CTI STIX Subcommittee

I would agree, but the spec currently lets you put in any string.

I would propose that in STIX 2.0, if the consensus is that it should be a
controlled vocabulary, that that be enforced in the spec, and that
documents that don't follow the vocabulary are invalid.

I am not looking to do anything with the indicator at all on the recieving
end - this is an indicator the software will produce as a result of an
automated response. I find the current vocabulary to be very restrictive
and full of obvious gaps. Even simple things like "Compromised Host" are
absent. Also, all of the instances current vocabulary should be able to be
prefixed with "Potential" in my opinion. ("Potential Malware Artifact")

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown




From: "Palmer, Cliff A. (NE)" <Cliff.Palmer@gd-ms.com>
To: Jason Keirstead/CanEast/IBM@IBMCA,
"cti-users@lists.oasis-open.org"
<cti-users@lists.oasis-open.org>
Date: 2015/10/22 12:55 PM
Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation
Questions



Jason, it seems to me that there is a value to having a controlled
vocabulary for Indicator Type. You can probably enumerate the benefits in
your circumstances better than anyone outside of your situation. The value
of controlling the vocabulary should translate into a benefit to your users
and provide an incentive for adoption.
Others will want to discuss adopting an ontology to control handling of
indicators based on type. While my first thought is “There be dragons” (
https://en.wikipedia.org/wiki/Here_be_dragons) it’s also true that an
indicator type might not be as challenging as other ontologies. Are you
able to describe how the indicator type affects the way you understand or
treat the indicator?
I have built ontologies and found it interesting work, but it’s definitely
non-trivial. I’d like to hear more about how you proceed.

Cliff Palmer

From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org
] On Behalf Of Jason Keirstead
Sent: Thursday, October 22, 2015 11:18 AM
To: cti-users@lists.oasis-open.org
Subject: [cti-users] Indicator Type / Vocabulary Implementation Questions



HI all, I am producing some new STIX content in an automated fashion, and
am looking for feedback on my planned usage of indicator types:

As with many things STIX, the way you do this is so wide open, it makes
implementation decisions difficult

"The default vocabulary type is IndicatorTypeVocab-1.1 in the
http://stix.mitre.org/default_vocabularies-1 namespace. This type is
defined in the stix_default_vocabularies.xsd file or at the URL
http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd
. Users may also define their own vocabulary using the type extension
mechanism, specify a vocabulary name and reference using the
attributes, or simply use this as a string field."

@see
http://stixproject.github.io/data-model/1.2/stixVocabs/IndicatorTypeVocab-1.1/


So essentially, I can stick to the default vocabulary, *OR* I can define my
own vocabulary, *OR* I can use it as a free-form string.

The problem i have with the default vocabulary, is this list is very
restrictive, and there is no "Other" type.

First question - Has there ever been thought to extending this vocabulary,
or adding an "Other" type that one could then annotate in some way? I
haven't seen this question come up on the STIX list.

Second question - My other problem is, I can't define a new fixed
vocabulary because this is user-generated stuff. I pretty much am stuck
with either using the fixed vocabulary, or letting the user type in
whatever they want. How many people are sticking to the controlled
vocabulary here? If I use this as a free-form string, will it cause some
tools to blow up? Anyone have experience here?



-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown

It would be nice to understand what software is doing with the field. Does it show up in the UI as a sort/filter? Do you base processing on it?

I heard a recent proposal to remove it entirely. What would be the impact of that?

John

From: <cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com<mailto:Jason.Keirstead@ca.ibm.com>>
Date: Thursday, October 22, 2015 at 1:10 PM
To: "Palmer, Cliff A. (NE)" <Cliff.Palmer@gd-ms.com<mailto:Cliff.Palmer@gd-ms.com>>
Cc: "cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>" <cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>>
Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions


I would agree, but the spec currently lets you put in any string.

I would propose that in STIX 2.0, if the consensus is that it should be a controlled vocabulary, that that be enforced in the spec, and that documents that don't follow the vocabulary are invalid.

I am not looking to do anything with the indicator at all on the recieving end - this is an indicator the software will produce as a result of an automated response. I find the current vocabulary to be very restrictive and full of obvious gaps. Even simple things like "Compromised Host" are absent. Also, all of the instances current vocabulary should be able to be prefixed with "Potential" in my opinion. ("Potential Malware Artifact")

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


[Inactive hide details for "Palmer, Cliff A. (NE)" ---2015/10/22 12:55:52 PM---Jason, it seems to me that there is a value to ha]"Palmer, Cliff A. (NE)" ---2015/10/22 12:55:52 PM---Jason, it seems to me that there is a value to having a controlled vocabulary for Indicator Type. Y

From: "Palmer, Cliff A. (NE)" <Cliff.Palmer@gd-ms.com<mailto:Cliff.Palmer@gd-ms.com>>
To: Jason Keirstead/CanEast/IBM@IBMCA, "cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>" <cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>>
Date: 2015/10/22 12:55 PM
Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions

________________________________



Jason, it seems to me that there is a value to having a controlled vocabulary for Indicator Type. You can probably enumerate the benefits in your circumstances better than anyone outside of your situation. The value of controlling the vocabulary should translate into a benefit to your users and provide an incentive for adoption.
Others will want to discuss adopting an ontology to control handling of indicators based on type. While my first thought is “There be dragons” (https://en.wikipedia.org/wiki/Here_be_dragons) it’s also true that an indicator type might not be as challenging as other ontologies. Are you able to describe how the indicator type affects the way you understand or treat the indicator?
I have built ontologies and found it interesting work, but it’s definitely non-trivial. I’d like to hear more about how you proceed.

Cliff Palmer

From: cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org> [mailto:cti-users@lists.oasis-open.org] On Behalf Of Jason Keirstead
Sent: Thursday, October 22, 2015 11:18 AM
To: cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>
Subject: [cti-users] Indicator Type / Vocabulary Implementation Questions

HI all, I am producing some new STIX content in an automated fashion, and am looking for feedback on my planned usage of indicator types:

As with many things STIX, the way you do this is so wide open, it makes implementation decisions difficult

"The default vocabulary type is IndicatorTypeVocab-1.1<http://stixproject.github.io/data-model/1.2/stixVocabs/IndicatorTypeVocab-1.1> in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd. Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field."

@see http://stixproject.github.io/data-model/1.2/stixVocabs/IndicatorTypeVocab-1.1/

So essentially, I can stick to the default vocabulary, *OR* I can define my own vocabulary, *OR* I can use it as a free-form string.

The problem i have with the default vocabulary, is this list is very restrictive, and there is no "Other" type.

First question - Has there ever been thought to extending this vocabulary, or adding an "Other" type that one could then annotate in some way? I haven't seen this question come up on the STIX list.

Second question - My other problem is, I can't define a new fixed vocabulary because this is user-generated stuff. I pretty much am stuck with either using the fixed vocabulary, or letting the user type in whatever they want. How many people are sticking to the controlled vocabulary here? If I use this as a free-form string, will it cause some tools to blow up? Anyone have experience here?



-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security<http://www.ibm.com/security> | www.securityintelligence.com<http://www.securityintelligence.com/>

Without data, all you are is just another person with an opinion - Unknown

In regards to forcing a controlled vocab in STIX 2, I am torn. A controlled vocab would make STIX easier for software developers, but more difficult for product owners who are trying to push the boundaries of STIX within their products. Just the other day I was working on a proposal that had us doing something different with STIX that required us to release a few custom vocab entries. However, I could argue against custom vocabs as I have seen implementations of STIX that do not understand the whole concept of including additional XSDs in the namespace/header portion of the XML document.



Aharon

From: <cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>> on behalf of "Wunder, John A." <jwunder@mitre.org<mailto:jwunder@mitre.org>>
Date: Thursday, October 22, 2015 at 1:14 PM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com<mailto:Jason.Keirstead@ca.ibm.com>>, "Palmer, Cliff A. (NE)" <Cliff.Palmer@gd-ms.com<mailto:Cliff.Palmer@gd-ms.com>>
Cc: "cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>" <cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>>
Subject: Re: [cti-users] Indicator Type / Vocabulary Implementation Questions

It would be nice to understand what software is doing with the field. Does it show up in the UI as a sort/filter? Do you base processing on it?

I heard a recent proposal to remove it entirely. What would be the impact of that?

John

From: <cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com<mailto:Jason.Keirstead@ca.ibm.com>>
Date: Thursday, October 22, 2015 at 1:10 PM
To: "Palmer, Cliff A. (NE)" <Cliff.Palmer@gd-ms.com<mailto:Cliff.Palmer@gd-ms.com>>
Cc: "cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>" <cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>>
Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions


I would agree, but the spec currently lets you put in any string.

I would propose that in STIX 2.0, if the consensus is that it should be a controlled vocabulary, that that be enforced in the spec, and that documents that don't follow the vocabulary are invalid.

I am not looking to do anything with the indicator at all on the recieving end - this is an indicator the software will produce as a result of an automated response. I find the current vocabulary to be very restrictive and full of obvious gaps. Even simple things like "Compromised Host" are absent. Also, all of the instances current vocabulary should be able to be prefixed with "Potential" in my opinion. ("Potential Malware Artifact")

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


[Inactive hide details for "Palmer, Cliff A. (NE)" ---2015/10/22 12:55:52 PM---Jason, it seems to me that there is a value to ha]"Palmer, Cliff A. (NE)" ---2015/10/22 12:55:52 PM---Jason, it seems to me that there is a value to having a controlled vocabulary for Indicator Type. Y

From: "Palmer, Cliff A. (NE)" <Cliff.Palmer@gd-ms.com<mailto:Cliff.Palmer@gd-ms.com>>
To: Jason Keirstead/CanEast/IBM@IBMCA, "cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>" <cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>>
Date: 2015/10/22 12:55 PM
Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions

________________________________



Jason, it seems to me that there is a value to having a controlled vocabulary for Indicator Type. You can probably enumerate the benefits in your circumstances better than anyone outside of your situation. The value of controlling the vocabulary should translate into a benefit to your users and provide an incentive for adoption.
Others will want to discuss adopting an ontology to control handling of indicators based on type. While my first thought is “There be dragons” (https://en.wikipedia.org/wiki/Here_be_dragons) it’s also true that an indicator type might not be as challenging as other ontologies. Are you able to describe how the indicator type affects the way you understand or treat the indicator?
I have built ontologies and found it interesting work, but it’s definitely non-trivial. I’d like to hear more about how you proceed.

Cliff Palmer

From: cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org> [mailto:cti-users@lists.oasis-open.org] On Behalf Of Jason Keirstead
Sent: Thursday, October 22, 2015 11:18 AM
To: cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>
Subject: [cti-users] Indicator Type / Vocabulary Implementation Questions

HI all, I am producing some new STIX content in an automated fashion, and am looking for feedback on my planned usage of indicator types:

As with many things STIX, the way you do this is so wide open, it makes implementation decisions difficult

"The default vocabulary type is IndicatorTypeVocab-1.1<http://stixproject.github.io/data-model/1.2/stixVocabs/IndicatorTypeVocab-1.1> in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd. Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field."

@see http://stixproject.github.io/data-model/1.2/stixVocabs/IndicatorTypeVocab-1.1/

So essentially, I can stick to the default vocabulary, *OR* I can define my own vocabulary, *OR* I can use it as a free-form string.

The problem i have with the default vocabulary, is this list is very restrictive, and there is no "Other" type.

First question - Has there ever been thought to extending this vocabulary, or adding an "Other" type that one could then annotate in some way? I haven't seen this question come up on the STIX list.

Second question - My other problem is, I can't define a new fixed vocabulary because this is user-generated stuff. I pretty much am stuck with either using the fixed vocabulary, or letting the user type in whatever they want. How many people are sticking to the controlled vocabulary here? If I use this as a free-form string, will it cause some tools to blow up? Anyone have experience here?



-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security<http://www.ibm.com/security> | www.securityintelligence.com<http://www.securityintelligence.com/>

Without data, all you are is just another person with an opinion - Unknown

The other issue with using XSDs to define custom vocabularies is

- It is not always possible for an implementer to easily put such artifacts
up on the internet in a vendor-controlled space; and

- Many STIX-consuming systems will not have access to the internet at all,
so they can't download the XSD to begin with

But to re-iterate - I can't even use a custom vocabulary here as this is
generated content and this user-generated content, which obviously can't
auto-generate an XSD and put it on the internet.

My options are either (a) Limit the user to only the controlled vocabulary,
or (b) Use the controlled vocabulary as a defaut, but in the end let them
use any string

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown




From: Aharon Chernin <achernin@soltra.com>
To: "Wunder, John A." <jwunder@mitre.org>, Jason
Keirstead/CanEast/IBM@IBMCA, "Palmer, Cliff A. (NE)"
<Cliff.Palmer@gd-ms.com>
Cc: "cti-users@lists.oasis-open.org"
<cti-users@lists.oasis-open.org>
Date: 2015/10/22 03:04 PM
Subject: Re: [cti-users] Indicator Type / Vocabulary Implementation
Questions
Sent by: <cti-users@lists.oasis-open.org>



In regards to forcing a controlled vocab in STIX 2, I am torn. A controlled
vocab would make STIX easier for software developers, but more difficult
for product owners who are trying to push the boundaries of STIX within
their products. Just the other day I was working on a proposal that had us
doing something different with STIX that required us to release a few
custom vocab entries. However, I could argue against custom vocabs as I
have seen implementations of STIX that do not understand the whole concept
of including additional XSDs in the namespace/header portion of the XML
document.



Aharon

From: <cti-users@lists.oasis-open.org> on behalf of "Wunder, John A." <
jwunder@mitre.org>
Date: Thursday, October 22, 2015 at 1:14 PM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>, "Palmer, Cliff A. (NE)" <
Cliff.Palmer@gd-ms.com>
Cc: "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: Re: [cti-users] Indicator Type / Vocabulary Implementation
Questions

It would be nice to understand what software is doing with the field. Does
it show up in the UI as a sort/filter? Do you base processing on it?

I heard a recent proposal to remove it entirely. What would be the impact
of that?

John

From: <cti-users@lists.oasis-open.org> on behalf of Jason Keirstead <
Jason.Keirstead@ca.ibm.com>
Date: Thursday, October 22, 2015 at 1:10 PM
To: "Palmer, Cliff A. (NE)" <Cliff.Palmer@gd-ms.com>
Cc: "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation
Questions



I would agree, but the spec currently lets you put in any string.

I would propose that in STIX 2.0, if the consensus is that it should be a
controlled vocabulary, that that be enforced in the spec, and that
documents that don't follow the vocabulary are invalid.

I am not looking to do anything with the indicator at all on the recieving
end - this is an indicator the software will produce as a result of an
automated response. I find the current vocabulary to be very restrictive
and full of obvious gaps. Even simple things like "Compromised Host" are
absent. Also, all of the instances current vocabulary should be able to be
prefixed with "Potential" in my opinion. ("Potential Malware Artifact")

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


Inactive hide details for "Palmer, Cliff A. (NE)" ---2015/10/22 12:55:52
PM---Jason, it seems to me that there is a value to ha"Palmer, Cliff A.
(NE)" ---2015/10/22 12:55:52 PM---Jason, it seems to me that there is a
value to having a controlled vocabulary for Indicator Type. Y

From: "Palmer, Cliff A. (NE)" <Cliff.Palmer@gd-ms.com>
To: Jason Keirstead/CanEast/IBM@IBMCA, "cti-users@lists.oasis-open.org" <
cti-users@lists.oasis-open.org>
Date: 2015/10/22 12:55 PM
Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation
Questions





Jason, it seems to me that there is a value to having a controlled
vocabulary for Indicator Type. You can probably enumerate the benefits in
your circumstances better than anyone outside of your situation. The value
of controlling the vocabulary should translate into a benefit to your users
and provide an incentive for adoption.
Others will want to discuss adopting an ontology to control handling of
indicators based on type. While my first thought is “There be dragons” (
https://en.wikipedia.org/wiki/Here_be_dragons) it’s also true that an
indicator type might not be as challenging as other ontologies. Are you
able to describe how the indicator type affects the way you understand or
treat the indicator?
I have built ontologies and found it interesting work, but it’s definitely
non-trivial. I’d like to hear more about how you proceed.

Cliff Palmer

From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org
] On Behalf Of Jason Keirstead
Sent: Thursday, October 22, 2015 11:18 AM
To: cti-users@lists.oasis-open.org
Subject: [cti-users] Indicator Type / Vocabulary Implementation Questions


HI all, I am producing some new STIX content in an automated fashion, and
am looking for feedback on my planned usage of indicator types:

As with many things STIX, the way you do this is so wide open, it makes
implementation decisions difficult



"The default vocabulary type is IndicatorTypeVocab-1.1 in the
http://stix.mitre.org/default_vocabularies-1 namespace. This
type is defined in the stix_default_vocabularies.xsd file or at
the URL
http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd
. Users may also define their own vocabulary using the type
extension mechanism, specify a vocabulary name and reference
using the attributes, or simply use this as a string field."

@see
http://stixproject.github.io/data-model/1.2/stixVocabs/IndicatorTypeVocab-1.1/


So essentially, I can stick to the default vocabulary, *OR* I can define my
own vocabulary, *OR* I can use it as a free-form string.

The problem i have with the default vocabulary, is this list is very
restrictive, and there is no "Other" type.

First question - Has there ever been thought to extending this vocabulary,
or adding an "Other" type that one could then annotate in some way? I
haven't seen this question come up on the STIX list.

Second question - My other problem is, I can't define a new fixed
vocabulary because this is user-generated stuff. I pretty much am stuck
with either using the fixed vocabulary, or letting the user type in
whatever they want. How many people are sticking to the controlled
vocabulary here? If I use this as a free-form string, will it cause some
tools to blow up? Anyone have experience here?



-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


This publicly archived list provides a forum for asking questions,
offering answers, and discussing topics of interest on STIX,
TAXII, and CybOX. Users and developers of solutions that leverage
STIX, TAXII and CybOX are invited to participate.

In order to verify user consent to OASIS mailing list guidelines
and to minimize spam in the list archive, subscription is required
before posting.

Subscribe: cti-users-subscribe@lists.oasis-open.org
Unsubscribe: cti-users-unsubscribe@lists.oasis-open.org
Post: cti-users@lists.oasis-open.org
List help: cti-users-help@lists.oasis-open.org
List archive: http://lists.oasis-open.org/archives/cti-users/
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
CTI Technical Committee: https://www.oasis-open.org/committees/cti/
Join OASIS: http://www.oasis-open.org/join/
[attachment "graycol.gif" deleted by Jason Keirstead/CanEast/IBM]

Extensibility and the whole xsi-type concept only works if you can guarantee that every implementer of every product and device will "fully" implement it. If not, then you have things breaking all over the place. And our efforts of making sure we can accommodate every possible use-case, means, that in practical terms no one can actually communicate unless they are using the same software package (which is not realistic). Simplicity will gain us adoption, and from adoption we can iterate over time and add features.

I am in strong favor of "one-way-of-doing-things". I am also in strong favor of getting rid of and simplifying the extensibility so that we can guarantee interoperability.

To Jason's points, I would suggest we add an option for "other" and we also try to be more diligent about updating the controlled vocabulary. Maybe go so far as to say that every January we will rev the controlled vocabularies.



Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

> On Oct 22, 2015, at 12:04, Aharon Chernin <achernin@soltra.com> wrote:
>
> In regards to forcing a controlled vocab in STIX 2, I am torn. A controlled vocab would make STIX easier for software developers, but more difficult for product owners who are trying to push the boundaries of STIX within their products. Just the other day I was working on a proposal that had us doing something different with STIX that required us to release a few custom vocab entries. However, I could argue against custom vocabs as I have seen implementations of STIX that do not understand the whole concept of including additional XSDs in the namespace/header portion of the XML document.
>
>
>
> Aharon
>
> From: <cti-users@lists.oasis-open.org <mailto:cti-users@lists.oasis-open.org>> on behalf of "Wunder, John A." <jwunder@mitre.org <mailto:jwunder@mitre.org>>
> Date: Thursday, October 22, 2015 at 1:14 PM
> To: Jason Keirstead <Jason.Keirstead@ca.ibm.com <mailto:Jason.Keirstead@ca.ibm.com>>, "Palmer, Cliff A. (NE)" <Cliff.Palmer@gd-ms.com <mailto:Cliff.Palmer@gd-ms.com>>
> Cc: "cti-users@lists.oasis-open.org <mailto:cti-users@lists.oasis-open.org>" <cti-users@lists.oasis-open.org <mailto:cti-users@lists.oasis-open.org>>
> Subject: Re: [cti-users] Indicator Type / Vocabulary Implementation Questions
>
> It would be nice to understand what software is doing with the field. Does it show up in the UI as a sort/filter? Do you base processing on it?
>
> I heard a recent proposal to remove it entirely. What would be the impact of that?
>
> John
>
> From: <cti-users@lists.oasis-open.org <mailto:cti-users@lists.oasis-open.org>> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com <mailto:Jason.Keirstead@ca.ibm.com>>
> Date: Thursday, October 22, 2015 at 1:10 PM
> To: "Palmer, Cliff A. (NE)" <Cliff.Palmer@gd-ms.com <mailto:Cliff.Palmer@gd-ms.com>>
> Cc: "cti-users@lists.oasis-open.org <mailto:cti-users@lists.oasis-open.org>" <cti-users@lists.oasis-open.org <mailto:cti-users@lists.oasis-open.org>>
> Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions
>
> I would agree, but the spec currently lets you put in any string.
>
> I would propose that in STIX 2.0, if the consensus is that it should be a controlled vocabulary, that that be enforced in the spec, and that documents that don't follow the vocabulary are invalid.
>
> I am not looking to do anything with the indicator at all on the recieving end - this is an indicator the software will produce as a result of an automated response. I find the current vocabulary to be very restrictive and full of obvious gaps. Even simple things like "Compromised Host" are absent. Also, all of the instances current vocabulary should be able to be prefixed with "Potential" in my opinion. ("Potential Malware Artifact")
>
> -
> Jason Keirstead
> Product Architect, Security Intelligence, IBM Security Systems
> www.ibm.com/security | www.securityintelligence.com
>
> Without data, all you are is just another person with an opinion - Unknown
>
>
> <graycol.gif>"Palmer, Cliff A. (NE)" ---2015/10/22 12:55:52 PM---Jason, it seems to me that there is a value to having a controlled vocabulary for Indicator Type. Y
>
> From: "Palmer, Cliff A. (NE)" <Cliff.Palmer@gd-ms.com <mailto:Cliff.Palmer@gd-ms.com>>
> To: Jason Keirstead/CanEast/IBM@IBMCA, "cti-users@lists.oasis-open.org <mailto:cti-users@lists.oasis-open.org>" <cti-users@lists.oasis-open.org <mailto:cti-users@lists.oasis-open.org>>
> Date: 2015/10/22 12:55 PM
> Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions
>
>
>
> Jason, it seems to me that there is a value to having a controlled vocabulary for Indicator Type. You can probably enumerate the benefits in your circumstances better than anyone outside of your situation. The value of controlling the vocabulary should translate into a benefit to your users and provide an incentive for adoption.
> Others will want to discuss adopting an ontology to control handling of indicators based on type. While my first thought is “There be dragons” (https://en.wikipedia.org/wiki/Here_be_dragons <https://en.wikipedia.org/wiki/Here_be_dragons>) it’s also true that an indicator type might not be as challenging as other ontologies. Are you able to describe how the indicator type affects the way you understand or treat the indicator?
> I have built ontologies and found it interesting work, but it’s definitely non-trivial. I’d like to hear more about how you proceed.
>
> Cliff Palmer
>
> From: cti-users@lists.oasis-open.org <mailto:cti-users@lists.oasis-open.org> [mailto:cti-users@lists.oasis-open.org <mailto:cti-users@lists.oasis-open.org>] On Behalf Of Jason Keirstead
> Sent: Thursday, October 22, 2015 11:18 AM
> To: cti-users@lists.oasis-open.org <mailto:cti-users@lists.oasis-open.org>
> Subject: [cti-users] Indicator Type / Vocabulary Implementation Questions
> HI all, I am producing some new STIX content in an automated fashion, and am looking for feedback on my planned usage of indicator types:
>
> As with many things STIX, the way you do this is so wide open, it makes implementation decisions difficult
>
>
> "The default vocabulary type is IndicatorTypeVocab-1.1 <http://stixproject.github.io/data-model/1.2/stixVocabs/IndicatorTypeVocab-1.1> in the http://stix.mitre.org/default_vocabularies-1 <http://stix.mitre.org/default_vocabularies-1> namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd <http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd>. Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field."
>
> @see http://stixproject.github.io/data-model/1.2/stixVocabs/IndicatorTypeVocab-1.1/ <http://stixproject.github.io/data-model/1.2/stixVocabs/IndicatorTypeVocab-1.1/>
>
> So essentially, I can stick to the default vocabulary, *OR* I can define my own vocabulary, *OR* I can use it as a free-form string.
>
> The problem i have with the default vocabulary, is this list is very restrictive, and there is no "Other" type.
>
> First question - Has there ever been thought to extending this vocabulary, or adding an "Other" type that one could then annotate in some way? I haven't seen this question come up on the STIX list.
>
> Second question - My other problem is, I can't define a new fixed vocabulary because this is user-generated stuff. I pretty much am stuck with either using the fixed vocabulary, or letting the user type in whatever they want. How many people are sticking to the controlled vocabulary here? If I use this as a free-form string, will it cause some tools to blow up? Anyone have experience here?
>
>
>
> -
> Jason Keirstead
> Product Architect, Security Intelligence, IBM Security Systems
> www.ibm.com/security <http://www.ibm.com/security> | www.securityintelligence.com <http://www.securityintelligence.com/>
>
> Without data, all you are is just another person with an opinion - Unknown
>
>
> <graycol.gif>
> This publicly archived list provides a forum for asking questions,
> offering answers, and discussing topics of interest on STIX,
> TAXII, and CybOX. Users and developers of solutions that leverage
> STIX, TAXII and CybOX are invited to participate.
>
> In order to verify user consent to OASIS mailing list guidelines
> and to minimize spam in the list archive, subscription is required
> before posting.
>
> Subscribe: cti-users-subscribe@lists.oasis-open.org
> Unsubscribe: cti-users-unsubscribe@lists.oasis-open.org
> Post: cti-users@lists.oasis-open.org
> List help: cti-users-help@lists.oasis-open.org
> List archive: http://lists.oasis-open.org/archives/cti-users/
> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> CTI Technical Committee: https://www.oasis-open.org/committees/cti/
> Join OASIS: http://www.oasis-open.org/join/

I think the controlled vocabularies are a great topic for the
Interoperability TC


On Thursday, 22 October 2015, Jordan, Bret <bret.jordan@bluecoat.com> wrote:

