or delay arising from or in respect of the Communication.




 

DTCC DISCLAIMER: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify us immediately and delete the email and any attachments from your system. The recipient should check this email and any attachments for the presence of viruses.  The company accepts no liability for any damage caused by any virus transmitted by this email.

The best use case I can think of for automated non-observable (non-indicator?) sightings is TTPs: for example, a virus scanner might say they found a piece of malware (TTP/Malware) or an application security firewall might say that it saw some SQLi attempts
(TTP/Attack_Pattern).


I don’t know what I’m suggesting here, just a use case I thought I’d throw out. I do like the idea of having some kind of “not quite incident but kinda like incident” construct to represent things like this and limiting Sighting to just things
we have an observable for, but I can imagine the objection people have when they wonder whether to produce a “Sighting” or an “Event” or an “Incident".


John



On Oct 28, 2015, at 6:37 AM, Bush, Jonathan < jbush@dtcc.com > wrote:






I agree with that as well.  In fact, as I read your statement Bret, I thought “if this isn’t the case, what are the chances that anyone would ever really use them?”.
There would simply be too much manual data entry to be practical.  These are the kinds of call-outs that we all need to identify and keep in mind.  In this particular
situation, it may not change how we design the object, but I suppose it could in some less-than-obvious way.
 
Great stuff…
 


From:
cti-stix@lists.oasis-open.org [ mailto:cti-stix@lists.oasis-open.org ]
On Behalf Of Jordan, Bret
Sent: Tuesday, October 27, 2015 6:23 PM
To: Thompson, Dean
Cc: Terry MacDonald; Jason Keirstead;
cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Top-level Sighting Object from last meeting


 
I think the vast majority of sightings will be more or less auto generated.  There may be a need to support sightings of other higher level objects, but the quantity or volume of those will be really small in relative terms.







 


Thanks,


 


Bret



 


 


 



Bret Jordan CISSP

Director of Security Architecture and Standards Office of the CTO


Blue Coat Systems



PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050


"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 









 



On Oct 27, 2015, at 15:13, Thompson, Dean < Dean.Thompson@anz.com > wrote:

 


 


Hi!,


 


Does this depend on what is producing the sighting object ?, for example the first option appeals to me because from an ability to auto-script and
generate it could be potentially easy to make those links of observations to a sighting object.  With regards to “Threat Actor’s” and “TTP’s”, doesn’t it get a little hard because (based on the experience I have had), you have more softer definitions you place
into those top level objects, they are not straight out IP addresses, MD5’s or email addresses.


 


Do others seeing the sighting object as being a construct which would more times than not be something that is auto-generated by various systems, rather
than a construct put together manually which include thought and analysis ? (that’s not to say that you couldn’t do that, just that it is a lot harder).


 


Personally, I prefer option 1.


 


Regards,


 


Dean


 


 




From:   cti-stix@lists.oasis-open.org   [ mailto:cti-stix@lists.oasis-open.org ]   On
Behalf Of   Terry MacDonald
Sent:   Tuesday, 27 October 2015 9:57 AM
To:   Terry MacDonald; Jason Keirstead
Cc:   cti-stix@lists.oasis-open.org
Subject:   RE: [cti-stix] Top-level Sighting Object from last meeting




 


Hi All,


 


One other thing I wanted to highlight was a point raised by Aharon late last week in the STIX meeting. We need to discuss what exactly
we want the Sighting Object to be able to reference. As I understand it the available options are:


 


·            Should
a Sighting Object only reference ‘detected’ information (e.g. Observable Instances   only   – most similar to an Indicator)


OR


·            Should
a Sighting Object reference   any   other top-level Object (e.g. Threat Actor’s, TTPs, etc). This will be the most flexible and least restrictive for the future.


OR


·            Should
a Sighting Object reference   some   top-level Objects based on STIX model  (e.g. Threat Actor’s, TTPs, Indicators, Incident, Report)


 


My   personal   preference is for the
first option – but I am very interested in what others think. I think we need to scope the Sighting object and discuss its purpose fairly early on to work out exactly where it will fit in the model.


 


Cheers


 



Terry MacDonald


Senior STIX Subject Matter Expert


SOLTRA   An FS-ISAC and DTCC Company


+61 (407) 203 206   terry@soltra.com


 



 




From:   cti-stix@lists.oasis-open.org   [ mailto:cti-stix@lists.oasis-open.org ]   On
Behalf Of   Terry MacDonald
Sent:   Tuesday, 27 October 2015 9:21 AM
To:   Jason Keirstead < Jason.Keirstead@ca.ibm.com >
Cc:   cti-stix@lists.oasis-open.org
Subject:   RE: [cti-stix] Top-level Sighting Object from last meeting




 


Hi Jason


 


- What is "Alternative_ID" ?


 


The Alternative_ID was taken from the IndicatorType object.  From that object’s description it ‘Specifies an alternative identifier (or
alias) for the cyber threat Indicator.’. The idea was to allow the Sighting to have a reference of some kind, referring back to the ID that the tool that identified it had given it. It may not be useful in the Sighting context but I wanted to include it just
in case. TBH we may want to think more about how we handle ‘aliases’ in general across the whole STIX model…


 


- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.


 


Yes, my thinking was that a subset of the Sighting fields would be mandatory. I’ve suggested some below but would really like to see what
everyone else thinks.


 


Suggested Mandatory Fields


·            Version


·            Title


·            Timestamp
/ Time Period


·            One
or more referenced objects (i.e. idref) – ( This would be done via Top-level relationship object )


 


Suggested Optional Fields


·            Sighting
Count


·            Timestamp
/ Time Period


·            Victim
Organization information


·            Producer
Organization information


·            Sighting
Confidence


·            TLP
/ Data Markings


·            Alternative
Sighting ID


·            Sighting
Type


·            Description


·            Short
Description


 


Mark’s other post earlier today reminded me that I had earlier requested a Sighting object last year ( https://github.com/STIXProject/schemas/issues/306 ).
In there I even drew a nice updated STIX model diagram to include where I personally saw the Sighting object located (thanks to Bret for the visio). But this may help provide more context?


 


<image001.jpg>


Please note this reflects my own personal viewpoint.


 


Cheers


 


Terry MacDonald


Senior STIX Subject Matter Expert


SOLTRA   An FS-ISAC and DTCC Company


+61 (407) 203 206   terry@soltra.com


 


 


From:   cti-stix@lists.oasis-open.org   [ mailto:cti-stix@lists.oasis-open.org ]   On
Behalf Of   Jason Keirstead
Sent:   Tuesday, 27 October 2015 8:34 AM
To:   Terry MacDonald < terry@soltra.com >
Cc:   cti-stix@lists.oasis-open.org
Subject:   Re: [cti-stix] Top-level Sighting Object from last meeting


 




Questions




 




- What is "Alternative_ID" ?




