CTI STIX Subcommittee

  • 1.  Re: [cti-stix] Targeting in STIX 2.0

    Posted 09-21-2015 18:11
    A couple points of (hopefully useful) context.

    Victim Targeting is just one form of TTP (just like Malware or Attack_Patterns or Infrastructure, etc.). A TTP is never intended to contain multiples of these things in a single TTP instance. I know that this may be confusing and is a result of our desire to keep things simple when we started out and using only schema to specify language structure without the ability to clearly define semantics. I think there is an opportunity to more formally flesh out these semantics in STIX 2.0 to make this separability more clear.

    The other more germane point is that one of the issues under consideration for 2.0 is breaking out the Victim construct into a separate component. Victim is currently broken up into its concrete part expressed within Incident and its abstract part expressed within TTP. In reality, these two portions utilize near identical structure, and having them in two places only makes it more complex and less pivotable. I think this may directly benefit the issue you describe here.

    sean

    From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of Aharon Chernin <achernin@soltra.com>
    Date: Monday, September 21, 2015 at 12:57 PM
    To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Subject: [cti-stix] Targeting in STIX 2.0

    Hate to change the subject. Also, I hate thinking about new high-level objects. Not every type of data should be high-level object worthy, or else we risk STIX 2.0 having 30 of them and becoming more complex.

    I was looking at some proper STIX 1.0 last week. The documents were well formed, but at the same time they were MASSIVE and had tens of thousands of relationships. I wanted to provide some feedback to the author on how to reduce the complexity of the document while preserving the context that the document contained. That's when it hit me. If targeting wasn't included within the TTP object, the documents would have been dramatically smaller and easier to digest. Keep in mind that if we found a good home for targeting, we could use targeting in other concepts (like fraud, for example).

    Questions: Do you agree that we should have open discussion regarding the removal of targeting from TTP in 2.x? If so, where would it go? A new top-level object *sigh*? Or maybe in another existing object?

    --
    Aharon Chernin
    CTO
    SOLTRA | An FS-ISAC & DTCC Company
    18301 Bermuda Green Dr, Tampa, FL 33647
    813.470.2173
    achernin@soltra.com
    www.soltra.com


  • 2.  Re: [cti-stix] Targeting in STIX 2.0

    Posted 09-21-2015 18:18
    BTW: Thanks for getting us back on "point" (pun intentional ;-)

    Targets, Versions, and Time! Oh My!

    Patrick Maroney
    President
    Integrated Networking Technologies, Inc.
    Desk: (856)983-0001
    Cell: (609)841-5104
    Email: pmaroney@specere.org

    On Mon, Sep 21, 2015 at 11:10 AM -0700, "Barnum, Sean D." <sbarnum@mitre.org> wrote:

    > A couple points of (hopefully useful) context.
    >
    > Victim Targeting is just one form of TTP (just like Malware or Attack_Patterns or Infrastructure, etc.). A TTP is never intended to contain multiples of these things in a single TTP instance. I know that this may be confusing and is a result of our desire to keep things simple when we started out and using only schema to specify language structure without the ability to clearly define semantics. I think there is an opportunity to more formally flesh out these semantics in STIX 2.0 to make this separability more clear.
    >
    > The other more germane point is that one of the issues under consideration for 2.0 is breaking out the Victim construct into a separate component. Victim is currently broken up into its concrete part expressed within Incident and its abstract part expressed within TTP. In reality, these two portions utilize near identical structure, and having them in two places only makes it more complex and less pivotable. I think this may directly benefit the issue you describe here.
    >
    > sean
    >
    > From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of Aharon Chernin <achernin@soltra.com>
    > Date: Monday, September 21, 2015 at 12:57 PM
    > To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    > Subject: [cti-stix] Targeting in STIX 2.0
    >
    > Hate to change the subject. Also, I hate thinking about new high-level objects. Not every type of data should be high-level object worthy, or else we risk STIX 2.0 having 30 of them and becoming more complex.
    >
    > I was looking at some proper STIX 1.0 last week. The documents were well formed, but at the same time they were MASSIVE and had tens of thousands of relationships. I wanted to provide some feedback to the author on how to reduce the complexity of the document while preserving the context that the document contained. That's when it hit me. If targeting wasn't included within the TTP object, the documents would have been dramatically smaller and easier to digest. Keep in mind that if we found a good home for targeting, we could use targeting in other concepts (like fraud, for example).
    >
    > Questions: Do you agree that we should have open discussion regarding the removal of targeting from TTP in 2.x? If so, where would it go? A new top-level object *sigh*? Or maybe in another existing object?
    >
    > --
    > Aharon Chernin
    > CTO
    > SOLTRA | An FS-ISAC & DTCC Company
    > 18301 Bermuda Green Dr, Tampa, FL 33647
    > 813.470.2173
    > achernin@soltra.com
    > www.soltra.com