> Extensibility and the whole xsi-type concept only works if you can
> guarantee that every implementer of every product and device will "fully"
> implement it. If not, then you have things breaking all over the place.
> And our efforts of making sure we can accommodate every possible use-case,
> means, that in practical terms no one can actually communicate unless they
> are using the same software package (which is not realistic). Simplicity
> will gain us adoption, and from adoption we can iterate over time and add
> features.
>
> I am in strong favor of "one-way-of-doing-things". I am also in strong
> favor of getting rid of and simplifying the extensibility so that we can
> guarantee interoperability.
>
> To Jason's points, I would suggest we add an option for "other" and we
> also try to be more diligent about updating the controlled vocabulary.
> Maybe go so far as to say that *every* January we will rev the controlled
> vocabularies.
>
>
>
> Thanks,
>
> Bret
>
>
>
> *Bret Jordan CISSP*
> Director of Security Architecture and Standards | Office of the CTO
> Blue Coat Systems
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that
> can not be unscrambled is an egg."
>
> On Oct 22, 2015, at 12:04, Aharon Chernin <achernin@soltra.com
> <javascript:_e(%7B%7D,'cvml','achernin@soltra.com');>> wrote:
>
> In regards to forcing a controlled vocab in STIX 2, I am torn. A
> controlled vocab would make STIX easier for software developers, but more
> difficult for product owners who are trying to push the boundaries of STIX
> within their products. Just the other day I was working on a proposal that
> had us doing something different with STIX that required us to release a
> few custom vocab entries. However, I could argue against custom vocabs as I
> have seen implementations of STIX that do not understand the whole concept
> of including additional XSDs in the namespace/header portion of the XML
> document.
>
>
>
> Aharon
>
> From: <cti-users@lists.oasis-open.org
> <javascript:_e(%7B%7D,'cvml','cti-users@lists.oasis-open.org');>> on
> behalf of "Wunder, John A." <jwunder@mitre.org
> <javascript:_e(%7B%7D,'cvml','jwunder@mitre.org');>>
> Date: Thursday, October 22, 2015 at 1:14 PM
> To: Jason Keirstead <Jason.Keirstead@ca.ibm.com
> <javascript:_e(%7B%7D,'cvml','Jason.Keirstead@ca.ibm.com');>>, "Palmer,
> Cliff A. (NE)" <Cliff.Palmer@gd-ms.com
> <javascript:_e(%7B%7D,'cvml','Cliff.Palmer@gd-ms.com');>>
> Cc: "cti-users@lists.oasis-open.org
> <javascript:_e(%7B%7D,'cvml','cti-users@lists.oasis-open.org');>" <
> cti-users@lists.oasis-open.org
> <javascript:_e(%7B%7D,'cvml','cti-users@lists.oasis-open.org');>>
> Subject: Re: [cti-users] Indicator Type / Vocabulary Implementation
> Questions
>
> It would be nice to understand what software is doing with the field. Does
> it show up in the UI as a sort/filter? Do you base processing on it?
>
> I heard a recent proposal to remove it entirely. What would be the impact
> of that?
>
> John
>
> From: <cti-users@lists.oasis-open.org
> <javascript:_e(%7B%7D,'cvml','cti-users@lists.oasis-open.org');>> on
> behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com
> <javascript:_e(%7B%7D,'cvml','Jason.Keirstead@ca.ibm.com');>>
> Date: Thursday, October 22, 2015 at 1:10 PM
> To: "Palmer, Cliff A. (NE)" <Cliff.Palmer@gd-ms.com
> <javascript:_e(%7B%7D,'cvml','Cliff.Palmer@gd-ms.com');>>
> Cc: "cti-users@lists.oasis-open.org
> <javascript:_e(%7B%7D,'cvml','cti-users@lists.oasis-open.org');>" <
> cti-users@lists.oasis-open.org
> <javascript:_e(%7B%7D,'cvml','cti-users@lists.oasis-open.org');>>
> Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation
> Questions
>
> I would agree, but the spec currently lets you put in any string.
>
> I would propose that in STIX 2.0, if the consensus is that it should be a
> controlled vocabulary, that that be enforced in the spec, and that
> documents that don't follow the vocabulary are invalid.
>
> I am not looking to do anything with the indicator at all on the recieving
> end - this is an indicator the software will produce as a result of an
> automated response. I find the current vocabulary to be very restrictive
> and full of obvious gaps. Even simple things like "Compromised Host" are
> absent. Also, all of the instances current vocabulary should be able to be
> prefixed with "Potential" in my opinion. ("Potential Malware Artifact")
>
> -
> Jason Keirstead
> Product Architect, Security Intelligence, IBM Security Systems
> www.ibm.com/security | www.securityintelligence.com
>
> Without data, all you are is just another person with an opinion - Unknown
>
>
> <graycol.gif>"Palmer, Cliff A. (NE)" ---2015/10/22 12:55:52 PM---Jason,
> it seems to me that there is a value to having a controlled vocabulary for
> Indicator Type. Y
>
> From: "Palmer, Cliff A. (NE)" <Cliff.Palmer@gd-ms.com
> <javascript:_e(%7B%7D,'cvml','Cliff.Palmer@gd-ms.com');>>
> To: Jason Keirstead/CanEast/IBM@IBMCA, "cti-users@lists.oasis-open.org
> <javascript:_e(%7B%7D,'cvml','cti-users@lists.oasis-open.org');>" <
> cti-users@lists.oasis-open.org
> <javascript:_e(%7B%7D,'cvml','cti-users@lists.oasis-open.org');>>
> Date: 2015/10/22 12:55 PM
> Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation
> Questions
> ------------------------------
>
>
>
> Jason, it seems to me that there is a value to having a controlled
> vocabulary for Indicator Type. You can probably enumerate the benefits in
> your circumstances better than anyone outside of your situation. The value
> of controlling the vocabulary should translate into a benefit to your users
> and provide an incentive for adoption.
> Others will want to discuss adopting an ontology to control handling of
> indicators based on type. While my first thought is “There be dragons” (
> *https://en.wikipedia.org/wiki/Here_be_dragons*
> <https://en.wikipedia.org/wiki/Here_be_dragons>) it’s also true that an
> indicator type might not be as challenging as other ontologies. Are you
> able to describe how the indicator type affects the way you understand or
> treat the indicator?
> I have built ontologies and found it interesting work, but it’s definitely
> non-trivial. I’d like to hear more about how you proceed.
>
> Cliff Palmer
>
> *From:* cti-users@lists.oasis-open.org
> <javascript:_e(%7B%7D,'cvml','cti-users@lists.oasis-open.org');> [
> mailto:cti-users@lists.oasis-open.org
> <javascript:_e(%7B%7D,'cvml','cti-users@lists.oasis-open.org');>] *On
> Behalf Of *Jason Keirstead
> * Sent:* Thursday, October 22, 2015 11:18 AM
> * To:* cti-users@lists.oasis-open.org
> <javascript:_e(%7B%7D,'cvml','cti-users@lists.oasis-open.org');>
> * Subject:* [cti-users] Indicator Type / Vocabulary Implementation
> Questions
>
> HI all, I am producing some new STIX content in an automated fashion, and
> am looking for feedback on my planned usage of indicator types:
>
> As with many things STIX, the way you do this is so wide open, it makes
> implementation decisions difficult
>
>
> "The default vocabulary type is *IndicatorTypeVocab-1.1*
> <http://stixproject.github.io/data-model/1.2/stixVocabs/IndicatorTypeVocab-1.1>
> in the *http://stix.mitre.org/default_vocabularies-1*
> <http://stix.mitre.org/default_vocabularies-1> namespace. This type
> is defined in the stix_default_vocabularies.xsd file or at the URL
> *http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd*
> <http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd>.
> Users may also define their own vocabulary using the type extension
> mechanism, specify a vocabulary name and reference using the attributes, or
> simply use this as a string field."
>
>
> @see
> *http://stixproject.github.io/data-model/1.2/stixVocabs/IndicatorTypeVocab-1.1/*
> <http://stixproject.github.io/data-model/1.2/stixVocabs/IndicatorTypeVocab-1.1/>
>
> So essentially, I can stick to the default vocabulary, *OR* I can define
> my own vocabulary, *OR* I can use it as a free-form string.
>
> The problem i have with the default vocabulary, is this list is very
> restrictive, and there is no "Other" type.
>
> * First question* - Has there ever been thought to extending this
> vocabulary, or adding an "Other" type that one could then annotate in some
> way? I haven't seen this question come up on the STIX list.
>
> * Second question* - My other problem is, I can't define a new fixed
> vocabulary because this is user-generated stuff. I pretty much am stuck
> with either using the fixed vocabulary, or letting the user type in
> whatever they want. How many people are sticking to the controlled
> vocabulary here? If I use this as a free-form string, will it cause some
> tools to blow up? Anyone have experience here?
>
>
>
> -
> Jason Keirstead
> Product Architect, Security Intelligence, IBM Security Systems
> *www.ibm.com/security* <http://www.ibm.com/security> |
> *www.securityintelligence.com* <http://www.securityintelligence.com/>
>
> Without data, all you are is just another person with an opinion - Unknown
>
>
> <graycol.gif>
> This publicly archived list provides a forum for asking questions,
> offering answers, and discussing topics of interest on STIX,
> TAXII, and CybOX. Users and developers of solutions that leverage
> STIX, TAXII and CybOX are invited to participate.
>
> In order to verify user consent to OASIS mailing list guidelines
> and to minimize spam in the list archive, subscription is required
> before posting.
>
> Subscribe: cti-users-subscribe@lists.oasis-open.org
> <javascript:_e(%7B%7D,'cvml','cti-users-subscribe@lists.oasis-open.org');>
> Unsubscribe: cti-users-unsubscribe@lists.oasis-open.org
> <javascript:_e(%7B%7D,'cvml','cti-users-unsubscribe@lists.oasis-open.org');>
> Post: cti-users@lists.oasis-open.org
> <javascript:_e(%7B%7D,'cvml','cti-users@lists.oasis-open.org');>
> List help: cti-users-help@lists.oasis-open.org
> <javascript:_e(%7B%7D,'cvml','cti-users-help@lists.oasis-open.org');>
> List archive: http://lists.oasis-open.org/archives/cti-users/
> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> CTI Technical Committee: https://www.oasis-open.org/committees/cti/
> Join OASIS: http://www.oasis-open.org/join/
>
>
>

Comments inline


From: <cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>> on behalf of "Jordan, Bret" <bret.jordan@bluecoat.com<mailto:bret.jordan@bluecoat.com>>
Date: Thursday, October 22, 2015 at 2:15 PM
To: Aharon Chernin <achernin@soltra.com<mailto:achernin@soltra.com>>
Cc: John Wunder <jwunder@mitre.org<mailto:jwunder@mitre.org>>, Jason Keirstead <Jason.Keirstead@ca.ibm.com<mailto:Jason.Keirstead@ca.ibm.com>>, "Palmer, Cliff A. (NE)" <Cliff.Palmer@gd-ms.com<mailto:Cliff.Palmer@gd-ms.com>>, "cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>" <cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>>
Subject: Re: [cti-users] Indicator Type / Vocabulary Implementation Questions

Extensibility and the whole xsi-type concept only works if you can guarantee that every implementer of every product and device will "fully" implement it.
If not, then you have things breaking all over the place.

[sean]I would argue that this is fundamentally not true. The entire extensibility approach built into the language is designed such that every implementer can decide which profile of the language they wish to support. This may mean that they support particular extensions or that they support no extensions at all other than the default ones. Each extension is defined explicitly such that there is no ambiguity on what it is and implementers have a clear specification of what structure they need to support if they choose to support that extension. If an implementer chooses not to implement certain (or any) extensions they need to understand that by doing so they limit their ability to interoperate with other implementers who do implement them. Is it possible for every implementation to be fully interoperable for all information with every other implementation? No. I would argue that this will never be possible because different implementations (CTI platform, analytic workbench, SIEM, malware analysis tool, digital forensic analysis tool, etc.) are focused at doing different things with different information. The key is that they all deal with “cyber threat information” and effective cyber security involves use and integration/orchestration across them and their information. This is why it is important that STIX serve the purpose of an ontology/data-model across the domain serving both localized tactical use cases as well as bridging strategic ones.

And our efforts of making sure we can accommodate every possible use-case, means, that in practical terms no one can actually communicate unless they are using the same software package (which is not realistic).

[sean]First, I would assert that we are certainly NOT "making sure we can accommodate every possible use-case”. Not even close. We are targeting the most common use cases for cyber threat information. That does not mean only the most common use cases from a particular individuals perspective or usage scenarios but across the cyber security landscape. The terms esoteric and niche are often thrown around (not in this message but in others with the same tone and intent) by some who wish to discount the validity or importance of use cases other then theirs. I would request that we avoid derogatory use of terms like these going forward and would further assert that none of the broad set of use cases currently listed on the STIX use-cases wiki are esoteric or niche. They are ALL common use cases occurring as we speak and every day across a broad set of users in the cyber security domain. Ironically, I would say that the use cases on that list that are least common today are ones that are more difficult without something like STIX (e.g. Indicator Sighting Reporting) and are often asserted as the most common ones we need to focus on at the expense of others discounted as esoteric or niche.
And again, the conclusionary statement here is fundamentally untrue. Addressing the set of relevant use cases does not require that everyone use the same product. They simply need to agree on elements of the profiles they will support (based on their use cases) and use products that support those profile elements. Assertions that flexibility is impossible and everyone would have to be using the same product are demonstrably untrue in current use.

Simplicity will gain us adoption, and from adoption we can iterate over time and add features.

I am in strong favor of "one-way-of-doing-things". I am also in strong favor of getting rid of and simplifying the extensibility so that we can guarantee interoperability.

[sean]I would like to request that we stop using the buzzwords “simplicity” and “one-way-of-doing-things” in an ambiguous manner. They are at best distracting and disruptive if used without specifics of what particular issue is being discussed, what specific structure is being deemed too complex, what specific structure is being proposed as “simple” or the "one-way-of-doing-things” and details of how it supports the capabilities of the “complex” structure in a better way or explicitly argues that those capabilities are not relevant. Using them ambiguously is like a politician saying “its for the children”. Of course, we can all agree on the benefit of that, right? Well, unfortunately it typically means we are not all necessarily agreeing on the same thing. What I think is “simple” or the “one-way-of-doing things” is likely different from your thinking on the same terms. Specifics are absolutely necessary. I am very much interested in discussing such issues if we can do so in a manner that is specific.
It looks like it is being used here to imply that the “simplicity” of removing core capability like extensibility is an obviously good thing and gains us adoption. I would argue that this is a naïve presumption. May it gain us adoption for the absolute lowest common denominator? Perhaps. Would it kill adoption for a wide range of uses beyond the lowest common denominator and force those players to seek alternative (and likely competing) solutions? Very likely.
Simplifying and normalizing/standardizing are good things but only as they still fit within what is necessary to actually serve purpose.
Remember, Einstein’s quote is “Everything should be made as simple as possible, but not simpler”. The second half of the quote is absolutely crucial to the principle. Simple alone is not necessarily good but as simple as possible to still serve purpose is.
Where we can identify opportunities to simplify structure and still serve the purposes necessary I will be 100% supportive and always have been (remember, we have done this several times over the last few releases). Where arguments are made that “simplicity” should be pursued at the expense of serving the purposes necessary you will find me skeptical and requiring clear and unassailable justification. I view such defense of the community’s work to date as a key responsibility as an expert and as a co-chair.

To Jason's points, I would suggest we add an option for "other" and we also try to be more diligent about updating the controlled vocabulary. Maybe go so far as to say that every January we will rev the controlled vocabularies.

[sean]Looks like we have found common ground on a need to be more diligent about updating the default controlled vocabularies.



Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

On Oct 22, 2015, at 12:04, Aharon Chernin <achernin@soltra.com<mailto:achernin@soltra.com>> wrote:

In regards to forcing a controlled vocab in STIX 2, I am torn. A controlled vocab would make STIX easier for software developers, but more difficult for product owners who are trying to push the boundaries of STIX within their products. Just the other day I was working on a proposal that had us doing something different with STIX that required us to release a few custom vocab entries. However, I could argue against custom vocabs as I have seen implementations of STIX that do not understand the whole concept of including additional XSDs in the namespace/header portion of the XML document.



Aharon

From: <cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>> on behalf of "Wunder, John A." <jwunder@mitre.org<mailto:jwunder@mitre.org>>
Date: Thursday, October 22, 2015 at 1:14 PM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com<mailto:Jason.Keirstead@ca.ibm.com>>, "Palmer, Cliff A. (NE)" <Cliff.Palmer@gd-ms.com<mailto:Cliff.Palmer@gd-ms.com>>
Cc: "cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>" <cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>>
Subject: Re: [cti-users] Indicator Type / Vocabulary Implementation Questions

It would be nice to understand what software is doing with the field. Does it show up in the UI as a sort/filter? Do you base processing on it?

I heard a recent proposal to remove it entirely. What would be the impact of that?

John

From: <cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com<mailto:Jason.Keirstead@ca.ibm.com>>
Date: Thursday, October 22, 2015 at 1:10 PM
To: "Palmer, Cliff A. (NE)" <Cliff.Palmer@gd-ms.com<mailto:Cliff.Palmer@gd-ms.com>>
Cc: "cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>" <cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>>
Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions


I would agree, but the spec currently lets you put in any string.

I would propose that in STIX 2.0, if the consensus is that it should be a controlled vocabulary, that that be enforced in the spec, and that documents that don't follow the vocabulary are invalid.

I am not looking to do anything with the indicator at all on the recieving end - this is an indicator the software will produce as a result of an automated response. I find the current vocabulary to be very restrictive and full of obvious gaps. Even simple things like "Compromised Host" are absent. Also, all of the instances current vocabulary should be able to be prefixed with "Potential" in my opinion. ("Potential Malware Artifact")

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security<http://www.ibm.com/security> | www.securityintelligence.com<http://www.securityintelligence.com>

Without data, all you are is just another person with an opinion - Unknown


<graycol.gif>"Palmer, Cliff A. (NE)" ---2015/10/22 12:55:52 PM---Jason, it seems to me that there is a value to having a controlled vocabulary for Indicator Type. Y

From: "Palmer, Cliff A. (NE)" <Cliff.Palmer@gd-ms.com<mailto:Cliff.Palmer@gd-ms.com>>
To: Jason Keirstead/CanEast/IBM@IBMCA, "cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>" <cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>>
Date: 2015/10/22 12:55 PM
Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions

________________________________



Jason, it seems to me that there is a value to having a controlled vocabulary for Indicator Type. You can probably enumerate the benefits in your circumstances better than anyone outside of your situation. The value of controlling the vocabulary should translate into a benefit to your users and provide an incentive for adoption.
Others will want to discuss adopting an ontology to control handling of indicators based on type. While my first thought is “There be dragons” (https://en.wikipedia.org/wiki/Here_be_dragons) it’s also true that an indicator type might not be as challenging as other ontologies. Are you able to describe how the indicator type affects the way you understand or treat the indicator?
I have built ontologies and found it interesting work, but it’s definitely non-trivial. I’d like to hear more about how you proceed.

Cliff Palmer

From: cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org> [mailto:cti-users@lists.oasis-open.org] On Behalf Of Jason Keirstead
Sent: Thursday, October 22, 2015 11:18 AM
To: cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>
Subject: [cti-users] Indicator Type / Vocabulary Implementation Questions

HI all, I am producing some new STIX content in an automated fashion, and am looking for feedback on my planned usage of indicator types:

As with many things STIX, the way you do this is so wide open, it makes implementation decisions difficult

"The default vocabulary type is IndicatorTypeVocab-1.1<http://stixproject.github.io/data-model/1.2/stixVocabs/IndicatorTypeVocab-1.1> in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd. Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field."

@see http://stixproject.github.io/data-model/1.2/stixVocabs/IndicatorTypeVocab-1.1/

So essentially, I can stick to the default vocabulary, *OR* I can define my own vocabulary, *OR* I can use it as a free-form string.

The problem i have with the default vocabulary, is this list is very restrictive, and there is no "Other" type.

First question - Has there ever been thought to extending this vocabulary, or adding an "Other" type that one could then annotate in some way? I haven't seen this question come up on the STIX list.

Second question - My other problem is, I can't define a new fixed vocabulary because this is user-generated stuff. I pretty much am stuck with either using the fixed vocabulary, or letting the user type in whatever they want. How many people are sticking to the controlled vocabulary here? If I use this as a free-form string, will it cause some tools to blow up? Anyone have experience here?



-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security<http://www.ibm.com/security> | www.securityintelligence.com<http://www.securityintelligence.com/>

Without data, all you are is just another person with an opinion - Unknown


<graycol.gif>
This publicly archived list provides a forum for asking questions,
offering answers, and discussing topics of interest on STIX,
TAXII, and CybOX. Users and developers of solutions that leverage
STIX, TAXII and CybOX are invited to participate.

In order to verify user consent to OASIS mailing list guidelines
and to minimize spam in the list archive, subscription is required
before posting.

Subscribe: cti-users-subscribe@lists.oasis-open.org<mailto:cti-users-subscribe@lists.oasis-open.org>
Unsubscribe: cti-users-unsubscribe@lists.oasis-open.org<mailto:cti-users-unsubscribe@lists.oasis-open.org>
Post: cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>
List help: cti-users-help@lists.oasis-open.org<mailto:cti-users-help@lists.oasis-open.org>
List archive: http://lists.oasis-open.org/archives/cti-users/
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
CTI Technical Committee: https://www.oasis-open.org/committees/cti/
Join OASIS: http://www.oasis-open.org/join/

Comments inline

From: <cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>> on behalf of Aharon Chernin <achernin@soltra.com<mailto:achernin@soltra.com>>
Date: Thursday, October 22, 2015 at 2:04 PM
To: John Wunder <jwunder@mitre.org<mailto:jwunder@mitre.org>>, Jason Keirstead <Jason.Keirstead@ca.ibm.com<mailto:Jason.Keirstead@ca.ibm.com>>, "Palmer, Cliff A. (NE)" <Cliff.Palmer@gd-ms.com<mailto:Cliff.Palmer@gd-ms.com>>
Cc: "cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>" <cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>>
Subject: Re: [cti-users] Indicator Type / Vocabulary Implementation Questions

In regards to forcing a controlled vocab in STIX 2, I am torn. A controlled vocab would make STIX easier for software developers, but more difficult for product owners who are trying to push the boundaries of STIX within their products.

[sean]I would go further to propose that it is not only "product owners who are trying to push the boundaries of STIX within their products” who would find it more difficult (or in many cases impossible) but also large swaths of users in specific sharing communities or inter-tool exchanges who may need to characterize non-standard and/or more specific values for controlled vocabulary properties.

Just the other day I was working on a proposal that had us doing something different with STIX that required us to release a few custom vocab entries. However, I could argue against custom vocabs as I have seen implementations of STIX that do not understand the whole concept of including additional XSDs in the namespace/header portion of the XML document.

[sean]So, I would argue here that the answer is not to cripple needed capability but rather to find ways to help implementers do things correctly and more easily. I would also say let’s not get caught up in XML-centric issues as that is very likely not going to be the only option going forward.



Aharon

From: <cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>> on behalf of "Wunder, John A." <jwunder@mitre.org<mailto:jwunder@mitre.org>>
Date: Thursday, October 22, 2015 at 1:14 PM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com<mailto:Jason.Keirstead@ca.ibm.com>>, "Palmer, Cliff A. (NE)" <Cliff.Palmer@gd-ms.com<mailto:Cliff.Palmer@gd-ms.com>>
Cc: "cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>" <cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>>
Subject: Re: [cti-users] Indicator Type / Vocabulary Implementation Questions

It would be nice to understand what software is doing with the field. Does it show up in the UI as a sort/filter? Do you base processing on it?

I heard a recent proposal to remove it entirely. What would be the impact of that?

John

From: <cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com<mailto:Jason.Keirstead@ca.ibm.com>>
Date: Thursday, October 22, 2015 at 1:10 PM
To: "Palmer, Cliff A. (NE)" <Cliff.Palmer@gd-ms.com<mailto:Cliff.Palmer@gd-ms.com>>
Cc: "cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>" <cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>>
Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions


I would agree, but the spec currently lets you put in any string.

I would propose that in STIX 2.0, if the consensus is that it should be a controlled vocabulary, that that be enforced in the spec, and that documents that don't follow the vocabulary are invalid.

I am not looking to do anything with the indicator at all on the recieving end - this is an indicator the software will produce as a result of an automated response. I find the current vocabulary to be very restrictive and full of obvious gaps. Even simple things like "Compromised Host" are absent. Also, all of the instances current vocabulary should be able to be prefixed with "Potential" in my opinion. ("Potential Malware Artifact")

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


[Inactive hide details for "Palmer, Cliff A. (NE)" ---2015/10/22 12:55:52 PM---Jason, it seems to me that there is a value to ha]"Palmer, Cliff A. (NE)" ---2015/10/22 12:55:52 PM---Jason, it seems to me that there is a value to having a controlled vocabulary for Indicator Type. Y

From: "Palmer, Cliff A. (NE)" <Cliff.Palmer@gd-ms.com<mailto:Cliff.Palmer@gd-ms.com>>
To: Jason Keirstead/CanEast/IBM@IBMCA, "cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>" <cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>>
Date: 2015/10/22 12:55 PM
Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions

________________________________



Jason, it seems to me that there is a value to having a controlled vocabulary for Indicator Type. You can probably enumerate the benefits in your circumstances better than anyone outside of your situation. The value of controlling the vocabulary should translate into a benefit to your users and provide an incentive for adoption.
Others will want to discuss adopting an ontology to control handling of indicators based on type. While my first thought is “There be dragons” (https://en.wikipedia.org/wiki/Here_be_dragons) it’s also true that an indicator type might not be as challenging as other ontologies. Are you able to describe how the indicator type affects the way you understand or treat the indicator?
I have built ontologies and found it interesting work, but it’s definitely non-trivial. I’d like to hear more about how you proceed.

Cliff Palmer

From: cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org> [mailto:cti-users@lists.oasis-open.org] On Behalf Of Jason Keirstead
Sent: Thursday, October 22, 2015 11:18 AM
To: cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>
Subject: [cti-users] Indicator Type / Vocabulary Implementation Questions

HI all, I am producing some new STIX content in an automated fashion, and am looking for feedback on my planned usage of indicator types:

As with many things STIX, the way you do this is so wide open, it makes implementation decisions difficult

"The default vocabulary type is IndicatorTypeVocab-1.1<http://stixproject.github.io/data-model/1.2/stixVocabs/IndicatorTypeVocab-1.1> in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd. Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field."

@see http://stixproject.github.io/data-model/1.2/stixVocabs/IndicatorTypeVocab-1.1/

So essentially, I can stick to the default vocabulary, *OR* I can define my own vocabulary, *OR* I can use it as a free-form string.

The problem i have with the default vocabulary, is this list is very restrictive, and there is no "Other" type.

First question - Has there ever been thought to extending this vocabulary, or adding an "Other" type that one could then annotate in some way? I haven't seen this question come up on the STIX list.

Second question - My other problem is, I can't define a new fixed vocabulary because this is user-generated stuff. I pretty much am stuck with either using the fixed vocabulary, or letting the user type in whatever they want. How many people are sticking to the controlled vocabulary here? If I use this as a free-form string, will it cause some tools to blow up? Anyone have experience here?



-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security<http://www.ibm.com/security> | www.securityintelligence.com<http://www.securityintelligence.com/>

Without data, all you are is just another person with an opinion - Unknown

Hi,

> I heard a recent proposal to remove it entirely. What would be the
> impact of that?

I had made the suggestion to remove the IncidentType entirely in
my somewhat provocative mail a few weeks ago, in which I wanted
to explore how much potential for simplification in going towards
STIX 2.0 there might be.

Why had I suggested to remove it?

The main reason is that I do not find the values that are currently part of the
standard vocabulary particularly useful:

- Why would I put 'IP Watchlist' or 'Domain Watchlist' or 'File Hash Watchlist'
into the Indicator Type? I could understand "Watchlist", which tells you
to watch for whatever Observable Patterns are indicated in the indicator.

- Another type is 'C2' -- at the same time I have the ability to reference
in the indicator a kill chain phase ... and if the referenced kill chain
is of any use, it will have something corresponding to 'C2'.

Now I have (again) two ways of expressing the same thing ... we have
just stumbled over this issue a few days ago in a sharing group we
are part of: we use the reference to the killchain phase to indicate
C2-activity, others use the indicator type.

Similarly, "Exfiltration" -- should that not be described with a reference
from the indicator to an TTP "Exfiltration"?

Other entries in the standard vocabulary ("Malicious Email", "Host Characteristics")
seem like there would be no end to the list of allowed vocabulary (think
"Malicious <enter CybOX object type here>" as pattern for generating vocabulary...)

My suggestion to get rid of the indicator type was really a bit of a calculated
provocation -- I have no trouble with keeping it in STIX. But we should
ensure that the standard vocabulary is defined such that it really adds
value rather than adding confusion by allowing yet more ways to describe
the same thing in different ways.

Kind regards,

Bernd

----------------

Bernd Grobauer, Siemens CERT

There is a common theme running in our important discourse. It is important for Vendors and those focusing on narrow Use Cases to understand the complexity of APT Intrusions. We understand and *completely* support many of the arguments made for simplicity and easily addressing narrowly focused use cases. If I just need to send a list of IP Address, Domains, etc. to security appliance, then an efficient/consistent/simplified mechanism is absolutely a key CTI requirement.

Those of us who have been dealing with the full scope of APT Targeting, Compromise, Lateral Movement, Entrenchment, repeated Mapping/Exploitation of Victim Organizations and Infrastructure, etc. for many many years (pre Titan Rain) are also key stakeholders in "Our Thing".

We are not pushing for "Complexity" just for complexities sake: we are pushing these higher dimensional representation concepts because this complexity is part of the reality we operate in on a daily basis. If we can't model all of the key elements of Adversary, TTP, and Target Domains, we can't change the Cyber Battle Space dynamics. Doing so globally, across sectors, in real-time, is the "Holy Grail" we seek. No one said this would be easy, but it is a much much better use of our collective energies in comparison to another decade of playing APT Whack-A-Mole and counting Body Bags.