 




- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.




 




-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security     www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown  



 




 





Original message -----
From: Terry MacDonald < terry@soltra.com >
Sent by: < cti-stix@lists.oasis-open.org >
To: " cti-stix@lists.oasis-open.org "
< cti-stix@lists.oasis-open.org >
Cc:
Subject: [cti-stix] Top-level Sighting Object from last meeting
Date: Mon, Oct 26, 2015 2:00 PM
 


Hi All,
 
Given the flurry of discussions about features for STIX v2.0, it’s probably the right time
to resend the top-level STIX Sighting Object conversation starter out again.  So here are the slides. Please feel free to comment/feedback/complain/call me names.  
 
Please note – the strawman UML model is an abstraction based on the use of the Sighting Object
only for Observable Instances; it assumes that Indicators will similarly be restricted to only allowing Observable Patterns. The idea being that Indicators = ‘things to look for’ and Sightings = ‘things we’ve found’.
 
Cheers
 
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA  
An FS-ISAC and DTCC Company
+61 (407) 203 206   terry@soltra.com
 
 



 




---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php  







--------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at:   https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php



 




This e-mail and any attachments to it (the "Communication") is, unless otherwise stated, confidential, may contain copyright material and is for the use only of
the intended recipient. If you receive the Communication in error, please notify the sender immediately by return e-mail, delete the Communication and the return e-mail, and do not read, copy, retransmit or otherwise deal with it. Any views expressed in the
Communication are those of the individual sender only, unless expressly stated to be those of Australia and New Zealand Banking Group Limited ABN 11 005 357 522, or any of its related entities including ANZ Bank New Zealand Limited (together "ANZ"). ANZ does
not accept liability in connection with the integrity of or errors in the Communication, computer virus, data corruption, interference or delay arising from or in respect of the Communication.




 


DTCC DISCLAIMER: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify us immediately and delete the email
and any attachments from your system. The recipient should check this email and any attachments for the presence of viruses.  The company accepts no liability for any damage caused by any virus transmitted by this email.

Just a question while we're trying to define sightings on the top level. By what mechanism(s) looking at the UML? In the beginning of this thread, it looks like we'll be using id/idref.

Going off John W's example for TTP/CAPEC, I imagine it would be worth while to denote you saw CAPEC-66, regardless of value of the string id/idref of the element or parent TTP, and do some action (re-sharing, reporting, etc.).


The mechanism(s) used within the Sightings may evolve from solutions agreed upon within other discussions like id-objects. Which makes this a nested use-case when you try to bisect it.

Is the scenario the above, creating/matching a sightings based on content rather than id/idref, a valid use-case for the community?

-Marlon
 

From : Wunder, John A. [mailto:jwunder@mitre.org]

Sent : Wednesday, October 28, 2015 09:07 AM
To : Bush, Jonathan <jbush@dtcc.com>
Cc : Jordan, Bret <bret.jordan@bluecoat.com>; Thompson, Dean <Dean.Thompson@anz.com>; Terry MacDonald <terry@soltra.com>; Jason Keirstead <Jason.Keirstead@ca.ibm.com>; cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org>

Subject : Re: [cti-stix] Top-level Sighting Object from last meeting
 

The best use case I can think of for automated non-observable (non-indicator?) sightings is TTPs: for example, a virus scanner might say they found a piece of malware (TTP/Malware) or an application security firewall might say that it saw some SQLi attempts
(TTP/Attack_Pattern).


I don’t know what I’m suggesting here, just a use case I thought I’d throw out. I do like the idea of having some kind of “not quite incident but kinda like incident” construct to represent things like this and limiting Sighting to just things
we have an observable for, but I can imagine the objection people have when they wonder whether to produce a “Sighting” or an “Event” or an “Incident".


John



On Oct 28, 2015, at 6:37 AM, Bush, Jonathan < jbush@dtcc.com > wrote:






I agree with that as well.  In fact, as I read your statement Bret, I thought “if this isn’t the case, what are the chances that anyone would ever really use them?”.
There would simply be too much manual data entry to be practical.  These are the kinds of call-outs that we all need to identify and keep in mind.  In this particular
situation, it may not change how we design the object, but I suppose it could in some less-than-obvious way.
 
Great stuff…
 


From:
cti-stix@lists.oasis-open.org [ mailto:cti-stix@lists.oasis-open.org ]
On Behalf Of Jordan, Bret
Sent: Tuesday, October 27, 2015 6:23 PM
To: Thompson, Dean
Cc: Terry MacDonald; Jason Keirstead;
cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Top-level Sighting Object from last meeting


 
I think the vast majority of sightings will be more or less auto generated.  There may be a need to support sightings of other higher level objects, but the quantity or volume of those will be really small in relative terms.







 


Thanks,


 


Bret



 


 


 



Bret Jordan CISSP

Director of Security Architecture and Standards Office of the CTO


Blue Coat Systems



PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050


"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 









 



On Oct 27, 2015, at 15:13, Thompson, Dean < Dean.Thompson@anz.com > wrote:

 


 


Hi!,


 


Does this depend on what is producing the sighting object ?, for example the first option appeals to me because from an ability to auto-script and
generate it could be potentially easy to make those links of observations to a sighting object.  With regards to “Threat Actor’s” and “TTP’s”, doesn’t it get a little hard because (based on the experience I have had), you have more softer definitions you place
into those top level objects, they are not straight out IP addresses, MD5’s or email addresses.


 


Do others seeing the sighting object as being a construct which would more times than not be something that is auto-generated by various systems, rather
than a construct put together manually which include thought and analysis ? (that’s not to say that you couldn’t do that, just that it is a lot harder).


 


Personally, I prefer option 1.


 


Regards,


 


Dean


 


 




From:   cti-stix@lists.oasis-open.org   [ mailto:cti-stix@lists.oasis-open.org ]   On
Behalf Of   Terry MacDonald
Sent:   Tuesday, 27 October 2015 9:57 AM
To:   Terry MacDonald; Jason Keirstead
Cc:   cti-stix@lists.oasis-open.org
Subject:   RE: [cti-stix] Top-level Sighting Object from last meeting




 


Hi All,


 


One other thing I wanted to highlight was a point raised by Aharon late last week in the STIX meeting. We need to discuss what exactly
we want the Sighting Object to be able to reference. As I understand it the available options are:


 


·            Should
a Sighting Object only reference ‘detected’ information (e.g. Observable Instances   only   – most similar to an Indicator)


OR


·            Should
a Sighting Object reference   any   other top-level Object (e.g. Threat Actor’s, TTPs, etc). This will be the most flexible and least restrictive for the future.


