CTI STIX Subcommittee

  • 1.  Re: [cti-stix] Small changes from 2.0 - 2.1 - add relationship from indicator to vulnerability

    Posted 08-31-2017 19:03




    > I personally can’t see a reason to have a relationship between an indicator and a vulnerability, but I don’t want to stand in the way of someone else making that connection if they see value
    in it.
     
    This is exactly my point. Nothing in the spec currently prohibits people from doing this, and if we can’t come up with a good example, then we shouldn’t suggest it in the spec. If we’re going to arbitrarily add new SDOs to the suggested
    relationship types, why not just remove all suggested SDO types on relationships and have just a list of recommended relationship names?
     
    I feel like we’re falling into the trap of adding something to the spec because it’s easy to do so (it’s only a handful of characters), without considering the broader implications. The burden should be on the reason a change * needs *
    to be in the spec (you can’t currently do something that needs to be done), rather than on arguing why something shouldn’t be there.
     
    Greg
     
     


    On 2017-08-31, 12:28 UTC, "Sarah Kelley" < Sarah.Kelley@cisecurity.org > wrote:



     

    I think I agree with Terry here.
     
    I personally can’t see a reason to have a relationship between an indicator and a vulnerability, but I don’t want to stand in the way of someone else making that connection if they see value in it. I feel like if we say no to this, we’ll
    be right back to the problems I had when I started in this committee with STIX 1. Namely, I couldn’t connect an indicator directly to a threat actor because “there’s really a TTP in the middle somewhere”. My argument in response to that was two-fold. First,
    that wasn’t always true. (ex: A threat actor used an email address to register a domain. No real TTP to document, but two indicators to tie to a threat actor.) Second, there may have been a TTP, but I may not have known what it was.

     
    Ultimately, I’m all for letting the analyst do what they need to do, because if we don’t allow it in the spec, they’re just going to do it anyway, however they need to.

     

    Sarah Kelley
    Senior Cyber Threat Analyst
    Multi-State Information Sharing and Analysis Center (MS-ISAC)                   
    31 Tech Valley Drive
    East Greenbush, NY 12061
     
    sarah.kelley@cisecurity.org
    518-266-3493
    24x7 Security Operations Center
    SOC@cisecurity.org  - 1-866-787-4722
     


          
                 
     

    From: <cti-stix@lists.oasis-open.org> on behalf of "terry.macdonald@cosive.com" <terry.macdonald@cosive.com>
    Date: Wednesday, August 30, 2017 at 9:09 PM
    To: "Back, Greg" <gback@mitre.org>
    Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, Allan Thomson <athomson@lookingglasscyber.com>, Bret Jordan <Bret_Jordan@symantec.com>
    Subject: [cti-stix] Re: [EXT] Re: [cti-stix] Small changes from 2.0 - 2.1 - add relationship from indicator to vulnerability


     






    Hi Greg,

     


    I think its really important to encourage threat intelligence from organisations that only want to do the minimum. We need to make it as easy and as flexible as possible. I do understand your concerns, but this is an area where I feel strongly
    that allowing people the flexibility to build the threat intel their own way will encourage them to contribute the threat intel as it's being developed. It's about enabling people to share their partially finished workings, and crowd-sourcing information from
    the group, hypothesising and guessing relationships. I expect that in real use we could have an Indicator pointing to 10 different vulnerabilities and 5 different attack patterns, each with their own confidence weighting, and each with relationships created
    by different users. All of this information will be invaluable to consumers, who will need to find some way of weighting and balancing this information in a way that will let them decide which information they trust. 


     


    In my mind the more relationships we can have between SDOs the better, as it is all information that consumers can use.












    Cheers


     



    Terry MacDonald   Chief Product Officer


     





     


    M:   +64 211 918 814


    E:   terry.macdonald@cosive.com


    W:   www.cosive.com


     



     


     








     

    On Thu, Aug 31, 2017 at 12:50 PM, Back, Greg < gback@mitre.org > wrote:



    I went back and read the relationships section of the spec. I forgot that it does explicitly mention that “shortcut” relationships are an integral part of STIX (which I’ve always
    disagreed with).
     
    There’s nothing explicitly preventing someone from creating the relationship being proposed (I don’t think [1]). But I’m asserting that it’s a bad idea for us to explicitly declare
    that relationship because it encourages sloppy linkages (unless there’s another example besides eliding the Attack Pattern in Terry’s original example, or the vulnerabilty scanning example that Jason mentioned on GitHub). Without a good reason, I feel like
    explicitly promoting a “shortcut” relationship when there is a more explicit (or, some may say, pedantic) way to represent it counts as “two ways of doing the same thing”.
     
    If I’m the only one who feels this way, I’ll accept the consensus, but I can’t promise I’ll agree with it. ;-)
     
    Greg
     
    [1] The spec says “ STIX also allows relationships from any SDO to any SDO that have not been defined in
    this specification. These relationships MAY use the related-to
    relationship type or MAY use a custom relationship type.“ It doesn’t say explicitly that you can use a defined relationship between two SDOs where that specific defined relationship isn’t listed, but it doesn’t say that you can’t, either.


     
     


    On 2017-08-30, 23:12 UTC, "Bret Jordan" < Bret_Jordan@symantec.com > wrote:



     


    +1

    Sent from my iPhone



    On Aug 30, 2017, at 4:54 PM, Allan Thomson < athomson@lookingglasscyber.com > wrote:







    +1



     


    Allan Thomson.

    CTO, lookingglass cyber solutions.
    Www.lookingglasscyber.com . This electronic message transmission contains information from LookingGlass Cyber Solutions, Inc. which may be attorney-client privileged, proprietary and/or confidential.
    The information in this message is intended only for use by the individual(s) to whom it is addressed. If you believe that you have received this message in error, please contact the sender, delete this message, and be aware that any review, use, disclosure,
    copying or distribution of the contents contained within is strictly prohibited.