Hopefully I'm not triggering a new wave of "Less Filling" <==> " Tastes Great"

Patrick,

Great description of why are so critical to a number of us. I think you hit the nail o.n the head


Paul Patrick

Sent from my iPhone

> On Oct 23, 2015, at 8:02 AM, Patrick Maroney <Pmaroney@Specere.org> wrote:
>
> There is a common theme running in our important discourse. It is important for Vendors and those focusing on narrow Use Cases to understand the complexity of APT Intrusions. We understand and *completely* support many of the arguments made for simplicity and easily addressing narrowly focused use cases. If I just need to send a list of IP Address, Domains, etc. to security appliance, then an efficient/consistent/simplified mechanism is absolutely a key CTI requirement.
>
> Those of us who have been dealing with the full scope of APT Targeting, Compromise, Lateral Movement, Entrenchment, repeated Mapping/Exploitation of Victim Organizations and Infrastructure, etc. for many many years (pre Titan Rain) are also key stakeholders in "Our Thing".
>
> We are not pushing for "Complexity" just for complexities sake: we are pushing these higher dimensional representation concepts because this complexity is part of the reality we operate in on a daily basis. If we can't model all of the key elements of Adversary, TTP, and Target Domains, we can't change the Cyber Battle Space dynamics. Doing so globally, across sectors, in real-time, is the "Holy Grail" we seek. No one said this would be easy, but it is a much much better use of our collective energies in comparison to another decade of playing APT Whack-A-Mole and counting Body Bags.
>
> Hopefully I'm not triggering a new wave of "Less Filling" <==> " Tastes Great"

Patrick,
Great perspective – it is a common and difficult problem to balance scope, complexity, extensibility and simplicity. The inconvenient truth is that Cyber security is not simple, but we don’t want to introduce arbitrary complexity either.

Well, I’m probably putting a target on my back, but I’m going to suggest that some things that may seem simple do, in fact, introduce more complexity and restriction as reality sets in. (remember when XML was the simple alternative, then we got XML Schema and 100 extensions – same for java).

I have noticed a set of recurring themes that if we could deal with in a consistent way, may help this difficult balance. So just consider these as some thoughts from the peanut gallery.


· Big Vs. complicated.

A very small and simple instance document may be described by a large schema. A large schema in and of its self is not necessarily complex. What is complex is:

o When you have to insert a lot of “stuff” the simple case doesn’t need. Some of this may be inevitable, but it can be mitigated by good design.

o When there are many ways to say the same thing. This is unclear semantics and/or redundant elements.

o When it is not clear how to do the simple thing. This can be mitigated with use case specific documentation (like the “idioms”)

o When large schema/vocabularies/models are not modular so you can look at manageable “chunks”.

· String encoding.
A very common “simplification” is to substitute a reference to a thing with a name or ID usually a string. E.g. victim: ”Joe Smith”. While this seems simple it causes multiple problems that result in downstream complexity. A reference to a thing should always be a type for that thing. E.g. victim: -> person: {name:”Joe Smith”}. Reasons for this are:

o What is in the “string” is unclear and tends to be inconsistent, making interoperability difficult.

o When other “facts” need be said about the thing, you have a place to put them and don’t try and encode it in complex strings.

o If the string is an ID, there is no consistency for the basis for the identifier.

· My hierarchy is not your hierarchy.
While it seems simple to put things in a hierarchy, hierarchies tend to be specific to a use case or perspective. Independent entities should be independent and referenced, not embedded as an attribute. The complexity introduced by some implementation frameworks for references can be a problem – but can be mitigated by a good framework/API. Problems with embedding include:

o The same entity may show up in multiple places, resulting in confusing redundant data.

o Embedded entities may lack identity, making analysis difficult.

o It is hard to “say more about” such an embedded entity or to reference it later.

· There is more to say
When you try and put everything someone may need to know in a single “data package”, the packages become large and very coupled to a single perspective of what must or can be communicated. Having an architecture that allows for accessing additional data – be it extended vocabularies or more information on Joe Smith allows the structures to be smaller, simpler and less coupled. Building the expectation of linking into the architecture allows for this simplicity, which also provides for extensibility. This can also be done in “secure” or partially connected communities by building linking into security and using intermediate data cashes.

o Note: My view is that this is solved: every reference should be a URI, how you “dereference” that URI is where your secure boundaries come in.

· Realistic extension

Some of our technologies fight extensibility and ad-hoc mechanisms are to be built-in to support it, sometimes these mechanisms add complexity. On the other hand, assuming there will never be a need for extension is unrealistic in an open community. Sometimes it is better to:

o Use a technology that allows for extension naturally

o Be realistic about where extensibility is really needed. When it is – use the extensibility mechanisms for everything. E.g. all vocabularies are an “extension”, even if some are considered well known and curated.

· It is obvious what it means

Much design and implementation experiences come from closed or smaller environments than CTI. If, for example, we are integrating 3 systems in company XYZ there is a shared understanding and culture of the team. What things mean, constraints and formats tend to be worked out dynamically – and this is practical in such an environment. In a large and dynamic community it is simply amazing how different people interpret the same things. In a community environment there is a need for clear and precise semantics and, wherever possible, automated validation. Loose specifications will never be interoperable. If not interoperable, what is the point?

· This is the only technology we will need

Whatever it is, there is a favorite of the day and a desire to “just do that”. Well, not everyone will have the same favorites and the style of the day changes (sometimes it seems like we are the fashion industry). Over-committing to a single technology builds that technologies limitations into your solution – which may look really stupid in 5 years. Separation of concerns is vital.

· Real complexity

As a final thought – recognize “real complexity” – if what you are trying to do and communicate is not simple, don’t expect a simple result. The challenge is recognizing and supporting the real complexity in as simple a way as possible. If complexity is being introduced for other than “real” reasons, what is introducing them?

This got longer than intended, sorry about that! If we can find our way to deal with these issues in a consistent way with good design and a supporting implementation framework that makes them easy to deal with we can have a usable balance between simplicity, scope and extensibility.

-Cory Casanave

From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Patrick Maroney
Sent: Friday, October 23, 2015 9:03 AM
To: jason.keirstead@ca.ibm.com; Grobauer, Bernd; jwunder@mitre.org; cliff.palmer@gd-ms.com
Cc: cti-users@lists.oasis-open.org
Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions

There is a common theme running in our important discourse. It is important for Vendors and those focusing on narrow Use Cases to understand the complexity of APT Intrusions. We understand and *completely* support many of the arguments made for simplicity and easily addressing narrowly focused use cases. If I just need to send a list of IP Address, Domains, etc. to security appliance, then an efficient/consistent/simplified mechanism is absolutely a key CTI requirement.

Those of us who have been dealing with the full scope of APT Targeting, Compromise, Lateral Movement, Entrenchment, repeated Mapping/Exploitation of Victim Organizations and Infrastructure, etc. for many many years (pre Titan Rain) are also key stakeholders in "Our Thing".

We are not pushing for "Complexity" just for complexities sake: we are pushing these higher dimensional representation concepts because this complexity is part of the reality we operate in on a daily basis. If we can't model all of the key elements of Adversary, TTP, and Target Domains, we can't change the Cyber Battle Space dynamics. Doing so globally, across sectors, in real-time, is the "Holy Grail" we seek. No one said this would be easy, but it is a much much better use of our collective energies in comparison to another decade of playing APT Whack-A-Mole and counting Body Bags.

Hopefully I'm not triggering a new wave of "Less Filling" <==> " Tastes Great"

Great post.

Thanks Cory.

sean

From: <cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>> on behalf of Cory Casanave <cory-c@modeldriven.com<mailto:cory-c@modeldriven.com>>
Date: Friday, October 23, 2015 at 11:29 AM
To: Patrick Maroney <Pmaroney@Specere.org<mailto:Pmaroney@Specere.org>>, "jason.keirstead@ca.ibm.com<mailto:jason.keirstead@ca.ibm.com>" <jason.keirstead@ca.ibm.com<mailto:jason.keirstead@ca.ibm.com>>, Bernd Grobauer <bernd.grobauer@siemens.com<mailto:bernd.grobauer@siemens.com>>, John Wunder <jwunder@mitre.org<mailto:jwunder@mitre.org>>, "cliff.palmer@gd-ms.com<mailto:cliff.palmer@gd-ms.com>" <cliff.palmer@gd-ms.com<mailto:cliff.palmer@gd-ms.com>>
Cc: "cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>" <cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>>
Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions

Patrick,
Great perspective – it is a common and difficult problem to balance scope, complexity, extensibility and simplicity. The inconvenient truth is that Cyber security is not simple, but we don’t want to introduce arbitrary complexity either.

Well, I’m probably putting a target on my back, but I’m going to suggest that some things that may seem simple do, in fact, introduce more complexity and restriction as reality sets in. (remember when XML was the simple alternative, then we got XML Schema and 100 extensions – same for java).

I have noticed a set of recurring themes that if we could deal with in a consistent way, may help this difficult balance. So just consider these as some thoughts from the peanut gallery.


· Big Vs. complicated.

A very small and simple instance document may be described by a large schema. A large schema in and of its self is not necessarily complex. What is complex is:

o When you have to insert a lot of “stuff” the simple case doesn’t need. Some of this may be inevitable, but it can be mitigated by good design.

o When there are many ways to say the same thing. This is unclear semantics and/or redundant elements.

o When it is not clear how to do the simple thing. This can be mitigated with use case specific documentation (like the “idioms”)

o When large schema/vocabularies/models are not modular so you can look at manageable “chunks”.

· String encoding.
A very common “simplification” is to substitute a reference to a thing with a name or ID usually a string. E.g. victim: ”Joe Smith”. While this seems simple it causes multiple problems that result in downstream complexity. A reference to a thing should always be a type for that thing. E.g. victim: -> person: {name:”Joe Smith”}. Reasons for this are:

o What is in the “string” is unclear and tends to be inconsistent, making interoperability difficult.

o When other “facts” need be said about the thing, you have a place to put them and don’t try and encode it in complex strings.

o If the string is an ID, there is no consistency for the basis for the identifier.

· My hierarchy is not your hierarchy.
While it seems simple to put things in a hierarchy, hierarchies tend to be specific to a use case or perspective. Independent entities should be independent and referenced, not embedded as an attribute. The complexity introduced by some implementation frameworks for references can be a problem – but can be mitigated by a good framework/API. Problems with embedding include:

o The same entity may show up in multiple places, resulting in confusing redundant data.

o Embedded entities may lack identity, making analysis difficult.

o It is hard to “say more about” such an embedded entity or to reference it later.

· There is more to say
When you try and put everything someone may need to know in a single “data package”, the packages become large and very coupled to a single perspective of what must or can be communicated. Having an architecture that allows for accessing additional data – be it extended vocabularies or more information on Joe Smith allows the structures to be smaller, simpler and less coupled. Building the expectation of linking into the architecture allows for this simplicity, which also provides for extensibility. This can also be done in “secure” or partially connected communities by building linking into security and using intermediate data cashes.

o Note: My view is that this is solved: every reference should be a URI, how you “dereference” that URI is where your secure boundaries come in.

· Realistic extension

Some of our technologies fight extensibility and ad-hoc mechanisms are to be built-in to support it, sometimes these mechanisms add complexity. On the other hand, assuming there will never be a need for extension is unrealistic in an open community. Sometimes it is better to:

o Use a technology that allows for extension naturally

o Be realistic about where extensibility is really needed. When it is – use the extensibility mechanisms for everything. E.g. all vocabularies are an “extension”, even if some are considered well known and curated.

· It is obvious what it means

Much design and implementation experiences come from closed or smaller environments than CTI. If, for example, we are integrating 3 systems in company XYZ there is a shared understanding and culture of the team. What things mean, constraints and formats tend to be worked out dynamically – and this is practical in such an environment. In a large and dynamic community it is simply amazing how different people interpret the same things. In a community environment there is a need for clear and precise semantics and, wherever possible, automated validation. Loose specifications will never be interoperable. If not interoperable, what is the point?

· This is the only technology we will need

Whatever it is, there is a favorite of the day and a desire to “just do that”. Well, not everyone will have the same favorites and the style of the day changes (sometimes it seems like we are the fashion industry). Over-committing to a single technology builds that technologies limitations into your solution – which may look really stupid in 5 years. Separation of concerns is vital.

· Real complexity

As a final thought – recognize “real complexity” – if what you are trying to do and communicate is not simple, don’t expect a simple result. The challenge is recognizing and supporting the real complexity in as simple a way as possible. If complexity is being introduced for other than “real” reasons, what is introducing them?

This got longer than intended, sorry about that! If we can find our way to deal with these issues in a consistent way with good design and a supporting implementation framework that makes them easy to deal with we can have a usable balance between simplicity, scope and extensibility.

-Cory Casanave

From: cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org> [mailto:cti-users@lists.oasis-open.org] On Behalf Of Patrick Maroney
Sent: Friday, October 23, 2015 9:03 AM
To: jason.keirstead@ca.ibm.com<mailto:jason.keirstead@ca.ibm.com>; Grobauer, Bernd; jwunder@mitre.org<mailto:jwunder@mitre.org>; cliff.palmer@gd-ms.com<mailto:cliff.palmer@gd-ms.com>
Cc: cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>
Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions

There is a common theme running in our important discourse. It is important for Vendors and those focusing on narrow Use Cases to understand the complexity of APT Intrusions. We understand and *completely* support many of the arguments made for simplicity and easily addressing narrowly focused use cases. If I just need to send a list of IP Address, Domains, etc. to security appliance, then an efficient/consistent/simplified mechanism is absolutely a key CTI requirement.

Those of us who have been dealing with the full scope of APT Targeting, Compromise, Lateral Movement, Entrenchment, repeated Mapping/Exploitation of Victim Organizations and Infrastructure, etc. for many many years (pre Titan Rain) are also key stakeholders in "Our Thing".

We are not pushing for "Complexity" just for complexities sake: we are pushing these higher dimensional representation concepts because this complexity is part of the reality we operate in on a daily basis. If we can't model all of the key elements of Adversary, TTP, and Target Domains, we can't change the Cyber Battle Space dynamics. Doing so globally, across sectors, in real-time, is the "Holy Grail" we seek. No one said this would be easy, but it is a much much better use of our collective energies in comparison to another decade of playing APT Whack-A-Mole and counting Body Bags.

Hopefully I'm not triggering a new wave of "Less Filling" <==> " Tastes Great"

Yes Great post. (Apologies catching up!)

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA | An FS-ISAC and DTCC Company
+61 (407) 203 206 | terry@soltra.com<mailto:terry@soltra.com>


From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Barnum, Sean D.
Sent: Saturday, 24 October 2015 2:41 AM
To: Cory Casanave <cory-c@modeldriven.com>; Patrick Maroney <Pmaroney@Specere.org>; jason.keirstead@ca.ibm.com; Grobauer, Bernd <bernd.grobauer@siemens.com>; Wunder, John A. <jwunder@mitre.org>; cliff.palmer@gd-ms.com
Cc: cti-users@lists.oasis-open.org
Subject: Re: [cti-users] Indicator Type / Vocabulary Implementation Questions

Great post.

Thanks Cory.

sean

From: <cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>> on behalf of Cory Casanave <cory-c@modeldriven.com<mailto:cory-c@modeldriven.com>>
Date: Friday, October 23, 2015 at 11:29 AM
To: Patrick Maroney <Pmaroney@Specere.org<mailto:Pmaroney@Specere.org>>, "jason.keirstead@ca.ibm.com<mailto:jason.keirstead@ca.ibm.com>" <jason.keirstead@ca.ibm.com<mailto:jason.keirstead@ca.ibm.com>>, Bernd Grobauer <bernd.grobauer@siemens.com<mailto:bernd.grobauer@siemens.com>>, John Wunder <jwunder@mitre.org<mailto:jwunder@mitre.org>>, "cliff.palmer@gd-ms.com<mailto:cliff.palmer@gd-ms.com>" <cliff.palmer@gd-ms.com<mailto:cliff.palmer@gd-ms.com>>
Cc: "cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>" <cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>>
Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions

Patrick,
Great perspective – it is a common and difficult problem to balance scope, complexity, extensibility and simplicity. The inconvenient truth is that Cyber security is not simple, but we don’t want to introduce arbitrary complexity either.

Well, I’m probably putting a target on my back, but I’m going to suggest that some things that may seem simple do, in fact, introduce more complexity and restriction as reality sets in. (remember when XML was the simple alternative, then we got XML Schema and 100 extensions – same for java).

I have noticed a set of recurring themes that if we could deal with in a consistent way, may help this difficult balance. So just consider these as some thoughts from the peanut gallery.


· Big Vs. complicated.

A very small and simple instance document may be described by a large schema. A large schema in and of its self is not necessarily complex. What is complex is:

o When you have to insert a lot of “stuff” the simple case doesn’t need. Some of this may be inevitable, but it can be mitigated by good design.

o When there are many ways to say the same thing. This is unclear semantics and/or redundant elements.

o When it is not clear how to do the simple thing. This can be mitigated with use case specific documentation (like the “idioms”)

o When large schema/vocabularies/models are not modular so you can look at manageable “chunks”.

· String encoding.
A very common “simplification” is to substitute a reference to a thing with a name or ID usually a string. E.g. victim: ”Joe Smith”. While this seems simple it causes multiple problems that result in downstream complexity. A reference to a thing should always be a type for that thing. E.g. victim: -> person: {name:”Joe Smith”}. Reasons for this are:

o What is in the “string” is unclear and tends to be inconsistent, making interoperability difficult.

o When other “facts” need be said about the thing, you have a place to put them and don’t try and encode it in complex strings.

o If the string is an ID, there is no consistency for the basis for the identifier.

· My hierarchy is not your hierarchy.
While it seems simple to put things in a hierarchy, hierarchies tend to be specific to a use case or perspective. Independent entities should be independent and referenced, not embedded as an attribute. The complexity introduced by some implementation frameworks for references can be a problem – but can be mitigated by a good framework/API. Problems with embedding include:

o The same entity may show up in multiple places, resulting in confusing redundant data.

o Embedded entities may lack identity, making analysis difficult.

o It is hard to “say more about” such an embedded entity or to reference it later.

· There is more to say
When you try and put everything someone may need to know in a single “data package”, the packages become large and very coupled to a single perspective of what must or can be communicated. Having an architecture that allows for accessing additional data – be it extended vocabularies or more information on Joe Smith allows the structures to be smaller, simpler and less coupled. Building the expectation of linking into the architecture allows for this simplicity, which also provides for extensibility. This can also be done in “secure” or partially connected communities by building linking into security and using intermediate data cashes.

o Note: My view is that this is solved: every reference should be a URI, how you “dereference” that URI is where your secure boundaries come in.

· Realistic extension

Some of our technologies fight extensibility and ad-hoc mechanisms are to be built-in to support it, sometimes these mechanisms add complexity. On the other hand, assuming there will never be a need for extension is unrealistic in an open community. Sometimes it is better to:

o Use a technology that allows for extension naturally

o Be realistic about where extensibility is really needed. When it is – use the extensibility mechanisms for everything. E.g. all vocabularies are an “extension”, even if some are considered well known and curated.

· It is obvious what it means

Much design and implementation experiences come from closed or smaller environments than CTI. If, for example, we are integrating 3 systems in company XYZ there is a shared understanding and culture of the team. What things mean, constraints and formats tend to be worked out dynamically – and this is practical in such an environment. In a large and dynamic community it is simply amazing how different people interpret the same things. In a community environment there is a need for clear and precise semantics and, wherever possible, automated validation. Loose specifications will never be interoperable. If not interoperable, what is the point?

· This is the only technology we will need

Whatever it is, there is a favorite of the day and a desire to “just do that”. Well, not everyone will have the same favorites and the style of the day changes (sometimes it seems like we are the fashion industry). Over-committing to a single technology builds that technologies limitations into your solution – which may look really stupid in 5 years. Separation of concerns is vital.

· Real complexity

As a final thought – recognize “real complexity” – if what you are trying to do and communicate is not simple, don’t expect a simple result. The challenge is recognizing and supporting the real complexity in as simple a way as possible. If complexity is being introduced for other than “real” reasons, what is introducing them?

This got longer than intended, sorry about that! If we can find our way to deal with these issues in a consistent way with good design and a supporting implementation framework that makes them easy to deal with we can have a usable balance between simplicity, scope and extensibility.

-Cory Casanave

From: cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org> [mailto:cti-users@lists.oasis-open.org] On Behalf Of Patrick Maroney
Sent: Friday, October 23, 2015 9:03 AM
To: jason.keirstead@ca.ibm.com<mailto:jason.keirstead@ca.ibm.com>; Grobauer, Bernd; jwunder@mitre.org<mailto:jwunder@mitre.org>; cliff.palmer@gd-ms.com<mailto:cliff.palmer@gd-ms.com>
Cc: cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>
Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions

There is a common theme running in our important discourse. It is important for Vendors and those focusing on narrow Use Cases to understand the complexity of APT Intrusions. We understand and *completely* support many of the arguments made for simplicity and easily addressing narrowly focused use cases. If I just need to send a list of IP Address, Domains, etc. to security appliance, then an efficient/consistent/simplified mechanism is absolutely a key CTI requirement.

Those of us who have been dealing with the full scope of APT Targeting, Compromise, Lateral Movement, Entrenchment, repeated Mapping/Exploitation of Victim Organizations and Infrastructure, etc. for many many years (pre Titan Rain) are also key stakeholders in "Our Thing".

We are not pushing for "Complexity" just for complexities sake: we are pushing these higher dimensional representation concepts because this complexity is part of the reality we operate in on a daily basis. If we can't model all of the key elements of Adversary, TTP, and Target Domains, we can't change the Cyber Battle Space dynamics. Doing so globally, across sectors, in real-time, is the "Holy Grail" we seek. No one said this would be easy, but it is a much much better use of our collective energies in comparison to another decade of playing APT Whack-A-Mole and counting Body Bags.

Hopefully I'm not triggering a new wave of "Less Filling" <==> " Tastes Great"

Note, I have made this reply to CTI-STIX from CTI-Users I agree pretty much 100% with what you say Bernd. I see there is a bit of a conflict here - There is obviously a need to have a controlled vocabulary, so that tools and researchers can share categorized intelligence efficiently; however... - The current vocabulary list is seemingly arbitrary - and has many gaps, and also redundancies, as you mentioned. Off the top of my head it should have 2x - 3x as many options, and like you mention, some are redundant. I totally agree that it makes no sense to have different Watchlist types when that can be inferred easily from the data. Due to how STIX 1.X is constructed, we can easily revision this vocabulary as a non-breaking change. I would propose that the STIX TC undertake a work product to revision this vocabulary. This is a "quick win" that the TC can provide. If desired - I would volunteer to take the initial stab at extending the vocabulary. - Jason Keirstead Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security www.securityintelligence.com Without data, all you are is just another person with an opinion - Unknown "Grobauer, Bernd" ---2015/10/23 07:50:32 AM---Hi, > I heard a recent proposal to remove it entirely. What would be the From: "Grobauer, Bernd" <Bernd.Grobauer@siemens.com> To: "jwunder@mitre.org" <jwunder@mitre.org>, Jason Keirstead/CanEast/IBM@IBMCA, "Cliff.Palmer@gd-ms.com" <Cliff.Palmer@gd-ms.com> Cc: "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org> Date: 2015/10/23 07:50 AM Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions Sent by: <cti-users@lists.oasis-open.org> Hi, > I heard a recent proposal to remove it entirely. What would be the > impact of that? I had made the suggestion to remove the IncidentType entirely in my somewhat provocative mail a few weeks ago, in which I wanted to explore how much potential for simplification in going towards STIX 2.0 there might be. Why had I suggested to remove it? The main reason is that I do not find the values that are currently part of the standard vocabulary particularly useful: - Why would I put 'IP Watchlist' or 'Domain Watchlist' or 'File Hash Watchlist'  into the Indicator Type? I could understand "Watchlist", which tells you  to watch for whatever Observable Patterns are indicated in the indicator. - Another type is 'C2' -- at the same time I have the ability to reference  in the indicator a kill chain phase ... and if the referenced kill chain  is of any use, it will have something corresponding to 'C2'.  Now I have (again) two ways of expressing the same thing ... we have  just stumbled over this issue a few days ago in a sharing group we  are part of: we use the reference to the killchain phase to indicate  C2-activity, others use the indicator type.  Similarly, "Exfiltration" -- should that not be described with a reference  from the indicator to an TTP "Exfiltration"? Other entries in the standard vocabulary ("Malicious Email", "Host Characteristics") seem like there would be no end to the list of allowed vocabulary (think "Malicious <enter CybOX object type here>" as pattern for generating vocabulary...) My suggestion to get rid of the indicator type was really a bit of a calculated provocation -- I have no trouble with keeping it in STIX. But we should ensure that the standard vocabulary is defined such that it really adds value rather than adding confusion by allowing yet more ways to describe the same thing in different ways. Kind regards, Bernd ---------------- Bernd Grobauer, Siemens CERT

>If desired - I would volunteer to take the initial stab at extending the vocabulary.


Yes, please. :-)


I would suggest a first step of making sure their is an issue for this in the tracker.


Thank you Jason.


sean








From: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org > on behalf of Jason Keirstead < Jason.Keirstead@ca.ibm.com >
Date: Friday, October 23, 2015 at 9:38 AM
To: Bernd Grobauer < Bernd.Grobauer@siemens.com >
Cc: John Wunder < jwunder@mitre.org >, " Cliff.Palmer@gd-ms.com " < Cliff.Palmer@gd-ms.com >, " cti-stix@lists.oasis-open.org "
< cti-stix@lists.oasis-open.org >
Subject: [cti-stix] RE: [cti-users] Indicator Type / Vocabulary Implementation Questions





Note, I have made this reply to CTI-STIX from CTI-Users

I agree pretty much 100% with what you say Bernd. I see there is a bit of a conflict here

- There is obviously a need to have a controlled vocabulary, so that tools and researchers can share categorized intelligence efficiently; however...

- The current vocabulary list is seemingly arbitrary - and has many gaps, and also redundancies, as you mentioned. Off the top of my head it should have 2x - 3x as many options, and like you mention, some are redundant. I totally agree that it makes no sense
to have different Watchlist types when that can be inferred easily from the data.

Due to how STIX 1.X is constructed, we can easily revision this vocabulary as a non-breaking change. I would propose that the STIX TC undertake a work product to revision this vocabulary. This is a "quick win" that the TC can provide.

If desired - I would volunteer to take the initial stab at extending the vocabulary.

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


"Grobauer,
Bernd" ---2015/10/23 07:50:32 AM---Hi, > I heard a recent proposal to remove it entirely. What would be the

From: "Grobauer, Bernd" < Bernd.Grobauer@siemens.com >
To: " jwunder@mitre.org " < jwunder@mitre.org >, Jason Keirstead/CanEast/IBM@IBMCA, " Cliff.Palmer@gd-ms.com "
< Cliff.Palmer@gd-ms.com >
Cc: " cti-users@lists.oasis-open.org " < cti-users@lists.oasis-open.org >
Date: 2015/10/23 07:50 AM
Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions
Sent by: < cti-users@lists.oasis-open.org >





Hi,

> I heard a recent proposal to remove it entirely. What would be the
> impact of that?

I had made the suggestion to remove the IncidentType entirely in
my somewhat provocative mail a few weeks ago, in which I wanted
to explore how much potential for simplification in going towards
STIX 2.0 there might be.

Why had I suggested to remove it?

The main reason is that I do not find the values that are currently part of the
standard vocabulary particularly useful:

- Why would I put 'IP Watchlist' or 'Domain Watchlist' or 'File Hash Watchlist'
 into the Indicator Type? I could understand "Watchlist", which tells you
 to watch for whatever Observable Patterns are indicated in the indicator.

- Another type is 'C2' -- at the same time I have the ability to reference
 in the indicator a kill chain phase ... and if the referenced kill chain
 is of any use, it will have something corresponding to 'C2'.

 Now I have (again) two ways of expressing the same thing ... we have
 just stumbled over this issue a few days ago in a sharing group we
 are part of: we use the reference to the killchain phase to indicate
 C2-activity, others use the indicator type.

 Similarly, "Exfiltration" -- should that not be described with a reference
 from the indicator to an TTP "Exfiltration"?

Other entries in the standard vocabulary ("Malicious Email", "Host Characteristics")
seem like there would be no end to the list of allowed vocabulary (think
"Malicious <enter CybOX object type here>" as pattern for generating vocabulary...)

My suggestion to get rid of the indicator type was really a bit of a calculated
provocation -- I have no trouble with keeping it in STIX. But we should
ensure that the standard vocabulary is defined such that it really adds
value rather than adding confusion by allowing yet more ways to describe
the same thing in different ways.

Kind regards,

Bernd

----------------

Bernd Grobauer, Siemens CERT

Bernd,

I definitely agree with you that the IndicatorType default vocab needs a lot of love and additional attention.
The current values came from the input of the community and what people wanted but everyone always knew it needed improving.

May I suggest that rather than talking about removing the property that we instead have a structured discussion around collaboratively improving the values and more directly characterizing how different players may wish to use that property and its values?

I think the first step would be to enter an issue in the tracker for this so that we can get it on the table. I also agree with an earlier statement that the issue of default vocab values has clear overlap with the interoperability SC so while we need to work internally within the STIX SC for ensuring our default vocabs have the appropriate values for STIX use cases it probably also makes sense to work at a higher level on the process by which we define and manage the various default controlled vocabs.