OR


·            Should
a Sighting Object reference   some   top-level Objects based on STIX model  (e.g. Threat Actor’s, TTPs, Indicators, Incident, Report)


 


My   personal   preference is for the
first option – but I am very interested in what others think. I think we need to scope the Sighting object and discuss its purpose fairly early on to work out exactly where it will fit in the model.


 


Cheers


 



Terry MacDonald


Senior STIX Subject Matter Expert


SOLTRA   An FS-ISAC and DTCC Company


+61 (407) 203 206   terry@soltra.com


 



 




From:   cti-stix@lists.oasis-open.org   [ mailto:cti-stix@lists.oasis-open.org ]   On
Behalf Of   Terry MacDonald
Sent:   Tuesday, 27 October 2015 9:21 AM
To:   Jason Keirstead < Jason.Keirstead@ca.ibm.com >
Cc:   cti-stix@lists.oasis-open.org
Subject:   RE: [cti-stix] Top-level Sighting Object from last meeting




 


Hi Jason


 


- What is "Alternative_ID" ?


 


The Alternative_ID was taken from the IndicatorType object.  From that object’s description it ‘Specifies an alternative identifier (or
alias) for the cyber threat Indicator.’. The idea was to allow the Sighting to have a reference of some kind, referring back to the ID that the tool that identified it had given it. It may not be useful in the Sighting context but I wanted to include it just
in case. TBH we may want to think more about how we handle ‘aliases’ in general across the whole STIX model…


 


- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.


 


Yes, my thinking was that a subset of the Sighting fields would be mandatory. I’ve suggested some below but would really like to see what
everyone else thinks.


 


Suggested Mandatory Fields


·            Version


·            Title


·            Timestamp
/ Time Period


·            One
or more referenced objects (i.e. idref) – ( This would be done via Top-level relationship object )


 


Suggested Optional Fields


·            Sighting
Count


·            Timestamp
/ Time Period


·            Victim
Organization information


·            Producer
Organization information


·            Sighting
Confidence


·            TLP
/ Data Markings


·            Alternative
Sighting ID


·            Sighting
Type


·            Description


·            Short
Description


 


Mark’s other post earlier today reminded me that I had earlier requested a Sighting object last year ( https://github.com/STIXProject/schemas/issues/306 ).
In there I even drew a nice updated STIX model diagram to include where I personally saw the Sighting object located (thanks to Bret for the visio). But this may help provide more context?


 


<image001.jpg>


Please note this reflects my own personal viewpoint.


 


Cheers


 


Terry MacDonald


Senior STIX Subject Matter Expert


SOLTRA   An FS-ISAC and DTCC Company


+61 (407) 203 206   terry@soltra.com


 


 


From:   cti-stix@lists.oasis-open.org   [ mailto:cti-stix@lists.oasis-open.org ]   On
Behalf Of   Jason Keirstead
Sent:   Tuesday, 27 October 2015 8:34 AM
To:   Terry MacDonald < terry@soltra.com >
Cc:   cti-stix@lists.oasis-open.org
Subject:   Re: [cti-stix] Top-level Sighting Object from last meeting


 




Questions




 




- What is "Alternative_ID" ?




 




- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.




 




-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security     www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown  



 




 





Original message -----
From: Terry MacDonald < terry@soltra.com >
Sent by: < cti-stix@lists.oasis-open.org >
To: " cti-stix@lists.oasis-open.org "
< cti-stix@lists.oasis-open.org >
Cc:
Subject: [cti-stix] Top-level Sighting Object from last meeting
Date: Mon, Oct 26, 2015 2:00 PM
 


Hi All,
 
Given the flurry of discussions about features for STIX v2.0, it’s probably the right time
to resend the top-level STIX Sighting Object conversation starter out again.  So here are the slides. Please feel free to comment/feedback/complain/call me names.  
 
Please note – the strawman UML model is an abstraction based on the use of the Sighting Object
only for Observable Instances; it assumes that Indicators will similarly be restricted to only allowing Observable Patterns. The idea being that Indicators = ‘things to look for’ and Sightings = ‘things we’ve found’.
 
Cheers
 
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA  
An FS-ISAC and DTCC Company
+61 (407) 203 206   terry@soltra.com
 
 



 




---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php  







--------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at:   https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php



 




This e-mail and any attachments to it (the "Communication") is, unless otherwise stated, confidential, may contain copyright material and is for the use only of
the intended recipient. If you receive the Communication in error, please notify the sender immediately by return e-mail, delete the Communication and the return e-mail, and do not read, copy, retransmit or otherwise deal with it. Any views expressed in the
Communication are those of the individual sender only, unless expressly stated to be those of Australia and New Zealand Banking Group Limited ABN 11 005 357 522, or any of its related entities including ANZ Bank New Zealand Limited (together "ANZ"). ANZ does
not accept liability in connection with the integrity of or errors in the Communication, computer virus, data corruption, interference or delay arising from or in respect of the Communication.




 


DTCC DISCLAIMER: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify us immediately and delete the email
and any attachments from your system. The recipient should check this email and any attachments for the presence of viruses.  The company accepts no liability for any damage caused by any virus transmitted by this email.

John,
 
Maybe this is a potential delineation then:
 
Observable Instances with extra context = Sightings
Not like an Incident but Kinda like an Incident = Investigation/Tagging object (as I proposed yesterday).
 
This would allow the ‘grouping’ aspect to be handled by the Investigation(tagging) object, and the ‘these are things I’ve seen’ aspect
to be handled by the Sightings object.  The delineation is clear enough to make both objects easy to understand.
 
Cheers
 

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC and DTCC Company
+61 (407) 203 206
terry@soltra.com
 

 


From: Wunder, John A. [mailto:jwunder@mitre.org]

Sent: Thursday, 29 October 2015 12:08 AM
To: Jonathan Bush (DTCC) <jbush@dtcc.com>
Cc: Jordan, Bret <bret.jordan@bluecoat.com>; Thompson, Dean <Dean.Thompson@anz.com>; Terry MacDonald <terry@soltra.com>; Jason Keirstead <Jason.Keirstead@ca.ibm.com>; cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Top-level Sighting Object from last meeting


 
The best use case I can think of for automated non-observable (non-indicator?) sightings is TTPs: for example, a virus scanner might say they found a piece of malware (TTP/Malware) or an application security firewall might say that it saw
some SQLi attempts (TTP/Attack_Pattern).

 


I don’t know what I’m suggesting here, just a use case I thought I’d throw out. I do like the idea of having some kind of “not quite incident but kinda like incident” construct to represent things like this and limiting Sighting to just
things we have an observable for, but I can imagine the objection people have when they wonder whether to produce a “Sighting” or an “Event” or an “Incident".

 


John


 



On Oct 28, 2015, at 6:37 AM, Bush, Jonathan < jbush@dtcc.com > wrote:

 


I agree with that as well.  In fact, as I read your statement Bret, I thought “if this isn’t the case, what are the chances that anyone would ever really use them?”.
There would simply be too much manual data entry to be practical.  These are the kinds of call-outs that we all need to identify and keep in mind.  In this particular
situation, it may not change how we design the object, but I suppose it could in some less-than-obvious way.
 
Great stuff…
 


From:
cti-stix@lists.oasis-open.org [ mailto:cti-stix@lists.oasis-open.org ]
On Behalf Of Jordan, Bret
Sent: Tuesday, October 27, 2015 6:23 PM
To: Thompson, Dean
Cc: Terry MacDonald; Jason Keirstead;
cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Top-level Sighting Object from last meeting


 
I think the vast majority of sightings will be more or less auto generated.  There may be a need to support sightings of other higher level objects, but the quantity or volume of those will be really small in relative
terms.







 


Thanks,


 


Bret



 


 


 



Bret Jordan CISSP

Director of Security Architecture and Standards Office of the CTO


Blue Coat Systems



PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050


"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 









 



On Oct 27, 2015, at 15:13, Thompson, Dean < Dean.Thompson@anz.com > wrote:

 


 


Hi!,


 


Does this depend on what is producing the sighting object ?, for example the first option appeals to me because from an ability to auto-script and
generate it could be potentially easy to make those links of observations to a sighting object.  With regards to “Threat Actor’s” and “TTP’s”, doesn’t it get a little hard because (based on the experience I have had), you have more softer definitions you place
into those top level objects, they are not straight out IP addresses, MD5’s or email addresses.


 


Do others seeing the sighting object as being a construct which would more times than not be something that is auto-generated by various systems,
rather than a construct put together manually which include thought and analysis ? (that’s not to say that you couldn’t do that, just that it is a lot harder).


 


Personally, I prefer option 1.


 


Regards,


 


Dean


 


 




From:   cti-stix@lists.oasis-open.org   [ mailto:cti-stix@lists.oasis-open.org ]   On
Behalf Of   Terry MacDonald
Sent:   Tuesday, 27 October 2015 9:57 AM
To:   Terry MacDonald; Jason Keirstead
Cc:   cti-stix@lists.oasis-open.org
Subject:   RE: [cti-stix] Top-level Sighting Object from last meeting




 


Hi All,


 


One other thing I wanted to highlight was a point raised by Aharon late last week in the STIX meeting. We need to discuss what exactly we want the Sighting Object
to be able to reference. As I understand it the available options are:


 


·            Should
a Sighting Object only reference ‘detected’ information (e.g. Observable Instances   only   – most similar to an Indicator)


OR


·            Should
a Sighting Object reference   any   other top-level Object (e.g. Threat Actor’s, TTPs, etc). This will be the most flexible and least restrictive for the future.


OR


·            Should
a Sighting Object reference   some   top-level Objects based on STIX model  (e.g. Threat Actor’s, TTPs, Indicators, Incident, Report)


 


My   personal   preference is for the first option – but I am very interested
in what others think. I think we need to scope the Sighting object and discuss its purpose fairly early on to work out exactly where it will fit in the model.


 


Cheers


 



Terry MacDonald


Senior STIX Subject Matter Expert


SOLTRA   An FS-ISAC and DTCC Company


+61 (407) 203 206   terry@soltra.com


 



 




From:   cti-stix@lists.oasis-open.org   [ mailto:cti-stix@lists.oasis-open.org ]   On
Behalf Of   Terry MacDonald
Sent:   Tuesday, 27 October 2015 9:21 AM
To:   Jason Keirstead < Jason.Keirstead@ca.ibm.com >
Cc:   cti-stix@lists.oasis-open.org
Subject:   RE: [cti-stix] Top-level Sighting Object from last meeting




 


Hi Jason


 


- What is "Alternative_ID" ?


 


The Alternative_ID was taken from the IndicatorType object.  From that object’s description it ‘Specifies an alternative identifier (or alias) for the cyber threat
Indicator.’. The idea was to allow the Sighting to have a reference of some kind, referring back to the ID that the tool that identified it had given it. It may not be useful in the Sighting context but I wanted to include it just in case. TBH we may want
to think more about how we handle ‘aliases’ in general across the whole STIX model…


 


- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.


 


Yes, my thinking was that a subset of the Sighting fields would be mandatory. I’ve suggested some below but would really like to see what everyone else thinks.


 


Suggested Mandatory Fields


·            Version


·            Title


·            Timestamp
/ Time Period


·            One
or more referenced objects (i.e. idref) – ( This would be done via Top-level relationship object )


 


Suggested Optional Fields


·            Sighting
Count


·            Timestamp
/ Time Period


·            Victim
Organization information


·            Producer
Organization information


·            Sighting
Confidence


·            TLP
/ Data Markings


·            Alternative
Sighting ID


·            Sighting
Type


·            Description


·            Short
Description


 


Mark’s other post earlier today reminded me that I had earlier requested a Sighting object last year ( https://github.com/STIXProject/schemas/issues/306 ).
In there I even drew a nice updated STIX model diagram to include where I personally saw the Sighting object located (thanks to Bret for the visio). But this may help provide more context?


 


<image001.jpg>


Please note this reflects my own personal viewpoint.


 


Cheers


 


Terry MacDonald


Senior STIX Subject Matter Expert


SOLTRA   An FS-ISAC and DTCC Company


+61 (407) 203 206   terry@soltra.com


 


 


From:   cti-stix@lists.oasis-open.org   [ mailto:cti-stix@lists.oasis-open.org ]   On
Behalf Of   Jason Keirstead
Sent:   Tuesday, 27 October 2015 8:34 AM
To:   Terry MacDonald < terry@soltra.com >
Cc:   cti-stix@lists.oasis-open.org
Subject:   Re: [cti-stix] Top-level Sighting Object from last meeting


 




Questions




 




- What is "Alternative_ID" ?