As an aside, it may be useful to know that one of the uses for the IndicatorType property that some community members expressed intent for in the past was for aiding in automated filtering and orchestration of Indicators upon ingest. For example, automated routing of 'IP Watchlist' or 'Domain Watchlist’ Indicators to network analysts or tools while routing 'File Hash Watchlist’ to host/endpoint analysts or tools or routing “Malware Artifacts” or “C2” to malware analysts for further investigation.
I don’t necessarily think that saying “C2” in IndicatorType and associating the Indicator with “Command and Control” as a Kill Chain phase are the same thing. They are both mentioning C2 but for different reasons and in different contexts.
Just thought I would point out how some have mentioned using the property.

sean




On 10/23/15, 6:49 AM, "cti-users@lists.oasis-open.org on behalf of Grobauer, Bernd" <cti-users@lists.oasis-open.org on behalf of Bernd.Grobauer@siemens.com> wrote:

>Hi,
>
>> I heard a recent proposal to remove it entirely. What would be the
>> impact of that?
>
>I had made the suggestion to remove the IncidentType entirely in
>my somewhat provocative mail a few weeks ago, in which I wanted
>to explore how much potential for simplification in going towards
>STIX 2.0 there might be.
>
>Why had I suggested to remove it?
>
>The main reason is that I do not find the values that are currently part of the
>standard vocabulary particularly useful:
>
>- Why would I put 'IP Watchlist' or 'Domain Watchlist' or 'File Hash Watchlist'
> into the Indicator Type? I could understand "Watchlist", which tells you
> to watch for whatever Observable Patterns are indicated in the indicator.
>
>- Another type is 'C2' -- at the same time I have the ability to reference
> in the indicator a kill chain phase ... and if the referenced kill chain
> is of any use, it will have something corresponding to 'C2'.
>
> Now I have (again) two ways of expressing the same thing ... we have
> just stumbled over this issue a few days ago in a sharing group we
> are part of: we use the reference to the killchain phase to indicate
> C2-activity, others use the indicator type.
>
> Similarly, "Exfiltration" -- should that not be described with a reference
> from the indicator to an TTP "Exfiltration"?
>
>Other entries in the standard vocabulary ("Malicious Email", "Host Characteristics")
>seem like there would be no end to the list of allowed vocabulary (think
>"Malicious <enter CybOX object type here>" as pattern for generating vocabulary...)
>
>My suggestion to get rid of the indicator type was really a bit of a calculated
>provocation -- I have no trouble with keeping it in STIX. But we should
>ensure that the standard vocabulary is defined such that it really adds
>value rather than adding confusion by allowing yet more ways to describe
>the same thing in different ways.
>
>Kind regards,
>
>Bernd
>
>----------------
>
>Bernd Grobauer, Siemens CERT
>
>
>
>

I have created an issue for this as when I was reviewing the vocab list, it
did not cover our use case.

The issue I created:
https://github.com/STIXProject/specifications/issues/35

I believe that this will help people use the Vocab better, and may reduce
the need for custom vocabs.

Please comment on this issue to provide feed back.

Thanks.

I have included the text of the issue here for reference:
There is a discussion on cti-users and cti-stix about improving the
IndicatorTypeVocab.

I believe that having a vocab is a useful thing. But I believe the existing
vocab needs to be improved.

First off, type information, like e-mail, ip, file hash, domain, etc.
should be removed. You should/must be able to get this information from the
Observable that is part of the Indicator.

For one, there is no vocab to describe a malicious observiable, say network
packet, stream, or other activity. Though if the e-mail type is removed
from Malicious E-mail, and it just became Malicious (Observable), then we
would have something.

Removing type information would reduce the IndicatorTypeVocab down to:
Compromised
Malicious
Watchlist
C2
Anonymization
Exfiltration

The first three are interesting, Compromised means that this Observable
indicates that you ARE compromised. The Malicious means that you WILL be
compromised by this Observable and Watchlist means that you MAY get
compromised by this Observable.

Arguably, C2 should fall under Compromised, but as it probably requires
further investigation to figure out the original compromised host, I'm fine
leaving this as it's own separate type.

On Fri, Oct 23, 2015 at 7:19 AM, Barnum, Sean D. <sbarnum@mitre.org> wrote:

> I think the first step would be to enter an issue in the tracker for this
> so that we can get it on the table. I also agree with an earlier statement
> that the issue of default vocab values has clear overlap with the
> interoperability SC so while we need to work internally within the STIX SC
> for ensuring our default vocabs have the appropriate values for STIX use
> cases it probably also makes sense to work at a higher level on the process
> by which we define and manage the various default controlled vocabs.

I have created an issue for this as when I was reviewing the vocab list, it did not cover our use case. The issue I created: https://github.com/STIXProject/specifications/issues/35 I believe that this will help people use the Vocab better, and may reduce the need for custom vocabs. Please comment on this issue to provide feed back. Thanks. I have included the text of the issue here for reference: There is a discussion on cti-users and cti-stix about improving the IndicatorTypeVocab. I believe that having a vocab is a useful thing. But I believe the existing vocab needs to be improved. First off, type information, like e-mail, ip, file hash, domain, etc. should be removed. You should/must be able to get this information from the Observable that is part of the Indicator. For one, there is no vocab to describe a malicious observiable, say network packet, stream, or other activity. Though if the e-mail type is removed from Malicious E-mail, and it just became Malicious (Observable), then we would have something. Removing type information would reduce the IndicatorTypeVocab down to: Compromised Malicious Watchlist C2 Anonymization Exfiltration The first three are interesting, Compromised means that this Observable indicates that you ARE compromised. The Malicious means that you WILL be compromised by this Observable and Watchlist means that you MAY get compromised by this Observable. Arguably, C2 should fall under Compromised, but as it probably requires further investigation to figure out the original compromised host, I'm fine leaving this as it's own separate type. On Fri, Oct 23, 2015 at 7:19 AM, Barnum, Sean D. < sbarnum@mitre.org > wrote: I think the first step would be to enter an issue in the tracker for this so that we can get it on the table. I also agree with an earlier statement that the issue of default vocab values has clear overlap with the interoperability SC so while we need to work internally within the STIX SC for ensuring our default vocabs have the appropriate values for STIX use cases it probably also makes sense to work at a higher level on the process by which we define and manage the various default controlled vocabs.

I like the direction this is going

"Removing type information would reduce the IndicatorTypeVocab down to:
Compromised
Malicious
Watchlist
C2
Anonymization
Exfiltration
"

This is very similar to what I have been working through

This was my internal list so far - thoughts?

Anomalous Activity
Malicious Activity
Command and Control *
Anonymization
Data Exfiltration
Lateral Movement
Privilege Escalation
Reconnaissance
Host/Process Compromise
Watchlist
Quantified Risk
Policy Violation **


* I prefer descriptive names other than acronyms like "C2", it makes it
easier for translation purposes.

** Not sure about this one... its kind of straying outside the CTI realm..
although i do see a great value / need for it in the vocabulary.

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown




From: John-Mark Gurney <jmg@newcontext.com>
To: "Barnum, Sean D." <sbarnum@mitre.org>
Cc: "Grobauer, Bernd" <Bernd.Grobauer@siemens.com>, "Wunder, John
A." <jwunder@mitre.org>, Jason Keirstead/CanEast/IBM@IBMCA,
"Cliff.Palmer@gd-ms.com" <Cliff.Palmer@gd-ms.com>,
"cti-users@lists.oasis-open.org"
<cti-users@lists.oasis-open.org>, cti-stix@lists.oasis-open.org
Date: 2015/10/23 03:57 PM
Subject: [cti-stix] Re: [cti-users] Indicator Type / Vocabulary
Implementation Questions
Sent by: <cti-stix@lists.oasis-open.org>



I have created an issue for this as when I was reviewing the vocab list, it
did not cover our use case.

The issue I created:
https://github.com/STIXProject/specifications/issues/35

I believe that this will help people use the Vocab better, and may reduce
the need for custom vocabs.

Please comment on this issue to provide feed back.

Thanks.

I have included the text of the issue here for reference:
There is a discussion on cti-users and cti-stix about improving the
IndicatorTypeVocab.

I believe that having a vocab is a useful thing. But I believe the existing
vocab needs to be improved.

First off, type information, like e-mail, ip, file hash, domain, etc.
should be removed. You should/must be able to get this information from the
Observable that is part of the Indicator.

For one, there is no vocab to describe a malicious observiable, say network
packet, stream, or other activity. Though if the e-mail type is removed
from Malicious E-mail, and it just became Malicious (Observable), then we
would have something.

Removing type information would reduce the IndicatorTypeVocab down to:
Compromised
Malicious
Watchlist
C2
Anonymization
Exfiltration

The first three are interesting, Compromised means that this Observable
indicates that you ARE compromised. The Malicious means that you WILL be
compromised by this Observable and Watchlist means that you MAY get
compromised by this Observable.

Arguably, C2 should fall under Compromised, but as it probably requires
further investigation to figure out the original compromised host, I'm fine
leaving this as it's own separate type.

On Fri, Oct 23, 2015 at 7:19 AM, Barnum, Sean D. <sbarnum@mitre.org> wrote:
I think the first step would be to enter an issue in the tracker for this
so that we can get it on the table. I also agree with an earlier
statement that the issue of default vocab values has clear overlap with
the interoperability SC so while we need to work internally within the
STIX SC for ensuring our default vocabs have the appropriate values for
STIX use cases it probably also makes sense to work at a higher level on
the process by which we define and manage the various default controlled
vocabs.

Jason, How would you feel this relates to killchain? J Sent from my iPhone On 24 Oct 2015, at 11:05, Jason Keirstead < Jason.Keirstead@ca.ibm.com > wrote: I like the direction this is going " Removing type information would reduce the IndicatorTypeVocab down to: Compromised Malicious Watchlist C2 Anonymization Exfiltration " This is very similar to what I have been working through This was my internal list so far - thoughts? Anomalous Activity Malicious Activity Command and Control * Anonymization Data Exfiltration Lateral Movement Privilege Escalation Reconnaissance Host/Process Compromise Watchlist Quantified Risk Policy Violation ** * I prefer descriptive names other than acronyms like "C2", it makes it easier for translation purposes. ** Not sure about this one... its kind of straying outside the CTI realm.. although i do see a great value / need for it in the vocabulary. - Jason Keirstead Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security www.securityintelligence.com Without data, all you are is just another person with an opinion - Unknown <graycol.gif> John-Mark Gurney ---2015/10/23 03:57:30 PM---I have created an issue for this as when I was reviewing the vocab list, it did not cover our use ca From: John-Mark Gurney < jmg@newcontext.com > To: "Barnum, Sean D." < sbarnum@mitre.org > Cc: "Grobauer, Bernd" < Bernd.Grobauer@siemens.com >, "Wunder, John A." < jwunder@mitre.org >, Jason Keirstead/CanEast/IBM@IBMCA, " Cliff.Palmer@gd-ms.com " < Cliff.Palmer@gd-ms.com >, " cti-users@lists.oasis-open.org " < cti-users@lists.oasis-open.org >, cti-stix@lists.oasis-open.org Date: 2015/10/23 03:57 PM Subject: [cti-stix] Re: [cti-users] Indicator Type / Vocabulary Implementation Questions Sent by: < cti-stix@lists.oasis-open.org > I have created an issue for this as when I was reviewing the vocab list, it did not cover our use case. The issue I created: https://github.com/STIXProject/specifications/issues/35 I believe that this will help people use the Vocab better, and may reduce the need for custom vocabs. Please comment on this issue to provide feed back. Thanks. I have included the text of the issue here for reference: There is a discussion on cti-users and cti-stix about improving the IndicatorTypeVocab. I believe that having a vocab is a useful thing. But I believe the existing vocab needs to be improved. First off, type information, like e-mail, ip, file hash, domain, etc. should be removed. You should/must be able to get this information from the Observable that is part of the Indicator. For one, there is no vocab to describe a malicious observiable, say network packet, stream, or other activity. Though if the e-mail type is removed from Malicious E-mail, and it just became Malicious (Observable), then we would have something. Removing type information would reduce the IndicatorTypeVocab down to: Compromised Malicious Watchlist C2 Anonymization Exfiltration The first three are interesting, Compromised means that this Observable indicates that you ARE compromised. The Malicious means that you WILL be compromised by this Observable and Watchlist means that you MAY get compromised by this Observable. Arguably, C2 should fall under Compromised, but as it probably requires further investigation to figure out the original compromised host, I'm fine leaving this as it's own separate type. On Fri, Oct 23, 2015 at 7:19 AM, Barnum, Sean D. < sbarnum@mitre.org > wrote: I think the first step would be to enter an issue in the tracker for this so that we can get it on the table. I also agree with an earlier statement that the issue of default vocab values has clear overlap with the interoperability SC so while we need to work internally within the STIX SC for ensuring our default vocabs have the appropriate values for STIX use cases it probably also makes sense to work at a higher level on the process by which we define and manage the various default controlled vocabs.

Should be pretty self-explanatory....

Anomalous Activity <Could be any but usually
Reconnaissance/Weaponization/Delivery>
Malicious Activity <Delivery / Exploitation>
Command and Control

Should be pretty self-explanatory.... Anomalous Activity <Could be any but usually Reconnaissance/Weaponization/Delivery> Malicious Activity <Delivery / Exploitation> Command and Control <Command and Control> Anonymization <Actions> Data Exfiltration <Actions> Lateral Movement <Installation> Privilege Escalation <Installation> Reconnaissance < Reconnaissance > Host/Process Compromise <Installation> Watchlist <N/A> Quantified Risk <N/A> Policy Violation ** <N/A> - Jason Keirstead Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security www.securityintelligence.com Without data, all you are is just another person with an opinion - Unknown Joep Gommers ---2015/10/24 06:33:42 AM---Jason, How would you feel this relates to killchain? From: Joep Gommers <joep@eclecticiq.com> To: Jason Keirstead/CanEast/IBM@IBMCA Cc: John-Mark Gurney <jmg@newcontext.com>, "Barnum, Sean D." <sbarnum@mitre.org>, "Grobauer, Bernd" <Bernd.Grobauer@siemens.com>, "Wunder, John A." <jwunder@mitre.org>, "Cliff.Palmer@gd-ms.com" <Cliff.Palmer@gd-ms.com>, "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> Date: 2015/10/24 06:33 AM Subject: Re: [cti-users] Re: [cti-stix] Re: [cti-users] Indicator Type / Vocabulary Implementation Questions Jason, How would you feel this relates to killchain? J Sent from my iPhone On 24 Oct 2015, at 11:05, Jason Keirstead < Jason.Keirstead@ca.ibm.com > wrote: I like the direction this is going " Removing type information would reduce the IndicatorTypeVocab down to: Compromised Malicious Watchlist C2 Anonymization Exfiltration " This is very similar to what I have been working through This was my internal list so far - thoughts? Anomalous Activity Malicious Activity Command and Control * Anonymization Data Exfiltration Lateral Movement Privilege Escalation Reconnaissance Host/Process Compromise Watchlist Quantified Risk Policy Violation ** * I prefer descriptive names other than acronyms like "C2", it makes it easier for translation purposes. ** Not sure about this one... its kind of straying outside the CTI realm.. although i do see a great value / need for it in the vocabulary. - Jason Keirstead Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security www.securityintelligence.com Without data, all you are is just another person with an opinion - Unknown <graycol.gif> John-Mark Gurney ---2015/10/23 03:57:30 PM---I have created an issue for this as when I was reviewing the vocab list, it did not cover our use ca From: John-Mark Gurney < jmg@newcontext.com > To: "Barnum, Sean D." < sbarnum@mitre.org > Cc: "Grobauer, Bernd" < Bernd.Grobauer@siemens.com >, "Wunder, John A." < jwunder@mitre.org >, Jason Keirstead/CanEast/IBM@IBMCA, " Cliff.Palmer@gd-ms.com " < Cliff.Palmer@gd-ms.com >, " cti-users@lists.oasis-open.org " < cti-users@lists.oasis-open.org >, cti-stix@lists.oasis-open.org Date: 2015/10/23 03:57 PM Subject: [cti-stix] Re: [cti-users] Indicator Type / Vocabulary Implementation Questions Sent by: < cti-stix@lists.oasis-open.org > I have created an issue for this as when I was reviewing the vocab list, it did not cover our use case. The issue I created: https://github.com/STIXProject/specifications/issues/35 I believe that this will help people use the Vocab better, and may reduce the need for custom vocabs. Please comment on this issue to provide feed back. Thanks. I have included the text of the issue here for reference: There is a discussion on cti-users and cti-stix about improving the IndicatorTypeVocab. I believe that having a vocab is a useful thing. But I believe the existing vocab needs to be improved. First off, type information, like e-mail, ip, file hash, domain, etc. should be removed. You should/must be able to get this information from the Observable that is part of the Indicator. For one, there is no vocab to describe a malicious observiable, say network packet, stream, or other activity. Though if the e-mail type is removed from Malicious E-mail, and it just became Malicious (Observable), then we would have something. Removing type information would reduce the IndicatorTypeVocab down to: Compromised Malicious Watchlist C2 Anonymization Exfiltration The first three are interesting, Compromised means that this Observable indicates that you ARE compromised. The Malicious means that you WILL be compromised by this Observable and Watchlist means that you MAY get compromised by this Observable. Arguably, C2 should fall under Compromised, but as it probably requires further investigation to figure out the original compromised host, I'm fine leaving this as it's own separate type. On Fri, Oct 23, 2015 at 7:19 AM, Barnum, Sean D. < sbarnum@mitre.org > wrote: I think the first step would be to enter an issue in the tracker for this so that we can get it on the table. I also agree with an earlier statement that the issue of default vocab values has clear overlap with the interoperability SC so while we need to work internally within the STIX SC for ensuring our default vocabs have the appropriate values for STIX use cases it probably also makes sense to work at a higher level on the process by which we define and manage the various default controlled vocabs. [attachment "graycol.gif" deleted by Jason Keirstead/CanEast/IBM] [attachment "graycol.gif" deleted by Jason Keirstead/CanEast/IBM]

What you're pointing there is another thing I thought about which is the
relationships between different vocabularies.
While partially implemented in my tools in an effort to avoid inconstancy,
it was not yet introduced in the mailinglists

(Again, a structure à la CWE/CAPEC could be mid-term solution before a
RDF/OWL ontology)

On Saturday, 24 October 2015, Jason Keirstead <Jason.Keirstead@ca.ibm.com>
wrote:

> Should be pretty self-explanatory....
>
> Anomalous Activity *<Could be any but usually
> Reconnaissance/Weaponization/Delivery>*
> Malicious Activity *<Delivery / Exploitation>*
> Command and Control *

What you're pointing there is another thing I thought about which is the relationships between different vocabularies. While partially implemented in my tools in an effort to avoid inconstancy, it was not yet introduced in the mailinglists  (Again, a structure à la CWE/CAPEC could be mid-term solution before a RDF/OWL ontology) On Saturday, 24 October 2015, Jason Keirstead < Jason.Keirstead@ca.ibm.com > wrote: Should be pretty self-explanatory.... Anomalous Activity <Could be any but usually Reconnaissance/Weaponization/Delivery> Malicious Activity <Delivery / Exploitation> Command and Control <Command and Control> Anonymization <Actions> Data Exfiltration <Actions> Lateral Movement <Installation> Privilege Escalation <Installation> Reconnaissance < Reconnaissance > Host/Process Compromise <Installation> Watchlist <N/A> Quantified Risk <N/A> Policy Violation ** <N/A> - Jason Keirstead Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security www.securityintelligence.com Without data, all you are is just another person with an opinion - Unknown Joep Gommers ---2015/10/24 06:33:42 AM---Jason, How would you feel this relates to killchain? From: Joep Gommers < joep@eclecticiq.com > To: Jason Keirstead/CanEast/IBM@IBMCA Cc: John-Mark Gurney < jmg@newcontext.com >, "Barnum, Sean D." < sbarnum@mitre.org >, "Grobauer, Bernd" < Bernd.Grobauer@siemens.com >, "Wunder, John A." < jwunder@mitre.org >, " Cliff.Palmer@gd-ms.com " < Cliff.Palmer@gd-ms.com >, " cti-users@lists.oasis-open.org " < cti-users@lists.oasis-open.org >, " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org > Date: 2015/10/24 06:33 AM Subject: Re: [cti-users] Re: [cti-stix] Re: [cti-users] Indicator Type / Vocabulary Implementation Questions Jason, How would you feel this relates to killchain? J Sent from my iPhone On 24 Oct 2015, at 11:05, Jason Keirstead < Jason.Keirstead@ca.ibm.com > wrote: I like the direction this is going " Removing type information would reduce the IndicatorTypeVocab down to: Compromised Malicious Watchlist C2 Anonymization Exfiltration " This is very similar to what I have been working through This was my internal list so far - thoughts? Anomalous Activity Malicious Activity Command and Control * Anonymization Data Exfiltration Lateral Movement Privilege Escalation Reconnaissance Host/Process Compromise Watchlist Quantified Risk Policy Violation ** * I prefer descriptive names other than acronyms like "C2", it makes it easier for translation purposes. ** Not sure about this one... its kind of straying outside the CTI realm.. although i do see a great value / need for it in the vocabulary. - Jason Keirstead Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security www.securityintelligence.com Without data, all you are is just another person with an opinion - Unknown <graycol.gif> John-Mark Gurney ---2015/10/23 03:57:30 PM---I have created an issue for this as when I was reviewing the vocab list, it did not cover our use ca From: John-Mark Gurney < jmg@newcontext.com > To: "Barnum, Sean D." < sbarnum@mitre.org > Cc: "Grobauer, Bernd" < Bernd.Grobauer@siemens.com >, "Wunder, John A." < jwunder@mitre.org >, Jason Keirstead/CanEast/IBM@IBMCA, " Cliff.Palmer@gd-ms.com " < Cliff.Palmer@gd-ms.com >, " cti-users@lists.oasis-open.org " < cti-users@lists.oasis-open.org >, cti-stix@lists.oasis-open.org Date: 2015/10/23 03:57 PM Subject: [cti-stix] Re: [cti-users] Indicator Type / Vocabulary Implementation Questions Sent by: < cti-stix@lists.oasis-open.org > I have created an issue for this as when I was reviewing the vocab list, it did not cover our use case. The issue I created: https://github.com/STIXProject/specifications/issues/35 I believe that this will help people use the Vocab better, and may reduce the need for custom vocabs. Please comment on this issue to provide feed back. Thanks. I have included the text of the issue here for reference: There is a discussion on cti-users and cti-stix about improving the IndicatorTypeVocab. I believe that having a vocab is a useful thing. But I believe the existing vocab needs to be improved. First off, type information, like e-mail, ip, file hash, domain, etc. should be removed. You should/must be able to get this information from the Observable that is part of the Indicator. For one, there is no vocab to describe a malicious observiable, say network packet, stream, or other activity. Though if the e-mail type is removed from Malicious E-mail, and it just became Malicious (Observable), then we would have something. Removing type information would reduce the IndicatorTypeVocab down to: Compromised Malicious Watchlist C2 Anonymization Exfiltration The first three are interesting, Compromised means that this Observable indicates that you ARE compromised. The Malicious means that you WILL be compromised by this Observable and Watchlist means that you MAY get compromised by this Observable. Arguably, C2 should fall under Compromised, but as it probably requires further investigation to figure out the original compromised host, I'm fine leaving this as it's own separate type. On Fri, Oct 23, 2015 at 7:19 AM, Barnum, Sean D. < sbarnum@mitre.org > wrote: I think the first step would be to enter an issue in the tracker for this so that we can get it on the table. I also agree with an earlier statement that the issue of default vocab values has clear overlap with the interoperability SC so while we need to work internally within the STIX SC for ensuring our default vocabs have the appropriate values for STIX use cases it probably also makes sense to work at a higher level on the process by which we define and manage the various default controlled vocabs. [attachment "graycol.gif" deleted by Jason Keirstead/CanEast/IBM] [attachment "graycol.gif" deleted by Jason Keirstead/CanEast/IBM]

Pardon me if I am off base with this thought but throwing out to see what sticks.



In another group, they had similar problem of divergent lists of “vocabularies” or “dictionaries”.

Example was how many states are in a sequence of a work flow and what are they called.

Common problem seems to be that your list is not my list.

In the end, they used they used a:

DictionaryOwner: e.g. one or another standards body or proprietary (e.g. OASIS-CTI)

DictionaryAttribute: e.g. the variable name (e.g. IndicatorType)

DictionaryValue: e.g. the variable value (of form string)

Where the Owner provided the context for what permissible Values could be used.



The hope in some cases was that a sufficiently well-defined standard set could obviate the need for proprietary ones.

Regularly updating the standard, could help minimize the other lists.

However, if a set needed to be “these and only these values”, then the need for multiple sets remains.



________________________________

Michael Hammer

Principal Engineer

michael.hammer@yaanatech.com <mailto:michael.hammer@yaanatech.com>

Mobile: +1 408 202 9291

542 Gibraltar Drive

Milpitas, CA 95035 USA

<http://www.yaanatech.com/> www.yaanatech.com



From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Jerome Athias
Sent: Saturday, October 24, 2015 9:19 AM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: Joep Gommers <joep@eclecticiq.com>; Grobauer, Bernd <Bernd.Grobauer@siemens.com>; Cliff.Palmer@gd-ms.com; cti-stix@lists.oasis-open.org; cti-users@lists.oasis-open.org; John-Mark Gurney <jmg@newcontext.com>; Wunder, John A. <jwunder@mitre.org>; Barnum, Sean D. <sbarnum@mitre.org>
Subject: Re: [cti-users] Indicator Type / Vocabulary Implementation Questions



What you're pointing there is another thing I thought about which is the relationships between different vocabularies.

While partially implemented in my tools in an effort to avoid inconstancy, it was not yet introduced in the mailinglists



(Again, a structure à la CWE/CAPEC could be mid-term solution before a RDF/OWL ontology)

On Saturday, 24 October 2015, Jason Keirstead <Jason.Keirstead@ca.ibm.com <mailto:Jason.Keirstead@ca.ibm.com> > wrote:

Should be pretty self-explanatory....

Anomalous Activity <Could be any but usually Reconnaissance/Weaponization/Delivery>
Malicious Activity <Delivery / Exploitation>
Command and Control

Michael,

Never apologize for bringing an opinion to the table ?. It’s the discussions and reasoning from many different viewpoints that will make STIX/TAXII and CybOX better – so throw out what ever you would like to ?.

This similar idea was brought up on the CTI-STIX mailing list (where the discussion has migrated to) by Bret Jordan:

Perhaps this issue could be solved by a layered approach.....

Step 1: Greatly increase the default vocabulary, removing weirdness and things that are duplicate in nature. Try and get the default vocabulary to a 60/40 or 70/30 rule. It would also be really nice if the terms were backed by a numerical element. String matching in code in notoriously inefficient.

Step 2: Provide a secondary entry point for an additional vocabulary for those groups that want or need to define their own. We would obviously need an entry point in to the controlled vocabulary that can be a "fall back", something that is a lot higher up the food chain.

By doing something like this, software that can only work with the default vocabulary can skip or throw away things it does not understand and have a fall back to something that is "close enough" for what they need. In the second example below, the "sub_type" would be options and parsers could easily throw it away or skip it. In fact most JSON parsers today naturally just skip things that do not map to a struct.


{
"stixtype": "indicator",
"type": "IP Watchlist",
....
{


or

{
"stixtype": "indicator",
"type": "Malware",
"sub_type" : {
"vocab": "http://a.b.com/vocab-foo",
"type": "X-RAT-Downloader"
},
....
{

It seems to me that this is a good in-between option.

I’d definitely suggest following the discussion on the CTI-STIX list. We’d really appreciate your involvement in the STIX Sub Committee if you have the time!

Cheers

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA | An FS-ISAC and DTCC Company
+61 (407) 203 206 | terry@soltra.com<mailto:terry@soltra.com>


From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Michael Hammer
Sent: Wednesday, 28 October 2015 6:57 AM
To: athiasjerome@gmail.com; Jason.Keirstead@ca.ibm.com
Cc: joep@eclecticiq.com; Bernd.Grobauer@siemens.com; Cliff.Palmer@gd-ms.com; cti-stix@lists.oasis-open.org; cti-users@lists.oasis-open.org; jmg@newcontext.com; jwunder@mitre.org; sbarnum@mitre.org
Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions

Pardon me if I am off base with this thought but throwing out to see what sticks.

In another group, they had similar problem of divergent lists of “vocabularies” or “dictionaries”.
Example was how many states are in a sequence of a work flow and what are they called.
Common problem seems to be that your list is not my list.
In the end, they used they used a:
DictionaryOwner: e.g. one or another standards body or proprietary (e.g. OASIS-CTI)
DictionaryAttribute: e.g. the variable name (e.g. IndicatorType)
DictionaryValue: e.g. the variable value (of form string)
Where the Owner provided the context for what permissible Values could be used.