 




- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.




 




-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security     www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown  



 




 





Original message -----
From: Terry MacDonald < terry@soltra.com >
Sent by: < cti-stix@lists.oasis-open.org >
To: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >
Cc:
Subject: [cti-stix] Top-level Sighting Object from last meeting
Date: Mon, Oct 26, 2015 2:00 PM
 


Hi All,
 
Given the flurry of discussions about features for STIX v2.0, it’s probably the right time to resend the top-level
STIX Sighting Object conversation starter out again.  So here are the slides. Please feel free to comment/feedback/complain/call me names.  
 
Please note – the strawman UML model is an abstraction based on the use of the Sighting Object only for Observable
Instances; it assumes that Indicators will similarly be restricted to only allowing Observable Patterns. The idea being that Indicators = ‘things to look for’ and Sightings = ‘things we’ve found’.
 
Cheers
 
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC and DTCC Company
+61 (407) 203 206   terry@soltra.com
 
 



 




---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php  







--------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at:   https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php



 




This e-mail and any attachments to it (the "Communication") is, unless otherwise stated, confidential, may contain copyright material and is for the use only
of the intended recipient. If you receive the Communication in error, please notify the sender immediately by return e-mail, delete the Communication and the return e-mail, and do not read, copy, retransmit or otherwise deal with it. Any views expressed in
the Communication are those of the individual sender only, unless expressly stated to be those of Australia and New Zealand Banking Group Limited ABN 11 005 357 522, or any of its related entities including ANZ Bank New Zealand Limited (together "ANZ"). ANZ
does not accept liability in connection with the integrity of or errors in the Communication, computer virus, data corruption, interference or delay arising from or in respect of the Communication.




 

DTCC DISCLAIMER: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify us immediately and delete the email
and any attachments from your system. The recipient should check this email and any attachments for the presence of viruses.  The company accepts no liability for any damage caused by any virus transmitted by this email.




 

I think the vast majority of sightings will be more or less auto generated.  There may be a need to support sightings of other higher level objects, but the quantity or volume of those will be really small in relative terms. Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.   On Oct 27, 2015, at 15:13, Thompson, Dean < Dean.Thompson@anz.com > wrote:   Hi!,   Does this depend on what is producing the sighting object ?, for example the first option appeals to me because from an ability to auto-script and generate it could be potentially easy to make those links of observations to a sighting object.  With regards to “Threat Actor’s” and “TTP’s”, doesn’t it get a little hard because (based on the experience I have had), you have more softer definitions you place into those top level objects, they are not straight out IP addresses, MD5’s or email addresses.   Do others seeing the sighting object as being a construct which would more times than not be something that is auto-generated by various systems, rather than a construct put together manually which include thought and analysis ? (that’s not to say that you couldn’t do that, just that it is a lot harder).   Personally, I prefer option 1.   Regards,   Dean     From:   cti-stix@lists.oasis-open.org   [ mailto:cti-stix@lists.oasis-open.org ]   On Behalf Of   Terry MacDonald Sent:   Tuesday, 27 October 2015 9:57 AM To:   Terry MacDonald; Jason Keirstead Cc:   cti-stix@lists.oasis-open.org Subject:   RE: [cti-stix] Top-level Sighting Object from last meeting   Hi All,   One other thing I wanted to highlight was a point raised by Aharon late last week in the STIX meeting. We need to discuss what exactly we want the Sighting Object to be able to reference. As I understand it the available options are:   ·            Should a Sighting Object only reference ‘detected’ information (e.g. Observable Instances   only   – most similar to an Indicator) OR ·            Should a Sighting Object reference   any   other top-level Object (e.g. Threat Actor’s, TTPs, etc). This will be the most flexible and least restrictive for the future. OR ·            Should a Sighting Object reference   some   top-level Objects based on STIX model  (e.g. Threat Actor’s, TTPs, Indicators, Incident, Report)   My   personal   preference is for the first option – but I am very interested in what others think. I think we need to scope the Sighting object and discuss its purpose fairly early on to work out exactly where it will fit in the model.   Cheers   Terry MacDonald Senior STIX Subject Matter Expert SOLTRA   An FS-ISAC and DTCC Company +61 (407) 203 206   terry@soltra.com     From:   cti-stix@lists.oasis-open.org   [ mailto:cti-stix@lists.oasis-open.org ]   On Behalf Of   Terry MacDonald Sent:   Tuesday, 27 October 2015 9:21 AM To:   Jason Keirstead < Jason.Keirstead@ca.ibm.com > Cc:   cti-stix@lists.oasis-open.org Subject:   RE: [cti-stix] Top-level Sighting Object from last meeting   Hi Jason   - What is Alternative_ID ?   The Alternative_ID was taken from the IndicatorType object.  From that object’s description it ‘Specifies an alternative identifier (or alias) for the cyber threat Indicator.’. The idea was to allow the Sighting to have a reference of some kind, referring back to the ID that the tool that identified it had given it. It may not be useful in the Sighting context but I wanted to include it just in case. TBH we may want to think more about how we handle ‘aliases’ in general across the whole STIX model…   - Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.   Yes, my thinking was that a subset of the Sighting fields would be mandatory. I’ve suggested some below but would really like to see what everyone else thinks.   Suggested Mandatory Fields ·            Version ·            Title ·            Timestamp / Time Period ·            One or more referenced objects (i.e. idref) – ( This would be done via Top-level relationship object )   Suggested Optional Fields ·            Sighting Count ·            Timestamp / Time Period ·            Victim Organization information ·            Producer Organization information ·            Sighting Confidence ·            TLP / Data Markings ·            Alternative Sighting ID ·            Sighting Type ·            Description ·            Short Description   Mark’s other post earlier today reminded me that I had earlier requested a Sighting object last year ( https://github.com/STIXProject/schemas/issues/306 ). In there I even drew a nice updated STIX model diagram to include where I personally saw the Sighting object located (thanks to Bret for the visio). But this may help provide more context?   <image001.jpg> Please note this reflects my own personal viewpoint.   Cheers   Terry MacDonald Senior STIX Subject Matter Expert SOLTRA   An FS-ISAC and DTCC Company +61 (407) 203 206   terry@soltra.com     From:   cti-stix@lists.oasis-open.org   [ mailto:cti-stix@lists.oasis-open.org ]   On Behalf Of   Jason Keirstead Sent:   Tuesday, 27 October 2015 8:34 AM To:   Terry MacDonald < terry@soltra.com > Cc:   cti-stix@lists.oasis-open.org Subject:   Re: [cti-stix] Top-level Sighting Object from last meeting   Questions   - What is Alternative_ID ?   - Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.   - Jason Keirstead Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security     www.securityintelligence.com Without data, all you are is just another person with an opinion - Unknown      
Original message ----- From: Terry MacDonald < terry@soltra.com > Sent by: < cti-stix@lists.oasis-open.org > To: cti-stix@lists.oasis-open.org < cti-stix@lists.oasis-open.org > Cc: Subject: [cti-stix] Top-level Sighting Object from last meeting Date: Mon, Oct 26, 2015 2:00 PM   Hi All,   Given the flurry of discussions about features for STIX v2.0, it’s probably the right time to resend the top-level STIX Sighting Object conversation starter out again.  So here are the slides. Please feel free to comment/feedback/complain/call me names.     Please note – the strawman UML model is an abstraction based on the use of the Sighting Object only for Observable Instances; it assumes that Indicators will similarly be restricted to only allowing Observable Patterns. The idea being that Indicators = ‘things to look for’ and Sightings = ‘things we’ve found’.   Cheers   Terry MacDonald Senior STIX Subject Matter Expert SOLTRA   An FS-ISAC and DTCC Company +61 (407) 203 206   terry@soltra.com       --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail.  Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php   --------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at:   https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php This e-mail and any attachments to it (the Communication ) is, unless otherwise stated, confidential, may contain copyright material and is for the use only of the intended recipient. If you receive the Communication in error, please notify the sender immediately by return e-mail, delete the Communication and the return e-mail, and do not read, copy, retransmit or otherwise deal with it. Any views expressed in the Communication are those of the individual sender only, unless expressly stated to be those of Australia and New Zealand Banking Group Limited ABN 11 005 357 522, or any of its related entities including ANZ Bank New Zealand Limited (together ANZ ). ANZ does not accept liability in connection with the integrity of or errors in the Communication, computer virus, data corruption, interference or delay arising from or in respect of the Communication.

Must a sighting have an indicator or can you observe something “ad hoc”?
 


From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org]
On Behalf Of Jason Keirstead
Sent: Wednesday, October 28, 2015 2:57 PM
To: Jordan, Bret
Cc: Thompson, Dean; Terry MacDonald; cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Top-level Sighting Object from last meeting


 
Agree 100% and I think this also nerds to be considered as we decide what is "mandatory" and what isn't in the sighting.
 
We are looking at potentially having to feed tens of millions of sightings a day to one system in some
MSSP situations. They have to be as small and compact as possible. Ideally, just an ID and as little superfluous info as possible alongside it.
 
Sent from IBM Verse
 


Jordan, Bret --- Re: [cti-stix] Top-level Sighting Object from last meeting ---



 




From:


"Jordan, Bret" < bret.jordan@bluecoat.com >




To:


"Thompson, Dean" < Dean.Thompson@anz.com >




Cc:


"Terry MacDonald" < terry@soltra.com >, "Jason Keirstead" < Jason.Keirstead@ca.ibm.com >,
cti-stix@lists.oasis-open.org




Date:


Tue, Oct 27, 2015 3:23 PM




Subject:


Re: [cti-stix] Top-level Sighting Object from last meeting







 

I think the vast majority of sightings will be more or less auto generated.  There may be a need to support sightings of other higher level objects, but the quantity or volume of those will be really small in relative terms.







 


Thanks,


 


Bret



 


 


 



Bret Jordan CISSP

Director of Security Architecture and Standards Office of the CTO


Blue Coat Systems



PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050


"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 









 



On Oct 27, 2015, at 15:13, Thompson, Dean < Dean.Thompson@anz.com > wrote:

 


 


Hi!,


 


Does this depend on what is producing the sighting object ?, for example the first option appeals to me because from an ability to auto-script and generate
it could be potentially easy to make those links of observations to a sighting object.  With regards to “Threat Actor’s” and “TTP’s”, doesn’t it get a little hard because (based on the experience I have had), you have more softer definitions you place into
those top level objects, they are not straight out IP addresses, MD5’s or email addresses.


 


Do others seeing the sighting object as being a construct which would more times than not be something that is auto-generated by various systems, rather than
a construct put together manually which include thought and analysis ? (that’s not to say that you couldn’t do that, just that it is a lot harder).


 


Personally, I prefer option 1.


 


Regards,


 


Dean


 


 




From:   cti-stix@lists.oasis-open.org   [ mailto:cti-stix@lists.oasis-open.org ]   On
Behalf Of   Terry MacDonald
Sent:   Tuesday, 27 October 2015 9:57 AM
To:   Terry MacDonald; Jason Keirstead
Cc:   cti-stix@lists.oasis-open.org
Subject:   RE: [cti-stix] Top-level Sighting Object from last meeting




 


Hi All,


 


One other thing I wanted to highlight was a point raised by Aharon late last week in the STIX meeting. We need to discuss what exactly we want
the Sighting Object to be able to reference. As I understand it the available options are:


 


·            Should
a Sighting Object only reference ‘detected’ information (e.g. Observable Instances   only   – most similar to an Indicator)


OR


·            Should
a Sighting Object reference   any   other top-level Object (e.g. Threat Actor’s, TTPs, etc). This will be the most flexible and least restrictive for the future.


OR


·            Should
a Sighting Object reference   some   top-level Objects based on STIX model  (e.g. Threat Actor’s, TTPs, Indicators, Incident, Report)


 


My   personal   preference is for the first option – but
I am very interested in what others think. I think we need to scope the Sighting object and discuss its purpose fairly early on to work out exactly where it will fit in the model.


 


Cheers


 



Terry MacDonald


Senior STIX Subject Matter Expert


SOLTRA   An FS-ISAC and DTCC Company


+61 (407) 203 206   terry@soltra.com


 



 




From:   cti-stix@lists.oasis-open.org   [ mailto:cti-stix@lists.oasis-open.org ]   On
Behalf Of   Terry MacDonald
Sent:   Tuesday, 27 October 2015 9:21 AM
To:   Jason Keirstead < Jason.Keirstead@ca.ibm.com >
Cc:   cti-stix@lists.oasis-open.org
Subject:   RE: [cti-stix] Top-level Sighting Object from last meeting




 


Hi Jason


 


- What is "Alternative_ID" ?