The hope in some cases was that a sufficiently well-defined standard set could obviate the need for proprietary ones.
Regularly updating the standard, could help minimize the other lists.
However, if a set needed to be “these and only these values”, then the need for multiple sets remains.

________________________________
Michael Hammer
Principal Engineer
michael.hammer@yaanatech.com<mailto:michael.hammer@yaanatech.com>
Mobile: +1 408 202 9291
542 Gibraltar Drive
Milpitas, CA 95035 USA
www.yaanatech.com<http://www.yaanatech.com/>

From: cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org> [mailto:cti-users@lists.oasis-open.org] On Behalf Of Jerome Athias
Sent: Saturday, October 24, 2015 9:19 AM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com<mailto:Jason.Keirstead@ca.ibm.com>>
Cc: Joep Gommers <joep@eclecticiq.com<mailto:joep@eclecticiq.com>>; Grobauer, Bernd <Bernd.Grobauer@siemens.com<mailto:Bernd.Grobauer@siemens.com>>; Cliff.Palmer@gd-ms.com<mailto:Cliff.Palmer@gd-ms.com>; cti-stix@lists.oasis-open.org<mailto:cti-stix@lists.oasis-open.org>; cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>; John-Mark Gurney <jmg@newcontext.com<mailto:jmg@newcontext.com>>; Wunder, John A. <jwunder@mitre.org<mailto:jwunder@mitre.org>>; Barnum, Sean D. <sbarnum@mitre.org<mailto:sbarnum@mitre.org>>
Subject: Re: [cti-users] Indicator Type / Vocabulary Implementation Questions

What you're pointing there is another thing I thought about which is the relationships between different vocabularies.
While partially implemented in my tools in an effort to avoid inconstancy, it was not yet introduced in the mailinglists

(Again, a structure à la CWE/CAPEC could be mid-term solution before a RDF/OWL ontology)

On Saturday, 24 October 2015, Jason Keirstead <Jason.Keirstead@ca.ibm.com<mailto:Jason.Keirstead@ca.ibm.com>> wrote:

Should be pretty self-explanatory....
Anomalous Activity <Could be any but usually Reconnaissance/Weaponization/Delivery>
Malicious Activity <Delivery / Exploitation>
Command and Control

Michael,
 
Never apologize for bringing an opinion to the table
J . It’s the discussions and reasoning from many
different viewpoints that will make STIX/TAXII and CybOX better – so throw out what ever you would like to
J .
 
This similar idea was brought up on the CTI-STIX mailing list (where the discussion has migrated to) by Bret Jordan:
 
Perhaps this issue could be solved by a layered approach.....
 
Step 1: Greatly increase the default vocabulary, removing weirdness and things that are duplicate in nature. Try and get the default vocabulary to a 60/40 or 70/30 rule.  It would also be really nice if the terms were backed by a numerical
element.  String matching in code in notoriously inefficient.  
 
Step 2: Provide a secondary entry point for an additional vocabulary for those groups that want or need to define their own.  We would obviously need an entry point in to the controlled vocabulary that can be a "fall back", something that
is a lot higher up the food chain.  
 
By doing something like this, software that can only work with the default vocabulary can skip or throw away things it does not understand and have a fall back to something that is "close enough" for what they need.  In the second example
below, the "sub_type" would be options and parsers could easily throw it away or skip it.  In fact most JSON parsers today naturally just skip things that do not map to a struct.  
 
 
{
  "stixtype": "indicator",
  "type": "IP Watchlist",
  ....
{
 
 
or 
 
{
  "stixtype": "indicator",
  "type": "Malware",
  "sub_type" : {
    "vocab": " http://a.b.com/vocab-foo ",
    "type": "X-RAT-Downloader"
  },
  ....
{
 
It seems to me that this is a good in-between option.

 
I’d definitely suggest following the discussion on the CTI-STIX list. We’d really appreciate your involvement in the STIX Sub Committee
if you have the time!
 
Cheers
 

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC and DTCC Company
+61 (407) 203 206
terry@soltra.com
 

 


From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org]
On Behalf Of Michael Hammer
Sent: Wednesday, 28 October 2015 6:57 AM
To: athiasjerome@gmail.com; Jason.Keirstead@ca.ibm.com
Cc: joep@eclecticiq.com; Bernd.Grobauer@siemens.com; Cliff.Palmer@gd-ms.com; cti-stix@lists.oasis-open.org; cti-users@lists.oasis-open.org; jmg@newcontext.com; jwunder@mitre.org; sbarnum@mitre.org
Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions


 
Pardon me if I am off base with this thought but throwing out to see what sticks.
 
In another group, they had similar problem of divergent lists of “vocabularies” or “dictionaries”.
Example was how many states are in a sequence of a work flow and what are they called.
Common problem seems to be that your list is not my list.
In the end, they used they used a:
DictionaryOwner:  e.g. one or another standards body or proprietary (e.g. OASIS-CTI)
DictionaryAttribute: e.g. the variable name (e.g. IndicatorType)
DictionaryValue: e.g. the variable value (of form string)
Where the Owner provided the context for what permissible Values could be used.
 
The hope in some cases was that a sufficiently well-defined standard set could obviate the need for proprietary ones.
Regularly updating the standard, could help minimize the other lists.
However, if a set needed to be “these and only these values”, then the need for multiple sets remains.
 
________________________________
Michael Hammer
Principal Engineer
michael.hammer@yaanatech.com
Mobile:
+1
408 202 9291
542 Gibraltar Drive
Milpitas, CA 95035 USA
www.yaanatech.com
 
From:
cti-users@lists.oasis-open.org [ mailto:cti-users@lists.oasis-open.org ]
On Behalf Of Jerome Athias
Sent: Saturday, October 24, 2015 9:19 AM
To: Jason Keirstead < Jason.Keirstead@ca.ibm.com >
Cc: Joep Gommers < joep@eclecticiq.com >; Grobauer, Bernd < Bernd.Grobauer@siemens.com >;
Cliff.Palmer@gd-ms.com ;
cti-stix@lists.oasis-open.org ;
cti-users@lists.oasis-open.org ; John-Mark Gurney < jmg@newcontext.com >; Wunder, John A. < jwunder@mitre.org >; Barnum, Sean D. < sbarnum@mitre.org >
Subject: Re: [cti-users] Indicator Type / Vocabulary Implementation Questions
 
What you're pointing there is another thing I thought about which is the relationships between different vocabularies.

While partially implemented in my tools in an effort to avoid inconstancy, it was not yet introduced in the mailinglists 


 


(Again, a structure à la CWE/CAPEC could be mid-term solution before a RDF/OWL ontology)

On Saturday, 24 October 2015, Jason Keirstead < Jason.Keirstead@ca.ibm.com > wrote:


Should be pretty self-explanatory....
Anomalous Activity
<Could be any but usually Reconnaissance/Weaponization/Delivery>
Malicious Activity <Delivery / Exploitation>
Command and Control <Command and Control>
Anonymization <Actions>
Data Exfiltration <Actions>
Lateral Movement <Installation>
Privilege Escalation <Installation>
Reconnaissance <Reconnaissance >
Host/Process Compromise <Installation>
Watchlist <N/A>
Quantified Risk <N/A>
Policy Violation ** <N/A>
-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security
www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


Joep
Gommers ---2015/10/24 06:33:42 AM---Jason, How would you feel this relates to killchain?

From: Joep Gommers < joep@eclecticiq.com >
To: Jason Keirstead/CanEast/IBM@IBMCA
Cc: John-Mark Gurney < jmg@newcontext.com >, "Barnum, Sean D."
< sbarnum@mitre.org >, "Grobauer, Bernd" < Bernd.Grobauer@siemens.com >, "Wunder, John A."
< jwunder@mitre.org >, " Cliff.Palmer@gd-ms.com " < Cliff.Palmer@gd-ms.com >,
" cti-users@lists.oasis-open.org " < cti-users@lists.oasis-open.org >, " cti-stix@lists.oasis-open.org "
< cti-stix@lists.oasis-open.org >
Date: 2015/10/24 06:33 AM
Subject:
Re: [cti-users] Re: [cti-stix] Re: [cti-users] Indicator Type / Vocabulary Implementation Questions








Jason,

How would you feel this relates to killchain?

J

Sent from my iPhone

On 24 Oct 2015, at 11:05, Jason Keirstead < Jason.Keirstead@ca.ibm.com >
wrote:
I like the direction this is going
" Removing type information would reduce the IndicatorTypeVocab down to:

Compromised
Malicious
Watchlist
C2
Anonymization
Exfiltration
"
This is very similar to what I have been working through

This was my internal list so far - thoughts?
Anomalous Activity
Malicious Activity
Command and Control *
Anonymization
Data Exfiltration
Lateral Movement
Privilege Escalation
Reconnaissance
Host/Process Compromise
Watchlist
Quantified Risk
Policy Violation **


* I prefer descriptive names other than acronyms like "C2", it makes it easier for translation purposes.

** Not sure about this one... its kind of straying outside the CTI realm.. although i do see a great value / need for it in the vocabulary.

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security
www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


<graycol.gif> John-Mark Gurney ---2015/10/23 03:57:30 PM---I have created an issue for this as when I was reviewing the vocab list, it did not cover our use ca

From: John-Mark Gurney < jmg@newcontext.com >
To: "Barnum, Sean D." < sbarnum@mitre.org >
Cc: "Grobauer, Bernd" < Bernd.Grobauer@siemens.com >, "Wunder, John A." < jwunder@mitre.org >,
Jason Keirstead/CanEast/IBM@IBMCA, " Cliff.Palmer@gd-ms.com " < Cliff.Palmer@gd-ms.com >,
" cti-users@lists.oasis-open.org " < cti-users@lists.oasis-open.org >,

cti-stix@lists.oasis-open.org
Date: 2015/10/23 03:57 PM
Subject: [cti-stix] Re: [cti-users] Indicator Type / Vocabulary Implementation Questions
Sent by: < cti-stix@lists.oasis-open.org >








I have created an issue for this as when I was reviewing the vocab list, it did not cover our use case.

The issue I created:
https://github.com/STIXProject/specifications/issues/35

I believe that this will help people use the Vocab better, and may reduce the need for custom vocabs.

Please comment on this issue to provide feed back.

Thanks.

I have included the text of the issue here for reference:
There is a discussion on cti-users and cti-stix about improving the IndicatorTypeVocab.

I believe that having a vocab is a useful thing. But I believe the existing vocab needs to be improved.

First off, type information, like e-mail, ip, file hash, domain, etc. should be removed. You should/must be able to get this information from the Observable that is part of the Indicator.

For one, there is no vocab to describe a malicious observiable, say network packet, stream, or other activity. Though if the e-mail type is removed from Malicious E-mail, and it just became Malicious (Observable), then we would have something.

Removing type information would reduce the IndicatorTypeVocab down to:
Compromised
Malicious
Watchlist
C2
Anonymization
Exfiltration

The first three are interesting, Compromised means that this Observable indicates that you ARE compromised. The Malicious means that you WILL be compromised by this Observable and Watchlist means that you MAY get compromised by this Observable.

Arguably, C2 should fall under Compromised, but as it probably requires further investigation to figure out the original compromised host, I'm fine leaving this as it's own separate type.

On Fri, Oct 23, 2015 at 7:19 AM, Barnum, Sean D. < sbarnum@mitre.org >
wrote:
I think the first step would be to enter an issue in the tracker for this so that we can get it on the table. I also agree with an earlier statement that the issue
of default vocab values has clear overlap with the interoperability SC so while we need to work internally within the STIX SC for ensuring our default vocabs have the appropriate values for STIX use cases it probably also makes sense to work at a higher level
on the process by which we define and manage the various default controlled vocabs.

[attachment "graycol.gif" deleted by Jason Keirstead/CanEast/IBM] [attachment "graycol.gif" deleted by Jason Keirstead/CanEast/IBM]

 

RE:

"sub_type" : {
"vocab": "http://a.b.com/vocab-foo",
"type": "X-RAT-Downloader"
},

The problems with this are the same as with the current system...

- As a tool, I likely do not have any internet access to publish a vocabulary list
- Even if I did, I probably do not have access to a location on the corporate website to publish it.

Sent from IBM Verse



Terry MacDonald --- [cti-stix] RE: [cti-users] Indicator Type / Vocabulary Implementation Questions ---
From:"Terry MacDonald" <terry@soltra.com>To:"Michael Hammer" <michael.hammer@yaanatech.com>, athiasjerome@gmail.com, "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>Cc:joep@eclecticiq.com, Bernd.Grobauer@siemens.com, Cliff.Palmer@gd-ms.com, cti-stix@lists.oasis-open.org, cti-users@lists.oasis-open.org, jmg@newcontext.com, jwunder@mitre.org, sbarnum@mitre.orgDate:Tue, Oct 27, 2015 1:15 PMSubject:[cti-stix] RE: [cti-users] Indicator Type / Vocabulary Implementation Questions



Michael,

Never apologize for bringing an opinion to the table J. It’s the discussions and reasoning from many different viewpoints that will make STIX/TAXII and CybOX better – so throw out what ever you would like to J.

This similar idea was brought up on the CTI-STIX mailing list (where the discussion has migrated to) by Bret Jordan:

Perhaps this issue could be solved by a layered approach.....

Step 1: Greatly increase the default vocabulary, removing weirdness and things that are duplicate in nature. Try and get the default vocabulary to a 60/40 or 70/30 rule. It would also be really nice if the terms were backed by a numerical element. String matching in code in notoriously inefficient.

Step 2: Provide a secondary entry point for an additional vocabulary for those groups that want or need to define their own. We would obviously need an entry point in to the controlled vocabulary that can be a "fall back", something that is a lot higher up the food chain.

By doing something like this, software that can only work with the default vocabulary can skip or throw away things it does not understand and have a fall back to something that is "close enough" for what they need. In the second example below, the "sub_type" would be options and parsers could easily throw it away or skip it. In fact most JSON parsers today naturally just skip things that do not map to a struct.


{
"stixtype": "indicator",
"type": "IP Watchlist",
....
{


or

{
"stixtype": "indicator",
"type": "Malware",
"sub_type" : {
"vocab": "http://a.b.com/vocab-foo",
"type": "X-RAT-Downloader"
},
....
{

It seems to me that this is a good in-between option.

I’d definitely suggest following the discussion on the CTI-STIX list. We’d really appreciate your involvement in the STIX Sub Committee if you have the time!

Cheers


Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA | An FS-ISAC and DTCC Company
+61 (407) 203 206 | terry@soltra.com





From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Michael Hammer Sent: Wednesday, 28 October 2015 6:57 AM To: athiasjerome@gmail.com; Jason.Keirstead@ca.ibm.com Cc: joep@eclecticiq.com; Bernd.Grobauer@siemens.com; Cliff.Palmer@gd-ms.com; cti-stix@lists.oasis-open.org; cti-users@lists.oasis-open.org; jmg@newcontext.com; jwunder@mitre.org; sbarnum@mitre.org Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions



Pardon me if I am off base with this thought but throwing out to see what sticks.

In another group, they had similar problem of divergent lists of “vocabularies” or “dictionaries”.
Example was how many states are in a sequence of a work flow and what are they called.
Common problem seems to be that your list is not my list.
In the end, they used they used a:
DictionaryOwner: e.g. one or another standards body or proprietary (e.g. OASIS-CTI)
DictionaryAttribute: e.g. the variable name (e.g. IndicatorType)
DictionaryValue: e.g. the variable value (of form string)
Where the Owner provided the context for what permissible Values could be used.

The hope in some cases was that a sufficiently well-defined standard set could obviate the need for proprietary ones.
Regularly updating the standard, could help minimize the other lists.
However, if a set needed to be “these and only these values”, then the need for multiple sets remains.

________________________________
Michael Hammer
Principal Engineer
michael.hammer@yaanatech.com
Mobile: +1 408 202 9291
542 Gibraltar Drive
Milpitas, CA 95035 USA
www.yaanatech.com

From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Jerome Athias Sent: Saturday, October 24, 2015 9:19 AM To: Jason Keirstead <Jason.Keirstead@ca.ibm.com> Cc: Joep Gommers <joep@eclecticiq.com>; Grobauer, Bernd <Bernd.Grobauer@siemens.com>; Cliff.Palmer@gd-ms.com; cti-stix@lists.oasis-open.org; cti-users@lists.oasis-open.org; John-Mark Gurney <jmg@newcontext.com>; Wunder, John A. <jwunder@mitre.org>; Barnum, Sean D. <sbarnum@mitre.org> Subject: Re: [cti-users] Indicator Type / Vocabulary Implementation Questions

What you're pointing there is another thing I thought about which is the relationships between different vocabularies.

While partially implemented in my tools in an effort to avoid inconstancy, it was not yet introduced in the mailinglists





(Again, a structure à la CWE/CAPEC could be mid-term solution before a RDF/OWL ontology) On Saturday, 24 October 2015, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:

Should be pretty self-explanatory....
Anomalous Activity <Could be any but usually Reconnaissance/Weaponization/Delivery> Malicious Activity <Delivery / Exploitation> Command and Control

Hi Jason,

The external access would only be required in order to access the custom vocabulary. The fall back default vocabulary (as proposed by Bret) wouldn’t need external tool connectivity.

As for updating the default vocabulary I believe that most vendors would have an update mechanism built into their tools. It shouldn’t be too difficult to import the update at HQ and send it out as an update.

In any case, most TAXII servers will be connected to the Internet in order to exchange TAXII/STIX. Adding functionality to lookup a custom vocabulary wouldn’t be too onerous in my opinion.

Cheers

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA | An FS-ISAC and DTCC Company
+61 (407) 203 206 | terry@soltra.com<mailto:terry@soltra.com>


From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Jason Keirstead
Sent: Wednesday, 28 October 2015 8:14 AM
To: Terry MacDonald <terry@soltra.com>
Cc: Michael Hammer <michael.hammer@yaanatech.com>; athiasjerome@gmail.com; joep@eclecticiq.com; Bernd.Grobauer@siemens.com; Cliff.Palmer@gd-ms.com; cti-stix@lists.oasis-open.org; cti-users@lists.oasis-open.org; jmg@newcontext.com; jwunder@mitre.org; sbarnum@mitre.org
Subject: [cti-users] Re: [cti-stix] RE: [cti-users] Indicator Type / Vocabulary Implementation Questions


RE:



"sub_type" : {

"vocab": "http://a.b.com/vocab-foo",

"type": "X-RAT-Downloader"

},



The problems with this are the same as with the current system...



- As a tool, I likely do not have any internet access to publish a vocabulary list

- Even if I did, I probably do not have access to a location on the corporate website to publish it.



Sent from IBM Verse

Terry MacDonald --- [cti-stix] RE: [cti-users] Indicator Type / Vocabulary Implementation Questions ---

From:

"Terry MacDonald" <terry@soltra.com<mailto:terry@soltra.com>>

To:

"Michael Hammer" <michael.hammer@yaanatech.com<mailto:michael.hammer@yaanatech.com>>, athiasjerome@gmail.com<mailto:athiasjerome@gmail.com>, "Jason Keirstead" <Jason.Keirstead@ca.ibm.com<mailto:Jason.Keirstead@ca.ibm.com>>

Cc:

joep@eclecticiq.com<mailto:joep@eclecticiq.com>, Bernd.Grobauer@siemens.com<mailto:Bernd.Grobauer@siemens.com>, Cliff.Palmer@gd-ms.com<mailto:Cliff.Palmer@gd-ms.com>, cti-stix@lists.oasis-open.org<mailto:cti-stix@lists.oasis-open.org>, cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>, jmg@newcontext.com<mailto:jmg@newcontext.com>, jwunder@mitre.org<mailto:jwunder@mitre.org>, sbarnum@mitre.org<mailto:sbarnum@mitre.org>

Date:

Tue, Oct 27, 2015 1:15 PM

Subject:

[cti-stix] RE: [cti-users] Indicator Type / Vocabulary Implementation Questions

________________________________

Michael,

Never apologize for bringing an opinion to the table ?. It’s the discussions and reasoning from many different viewpoints that will make STIX/TAXII and CybOX better – so throw out what ever you would like to ?.

This similar idea was brought up on the CTI-STIX mailing list (where the discussion has migrated to) by Bret Jordan:

Perhaps this issue could be solved by a layered approach.....

Step 1: Greatly increase the default vocabulary, removing weirdness and things that are duplicate in nature. Try and get the default vocabulary to a 60/40 or 70/30 rule. It would also be really nice if the terms were backed by a numerical element. String matching in code in notoriously inefficient.

Step 2: Provide a secondary entry point for an additional vocabulary for those groups that want or need to define their own. We would obviously need an entry point in to the controlled vocabulary that can be a "fall back", something that is a lot higher up the food chain.

By doing something like this, software that can only work with the default vocabulary can skip or throw away things it does not understand and have a fall back to something that is "close enough" for what they need. In the second example below, the "sub_type" would be options and parsers could easily throw it away or skip it. In fact most JSON parsers today naturally just skip things that do not map to a struct.


{
"stixtype": "indicator",
"type": "IP Watchlist",
....
{


or

{
"stixtype": "indicator",
"type": "Malware",
"sub_type" : {
"vocab": "http://a.b.com/vocab-foo",
"type": "X-RAT-Downloader"
},
....
{

It seems to me that this is a good in-between option.

I’d definitely suggest following the discussion on the CTI-STIX list. We’d really appreciate your involvement in the STIX Sub Committee if you have the time!

Cheers

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA | An FS-ISAC and DTCC Company
+61 (407) 203 206 | terry@soltra.com<mailto:terry@soltra.com>


From: cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org> [mailto:cti-users@lists.oasis-open.org] On Behalf Of Michael Hammer
Sent: Wednesday, 28 October 2015 6:57 AM
To: athiasjerome@gmail.com<mailto:athiasjerome@gmail.com>; Jason.Keirstead@ca.ibm.com<mailto:Jason.Keirstead@ca.ibm.com>
Cc: joep@eclecticiq.com<mailto:joep@eclecticiq.com>; Bernd.Grobauer@siemens.com<mailto:Bernd.Grobauer@siemens.com>; Cliff.Palmer@gd-ms.com<mailto:Cliff.Palmer@gd-ms.com>; cti-stix@lists.oasis-open.org<mailto:cti-stix@lists.oasis-open.org>; cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>; jmg@newcontext.com<mailto:jmg@newcontext.com>; jwunder@mitre.org<mailto:jwunder@mitre.org>; sbarnum@mitre.org<mailto:sbarnum@mitre.org>
Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions

Pardon me if I am off base with this thought but throwing out to see what sticks.

In another group, they had similar problem of divergent lists of “vocabularies” or “dictionaries”.
Example was how many states are in a sequence of a work flow and what are they called.
Common problem seems to be that your list is not my list.
In the end, they used they used a:
DictionaryOwner: e.g. one or another standards body or proprietary (e.g. OASIS-CTI)
DictionaryAttribute: e.g. the variable name (e.g. IndicatorType)
DictionaryValue: e.g. the variable value (of form string)
Where the Owner provided the context for what permissible Values could be used.

The hope in some cases was that a sufficiently well-defined standard set could obviate the need for proprietary ones.
Regularly updating the standard, could help minimize the other lists.
However, if a set needed to be “these and only these values”, then the need for multiple sets remains.

________________________________
Michael Hammer
Principal Engineer
michael.hammer@yaanatech.com<mailto:michael.hammer@yaanatech.com>
Mobile: +1408 202 9291
542 Gibraltar Drive
Milpitas, CA 95035 USA
www.yaanatech.com<http://www.yaanatech.com/>

From:cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org> [mailto:cti-users@lists.oasis-open.org] On Behalf Of Jerome Athias
Sent: Saturday, October 24, 2015 9:19 AM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com<mailto:Jason.Keirstead@ca.ibm.com>>
Cc: Joep Gommers <joep@eclecticiq.com<mailto:joep@eclecticiq.com>>; Grobauer, Bernd <Bernd.Grobauer@siemens.com<mailto:Bernd.Grobauer@siemens.com>>; Cliff.Palmer@gd-ms.com<mailto:Cliff.Palmer@gd-ms.com>; cti-stix@lists.oasis-open.org<mailto:cti-stix@lists.oasis-open.org>; cti-users@lists.oasis-open.org<mailto:cti-users@lists.oasis-open.org>; John-Mark Gurney <jmg@newcontext.com<mailto:jmg@newcontext.com>>; Wunder, John A. <jwunder@mitre.org<mailto:jwunder@mitre.org>>; Barnum, Sean D. <sbarnum@mitre.org<mailto:sbarnum@mitre.org>>
Subject: Re: [cti-users] Indicator Type / Vocabulary Implementation Questions

What you're pointing there is another thing I thought about which is the relationships between different vocabularies.
While partially implemented in my tools in an effort to avoid inconstancy, it was not yet introduced in the mailinglists

(Again, a structure à la CWE/CAPEC could be mid-term solution before a RDF/OWL ontology)

On Saturday, 24 October 2015, Jason Keirstead <Jason.Keirstead@ca.ibm.com<mailto:Jason.Keirstead@ca.ibm.com>> wrote:

Should be pretty self-explanatory....
Anomalous Activity <Could be any but usually Reconnaissance/Weaponization/Delivery>
Malicious Activity <Delivery / Exploitation>
Command and Control

Hi Jason,
 
The external access would only be required in order to access the custom vocabulary. The fall back default vocabulary (as proposed
by Bret) wouldn’t need external tool connectivity.
 
As for updating the default vocabulary I believe that most vendors would have an update mechanism built into their tools. It shouldn’t
be too difficult to import the update at HQ and send it out as an update.
 
In any case, most TAXII servers will be connected to the Internet in order to exchange TAXII/STIX. Adding functionality to lookup a
custom vocabulary wouldn’t be too onerous in my opinion.
 
Cheers
 

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC and DTCC Company
+61 (407) 203 206
terry@soltra.com
 

 


From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org]
On Behalf Of Jason Keirstead
Sent: Wednesday, 28 October 2015 8:14 AM
To: Terry MacDonald <terry@soltra.com>
Cc: Michael Hammer <michael.hammer@yaanatech.com>; athiasjerome@gmail.com; joep@eclecticiq.com; Bernd.Grobauer@siemens.com; Cliff.Palmer@gd-ms.com; cti-stix@lists.oasis-open.org; cti-users@lists.oasis-open.org; jmg@newcontext.com; jwunder@mitre.org;
sbarnum@mitre.org
Subject: [cti-users] Re: [cti-stix] RE: [cti-users] Indicator Type / Vocabulary Implementation Questions


 
RE:
 
  "sub_type" : {
    "vocab": " http://a.b.com/vocab-foo ",
    "type": "X-RAT-Downloader"
  },
 
The problems with this are the same as with the current system...
 
- As a tool, I likely do not have any internet access to publish a vocabulary list
- Even if I did, I probably do not have access to a location on the corporate website to publish it.
 
Sent from IBM Verse
 


Terry MacDonald --- [cti-stix] RE: [cti-users] Indicator Type / Vocabulary Implementation Questions ---



 




From:


"Terry MacDonald" < terry@soltra.com >




To:


"Michael Hammer" < michael.hammer@yaanatech.com >,
athiasjerome@gmail.com , "Jason Keirstead" < Jason.Keirstead@ca.ibm.com >




Cc:


joep@eclecticiq.com ,
Bernd.Grobauer@siemens.com ,
Cliff.Palmer@gd-ms.com , cti-stix@lists.oasis-open.org ,
cti-users@lists.oasis-open.org ,
jmg@newcontext.com ,
jwunder@mitre.org , sbarnum@mitre.org




Date:


Tue, Oct 27, 2015 1:15 PM




Subject:


[cti-stix] RE: [cti-users] Indicator Type / Vocabulary Implementation Questions







 

Michael,
 
Never apologize for bringing an opinion to the table
J . It’s the discussions and reasoning from many
different viewpoints that will make STIX/TAXII and CybOX better – so throw out what ever you would like to
J .
 
This similar idea was brought up on the CTI-STIX mailing list (where the discussion has migrated to) by Bret Jordan:
 
Perhaps this issue could be solved by a layered approach.....
 
Step 1: Greatly increase the default vocabulary, removing weirdness and things that are duplicate in nature. Try and get the default vocabulary to a 60/40 or 70/30 rule.  It would also be really nice if the terms were backed by a numerical
element.  String matching in code in notoriously inefficient.  
 
Step 2: Provide a secondary entry point for an additional vocabulary for those groups that want or need to define their own.  We would obviously need an entry point in to the controlled vocabulary that can be a "fall back", something that
is a lot higher up the food chain.  
 
By doing something like this, software that can only work with the default vocabulary can skip or throw away things it does not understand and have a fall back to something that is "close enough" for what they need.  In the second example
below, the "sub_type" would be options and parsers could easily throw it away or skip it.  In fact most JSON parsers today naturally just skip things that do not map to a struct.  
 