 


The Alternative_ID was taken from the IndicatorType object.  From that object’s description it ‘Specifies an alternative identifier (or alias)
for the cyber threat Indicator.’. The idea was to allow the Sighting to have a reference of some kind, referring back to the ID that the tool that identified it had given it. It may not be useful in the Sighting context but I wanted to include it just in case.
TBH we may want to think more about how we handle ‘aliases’ in general across the whole STIX model…


 


- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.


 


Yes, my thinking was that a subset of the Sighting fields would be mandatory. I’ve suggested some below but would really like to see what everyone
else thinks.


 


Suggested Mandatory Fields


·            Version


·            Title


·            Timestamp
/ Time Period


·            One
or more referenced objects (i.e. idref) – ( This would be done via Top-level relationship object )


 


Suggested Optional Fields


·            Sighting
Count


·            Timestamp
/ Time Period


·            Victim
Organization information


·            Producer
Organization information


·            Sighting
Confidence


·            TLP
/ Data Markings


·            Alternative
Sighting ID


·            Sighting
Type


·            Description


·            Short
Description


 


Mark’s other post earlier today reminded me that I had earlier requested a Sighting object last year ( https://github.com/STIXProject/schemas/issues/306 ).
In there I even drew a nice updated STIX model diagram to include where I personally saw the Sighting object located (thanks to Bret for the visio). But this may help provide more context?


 


<image001.jpg>


Please note this reflects my own personal viewpoint.


 


Cheers


 


Terry MacDonald


Senior STIX Subject Matter Expert


SOLTRA   An FS-ISAC and DTCC Company


+61 (407) 203 206   terry@soltra.com


 


 


From:   cti-stix@lists.oasis-open.org   [ mailto:cti-stix@lists.oasis-open.org ]   On
Behalf Of   Jason Keirstead
Sent:   Tuesday, 27 October 2015 8:34 AM
To:   Terry MacDonald < terry@soltra.com >
Cc:   cti-stix@lists.oasis-open.org
Subject:   Re: [cti-stix] Top-level Sighting Object from last meeting


 




Questions




 




- What is "Alternative_ID" ?




 




- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.




 




-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security     www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown  



 




 





Original message -----
From: Terry MacDonald < terry@soltra.com >
Sent by: < cti-stix@lists.oasis-open.org >
To: " cti-stix@lists.oasis-open.org "
< cti-stix@lists.oasis-open.org >
Cc:
Subject: [cti-stix] Top-level Sighting Object from last meeting
Date: Mon, Oct 26, 2015 2:00 PM
 


Hi All,
 
Given the flurry of discussions about features for STIX v2.0, it’s probably the right time to resend
the top-level STIX Sighting Object conversation starter out again.  So here are the slides. Please feel free to comment/feedback/complain/call me names.  
 
Please note – the strawman UML model is an abstraction based on the use of the Sighting Object only
for Observable Instances; it assumes that Indicators will similarly be restricted to only allowing Observable Patterns. The idea being that Indicators = ‘things to look for’ and Sightings = ‘things we’ve found’.
 
Cheers
 
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA  
An FS-ISAC and DTCC Company
+61 (407) 203 206   terry@soltra.com
 
 



 




---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php  







--------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at:   https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php



 




This e-mail and any attachments to it (the "Communication") is, unless otherwise stated, confidential, may contain copyright material and is for the use only of the intended
recipient. If you receive the Communication in error, please notify the sender immediately by return e-mail, delete the Communication and the return e-mail, and do not read, copy, retransmit or otherwise deal with it. Any views expressed in the Communication
are those of the individual sender only, unless expressly stated to be those of Australia and New Zealand Banking Group Limited ABN 11 005 357 522, or any of its related entities including ANZ Bank New Zealand Limited (together "ANZ"). ANZ does not accept
liability in connection with the integrity of or errors in the Communication, computer virus, data corruption, interference or delay arising from or in respect of the Communication.




 

Observing something “ad hoc” is simply an observation and is currently expressed using Observable.


A Sighting is saying that something was observed that has been identified as of potential interest by an Indicator. Kind of like a police APB.


sean









From: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org > on behalf of Cory Casanave < cory-c@modeldriven.com >
Date: Wednesday, October 28, 2015 at 5:18 PM
To: Jason Keirstead < Jason.Keirstead@ca.ibm.com >, "Jordan, Bret" < bret.jordan@bluecoat.com >
Cc: "Thompson, Dean" < Dean.Thompson@anz.com >, Terry MacDonald < terry@soltra.com >, " cti-stix@lists.oasis-open.org "
< cti-stix@lists.oasis-open.org >
Subject: RE: [cti-stix] Top-level Sighting Object from last meeting








Must a sighting have an indicator or can you observe something “ad hoc”?
 


From:
cti-stix@lists.oasis-open.org [ mailto:cti-stix@lists.oasis-open.org ]
On Behalf Of Jason Keirstead
Sent: Wednesday, October 28, 2015 2:57 PM
To: Jordan, Bret
Cc: Thompson, Dean; Terry MacDonald;
cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Top-level Sighting Object from last meeting


 
Agree 100% and I think this also nerds to be considered as we decide what is "mandatory" and what isn't in the sighting.
 
We are looking at potentially having to feed tens of millions of sightings a day to one system in some
MSSP situations. They have to be as small and compact as possible. Ideally, just an ID and as little superfluous info as possible alongside it.
 
Sent from IBM Verse
 


Jordan, Bret --- Re: [cti-stix] Top-level Sighting Object from last meeting ---



 




From:


"Jordan, Bret" < bret.jordan@bluecoat.com >




To:


"Thompson, Dean" < Dean.Thompson@anz.com >




Cc:


"Terry MacDonald" < terry@soltra.com >, "Jason Keirstead" < Jason.Keirstead@ca.ibm.com >,
cti-stix@lists.oasis-open.org




Date:


Tue, Oct 27, 2015 3:23 PM




Subject:


Re: [cti-stix] Top-level Sighting Object from last meeting







 

I think the vast majority of sightings will be more or less auto generated.  There may be a need to support sightings of other higher level objects, but the quantity or volume of those will be really small in relative terms.







 


Thanks,


 


Bret



 


 


 



Bret Jordan CISSP

Director of Security Architecture and Standards Office of the CTO


Blue Coat Systems



PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050


"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 









 



On Oct 27, 2015, at 15:13, Thompson, Dean < Dean.Thompson@anz.com > wrote:

 


 


Hi!,


 


Does this depend on what is producing the sighting object ?, for example the first option appeals to me because from an ability to auto-script and
generate it could be potentially easy to make those links of observations to a sighting object.  With regards to “Threat Actor’s” and “TTP’s”, doesn’t it get a little hard because (based on the experience I have had), you have more softer definitions you place
into those top level objects, they are not straight out IP addresses, MD5’s or email addresses.