 
{
  "stixtype": "indicator",
  "type": "IP Watchlist",
  ....
{
 
 
or 
 
{
  "stixtype": "indicator",
  "type": "Malware",
  "sub_type" : {
    "vocab": " http://a.b.com/vocab-foo ",
    "type": "X-RAT-Downloader"
  },
  ....
{
 
It seems to me that this is a good in-between option.

 
I’d definitely suggest following the discussion on the CTI-STIX list. We’d really appreciate your involvement in the STIX Sub Committee
if you have the time!
 
Cheers
 

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA   An FS-ISAC and DTCC Company
+61 (407) 203 206
terry@soltra.com
 

 


From:
cti-users@lists.oasis-open.org [ mailto:cti-users@lists.oasis-open.org ]
On Behalf Of Michael Hammer
Sent: Wednesday, 28 October 2015 6:57 AM
To: athiasjerome@gmail.com ;
Jason.Keirstead@ca.ibm.com
Cc: joep@eclecticiq.com ;
Bernd.Grobauer@siemens.com ; Cliff.Palmer@gd-ms.com ;
cti-stix@lists.oasis-open.org ;
cti-users@lists.oasis-open.org ;
jmg@newcontext.com ;
jwunder@mitre.org ; sbarnum@mitre.org
Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions


 
Pardon me if I am off base with this thought but throwing out to see what sticks.
 
In another group, they had similar problem of divergent lists of “vocabularies” or “dictionaries”.
Example was how many states are in a sequence of a work flow and what are they called.
Common problem seems to be that your list is not my list.
In the end, they used they used a:
DictionaryOwner:  e.g. one or another standards body or proprietary (e.g. OASIS-CTI)
DictionaryAttribute: e.g. the variable name (e.g. IndicatorType)
DictionaryValue: e.g. the variable value (of form string)
Where the Owner provided the context for what permissible Values could be used.
 
The hope in some cases was that a sufficiently well-defined standard set could obviate the need for proprietary ones.
Regularly updating the standard, could help minimize the other lists.
However, if a set needed to be “these and only these values”, then the need for multiple sets remains.
 
________________________________
Michael Hammer
Principal Engineer
michael.hammer@yaanatech.com
Mobile:
+1408 202 9291
542 Gibraltar Drive
Milpitas, CA 95035 USA
www.yaanatech.com
 
From: cti-users@lists.oasis-open.org
[ mailto:cti-users@lists.oasis-open.org ]
On Behalf Of Jerome Athias
Sent: Saturday, October 24, 2015 9:19 AM
To: Jason Keirstead < Jason.Keirstead@ca.ibm.com >
Cc: Joep Gommers < joep@eclecticiq.com >; Grobauer, Bernd < Bernd.Grobauer@siemens.com >;
Cliff.Palmer@gd-ms.com ;
cti-stix@lists.oasis-open.org ;
cti-users@lists.oasis-open.org ; John-Mark Gurney < jmg@newcontext.com >; Wunder, John A. < jwunder@mitre.org >; Barnum, Sean D. < sbarnum@mitre.org >
Subject: Re: [cti-users] Indicator Type / Vocabulary Implementation Questions
 
What you're pointing there is another thing I thought about which is the relationships between different vocabularies.

While partially implemented in my tools in an effort to avoid inconstancy, it was not yet introduced in the mailinglists 


 


(Again, a structure à la CWE/CAPEC could be mid-term solution before a RDF/OWL ontology)

On Saturday, 24 October 2015, Jason Keirstead < Jason.Keirstead@ca.ibm.com > wrote:


Should be pretty self-explanatory....
Anomalous Activity
<Could be any but usually Reconnaissance/Weaponization/Delivery>
Malicious Activity <Delivery / Exploitation>
Command and Control <Command and Control>
Anonymization <Actions>
Data Exfiltration <Actions>
Lateral Movement <Installation>
Privilege Escalation <Installation>
Reconnaissance <Reconnaissance >
Host/Process Compromise <Installation>
Watchlist <N/A>
Quantified Risk <N/A>
Policy Violation ** <N/A>
-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security
www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


Joep
Gommers ---2015/10/24 06:33:42 AM---Jason, How would you feel this relates to killchain?

From: Joep Gommers < joep@eclecticiq.com >
To: Jason Keirstead/CanEast/IBM@IBMCA
Cc: John-Mark Gurney < jmg@newcontext.com >, "Barnum, Sean D."
< sbarnum@mitre.org >, "Grobauer, Bernd" < Bernd.Grobauer@siemens.com >, "Wunder, John A."
< jwunder@mitre.org >, " Cliff.Palmer@gd-ms.com " < Cliff.Palmer@gd-ms.com >,
" cti-users@lists.oasis-open.org " < cti-users@lists.oasis-open.org >, " cti-stix@lists.oasis-open.org "
< cti-stix@lists.oasis-open.org >
Date: 2015/10/24 06:33 AM
Subject:
Re: [cti-users] Re: [cti-stix] Re: [cti-users] Indicator Type / Vocabulary Implementation Questions










Jason,

How would you feel this relates to killchain?

J

Sent from my iPhone

On 24 Oct 2015, at 11:05, Jason Keirstead < Jason.Keirstead@ca.ibm.com >
wrote:
I like the direction this is going
" Removing type information would reduce the IndicatorTypeVocab down to:
Compromised
Malicious
Watchlist
C2
Anonymization
Exfiltration
"
This is very similar to what I have been working through

This was my internal list so far - thoughts?
Anomalous Activity
Malicious Activity
Command and Control *
Anonymization
Data Exfiltration
Lateral Movement
Privilege Escalation
Reconnaissance
Host/Process Compromise
Watchlist
Quantified Risk
Policy Violation **


* I prefer descriptive names other than acronyms like "C2", it makes it easier for translation purposes.

** Not sure about this one... its kind of straying outside the CTI realm.. although i do see a great value / need for it in the vocabulary.

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security
www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


<graycol.gif> John-Mark Gurney ---2015/10/23 03:57:30 PM---I have created an issue for this as when I was reviewing the vocab list, it did not cover our use ca

From: John-Mark Gurney < jmg@newcontext.com >
To: "Barnum, Sean D." < sbarnum@mitre.org >
Cc: "Grobauer, Bernd" < Bernd.Grobauer@siemens.com >, "Wunder, John A." < jwunder@mitre.org >,
Jason Keirstead/CanEast/IBM@IBMCA, " Cliff.Palmer@gd-ms.com " < Cliff.Palmer@gd-ms.com >,
" cti-users@lists.oasis-open.org " < cti-users@lists.oasis-open.org >,

cti-stix@lists.oasis-open.org
Date: 2015/10/23 03:57 PM
Subject: [cti-stix] Re: [cti-users] Indicator Type / Vocabulary Implementation Questions
Sent by: < cti-stix@lists.oasis-open.org >










I have created an issue for this as when I was reviewing the vocab list, it did not cover our use case.

The issue I created:
https://github.com/STIXProject/specifications/issues/35

I believe that this will help people use the Vocab better, and may reduce the need for custom vocabs.

Please comment on this issue to provide feed back.

Thanks.

I have included the text of the issue here for reference:
There is a discussion on cti-users and cti-stix about improving the IndicatorTypeVocab.

I believe that having a vocab is a useful thing. But I believe the existing vocab needs to be improved.

First off, type information, like e-mail, ip, file hash, domain, etc. should be removed. You should/must be able to get this information from the Observable that is part of the Indicator.

For one, there is no vocab to describe a malicious observiable, say network packet, stream, or other activity. Though if the e-mail type is removed from Malicious E-mail, and it just became Malicious (Observable), then we would have something.

Removing type information would reduce the IndicatorTypeVocab down to:
Compromised
Malicious
Watchlist
C2
Anonymization
Exfiltration

The first three are interesting, Compromised means that this Observable indicates that you ARE compromised. The Malicious means that you WILL be compromised by this Observable and Watchlist means that you MAY get compromised by this Observable.

Arguably, C2 should fall under Compromised, but as it probably requires further investigation to figure out the original compromised host, I'm fine leaving this as it's own separate type.

On Fri, Oct 23, 2015 at 7:19 AM, Barnum, Sean D. < sbarnum@mitre.org >
wrote:
I think the first step would be to enter an issue in the tracker for this so that we can get it on the table. I also agree with an earlier statement that the issue
of default vocab values has clear overlap with the interoperability SC so while we need to work internally within the STIX SC for ensuring our default vocabs have the appropriate values for STIX use cases it probably also makes sense to work at a higher level
on the process by which we define and manage the various default controlled vocabs.

[attachment "graycol.gif" deleted by Jason Keirstead/CanEast/IBM] [attachment "graycol.gif" deleted by Jason Keirstead/CanEast/IBM]

 



 

So what happens when I need to use a custom vocabulary, but have no internet access...?

Sent from IBM Verse


Terry MacDonald --- [cti-stix] RE: [cti-users] Re: [cti-stix] RE: [cti-users] Indicator Type / Vocabulary Implementation Questions ---
From:"Terry MacDonald" <terry@soltra.com>To:"Jason Keirstead" <Jason.Keirstead@ca.ibm.com>Cc:"Michael Hammer" <michael.hammer@yaanatech.com>, athiasjerome@gmail.com, joep@eclecticiq.com, Bernd.Grobauer@siemens.com, Cliff.Palmer@gd-ms.com, cti-stix@lists.oasis-open.org, cti-users@lists.oasis-open.org, jmg@newcontext.com, jwunder@mitre.org, sbarnum@mitre.orgDate:Tue, Oct 27, 2015 2:24 PMSubject:[cti-stix] RE: [cti-users] Re: [cti-stix] RE: [cti-users] Indicator Type / Vocabulary Implementation Questions



Hi Jason,

The external access would only be required in order to access the custom vocabulary. The fall back default vocabulary (as proposed by Bret) wouldn’t need external tool connectivity.

As for updating the default vocabulary I believe that most vendors would have an update mechanism built into their tools. It shouldn’t be too difficult to import the update at HQ and send it out as an update.

In any case, most TAXII servers will be connected to the Internet in order to exchange TAXII/STIX. Adding functionality to lookup a custom vocabulary wouldn’t be too onerous in my opinion.

Cheers


Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA | An FS-ISAC and DTCC Company
+61 (407) 203 206 | terry@soltra.com





From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Jason Keirstead Sent: Wednesday, 28 October 2015 8:14 AM To: Terry MacDonald <terry@soltra.com> Cc: Michael Hammer <michael.hammer@yaanatech.com>; athiasjerome@gmail.com; joep@eclecticiq.com; Bernd.Grobauer@siemens.com; Cliff.Palmer@gd-ms.com; cti-stix@lists.oasis-open.org; cti-users@lists.oasis-open.org; jmg@newcontext.com; jwunder@mitre.org; sbarnum@mitre.org Subject: [cti-users] Re: [cti-stix] RE: [cti-users] Indicator Type / Vocabulary Implementation Questions



RE:

"sub_type" : {
"vocab": "http://a.b.com/vocab-foo",
"type": "X-RAT-Downloader"
},

The problems with this are the same as with the current system...

- As a tool, I likely do not have any internet access to publish a vocabulary list
- Even if I did, I probably do not have access to a location on the corporate website to publish it.

Sent from IBM Verse



Terry MacDonald --- [cti-stix] RE: [cti-users] Indicator Type / Vocabulary Implementation Questions ---



From:
"Terry MacDonald" <terry@soltra.com>
To:
"Michael Hammer" <michael.hammer@yaanatech.com>, athiasjerome@gmail.com, "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
Cc:
joep@eclecticiq.com, Bernd.Grobauer@siemens.com, Cliff.Palmer@gd-ms.com, cti-stix@lists.oasis-open.org, cti-users@lists.oasis-open.org, jmg@newcontext.com, jwunder@mitre.org, sbarnum@mitre.org
Date:
Tue, Oct 27, 2015 1:15 PM
Subject:
[cti-stix] RE: [cti-users] Indicator Type / Vocabulary Implementation Questions




Michael,

Never apologize for bringing an opinion to the table J. It’s the discussions and reasoning from many different viewpoints that will make STIX/TAXII and CybOX better – so throw out what ever you would like to J.

This similar idea was brought up on the CTI-STIX mailing list (where the discussion has migrated to) by Bret Jordan:

Perhaps this issue could be solved by a layered approach.....

Step 1: Greatly increase the default vocabulary, removing weirdness and things that are duplicate in nature. Try and get the default vocabulary to a 60/40 or 70/30 rule. It would also be really nice if the terms were backed by a numerical element. String matching in code in notoriously inefficient.

Step 2: Provide a secondary entry point for an additional vocabulary for those groups that want or need to define their own. We would obviously need an entry point in to the controlled vocabulary that can be a "fall back", something that is a lot higher up the food chain.

By doing something like this, software that can only work with the default vocabulary can skip or throw away things it does not understand and have a fall back to something that is "close enough" for what they need. In the second example below, the "sub_type" would be options and parsers could easily throw it away or skip it. In fact most JSON parsers today naturally just skip things that do not map to a struct.


{
"stixtype": "indicator",
"type": "IP Watchlist",
....
{


or

{
"stixtype": "indicator",
"type": "Malware",
"sub_type" : {
"vocab": "http://a.b.com/vocab-foo",
"type": "X-RAT-Downloader"
},
....
{

It seems to me that this is a good in-between option.

I’d definitely suggest following the discussion on the CTI-STIX list. We’d really appreciate your involvement in the STIX Sub Committee if you have the time!

Cheers


Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA | An FS-ISAC and DTCC Company
+61 (407) 203 206 | terry@soltra.com





From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Michael Hammer Sent: Wednesday, 28 October 2015 6:57 AM To: athiasjerome@gmail.com; Jason.Keirstead@ca.ibm.com Cc: joep@eclecticiq.com; Bernd.Grobauer@siemens.com; Cliff.Palmer@gd-ms.com; cti-stix@lists.oasis-open.org; cti-users@lists.oasis-open.org; jmg@newcontext.com; jwunder@mitre.org; sbarnum@mitre.org Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions



Pardon me if I am off base with this thought but throwing out to see what sticks.

In another group, they had similar problem of divergent lists of “vocabularies” or “dictionaries”.
Example was how many states are in a sequence of a work flow and what are they called.
Common problem seems to be that your list is not my list.
In the end, they used they used a:
DictionaryOwner: e.g. one or another standards body or proprietary (e.g. OASIS-CTI)
DictionaryAttribute: e.g. the variable name (e.g. IndicatorType)
DictionaryValue: e.g. the variable value (of form string)
Where the Owner provided the context for what permissible Values could be used.

The hope in some cases was that a sufficiently well-defined standard set could obviate the need for proprietary ones.
Regularly updating the standard, could help minimize the other lists.
However, if a set needed to be “these and only these values”, then the need for multiple sets remains.

________________________________
Michael Hammer
Principal Engineer
michael.hammer@yaanatech.com
Mobile: +1408 202 9291
542 Gibraltar Drive
Milpitas, CA 95035 USA
www.yaanatech.com

From:cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Jerome Athias Sent: Saturday, October 24, 2015 9:19 AM To: Jason Keirstead <Jason.Keirstead@ca.ibm.com> Cc: Joep Gommers <joep@eclecticiq.com>; Grobauer, Bernd <Bernd.Grobauer@siemens.com>; Cliff.Palmer@gd-ms.com; cti-stix@lists.oasis-open.org; cti-users@lists.oasis-open.org; John-Mark Gurney <jmg@newcontext.com>; Wunder, John A. <jwunder@mitre.org>; Barnum, Sean D. <sbarnum@mitre.org> Subject: Re: [cti-users] Indicator Type / Vocabulary Implementation Questions

What you're pointing there is another thing I thought about which is the relationships between different vocabularies.

While partially implemented in my tools in an effort to avoid inconstancy, it was not yet introduced in the mailinglists





(Again, a structure à la CWE/CAPEC could be mid-term solution before a RDF/OWL ontology) On Saturday, 24 October 2015, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:

Should be pretty self-explanatory....
Anomalous Activity <Could be any but usually Reconnaissance/Weaponization/Delivery> Malicious Activity <Delivery / Exploitation> Command and Control

Hi Jason,   The external access would only be required in order to access the custom vocabulary. The fall back default vocabulary (as proposed by Bret) wouldn’t need external tool connectivity.   As for updating the default vocabulary I believe that most vendors would have an update mechanism built into their tools. It shouldn’t be too difficult to import the update at HQ and send it out as an update.   In any case, most TAXII servers will be connected to the Internet in order to exchange TAXII/STIX. Adding functionality to lookup a custom vocabulary wouldn’t be too onerous in my opinion.   Cheers   Terry MacDonald Senior STIX Subject Matter Expert SOLTRA   An FS-ISAC and DTCC Company +61 (407) 203 206 terry@soltra.com     From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Jason Keirstead Sent: Wednesday, 28 October 2015 8:14 AM To: Terry MacDonald <terry@soltra.com> Cc: Michael Hammer <michael.hammer@yaanatech.com>; athiasjerome@gmail.com; joep@eclecticiq.com; Bernd.Grobauer@siemens.com; Cliff.Palmer@gd-ms.com; cti-stix@lists.oasis-open.org; cti-users@lists.oasis-open.org; jmg@newcontext.com; jwunder@mitre.org; sbarnum@mitre.org Subject: [cti-users] Re: [cti-stix] RE: [cti-users] Indicator Type / Vocabulary Implementation Questions   RE:     "sub_type" : {     "vocab": " http://a.b.com/vocab-foo ",     "type": "X-RAT-Downloader"   },   The problems with this are the same as with the current system...   - As a tool, I likely do not have any internet access to publish a vocabulary list - Even if I did, I probably do not have access to a location on the corporate website to publish it.   Sent from IBM Verse   Terry MacDonald --- [cti-stix] RE: [cti-users] Indicator Type / Vocabulary Implementation Questions ---   From: "Terry MacDonald" < terry@soltra.com > To: "Michael Hammer" < michael.hammer@yaanatech.com >, athiasjerome@gmail.com , "Jason Keirstead" < Jason.Keirstead@ca.ibm.com > Cc: joep@eclecticiq.com , Bernd.Grobauer@siemens.com , Cliff.Palmer@gd-ms.com , cti-stix@lists.oasis-open.org , cti-users@lists.oasis-open.org , jmg@newcontext.com , jwunder@mitre.org , sbarnum@mitre.org Date: Tue, Oct 27, 2015 1:15 PM Subject: [cti-stix] RE: [cti-users] Indicator Type / Vocabulary Implementation Questions   Michael,   Never apologize for bringing an opinion to the table J . It’s the discussions and reasoning from many different viewpoints that will make STIX/TAXII and CybOX better – so throw out what ever you would like to J .   This similar idea was brought up on the CTI-STIX mailing list (where the discussion has migrated to) by Bret Jordan:   Perhaps this issue could be solved by a layered approach.....   Step 1: Greatly increase the default vocabulary, removing weirdness and things that are duplicate in nature. Try and get the default vocabulary to a 60/40 or 70/30 rule.  It would also be really nice if the terms were backed by a numerical element.  String matching in code in notoriously inefficient.     Step 2: Provide a secondary entry point for an additional vocabulary for those groups that want or need to define their own.  We would obviously need an entry point in to the controlled vocabulary that can be a "fall back", something that is a lot higher up the food chain.     By doing something like this, software that can only work with the default vocabulary can skip or throw away things it does not understand and have a fall back to something that is "close enough" for what they need.  In the second example below, the "sub_type" would be options and parsers could easily throw it away or skip it.  In fact most JSON parsers today naturally just skip things that do not map to a struct.       {   "stixtype": "indicator",   "type": "IP Watchlist",   .... {     or    {   "stixtype": "indicator",   "type": "Malware",   "sub_type" : {     "vocab": " http://a.b.com/vocab-foo ",     "type": "X-RAT-Downloader"   },   .... {   It seems to me that this is a good in-between option.   I’d definitely suggest following the discussion on the CTI-STIX list. We’d really appreciate your involvement in the STIX Sub Committee if you have the time!   Cheers   Terry MacDonald Senior STIX Subject Matter Expert SOLTRA   An FS-ISAC and DTCC Company +61 (407) 203 206 terry@soltra.com     From: cti-users@lists.oasis-open.org [ mailto:cti-users@lists.oasis-open.org ] On Behalf Of Michael Hammer Sent: Wednesday, 28 October 2015 6:57 AM To: athiasjerome@gmail.com ; Jason.Keirstead@ca.ibm.com Cc: joep@eclecticiq.com ; Bernd.Grobauer@siemens.com ; Cliff.Palmer@gd-ms.com ; cti-stix@lists.oasis-open.org ; cti-users@lists.oasis-open.org ; jmg@newcontext.com ; jwunder@mitre.org ; sbarnum@mitre.org Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions   Pardon me if I am off base with this thought but throwing out to see what sticks.   In another group, they had similar problem of divergent lists of “vocabularies” or “dictionaries”. Example was how many states are in a sequence of a work flow and what are they called. Common problem seems to be that your list is not my list. In the end, they used they used a: DictionaryOwner:  e.g. one or another standards body or proprietary (e.g. OASIS-CTI) DictionaryAttribute: e.g. the variable name (e.g. IndicatorType) DictionaryValue: e.g. the variable value (of form string) Where the Owner provided the context for what permissible Values could be used.   The hope in some cases was that a sufficiently well-defined standard set could obviate the need for proprietary ones. Regularly updating the standard, could help minimize the other lists. However, if a set needed to be “these and only these values”, then the need for multiple sets remains.   ________________________________ Michael Hammer Principal Engineer michael.hammer@yaanatech.com Mobile: +1408 202 9291 542 Gibraltar Drive Milpitas, CA 95035 USA www.yaanatech.com   From: cti-users@lists.oasis-open.org [ mailto:cti-users@lists.oasis-open.org ] On Behalf Of Jerome Athias Sent: Saturday, October 24, 2015 9:19 AM To: Jason Keirstead < Jason.Keirstead@ca.ibm.com > Cc: Joep Gommers < joep@eclecticiq.com >; Grobauer, Bernd < Bernd.Grobauer@siemens.com >; Cliff.Palmer@gd-ms.com ; cti-stix@lists.oasis-open.org ; cti-users@lists.oasis-open.org ; John-Mark Gurney < jmg@newcontext.com >; Wunder, John A. < jwunder@mitre.org >; Barnum, Sean D. < sbarnum@mitre.org > Subject: Re: [cti-users] Indicator Type / Vocabulary Implementation Questions   What you're pointing there is another thing I thought about which is the relationships between different vocabularies. While partially implemented in my tools in an effort to avoid inconstancy, it was not yet introduced in the mailinglists    (Again, a structure à la CWE/CAPEC could be mid-term solution before a RDF/OWL ontology) On Saturday, 24 October 2015, Jason Keirstead < Jason.Keirstead@ca.ibm.com > wrote: Should be pretty self-explanatory.... Anomalous Activity <Could be any but usually Reconnaissance/Weaponization/Delivery> Malicious Activity <Delivery / Exploitation> Command and Control <Command and Control> Anonymization <Actions> Data Exfiltration <Actions> Lateral Movement <Installation> Privilege Escalation <Installation> Reconnaissance <Reconnaissance > Host/Process Compromise <Installation> Watchlist <N/A> Quantified Risk <N/A> Policy Violation ** <N/A> - Jason Keirstead Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security www.securityintelligence.com Without data, all you are is just another person with an opinion - Unknown Joep Gommers ---2015/10/24 06:33:42 AM---Jason, How would you feel this relates to killchain? From: Joep Gommers < joep@eclecticiq.com > To: Jason Keirstead/CanEast/IBM@IBMCA Cc: John-Mark Gurney < jmg@newcontext.com >, "Barnum, Sean D." < sbarnum@mitre.org >, "Grobauer, Bernd" < Bernd.Grobauer@siemens.com >, "Wunder, John A." < jwunder@mitre.org >, " Cliff.Palmer@gd-ms.com " < Cliff.Palmer@gd-ms.com >, " cti-users@lists.oasis-open.org " < cti-users@lists.oasis-open.org >, " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org > Date: 2015/10/24 06:33 AM Subject: Re: [cti-users] Re: [cti-stix] Re: [cti-users] Indicator Type / Vocabulary Implementation Questions Jason, How would you feel this relates to killchain? J Sent from my iPhone On 24 Oct 2015, at 11:05, Jason Keirstead < Jason.Keirstead@ca.ibm.com > wrote: I like the direction this is going " Removing type information would reduce the IndicatorTypeVocab down to: Compromised Malicious Watchlist C2 Anonymization Exfiltration " This is very similar to what I have been working through This was my internal list so far - thoughts? Anomalous Activity Malicious Activity Command and Control * Anonymization Data Exfiltration Lateral Movement Privilege Escalation Reconnaissance Host/Process Compromise Watchlist Quantified Risk Policy Violation ** * I prefer descriptive names other than acronyms like "C2", it makes it easier for translation purposes. ** Not sure about this one... its kind of straying outside the CTI realm.. although i do see a great value / need for it in the vocabulary. - Jason Keirstead Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security www.securityintelligence.com Without data, all you are is just another person with an opinion - Unknown <graycol.gif> John-Mark Gurney ---2015/10/23 03:57:30 PM---I have created an issue for this as when I was reviewing the vocab list, it did not cover our use ca From: John-Mark Gurney < jmg@newcontext.com > To: "Barnum, Sean D." < sbarnum@mitre.org > Cc: "Grobauer, Bernd" < Bernd.Grobauer@siemens.com >, "Wunder, John A." < jwunder@mitre.org >, Jason Keirstead/CanEast/IBM@IBMCA, " Cliff.Palmer@gd-ms.com " < Cliff.Palmer@gd-ms.com >, " cti-users@lists.oasis-open.org " < cti-users@lists.oasis-open.org >, cti-stix@lists.oasis-open.org Date: 2015/10/23 03:57 PM Subject: [cti-stix] Re: [cti-users] Indicator Type / Vocabulary Implementation Questions Sent by: < cti-stix@lists.oasis-open.org > I have created an issue for this as when I was reviewing the vocab list, it did not cover our use case. The issue I created: https://github.com/STIXProject/specifications/issues/35 I believe that this will help people use the Vocab better, and may reduce the need for custom vocabs. Please comment on this issue to provide feed back. Thanks. I have included the text of the issue here for reference: There is a discussion on cti-users and cti-stix about improving the IndicatorTypeVocab. I believe that having a vocab is a useful thing. But I believe the existing vocab needs to be improved. First off, type information, like e-mail, ip, file hash, domain, etc. should be removed. You should/must be able to get this information from the Observable that is part of the Indicator. For one, there is no vocab to describe a malicious observiable, say network packet, stream, or other activity. Though if the e-mail type is removed from Malicious E-mail, and it just became Malicious (Observable), then we would have something. Removing type information would reduce the IndicatorTypeVocab down to: Compromised Malicious Watchlist C2 Anonymization Exfiltration The first three are interesting, Compromised means that this Observable indicates that you ARE compromised. The Malicious means that you WILL be compromised by this Observable and Watchlist means that you MAY get compromised by this Observable. Arguably, C2 should fall under Compromised, but as it probably requires further investigation to figure out the original compromised host, I'm fine leaving this as it's own separate type. On Fri, Oct 23, 2015 at 7:19 AM, Barnum, Sean D. < sbarnum@mitre.org > wrote: I think the first step would be to enter an issue in the tracker for this so that we can get it on the table. I also agree with an earlier statement that the issue of default vocab values has clear overlap with the interoperability SC so while we need to work internally within the STIX SC for ensuring our default vocabs have the appropriate values for STIX use cases it probably also makes sense to work at a higher level on the process by which we define and manage the various default controlled vocabs. [attachment "graycol.gif" deleted by Jason Keirstead/CanEast/IBM] [attachment "graycol.gif" deleted by Jason Keirstead/CanEast/IBM]    

Michael,   Never apologize for bringing an opinion to the table J . It’s the discussions and reasoning from many different viewpoints that will make STIX/TAXII and CybOX better – so throw out what ever you would like to J .   This similar idea was brought up on the CTI-STIX mailing list (where the discussion has migrated to) by Bret Jordan:   Perhaps this issue could be solved by a layered approach.....   Step 1: Greatly increase the default vocabulary, removing weirdness and things that are duplicate in nature. Try and get the default vocabulary to a 60/40 or 70/30 rule.  It would also be really nice if the terms were backed by a numerical element.  String matching in code in notoriously inefficient.     Step 2: Provide a secondary entry point for an additional vocabulary for those groups that want or need to define their own.  We would obviously need an entry point in to the controlled vocabulary that can be a "fall back", something that is a lot higher up the food chain.     By doing something like this, software that can only work with the default vocabulary can skip or throw away things it does not understand and have a fall back to something that is "close enough" for what they need.  In the second example below, the "sub_type" would be options and parsers could easily throw it away or skip it.  In fact most JSON parsers today naturally just skip things that do not map to a struct.       {   "stixtype": "indicator",   "type": "IP Watchlist",   .... {     or    {   "stixtype": "indicator",   "type": "Malware",   "sub_type" : {     "vocab": " http://a.b.com/vocab-foo ",     "type": "X-RAT-Downloader"   },   .... {   It seems to me that this is a good in-between option.   I’d definitely suggest following the discussion on the CTI-STIX list. We’d really appreciate your involvement in the STIX Sub Committee if you have the time!   Cheers   Terry MacDonald Senior STIX Subject Matter Expert SOLTRA   An FS-ISAC and DTCC Company +61 (407) 203 206 terry@soltra.com     From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Michael Hammer Sent: Wednesday, 28 October 2015 6:57 AM To: athiasjerome@gmail.com; Jason.Keirstead@ca.ibm.com Cc: joep@eclecticiq.com; Bernd.Grobauer@siemens.com; Cliff.Palmer@gd-ms.com; cti-stix@lists.oasis-open.org; cti-users@lists.oasis-open.org; jmg@newcontext.com; jwunder@mitre.org; sbarnum@mitre.org Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions   Pardon me if I am off base with this thought but throwing out to see what sticks.   In another group, they had similar problem of divergent lists of “vocabularies” or “dictionaries”. Example was how many states are in a sequence of a work flow and what are they called. Common problem seems to be that your list is not my list. In the end, they used they used a: DictionaryOwner:  e.g. one or another standards body or proprietary (e.g. OASIS-CTI) DictionaryAttribute: e.g. the variable name (e.g. IndicatorType) DictionaryValue: e.g. the variable value (of form string) Where the Owner provided the context for what permissible Values could be used.   The hope in some cases was that a sufficiently well-defined standard set could obviate the need for proprietary ones. Regularly updating the standard, could help minimize the other lists. However, if a set needed to be “these and only these values”, then the need for multiple sets remains.   ________________________________ Michael Hammer Principal Engineer michael.hammer@yaanatech.com Mobile: +1 408 202 9291 542 Gibraltar Drive Milpitas, CA 95035 USA www.yaanatech.com   From: cti-users@lists.oasis-open.org [ mailto:cti-users@lists.oasis-open.org ] On Behalf Of Jerome Athias Sent: Saturday, October 24, 2015 9:19 AM To: Jason Keirstead < Jason.Keirstead@ca.ibm.com > Cc: Joep Gommers < joep@eclecticiq.com >; Grobauer, Bernd < Bernd.Grobauer@siemens.com >; Cliff.Palmer@gd-ms.com ; cti-stix@lists.oasis-open.org ; cti-users@lists.oasis-open.org ; John-Mark Gurney < jmg@newcontext.com >; Wunder, John A. < jwunder@mitre.org >; Barnum, Sean D. < sbarnum@mitre.org > Subject: Re: [cti-users] Indicator Type / Vocabulary Implementation Questions   What you're pointing there is another thing I thought about which is the relationships between different vocabularies. While partially implemented in my tools in an effort to avoid inconstancy, it was not yet introduced in the mailinglists    (Again, a structure à la CWE/CAPEC could be mid-term solution before a RDF/OWL ontology) On Saturday, 24 October 2015, Jason Keirstead < Jason.Keirstead@ca.ibm.com > wrote: Should be pretty self-explanatory.... Anomalous Activity <Could be any but usually Reconnaissance/Weaponization/Delivery> Malicious Activity <Delivery / Exploitation> Command and Control <Command and Control> Anonymization <Actions> Data Exfiltration <Actions> Lateral Movement <Installation> Privilege Escalation <Installation> Reconnaissance <Reconnaissance > Host/Process Compromise <Installation> Watchlist <N/A> Quantified Risk <N/A> Policy Violation ** <N/A> - Jason Keirstead Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security www.securityintelligence.com Without data, all you are is just another person with an opinion - Unknown Joep Gommers ---2015/10/24 06:33:42 AM---Jason, How would you feel this relates to killchain? From: Joep Gommers < joep@eclecticiq.com > To: Jason Keirstead/CanEast/IBM@IBMCA Cc: John-Mark Gurney < jmg@newcontext.com >, "Barnum, Sean D." < sbarnum@mitre.org >, "Grobauer, Bernd" < Bernd.Grobauer@siemens.com >, "Wunder, John A." < jwunder@mitre.org >, " Cliff.Palmer@gd-ms.com " < Cliff.Palmer@gd-ms.com >, " cti-users@lists.oasis-open.org " < cti-users@lists.oasis-open.org >, " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org > Date: 2015/10/24 06:33 AM Subject: Re: [cti-users] Re: [cti-stix] Re: [cti-users] Indicator Type / Vocabulary Implementation Questions Jason, How would you feel this relates to killchain? J Sent from my iPhone On 24 Oct 2015, at 11:05, Jason Keirstead < Jason.Keirstead@ca.ibm.com > wrote: I like the direction this is going " Removing type information would reduce the IndicatorTypeVocab down to: Compromised Malicious Watchlist C2 Anonymization Exfiltration " This is very similar to what I have been working through This was my internal list so far - thoughts? Anomalous Activity Malicious Activity Command and Control * Anonymization Data Exfiltration Lateral Movement Privilege Escalation Reconnaissance Host/Process Compromise Watchlist Quantified Risk Policy Violation ** * I prefer descriptive names other than acronyms like "C2", it makes it easier for translation purposes. ** Not sure about this one... its kind of straying outside the CTI realm.. although i do see a great value / need for it in the vocabulary. - Jason Keirstead Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security www.securityintelligence.com Without data, all you are is just another person with an opinion - Unknown <graycol.gif> John-Mark Gurney ---2015/10/23 03:57:30 PM---I have created an issue for this as when I was reviewing the vocab list, it did not cover our use ca From: John-Mark Gurney < jmg@newcontext.com > To: "Barnum, Sean D." < sbarnum@mitre.org > Cc: "Grobauer, Bernd" < Bernd.Grobauer@siemens.com >, "Wunder, John A." < jwunder@mitre.org >, Jason Keirstead/CanEast/IBM@IBMCA, " Cliff.Palmer@gd-ms.com " < Cliff.Palmer@gd-ms.com >, " cti-users@lists.oasis-open.org " < cti-users@lists.oasis-open.org >, cti-stix@lists.oasis-open.org Date: 2015/10/23 03:57 PM Subject: [cti-stix] Re: [cti-users] Indicator Type / Vocabulary Implementation Questions Sent by: < cti-stix@lists.oasis-open.org > I have created an issue for this as when I was reviewing the vocab list, it did not cover our use case. The issue I created: https://github.com/STIXProject/specifications/issues/35 I believe that this will help people use the Vocab better, and may reduce the need for custom vocabs. Please comment on this issue to provide feed back. Thanks. I have included the text of the issue here for reference: There is a discussion on cti-users and cti-stix about improving the IndicatorTypeVocab. I believe that having a vocab is a useful thing. But I believe the existing vocab needs to be improved. First off, type information, like e-mail, ip, file hash, domain, etc. should be removed. You should/must be able to get this information from the Observable that is part of the Indicator. For one, there is no vocab to describe a malicious observiable, say network packet, stream, or other activity. Though if the e-mail type is removed from Malicious E-mail, and it just became Malicious (Observable), then we would have something. Removing type information would reduce the IndicatorTypeVocab down to: Compromised Malicious Watchlist C2 Anonymization Exfiltration The first three are interesting, Compromised means that this Observable indicates that you ARE compromised. The Malicious means that you WILL be compromised by this Observable and Watchlist means that you MAY get compromised by this Observable. Arguably, C2 should fall under Compromised, but as it probably requires further investigation to figure out the original compromised host, I'm fine leaving this as it's own separate type. On Fri, Oct 23, 2015 at 7:19 AM, Barnum, Sean D. < sbarnum@mitre.org > wrote: I think the first step would be to enter an issue in the tracker for this so that we can get it on the table. I also agree with an earlier statement that the issue of default vocab values has clear overlap with the interoperability SC so while we need to work internally within the STIX SC for ensuring our default vocabs have the appropriate values for STIX use cases it probably also makes sense to work at a higher level on the process by which we define and manage the various default controlled vocabs. [attachment "graycol.gif" deleted by Jason Keirstead/CanEast/IBM] [attachment "graycol.gif" deleted by Jason Keirstead/CanEast/IBM]  

Agreed. But for those that really want to use their own list, and are just adamant about it, then they can publish their list on a web site or github or where ever. The key is to have at least a fall back to a value that is "close enough" for tools that have no access to the extended vocabulary.

Now along these lines, it might be possible to send a vocabulary in a STIX package, if someone was so inclined. And the vocab field would just contain an ID REF.

I guess another hard question we really need to ask is, what is the scope of the problem we are trying to solve?

How many users are going to need this solution?
a) If the number is 0-5% maybe we do not do it until STIX 2.5 / STIX 3.0
b) If the number is between 5-20% then we should figure out a solution
c) If between 20%-40% maybe we need 2-3 defined vocabularies
c) If greater than 40%, then we need to fix the default vocabulary so they do not need to use their own.


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

> On Oct 27, 2015, at 14:14, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:
>
> RE:
>
> "sub_type" : {
> "vocab": "http://a.b.com/vocab-foo <http://a.b.com/vocab-foo>",
> "type": "X-RAT-Downloader"
> },
>
> The problems with this are the same as with the current system...
>
> - As a tool, I likely do not have any internet access to publish a vocabulary list
> - Even if I did, I probably do not have access to a location on the corporate website to publish it.
>
> Sent from IBM Verse
>
>
>
> Terry MacDonald --- [cti-stix] RE: [cti-users] Indicator Type / Vocabulary Implementation Questions ---
>
> From: "Terry MacDonald" <terry@soltra.com <mailto:terry@soltra.com>>
> To: "Michael Hammer" <michael.hammer@yaanatech.com <mailto:michael.hammer@yaanatech.com>>, athiasjerome@gmail.com <mailto:athiasjerome@gmail.com>, "Jason Keirstead" <Jason.Keirstead@ca.ibm.com <mailto:Jason.Keirstead@ca.ibm.com>>
> Cc: joep@eclecticiq.com <mailto:joep@eclecticiq.com>, Bernd.Grobauer@siemens.com <mailto:Bernd.Grobauer@siemens.com>, Cliff.Palmer@gd-ms.com <mailto:Cliff.Palmer@gd-ms.com>, cti-stix@lists.oasis-open.org <mailto:cti-stix@lists.oasis-open.org>, cti-users@lists.oasis-open.org <mailto:cti-users@lists.oasis-open.org>, jmg@newcontext.com <mailto:jmg@newcontext.com>, jwunder@mitre.org <mailto:jwunder@mitre.org>, sbarnum@mitre.org <mailto:sbarnum@mitre.org>
> Date: Tue, Oct 27, 2015 1:15 PM
> Subject: [cti-stix] RE: [cti-users] Indicator Type / Vocabulary Implementation Questions
>
> Michael,
>
> Never apologize for bringing an opinion to the table J. It’s the discussions and reasoning from many different viewpoints that will make STIX/TAXII and CybOX better – so throw out what ever you would like to J.
>
> This similar idea was brought up on the CTI-STIX mailing list (where the discussion has migrated to) by Bret Jordan:
>
> Perhaps this issue could be solved by a layered approach.....
>
> Step 1: Greatly increase the default vocabulary, removing weirdness and things that are duplicate in nature. Try and get the default vocabulary to a 60/40 or 70/30 rule. It would also be really nice if the terms were backed by a numerical element. String matching in code in notoriously inefficient.
>
> Step 2: Provide a secondary entry point for an additional vocabulary for those groups that want or need to define their own. We would obviously need an entry point in to the controlled vocabulary that can be a "fall back", something that is a lot higher up the food chain.
>
> By doing something like this, software that can only work with the default vocabulary can skip or throw away things it does not understand and have a fall back to something that is "close enough" for what they need. In the second example below, the "sub_type" would be options and parsers could easily throw it away or skip it. In fact most JSON parsers today naturally just skip things that do not map to a struct.
>
>
> {
> "stixtype": "indicator",
> "type": "IP Watchlist",
> ....
> {
>
>
> or
>
> {
> "stixtype": "indicator",
> "type": "Malware",
> "sub_type" : {
> "vocab": "http://a.b.com/vocab-foo <http://a.b.com/vocab-foo>",
> "type": "X-RAT-Downloader"
> },
> ....
> {
>
> It seems to me that this is a good in-between option.
>
> I’d definitely suggest following the discussion on the CTI-STIX list. We’d really appreciate your involvement in the STIX Sub Committee if you have the time!
>
> Cheers
>
> Terry MacDonald
> Senior STIX Subject Matter Expert
> SOLTRA | An FS-ISAC and DTCC Company
> +61 (407) 203 206 | terry@soltra.com <mailto:terry@soltra.com>
>
>
> From: cti-users@lists.oasis-open.org <mailto:cti-users@lists.oasis-open.org> [mailto:cti-users@lists.oasis-open.org <mailto:cti-users@lists.oasis-open.org>] On Behalf Of Michael Hammer
> Sent: Wednesday, 28 October 2015 6:57 AM
> To: athiasjerome@gmail.com <mailto:athiasjerome@gmail.com>; Jason.Keirstead@ca.ibm.com <mailto:Jason.Keirstead@ca.ibm.com>
> Cc: joep@eclecticiq.com <mailto:joep@eclecticiq.com>; Bernd.Grobauer@siemens.com <mailto:Bernd.Grobauer@siemens.com>; Cliff.Palmer@gd-ms.com <mailto:Cliff.Palmer@gd-ms.com>; cti-stix@lists.oasis-open.org <mailto:cti-stix@lists.oasis-open.org>; cti-users@lists.oasis-open.org <mailto:cti-users@lists.oasis-open.org>; jmg@newcontext.com <mailto:jmg@newcontext.com>; jwunder@mitre.org <mailto:jwunder@mitre.org>; sbarnum@mitre.org <mailto:sbarnum@mitre.org>
> Subject: RE: [cti-users] Indicator Type / Vocabulary Implementation Questions
>
> Pardon me if I am off base with this thought but throwing out to see what sticks.
>
> In another group, they had similar problem of divergent lists of “vocabularies” or “dictionaries”.
> Example was how many states are in a sequence of a work flow and what are they called.
> Common problem seems to be that your list is not my list.
> In the end, they used they used a:
> DictionaryOwner: e.g. one or another standards body or proprietary (e.g. OASIS-CTI)
> DictionaryAttribute: e.g. the variable name (e.g. IndicatorType)
> DictionaryValue: e.g. the variable value (of form string)
> Where the Owner provided the context for what permissible Values could be used.
>
> The hope in some cases was that a sufficiently well-defined standard set could obviate the need for proprietary ones.
> Regularly updating the standard, could help minimize the other lists.
> However, if a set needed to be “these and only these values”, then the need for multiple sets remains.
>
> ________________________________
> Michael Hammer
> Principal Engineer
> michael.hammer@yaanatech.com <mailto:michael.hammer@yaanatech.com>
> Mobile: +1408 202 9291
> 542 Gibraltar Drive
> Milpitas, CA 95035 USA
> www.yaanatech.com <http://www.yaanatech.com/>
>
> From:cti-users@lists.oasis-open.org <mailto:cti-users@lists.oasis-open.org> [mailto:cti-users@lists.oasis-open.org <mailto:cti-users@lists.oasis-open.org>] On Behalf Of Jerome Athias
> Sent: Saturday, October 24, 2015 9:19 AM
> To: Jason Keirstead <Jason.Keirstead@ca.ibm.com <mailto:Jason.Keirstead@ca.ibm.com>>
> Cc: Joep Gommers <joep@eclecticiq.com <mailto:joep@eclecticiq.com>>; Grobauer, Bernd <Bernd.Grobauer@siemens.com <mailto:Bernd.Grobauer@siemens.com>>; Cliff.Palmer@gd-ms.com <mailto:Cliff.Palmer@gd-ms.com>; cti-stix@lists.oasis-open.org <mailto:cti-stix@lists.oasis-open.org>; cti-users@lists.oasis-open.org <mailto:cti-users@lists.oasis-open.org>; John-Mark Gurney <jmg@newcontext.com <mailto:jmg@newcontext.com>>; Wunder, John A. <jwunder@mitre.org <mailto:jwunder@mitre.org>>; Barnum, Sean D. <sbarnum@mitre.org <mailto:sbarnum@mitre.org>>
> Subject: Re: [cti-users] Indicator Type / Vocabulary Implementation Questions
>
> What you're pointing there is another thing I thought about which is the relationships between different vocabularies.
> While partially implemented in my tools in an effort to avoid inconstancy, it was not yet introduced in the mailinglists
>
> (Again, a structure à la CWE/CAPEC could be mid-term solution before a RDF/OWL ontology)
>
> On Saturday, 24 October 2015, Jason Keirstead <Jason.Keirstead@ca.ibm.com <mailto:Jason.Keirstead@ca.ibm.com>> wrote:
> Should be pretty self-explanatory....
>
> Anomalous Activity <Could be any but usually Reconnaissance/Weaponization/Delivery>
> Malicious Activity <Delivery / Exploitation>
> Command and Control

Agreed.  But for those that really want to use their own list, and are just adamant about it, then they can publish their list on a web site or github or where ever.  The key is to have at least a fall back to a value that is close enough for tools that have no access to the extended vocabulary.   Now along these lines, it might be possible to send a vocabulary in a STIX package, if someone was so inclined.  And the  vocab field would just contain an ID REF.   I guess another hard question we really need to ask is, what is the scope of the problem we are trying to solve? How many users are going to need this solution? a) If the number is 0-5% maybe we do not do it until STIX 2.5 / STIX 3.0 b) If the number is between 5-20% then we should figure out a solution  c) If between 20%-40% maybe we need 2-3 defined vocabularies c) If greater than 40%, then we need to fix the default vocabulary so they do not need to use their own. Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.   On Oct 27, 2015, at 14:14, Jason Keirstead < Jason.Keirstead@ca.ibm.com > wrote: RE:   sub_type : {     vocab : http://a.b.com/vocab-foo ,     type : X-RAT-Downloader   }, The problems with this are the same as with the current system... - As a tool, I likely do not have any internet access to publish a vocabulary list - Even if I did, I probably do not have access to a location on the corporate website to publish it. Sent from IBM Verse Terry MacDonald --- [cti-stix] RE: [cti-users] Indicator Type / Vocabulary Implementation Questions ---   From: Terry MacDonald < terry@soltra.com > To: Michael Hammer < michael.hammer@yaanatech.com >,   athiasjerome@gmail.com , Jason Keirstead < Jason.Keirstead@ca.ibm.com > Cc: joep@eclecticiq.com ,   Bernd.Grobauer@siemens.com ,   Cliff.Palmer@gd-ms.com ,   cti-stix@lists.oasis-open.org ,   cti-users@lists.oasis-open.org ,   jmg@newcontext.com ,   jwunder@mitre.org ,   sbarnum@mitre.org Date: Tue, Oct 27, 2015 1:15 PM Subject: [cti-stix] RE: [cti-users] Indicator Type / Vocabulary Implementation Questions Michael,   Never apologize for bringing an opinion to the table   J . It’s the discussions and reasoning from many different viewpoints that will make STIX/TAXII and CybOX better – so throw out what ever you would like to   J .   This similar idea was brought up on the CTI-STIX mailing list (where the discussion has migrated to) by Bret Jordan:   Perhaps this issue could be solved by a layered approach.....   Step 1: Greatly increase the default vocabulary, removing weirdness and things that are duplicate in nature. Try and get the default vocabulary to a 60/40 or 70/30 rule.  It would also be really nice if the terms were backed by a numerical element.  String matching in code in notoriously inefficient.     Step 2: Provide a secondary entry point for an additional vocabulary for those groups that want or need to define their own.  We would obviously need an entry point in to the controlled vocabulary that can be a fall back , something that is a lot higher up the food chain.     By doing something like this, software that can only work with the default vocabulary can skip or throw away things it does not understand and have a fall back to something that is close enough for what they need.  In the second example below, the sub_type would be options and parsers could easily throw it away or skip it.  In fact most JSON parsers today naturally just skip things that do not map to a struct.       {   stixtype : indicator ,   type : IP Watchlist ,   .... {     or    {   stixtype : indicator ,   type : Malware ,   sub_type : {     vocab : http://a.b.com/vocab-foo ,     type : X-RAT-Downloader   },   .... {   It seems to me that this is a good in-between option.   I’d definitely suggest following the discussion on the CTI-STIX list. We’d really appreciate your involvement in the STIX Sub Committee if you have the time!   Cheers   Terry MacDonald Senior STIX Subject Matter Expert SOLTRA   An FS-ISAC and DTCC Company +61 (407) 203 206   terry@soltra.com     From:   cti-users@lists.oasis-open.org   [ mailto:cti-users@lists.oasis-open.org ]   On Behalf Of   Michael Hammer Sent:   Wednesday, 28 October 2015 6:57 AM To:   athiasjerome@gmail.com ;   Jason.Keirstead@ca.ibm.com Cc:   joep@eclecticiq.com ;   Bernd.Grobauer@siemens.com ;   Cliff.Palmer@gd-ms.com ;   cti-stix@lists.oasis-open.org ;   cti-users@lists.oasis-open.org ;   jmg@newcontext.com ;   jwunder@mitre.org ;   sbarnum@mitre.org Subject:   RE: [cti-users] Indicator Type / Vocabulary Implementation Questions   Pardon me if I am off base with this thought but throwing out to see what sticks.   In another group, they had similar problem of divergent lists of “vocabularies” or “dictionaries”. Example was how many states are in a sequence of a work flow and what are they called. Common problem seems to be that your list is not my list. In the end, they used they used a: DictionaryOwner:  e.g. one or another standards body or proprietary (e.g. OASIS-CTI) DictionaryAttribute: e.g. the variable name (e.g. IndicatorType) DictionaryValue: e.g. the variable value (of form string) Where the Owner provided the context for what permissible Values could be used.   The hope in some cases was that a sufficiently well-defined standard set could obviate the need for proprietary ones. Regularly updating the standard, could help minimize the other lists. However, if a set needed to be “these and only these values”, then the need for multiple sets remains.   ________________________________ Michael Hammer Principal Engineer michael.hammer@yaanatech.com Mobile:   +1 408 202 9291 542 Gibraltar Drive Milpitas, CA 95035 USA www.yaanatech.com   From: cti-users@lists.oasis-open.org   [ mailto:cti-users@lists.oasis-open.org ]   On Behalf Of   Jerome Athias Sent:   Saturday, October 24, 2015 9:19 AM To:   Jason Keirstead < Jason.Keirstead@ca.ibm.com > Cc:   Joep Gommers < joep@eclecticiq.com >; Grobauer, Bernd < Bernd.Grobauer@siemens.com >;   Cliff.Palmer@gd-ms.com ;   cti-stix@lists.oasis-open.org ;   cti-users@lists.oasis-open.org ; John-Mark Gurney < jmg@newcontext.com >; Wunder, John A. < jwunder@mitre.org >; Barnum, Sean D. < sbarnum@mitre.org > Subject:   Re: [cti-users] Indicator Type / Vocabulary Implementation Questions   What you're pointing there is another thing I thought about which is the relationships between different vocabularies. While partially implemented in my tools in an effort to avoid inconstancy, it was not yet introduced in the mailinglists    (Again, a structure à la CWE/CAPEC could be mid-term solution before a RDF/OWL ontology) On Saturday, 24 October 2015, Jason Keirstead < Jason.Keirstead@ca.ibm.com > wrote: Should be pretty self-explanatory.... Anomalous Activity   <Could be any but usually Reconnaissance/Weaponization/Delivery> Malicious Activity   <Delivery / Exploitation> Command and Control   <Command and Control> Anonymization   <Actions> Data Exfiltration   <Actions> Lateral Movement   <Installation> Privilege Escalation   <Installation> Reconnaissance   <Reconnaissance > Host/Process Compromise   <Installation> Watchlist   <N/A> Quantified Risk   <N/A> Policy Violation **   <N/A> - Jason Keirstead Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security     www.securityintelligence.com Without data, all you are is just another person with an opinion - Unknown   Joep Gommers ---2015/10/24 06:33:42 AM---Jason, How would you feel this relates to killchain? From:   Joep Gommers < joep@eclecticiq.com > To:   Jason Keirstead/CanEast/IBM@IBMCA Cc:   John-Mark Gurney < jmg@newcontext.com >, Barnum, Sean D. < sbarnum@mitre.org >, Grobauer, Bernd < Bernd.Grobauer@siemens.com >, Wunder, John A. < jwunder@mitre.org >, Cliff.Palmer@gd-ms.com < Cliff.Palmer@gd-ms.com >, cti-users@lists.oasis-open.org < cti-users@lists.oasis-open.org >, cti-stix@lists.oasis-open.org < cti-stix@lists.oasis-open.org > Date:   2015/10/24 06:33 AM Subject:   Re: [cti-users] Re: [cti-stix] Re: [cti-users] Indicator Type / Vocabulary Implementation Questions Jason, How would you feel this relates to killchain? J Sent from my iPhone On 24 Oct 2015, at 11:05, Jason Keirstead < Jason.Keirstead@ca.ibm.com > wrote: I like the direction this is going Removing type information would reduce the IndicatorTypeVocab down to: Compromised Malicious Watchlist C2 Anonymization Exfiltration This is very similar to what I have been working through This was my internal list so far - thoughts? Anomalous Activity Malicious Activity Command and Control * Anonymization Data Exfiltration Lateral Movement Privilege Escalation Reconnaissance Host/Process Compromise Watchlist Quantified Risk Policy Violation ** * I prefer descriptive names other than acronyms like C2 , it makes it easier for translation purposes. ** Not sure about this one... its kind of straying outside the CTI realm.. although i do see a great value / need for it in the vocabulary. - Jason Keirstead Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security     www.securityintelligence.com Without data, all you are is just another person with an opinion - Unknown   <graycol.gif> John-Mark Gurney ---2015/10/23 03:57:30 PM---I have created an issue for this as when I was reviewing the vocab list, it did not cover our use ca From:   John-Mark Gurney < jmg@newcontext.com > To:   Barnum, Sean D. < sbarnum@mitre.org > Cc:   Grobauer, Bernd < Bernd.Grobauer@siemens.com >, Wunder, John A. < jwunder@mitre.org >, Jason Keirstead/CanEast/IBM@IBMCA, Cliff.Palmer@gd-ms.com < Cliff.Palmer@gd-ms.com >, cti-users@lists.oasis-open.org < cti-users@lists.oasis-open.org >,   cti-stix@lists.oasis-open.org Date:   2015/10/23 03:57 PM Subject:   [cti-stix] Re: [cti-users] Indicator Type / Vocabulary Implementation Questions Sent by:   < cti-stix@lists.oasis-open.org > I have created an issue for this as when I was reviewing the vocab list, it did not cover our use case. The issue I created: https://github.com/STIXProject/specifications/issues/35 I believe that this will help people use the Vocab better, and may reduce the need for custom vocabs. Please comment on this issue to provide feed back. Thanks. I have included the text of the issue here for reference: There is a discussion on cti-users and cti-stix about improving the IndicatorTypeVocab. I believe that having a vocab is a useful thing. But I believe the existing vocab needs to be improved. First off, type information, like e-mail, ip, file hash, domain, etc. should be removed. You should/must be able to get this information from the Observable that is part of the Indicator. For one, there is no vocab to describe a malicious observiable, say network packet, stream, or other activity. Though if the e-mail type is removed from Malicious E-mail, and it just became Malicious (Observable), then we would have something. Removing type information would reduce the IndicatorTypeVocab down to: Compromised Malicious Watchlist C2 Anonymization Exfiltration The first three are interesting, Compromised means that this Observable indicates that you ARE compromised. The Malicious means that you WILL be compromised by this Observable and Watchlist means that you MAY get compromised by this Observable. Arguably, C2 should fall under Compromised, but as it probably requires further investigation to figure out the original compromised host, I'm fine leaving this as it's own separate type. On Fri, Oct 23, 2015 at 7:19 AM, Barnum, Sean D. < sbarnum@mitre.org > wrote: I think the first step would be to enter an issue in the tracker for this so that we can get it on the table. I also agree with an earlier statement that the issue of default vocab values has clear overlap with the interoperability SC so while we need to work internally within the STIX SC for ensuring our default vocabs have the appropriate values for STIX use cases it probably also makes sense to work at a higher level on the process by which we define and manage the various default controlled vocabs. [attachment graycol.gif deleted by Jason Keirstead/CanEast/IBM] [attachment graycol.gif deleted by Jason Keirstead/CanEast/IBM] Attachment: signature.asc Description: Message signed with OpenPGP using GPGMail

I’m not sure that a lot of tools will need to retrieve the full list for custom vocabularies anyway. Some tools just using them for correlation and bucketing will just use whatever values they get regardless of vocabulary, others will bucket based
on what values they get from value+vocab_uri (without retrieving the whole list), and others will share the list at design time and the reference will be more of a URI than a URL.