 


Do others seeing the sighting object as being a construct which would more times than not be something that is auto-generated by various systems,
rather than a construct put together manually which include thought and analysis ? (that’s not to say that you couldn’t do that, just that it is a lot harder).


 


Personally, I prefer option 1.


 


Regards,


 


Dean


 


 




From:   cti-stix@lists.oasis-open.org   [ mailto:cti-stix@lists.oasis-open.org ]   On
Behalf Of   Terry MacDonald
Sent:   Tuesday, 27 October 2015 9:57 AM
To:   Terry MacDonald; Jason Keirstead
Cc:   cti-stix@lists.oasis-open.org
Subject:   RE: [cti-stix] Top-level Sighting Object from last meeting




 


Hi All,


 


One other thing I wanted to highlight was a point raised by Aharon late last week in the STIX meeting. We need to discuss what exactly
we want the Sighting Object to be able to reference. As I understand it the available options are:


 


·            Should
a Sighting Object only reference ‘detected’ information (e.g. Observable Instances   only   – most similar to an Indicator)


OR


·            Should
a Sighting Object reference   any   other top-level Object (e.g. Threat Actor’s, TTPs, etc). This will be the most flexible and least restrictive for the future.


OR


·            Should
a Sighting Object reference   some   top-level Objects based on STIX model  (e.g. Threat Actor’s, TTPs, Indicators, Incident, Report)


 


My   personal   preference is for the first
option – but I am very interested in what others think. I think we need to scope the Sighting object and discuss its purpose fairly early on to work out exactly where it will fit in the model.


 


Cheers


 



Terry MacDonald


Senior STIX Subject Matter Expert


SOLTRA   An FS-ISAC and DTCC Company


+61 (407) 203 206   terry@soltra.com


 



 




From:   cti-stix@lists.oasis-open.org   [ mailto:cti-stix@lists.oasis-open.org ]   On
Behalf Of   Terry MacDonald
Sent:   Tuesday, 27 October 2015 9:21 AM
To:   Jason Keirstead < Jason.Keirstead@ca.ibm.com >
Cc:   cti-stix@lists.oasis-open.org
Subject:   RE: [cti-stix] Top-level Sighting Object from last meeting




 


Hi Jason


 


- What is "Alternative_ID" ?


 


The Alternative_ID was taken from the IndicatorType object.  From that object’s description it ‘Specifies an alternative identifier (or
alias) for the cyber threat Indicator.’. The idea was to allow the Sighting to have a reference of some kind, referring back to the ID that the tool that identified it had given it. It may not be useful in the Sighting context but I wanted to include it just
in case. TBH we may want to think more about how we handle ‘aliases’ in general across the whole STIX model…


 


- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.


 


Yes, my thinking was that a subset of the Sighting fields would be mandatory. I’ve suggested some below but would really like to see
what everyone else thinks.


 


Suggested Mandatory Fields


·            Version


·            Title


·            Timestamp
/ Time Period


·            One
or more referenced objects (i.e. idref) – ( This would be done via Top-level relationship object )


 


Suggested Optional Fields


·            Sighting
Count


·            Timestamp
/ Time Period


·            Victim
Organization information


·            Producer
Organization information


·            Sighting
Confidence


·            TLP
/ Data Markings


·            Alternative
Sighting ID


·            Sighting
Type


·            Description


·            Short
Description


 


Mark’s other post earlier today reminded me that I had earlier requested a Sighting object last year ( https://github.com/STIXProject/schemas/issues/306 ).
In there I even drew a nice updated STIX model diagram to include where I personally saw the Sighting object located (thanks to Bret for the visio). But this may help provide more context?


 


<image001.jpg>


Please note this reflects my own personal viewpoint.


 


Cheers


 


Terry MacDonald


Senior STIX Subject Matter Expert


SOLTRA   An FS-ISAC and DTCC Company


+61 (407) 203 206   terry@soltra.com


 


 


From:   cti-stix@lists.oasis-open.org   [ mailto:cti-stix@lists.oasis-open.org ]   On
Behalf Of   Jason Keirstead
Sent:   Tuesday, 27 October 2015 8:34 AM
To:   Terry MacDonald < terry@soltra.com >
Cc:   cti-stix@lists.oasis-open.org
Subject:   Re: [cti-stix] Top-level Sighting Object from last meeting


 




Questions




 




- What is "Alternative_ID" ?




 




- Can you add to the proposal, which fields would be mandatory, and which optional? It's unclear to me. I presume a subset is mandatory, but not all.




 




-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security     www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown  



 




 





Original message -----
From: Terry MacDonald < terry@soltra.com >
Sent by: < cti-stix@lists.oasis-open.org >
To: " cti-stix@lists.oasis-open.org "
< cti-stix@lists.oasis-open.org >
Cc:
Subject: [cti-stix] Top-level Sighting Object from last meeting
Date: Mon, Oct 26, 2015 2:00 PM
 


Hi All,
 
Given the flurry of discussions about features for STIX v2.0, it’s probably the right time to resend
the top-level STIX Sighting Object conversation starter out again.  So here are the slides. Please feel free to comment/feedback/complain/call me names.  
 
Please note – the strawman UML model is an abstraction based on the use of the Sighting Object only
for Observable Instances; it assumes that Indicators will similarly be restricted to only allowing Observable Patterns. The idea being that Indicators = ‘things to look for’ and Sightings = ‘things we’ve found’.
 
Cheers
 
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA  
An FS-ISAC and DTCC Company
+61 (407) 203 206   terry@soltra.com
 
 



 




---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php  







--------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at:   https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php



 




This e-mail and any attachments to it (the "Communication") is, unless otherwise stated, confidential, may contain copyright material and is for the use only of the intended
recipient. If you receive the Communication in error, please notify the sender immediately by return e-mail, delete the Communication and the return e-mail, and do not read, copy, retransmit or otherwise deal with it. Any views expressed in the Communication
are those of the individual sender only, unless expressly stated to be those of Australia and New Zealand Banking Group Limited ABN 11 005 357 522, or any of its related entities including ANZ Bank New Zealand Limited (together "ANZ"). ANZ does not accept
liability in connection with the integrity of or errors in the Communication, computer virus, data corruption, interference or delay arising from or in respect of the Communication.