I really like this approach. To me it strikes a good balance between compatibility and extensibility. I would worry about the complexity of a solution where we have to send a full vocabulary in content (do you *always* send the vocabulary? if
not, what do you do if you don’t already have it? how do you update a vocabulary that you sent previously?)



John



On Oct 27, 2015, at 5:54 PM, Jordan, Bret < bret.jordan@BLUECOAT.COM > wrote:



Agreed.  But for those that really want to use their own list, and are just adamant about it, then they can publish their list on a web site or github or where ever.  The key is to have at least a fall back to a value that is "close enough" for tools that have
no access to the extended vocabulary.  


Now along these lines, it might be possible to send a vocabulary in a STIX package, if someone was so inclined.  And the  vocab field would just contain an ID REF.  


I guess another hard question we really need to ask is, what is the scope of the problem we are trying to solve?


How many users are going to need this solution?
a) If the number is 0-5% maybe we do not do it until STIX 2.5 / STIX 3.0
b) If the number is between 5-20% then we should figure out a solution 
c) If between 20%-40% maybe we need 2-3 defined vocabularies
c) If greater than 40%, then we need to fix the default vocabulary so they do not need to use their own.











Thanks,


Bret











Bret Jordan CISSP

Director of Security Architecture and Standards Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 











On Oct 27, 2015, at 14:14, Jason Keirstead < Jason.Keirstead@ca.ibm.com > wrote:


RE:

  "sub_type" : {
    "vocab": " http://a.b.com/vocab-foo ",
    "type": "X-RAT-Downloader"
  },

The problems with this are the same as with the current system...

- As a tool, I likely do not have any internet access to publish a vocabulary list
- Even if I did, I probably do not have access to a location on the corporate website to publish it.

Sent from IBM Verse



Terry MacDonald --- [cti-stix] RE: [cti-users] Indicator Type / Vocabulary Implementation Questions ---  




From:
"Terry MacDonald" < terry@soltra.com >


To:
"Michael Hammer" < michael.hammer@yaanatech.com >,   athiasjerome@gmail.com ,
"Jason Keirstead" < Jason.Keirstead@ca.ibm.com >


Cc:
joep@eclecticiq.com ,   Bernd.Grobauer@siemens.com ,   Cliff.Palmer@gd-ms.com ,   cti-stix@lists.oasis-open.org ,   cti-users@lists.oasis-open.org ,   jmg@newcontext.com ,   jwunder@mitre.org ,   sbarnum@mitre.org


Date:
Tue, Oct 27, 2015 1:15 PM


Subject:
[cti-stix] RE: [cti-users] Indicator Type / Vocabulary Implementation Questions








Michael,

 

Never apologize for bringing an opinion to the table   J .
It’s the discussions and reasoning from many different viewpoints that will make STIX/TAXII and CybOX better – so throw out what ever you would like to   J .

 

This similar idea was brought up on the CTI-STIX mailing list (where the discussion has migrated to) by Bret Jordan:

 

Perhaps this issue could be solved by a layered approach.....

 

Step 1: Greatly increase the default vocabulary, removing weirdness and things that are duplicate in nature. Try and get the default vocabulary to a 60/40 or 70/30 rule.  It would also be really nice if the terms were backed by a numerical element.  String
matching in code in notoriously inefficient.  

 

Step 2: Provide a secondary entry point for an additional vocabulary for those groups that want or need to define their own.  We would obviously need an entry point in to the controlled vocabulary that can be a "fall back", something that is a lot higher up
the food chain.  

 

By doing something like this, software that can only work with the default vocabulary can skip or throw away things it does not understand and have a fall back to something that is "close enough" for what they need.  In the second example below, the "sub_type"
would be options and parsers could easily throw it away or skip it.  In fact most JSON parsers today naturally just skip things that do not map to a struct.  

 

 

{

  "stixtype": "indicator",

  "type": "IP Watchlist",

  ....

{

 

 

or 

 

{

  "stixtype": "indicator",

  "type": "Malware",

  "sub_type" : {

    "vocab": " http://a.b.com/vocab-foo ",

    "type": "X-RAT-Downloader"

  },

  ....

{

 

It seems to me that this is a good in-between option.

 

I’d definitely suggest following the discussion on the CTI-STIX list. We’d really appreciate your involvement in the STIX Sub Committee if you have the time!

 

Cheers

 


Terry MacDonald

Senior STIX Subject Matter Expert

SOLTRA   An FS-ISAC and DTCC Company

+61 (407) 203 206   terry@soltra.com

 


 



From:   cti-users@lists.oasis-open.org   [ mailto:cti-users@lists.oasis-open.org ]   On
Behalf Of   Michael Hammer
Sent:   Wednesday, 28 October 2015 6:57 AM
To:   athiasjerome@gmail.com ;   Jason.Keirstead@ca.ibm.com
Cc:   joep@eclecticiq.com ;   Bernd.Grobauer@siemens.com ;   Cliff.Palmer@gd-ms.com ;   cti-stix@lists.oasis-open.org ;   cti-users@lists.oasis-open.org ;   jmg@newcontext.com ;   jwunder@mitre.org ;   sbarnum@mitre.org
Subject:   RE: [cti-users] Indicator Type / Vocabulary Implementation Questions



 

Pardon me if I am off base with this thought but throwing out to see what sticks.

 

In another group, they had similar problem of divergent lists of “vocabularies” or “dictionaries”.

Example was how many states are in a sequence of a work flow and what are they called.

Common problem seems to be that your list is not my list.

In the end, they used they used a:

DictionaryOwner:  e.g. one or another standards body or proprietary (e.g. OASIS-CTI)

DictionaryAttribute: e.g. the variable name (e.g. IndicatorType)

DictionaryValue: e.g. the variable value (of form string)

Where the Owner provided the context for what permissible Values could be used.

 

The hope in some cases was that a sufficiently well-defined standard set could obviate the need for proprietary ones.

Regularly updating the standard, could help minimize the other lists.

However, if a set needed to be “these and only these values”, then the need for multiple sets remains.

 

________________________________

Michael Hammer

Principal Engineer

michael.hammer@yaanatech.com

Mobile:   +1 408
202 9291

542 Gibraltar Drive

Milpitas, CA 95035 USA

www.yaanatech.com

 

From: cti-users@lists.oasis-open.org   [ mailto:cti-users@lists.oasis-open.org ]   On
Behalf Of   Jerome Athias
Sent:   Saturday, October 24, 2015 9:19 AM
To:   Jason Keirstead < Jason.Keirstead@ca.ibm.com >
Cc:   Joep Gommers < joep@eclecticiq.com >; Grobauer, Bernd < Bernd.Grobauer@siemens.com >;   Cliff.Palmer@gd-ms.com ;   cti-stix@lists.oasis-open.org ;   cti-users@lists.oasis-open.org ;
John-Mark Gurney < jmg@newcontext.com >; Wunder, John A. < jwunder@mitre.org >;
Barnum, Sean D. < sbarnum@mitre.org >
Subject:   Re: [cti-users] Indicator Type / Vocabulary Implementation Questions

 

What you're pointing there is another thing I thought about which is the relationships between different vocabularies.


While partially implemented in my tools in an effort to avoid inconstancy, it was not yet introduced in the mailinglists 



 



(Again, a structure à la CWE/CAPEC could be mid-term solution before a RDF/OWL ontology)

On Saturday, 24 October 2015, Jason Keirstead < Jason.Keirstead@ca.ibm.com > wrote:



Should be pretty self-explanatory....

Anomalous Activity   <Could be any but usually Reconnaissance/Weaponization/Delivery>
Malicious Activity   <Delivery / Exploitation>
Command and Control   <Command and Control>
Anonymization   <Actions>
Data Exfiltration   <Actions>
Lateral Movement   <Installation>
Privilege Escalation   <Installation>
Reconnaissance   <Reconnaissance >
Host/Process Compromise   <Installation>
Watchlist   <N/A>
Quantified Risk   <N/A>
Policy Violation **   <N/A>

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security     www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown  



Joep Gommers ---2015/10/24 06:33:42 AM---Jason, How would you feel this relates to killchain?

From:   Joep Gommers < joep@eclecticiq.com >
To:   Jason Keirstead/CanEast/IBM@IBMCA
Cc:   John-Mark Gurney < jmg@newcontext.com >,
"Barnum, Sean D." < sbarnum@mitre.org >, "Grobauer, Bernd" < Bernd.Grobauer@siemens.com >,
"Wunder, John A." < jwunder@mitre.org >, " Cliff.Palmer@gd-ms.com "
< Cliff.Palmer@gd-ms.com >, " cti-users@lists.oasis-open.org "
< cti-users@lists.oasis-open.org >, " cti-stix@lists.oasis-open.org "
< cti-stix@lists.oasis-open.org >
Date:   2015/10/24 06:33 AM
Subject:   Re: [cti-users] Re: [cti-stix] Re: [cti-users] Indicator Type
/ Vocabulary Implementation Questions










Jason,

How would you feel this relates to killchain?

J

Sent from my iPhone

On 24 Oct 2015, at 11:05, Jason Keirstead < Jason.Keirstead@ca.ibm.com >
wrote:

I like the direction this is going

" Removing type information would reduce the IndicatorTypeVocab down to:

Compromised
Malicious
Watchlist
C2
Anonymization
Exfiltration

"

This is very similar to what I have been working through

This was my internal list so far - thoughts?

Anomalous Activity
Malicious Activity
Command and Control *
Anonymization
Data Exfiltration
Lateral Movement
Privilege Escalation
Reconnaissance
Host/Process Compromise
Watchlist
Quantified Risk
Policy Violation **



* I prefer descriptive names other than acronyms like "C2", it makes it easier for translation purposes.

** Not sure about this one... its kind of straying outside the CTI realm.. although i do see a great value / need for it in the vocabulary.

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security     www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown  


<graycol.gif> John-Mark Gurney ---2015/10/23 03:57:30 PM---I have created an issue for this as when I was reviewing the vocab list, it did not cover our use ca

From:   John-Mark Gurney < jmg@newcontext.com >
To:   "Barnum, Sean D." < sbarnum@mitre.org >
Cc:   "Grobauer, Bernd" < Bernd.Grobauer@siemens.com >, "Wunder, John A."
< jwunder@mitre.org >, Jason Keirstead/CanEast/IBM@IBMCA, " Cliff.Palmer@gd-ms.com "
< Cliff.Palmer@gd-ms.com >, " cti-users@lists.oasis-open.org "
< cti-users@lists.oasis-open.org >,   cti-stix@lists.oasis-open.org
Date:   2015/10/23 03:57 PM
Subject:   [cti-stix] Re: [cti-users] Indicator Type / Vocabulary Implementation Questions
Sent by:   < cti-stix@lists.oasis-open.org >










I have created an issue for this as when I was reviewing the vocab list, it did not cover our use case.

The issue I created:
https://github.com/STIXProject/specifications/issues/35

I believe that this will help people use the Vocab better, and may reduce the need for custom vocabs.

Please comment on this issue to provide feed back.

Thanks.

I have included the text of the issue here for reference:
There is a discussion on cti-users and cti-stix about improving the IndicatorTypeVocab.

I believe that having a vocab is a useful thing. But I believe the existing vocab needs to be improved.

First off, type information, like e-mail, ip, file hash, domain, etc. should be removed. You should/must be able to get this information from the Observable that is part of the Indicator.

For one, there is no vocab to describe a malicious observiable, say network packet, stream, or other activity. Though if the e-mail type is removed from Malicious E-mail, and it just became Malicious (Observable), then we would have something.

Removing type information would reduce the IndicatorTypeVocab down to:
Compromised
Malicious
Watchlist
C2
Anonymization
Exfiltration

The first three are interesting, Compromised means that this Observable indicates that you ARE compromised. The Malicious means that you WILL be compromised by this Observable and Watchlist means that you MAY get compromised by this Observable.

Arguably, C2 should fall under Compromised, but as it probably requires further investigation to figure out the original compromised host, I'm fine leaving this as it's own separate type.

On Fri, Oct 23, 2015 at 7:19 AM, Barnum, Sean D. < sbarnum@mitre.org >
wrote:

I think the first step would be to enter an issue in the tracker for this so that we can get it on the table. I also agree with an earlier statement that the issue of default vocab values has clear overlap
with the interoperability SC so while we need to work internally within the STIX SC for ensuring our default vocabs have the appropriate values for STIX use cases it probably also makes sense to work at a higher level on the process by which we define and
manage the various default controlled vocabs.

[attachment "graycol.gif" deleted by Jason Keirstead/CanEast/IBM] [attachment "graycol.gif" deleted by Jason Keirstead/CanEast/IBM]

>I’m not sure that a lot of tools will need to retrieve the full list for custom vocabularies anyway. Some tools just using them for correlation and bucketing will just use whatever values they get regardless of vocabulary, others will bucket based on
>what values they get from value+vocab_uri (without retrieving the whole list), and others will share the list at design time and the reference will be more of a URI than a URL.


[sean]I would agree with this









>I would worry about the complexity of a solution where we have to send a full vocabulary in content (do you *always* send the vocabulary? if not, what do you do if you don’t already have it? how do you update a vocabulary that you sent previously?)




[sean]I also agree with this







[sean]On the Bret’s proposed idea of a layered approach I could see where this may be feasible and useful



I  think it is important we consider the four identified usage scenarios from the community that drove the current vocabulary approach and ensure that the new approach
covers the necessary ground.
The four usage scenarios are:

Desire to convey a value that is conformant with a CTI community consensus vocabulary for that property and to support enforced validation that it does conform Desire to  convey a value that is conformant with a consensus vocabulary (defined by other than the CTI community) for that property and to support enforced validation
that it does conform Desire to  convey a value that is conformant with a consensus vocabulary (defined by other than the CTI community) for that property but not requiring support for
enforced validation that it does conform (typically due to technical, policy or political reasons) Desire to convey a value relevant to the producers context but not necessarily conformant to any available consensus vocabulary (I.e., a value that needs to be conveyed but for which no consensus vocabulary exists)
The order of the list is the clear order of preference in which approach to take.  Always try to do #1. If you can’t do #1
then try to do #2. If you can’t do #2 then try to do #3. If you  can’t do #1, #2 or #3 then #4 is your last resort escape clause. This allows us to drive towards interoperability first at a universal level
then at a localized level all while not ignoring that real-world use will also still have (hopefully rare) exceptions to these.




It looks like the proposed layered approach should be able to support #1 with its primary type field and an explicit default CTI community consensus vocabulary.

It looks like it should be able to support #2 with its sub_type structure as long as the consumer can access the referenced vocabulary and it is explicitly specified. This approach would put the onus on the consumer for performing any validation though,
which may likely be true for non-XML serializations of the current approach as well.
It looks like it should be able to support #3  with its sub_type structure. This actually looks very similar to the current
approach in supporting this usage scenario.
It looks like it should be able to support #4 with its sub-type structure as long as the default CTI community consensus vocabulary contained something like an “Other” value and the sub_type/vocab property were optional. 


I  think the only thing that really give me pause is considering whether potential values for #2, #3 or #4 would always align with some value in the  default
CTI community consensus vocabulary as is described as part of the intent h ere ("fall back to something that is "close enough" for what they need”). I would suspect that even if we carefully crafted a default vocabulary that successfully covers most
of the ground, the diversity of uses out there will always have exceptions. I would think the inclusion of something like “Other” in the default vocab would mitigate this issue. Basically, try to map your non-default vocab value to the closest thing possible
in the default vocab and then provide your specific value in addition. If it is not practical to map your  non-default vocab value to the closest thing possible in the default vocab then choose “Other” as the primary type and provide your specific
value in addition.


Overall, it looks workable.


sean














From: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org > on behalf of John Wunder < jwunder@mitre.org >
Date: Wednesday, October 28, 2015 at 8:57 AM
To: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >
Subject: Re: [cti-stix] [cti-users] Indicator Type / Vocabulary Implementation Questions






I’m not sure that a lot of tools will need to retrieve the full list for custom vocabularies anyway. Some tools just using them for correlation and bucketing will just use whatever values they get regardless of vocabulary, others will bucket based
on what values they get from value+vocab_uri (without retrieving the whole list), and others will share the list at design time and the reference will be more of a URI than a URL.


I really like this approach. To me it strikes a good balance between compatibility and extensibility. I would worry about the complexity of a solution where we have to send a full vocabulary in content (do you *always* send the vocabulary? if
not, what do you do if you don’t already have it? how do you update a vocabulary that you sent previously?)



John



On Oct 27, 2015, at 5:54 PM, Jordan, Bret < bret.jordan@BLUECOAT.COM > wrote:



Agreed.  But for those that really want to use their own list, and are just adamant about it, then they can publish their list on a web site or github or where ever.  The key is to have at least a fall back to a value that is "close enough" for tools that have
no access to the extended vocabulary.  


Now along these lines, it might be possible to send a vocabulary in a STIX package, if someone was so inclined.  And the  vocab field would just contain an ID REF.  


I guess another hard question we really need to ask is, what is the scope of the problem we are trying to solve?


How many users are going to need this solution?
a) If the number is 0-5% maybe we do not do it until STIX 2.5 / STIX 3.0
b) If the number is between 5-20% then we should figure out a solution 
c) If between 20%-40% maybe we need 2-3 defined vocabularies
c) If greater than 40%, then we need to fix the default vocabulary so they do not need to use their own.











Thanks,


Bret











Bret Jordan CISSP

Director of Security Architecture and Standards Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 











On Oct 27, 2015, at 14:14, Jason Keirstead < Jason.Keirstead@ca.ibm.com > wrote:


RE:

  "sub_type" : {
    "vocab": " http://a.b.com/vocab-foo ",
    "type": "X-RAT-Downloader"
  },

The problems with this are the same as with the current system...

- As a tool, I likely do not have any internet access to publish a vocabulary list
- Even if I did, I probably do not have access to a location on the corporate website to publish it.

Sent from IBM Verse



Terry MacDonald --- [cti-stix] RE: [cti-users] Indicator Type / Vocabulary Implementation Questions ---  




From:
"Terry MacDonald" < terry@soltra.com >


To:
"Michael Hammer" < michael.hammer@yaanatech.com >,   athiasjerome@gmail.com ,
"Jason Keirstead" < Jason.Keirstead@ca.ibm.com >


Cc:
joep@eclecticiq.com ,   Bernd.Grobauer@siemens.com ,   Cliff.Palmer@gd-ms.com ,   cti-stix@lists.oasis-open.org ,   cti-users@lists.oasis-open.org ,   jmg@newcontext.com ,   jwunder@mitre.org ,   sbarnum@mitre.org


Date:
Tue, Oct 27, 2015 1:15 PM


Subject:
[cti-stix] RE: [cti-users] Indicator Type / Vocabulary Implementation Questions








Michael,

 

Never apologize for bringing an opinion to the table   J .
It’s the discussions and reasoning from many different viewpoints that will make STIX/TAXII and CybOX better – so throw out what ever you would like to   J .

 

This similar idea was brought up on the CTI-STIX mailing list (where the discussion has migrated to) by Bret Jordan:

 

Perhaps this issue could be solved by a layered approach.....

 

Step 1: Greatly increase the default vocabulary, removing weirdness and things that are duplicate in nature. Try and get the default vocabulary to a 60/40 or 70/30 rule.  It would also be really nice if the terms were backed by a numerical element.  String
matching in code in notoriously inefficient.  

 

Step 2: Provide a secondary entry point for an additional vocabulary for those groups that want or need to define their own.  We would obviously need an entry point in to the controlled vocabulary that can be a "fall back", something that is a lot higher up
the food chain.  

 

By doing something like this, software that can only work with the default vocabulary can skip or throw away things it does not understand and have a fall back to something that is "close enough" for what they need.  In the second example below, the "sub_type"
would be options and parsers could easily throw it away or skip it.  In fact most JSON parsers today naturally just skip things that do not map to a struct.  

 

 

{

  "stixtype": "indicator",

  "type": "IP Watchlist",

  ....

{

 

 

or 

 

{

  "stixtype": "indicator",

  "type": "Malware",

  "sub_type" : {

    "vocab": " http://a.b.com/vocab-foo ",

    "type": "X-RAT-Downloader"

  },

  ....

{

 

It seems to me that this is a good in-between option.

 

I’d definitely suggest following the discussion on the CTI-STIX list. We’d really appreciate your involvement in the STIX Sub Committee if you have the time!

 

Cheers

 


Terry MacDonald

Senior STIX Subject Matter Expert

SOLTRA   An FS-ISAC and DTCC Company

+61 (407) 203 206   terry@soltra.com

 


 



From:   cti-users@lists.oasis-open.org   [ mailto:cti-users@lists.oasis-open.org ]   On
Behalf Of   Michael Hammer
Sent:   Wednesday, 28 October 2015 6:57 AM
To:   athiasjerome@gmail.com ;   Jason.Keirstead@ca.ibm.com
Cc:   joep@eclecticiq.com ;   Bernd.Grobauer@siemens.com ;   Cliff.Palmer@gd-ms.com ;   cti-stix@lists.oasis-open.org ;   cti-users@lists.oasis-open.org ;   jmg@newcontext.com ;   jwunder@mitre.org ;   sbarnum@mitre.org
Subject:   RE: [cti-users] Indicator Type / Vocabulary Implementation Questions



 

Pardon me if I am off base with this thought but throwing out to see what sticks.

 

In another group, they had similar problem of divergent lists of “vocabularies” or “dictionaries”.

Example was how many states are in a sequence of a work flow and what are they called.

Common problem seems to be that your list is not my list.

In the end, they used they used a:

DictionaryOwner:  e.g. one or another standards body or proprietary (e.g. OASIS-CTI)

DictionaryAttribute: e.g. the variable name (e.g. IndicatorType)

DictionaryValue: e.g. the variable value (of form string)

Where the Owner provided the context for what permissible Values could be used.

 

The hope in some cases was that a sufficiently well-defined standard set could obviate the need for proprietary ones.

Regularly updating the standard, could help minimize the other lists.

However, if a set needed to be “these and only these values”, then the need for multiple sets remains.

 

________________________________

Michael Hammer

Principal Engineer

michael.hammer@yaanatech.com

Mobile:   +1 408
202 9291

542 Gibraltar Drive

Milpitas, CA 95035 USA

www.yaanatech.com

 

From: cti-users@lists.oasis-open.org   [ mailto:cti-users@lists.oasis-open.org ]   On
Behalf Of   Jerome Athias
Sent:   Saturday, October 24, 2015 9:19 AM
To:   Jason Keirstead < Jason.Keirstead@ca.ibm.com >
Cc:   Joep Gommers < joep@eclecticiq.com >; Grobauer, Bernd < Bernd.Grobauer@siemens.com >;   Cliff.Palmer@gd-ms.com ;   cti-stix@lists.oasis-open.org ;   cti-users@lists.oasis-open.org ;
John-Mark Gurney < jmg@newcontext.com >; Wunder, John A. < jwunder@mitre.org >;
Barnum, Sean D. < sbarnum@mitre.org >
Subject:   Re: [cti-users] Indicator Type / Vocabulary Implementation Questions

 

What you're pointing there is another thing I thought about which is the relationships between different vocabularies.


While partially implemented in my tools in an effort to avoid inconstancy, it was not yet introduced in the mailinglists 



 



(Again, a structure à la CWE/CAPEC could be mid-term solution before a RDF/OWL ontology)

On Saturday, 24 October 2015, Jason Keirstead < Jason.Keirstead@ca.ibm.com > wrote:



Should be pretty self-explanatory....

Anomalous Activity   <Could be any but usually Reconnaissance/Weaponization/Delivery>
Malicious Activity   <Delivery / Exploitation>
Command and Control   <Command and Control>
Anonymization   <Actions>
Data Exfiltration   <Actions>
Lateral Movement   <Installation>
Privilege Escalation   <Installation>
Reconnaissance   <Reconnaissance >
Host/Process Compromise   <Installation>
Watchlist   <N/A>
Quantified Risk   <N/A>
Policy Violation **   <N/A>

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security     www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown  



Joep Gommers ---2015/10/24 06:33:42 AM---Jason, How would you feel this relates to killchain?

From:   Joep Gommers < joep@eclecticiq.com >
To:   Jason Keirstead/CanEast/IBM@IBMCA
Cc:   John-Mark Gurney < jmg@newcontext.com >,
"Barnum, Sean D." < sbarnum@mitre.org >, "Grobauer, Bernd" < Bernd.Grobauer@siemens.com >,
"Wunder, John A." < jwunder@mitre.org >, " Cliff.Palmer@gd-ms.com "
< Cliff.Palmer@gd-ms.com >, " cti-users@lists.oasis-open.org "
< cti-users@lists.oasis-open.org >, " cti-stix@lists.oasis-open.org "
< cti-stix@lists.oasis-open.org >
Date:   2015/10/24 06:33 AM
Subject:   Re: [cti-users] Re: [cti-stix] Re: [cti-users] Indicator Type
/ Vocabulary Implementation Questions










Jason,

How would you feel this relates to killchain?

J

Sent from my iPhone

On 24 Oct 2015, at 11:05, Jason Keirstead < Jason.Keirstead@ca.ibm.com >
wrote:

I like the direction this is going

" Removing type information would reduce the IndicatorTypeVocab down to:

Compromised
Malicious
Watchlist
C2
Anonymization
Exfiltration

"

This is very similar to what I have been working through

This was my internal list so far - thoughts?

Anomalous Activity
Malicious Activity
Command and Control *
Anonymization
Data Exfiltration
Lateral Movement
Privilege Escalation
Reconnaissance
Host/Process Compromise
Watchlist
Quantified Risk
Policy Violation **



* I prefer descriptive names other than acronyms like "C2", it makes it easier for translation purposes.

** Not sure about this one... its kind of straying outside the CTI realm.. although i do see a great value / need for it in the vocabulary.

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security     www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown  


<graycol.gif> John-Mark Gurney ---2015/10/23 03:57:30 PM---I have created an issue for this as when I was reviewing the vocab list, it did not cover our use ca

From:   John-Mark Gurney < jmg@newcontext.com >
To:   "Barnum, Sean D." < sbarnum@mitre.org >
Cc:   "Grobauer, Bernd" < Bernd.Grobauer@siemens.com >, "Wunder, John A."
< jwunder@mitre.org >, Jason Keirstead/CanEast/IBM@IBMCA, " Cliff.Palmer@gd-ms.com "
< Cliff.Palmer@gd-ms.com >, " cti-users@lists.oasis-open.org "
< cti-users@lists.oasis-open.org >,   cti-stix@lists.oasis-open.org
Date:   2015/10/23 03:57 PM
Subject:   [cti-stix] Re: [cti-users] Indicator Type / Vocabulary Implementation Questions
Sent by:   < cti-stix@lists.oasis-open.org >










I have created an issue for this as when I was reviewing the vocab list, it did not cover our use case.

The issue I created:
https://github.com/STIXProject/specifications/issues/35

I believe that this will help people use the Vocab better, and may reduce the need for custom vocabs.

Please comment on this issue to provide feed back.

Thanks.

I have included the text of the issue here for reference:
There is a discussion on cti-users and cti-stix about improving the IndicatorTypeVocab.

I believe that having a vocab is a useful thing. But I believe the existing vocab needs to be improved.

First off, type information, like e-mail, ip, file hash, domain, etc. should be removed. You should/must be able to get this information from the Observable that is part of the Indicator.

For one, there is no vocab to describe a malicious observiable, say network packet, stream, or other activity. Though if the e-mail type is removed from Malicious E-mail, and it just became Malicious (Observable), then we would have something.

Removing type information would reduce the IndicatorTypeVocab down to:
Compromised
Malicious
Watchlist
C2
Anonymization
Exfiltration

The first three are interesting, Compromised means that this Observable indicates that you ARE compromised. The Malicious means that you WILL be compromised by this Observable and Watchlist means that you MAY get compromised by this Observable.

Arguably, C2 should fall under Compromised, but as it probably requires further investigation to figure out the original compromised host, I'm fine leaving this as it's own separate type.

On Fri, Oct 23, 2015 at 7:19 AM, Barnum, Sean D. < sbarnum@mitre.org >
wrote:

I think the first step would be to enter an issue in the tracker for this so that we can get it on the table. I also agree with an earlier statement that the issue of default vocab values has clear overlap
with the interoperability SC so while we need to work internally within the STIX SC for ensuring our default vocabs have the appropriate values for STIX use cases it probably also makes sense to work at a higher level on the process by which we define and
manage the various default controlled vocabs.

[attachment "graycol.gif" deleted by Jason Keirstead/CanEast/IBM] [attachment "graycol.gif" deleted by Jason Keirstead/CanEast/IBM]