    From:
    cti-stix@lists.oasis-open.org < cti-stix@lists.oasis-open.org > on behalf of Terry MacDonald < terry.macdonald@cosive.com >
    Sent: Wednesday, August 30, 2017 3:51:10 PM
    To: Back, Greg
    Cc: cti-stix@lists.oasis-open.org
    Subject: Re: [cti-stix] Small changes from 2.0 - 2.1 - add relationship from indicator to vulnerability


     




    Hi Greg,


     


    I think we should allow Analysts to track whatever makes sense to them. We should not constrain the model (and we do not)  - it should be up to people to use the building blocks
    we provide them where they see it makes sense.

     


    My reasoning for this is that during an investigation you are putting together information, and trying to figure out whats occurring. It is entirely possible that an organisation
    hasn't actually analysed the attack pattern at all, but instead just knows from media reports that if you see this packet, then its heartbleed scanning attempt. They may not even care which attack pattern it is, because they may not track attack patterns at
    all.


     


    We don't lose anything by adding this relationship to the model. They already have a way of relating this using the related-to relationship type. This just adds more description
    a relationship that is already possible.


     


    This of course also means that if the analyst periodically goes through mapping vulnerabilities to attack_pattern SDOs (or someone else in the community does), then they are free
    to map that relationship as well.


     


    The whole point of STIX 2.x series to to free ourselves from the constraints imposed by a limited set of relationships, and to allow the threat analysts to use the parts of STIX
    that make sense to them. I view it like LEGO(R). We provide simple building blocks and ways of connecting all the bits together, then we let the Analysts build the structures that make most sense to them.














    Cheers


     



    Terry MacDonald  
    Chief Product Officer


     





     


    M:   +64
    211 918 814


    E:   terry.macdonald@cosive.com


    W:   www.cosive.com


     



     


     








     

    On Thu, Aug 31, 2017 at 10:13 AM, Back, Greg < gback@mitre.org > wrote:



    So, I think of that as actually being “Scanning for and attempting to exploit Heartbleed” as an Attack Pattern, and you can have Indicator -> (indicates)-> Attack Pattern -> (targets)
    -> Vulnerability. I don’t think the “shortcut” Indicator -> (indicates) -> Vulnerability is useful enough to justify the new relationship.

     
    Jason brought up the idea of vulnerability scanning on GitHub, but as he suggested (and I totally agree) OVAL covers that use case pretty well, and it seems outside the scope of
    CTI.
     
    Greg


     


    On 2017-08-30, 22:06 UTC, "Terry MacDonald" < terry.macdonald@cosive.com > wrote:



     


    Hi Greg,


     


    Heartbleed springs to mind. If there is a vulnerability that affects a large portion, and people start scanning for it, then this relationship would allow a TIP to show this fact
    in our data model.


     


    It makes sense in my mind.


     


    Cheers


    Terry MacDonald


    Cosive



     

    On 31/08/2017 08:03, "Back, Greg" < gback@mitre.org > wrote:



    From my comment [1]:
     
    Can someone give a practical example of a vulnerability and an indicator for that vulnerability (actual STIX JSON)? It would be beneficial to have this in the spec (or an associated implementation guidance document), and would help me understand to make
    sure we aren't introducing multiple ways of doing something.
    I recognize that sometimes "shortcut" relationships are necessary, rather than the more pedantic but accurate ones, but want to make sure we take that into account (my standard example from STIX 1/CybOX 2 is that malware doesn't
    really connect to a Domain name, but you connect to
    whatever IP address that domain happens to resolve to).
     
    Greg
     
     
    [1]

    https://github.com/oasis-tcs/cti-stix2/issues/15#issuecomment-326067773
     
     
     


    On 2017-08-30, 19:36 UTC, " cti-stix@lists.oasis-open.org on behalf of Terry MacDonald" < cti-stix@lists.oasis-open.org
    on behalf of terry.macdonald@cosive.com > wrote:



     


    Makes a lot of sense. I vote to make the change.


     

    On 31/08/2017 05:01, "Allan Thomson" < athomson@lookingglasscyber.com > wrote:



    We should add.
     
    STIX already has a fallback that allows to create a relationship between 2 SDOs and this just provides an explicit naming of that relationship instead of relying on the generic
    reln.
     

    Allan

     
     

    From:
    " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org > on behalf of Sarah Kelley
    < Sarah.Kelley@cisecurity.org >
    Date: Wednesday, August 30, 2017 at 7:39 AM
    To: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >
    Subject: [cti-stix] Small changes from 2.0 - 2.1 - add relationship from indicator to vulnerability


     

    GITHUB issue # 15 ( https://github.com/oasis-tcs/cti-stix2/issues/15
    )
     
    During the STIX 2.0 CSD comment period, we received a suggestion to add a relationship from an indicator to a vulnerability saying that an indicator “indicates” the vulnerability.
     
    The relationship table for indicator would then look like this (with the change highlighted in yellow):
     




    Embedded Relationships




    created_by_ref


    identifier (of type identity)




    object_marking_refs


    identifier (of type marking-definition)




    Common Relationships




    duplicate-of, derived-from, related-to




    Source


    Relationship Type


    Target



    Description




    indicator


    indicates


    attack-pattern, campaign,

    intrusion-set,

    malware,

    threat-actor, tool,
    vulnerability


    This Relationship describes that the Indicator can detect evidence of the related Campaign, Intrusion Set, or Threat Actor. This evidence may not be direct: for example, the Indicator
    may detect secondary evidence of the Campaign, such as malware or behavior commonly used by that Campaign.
     
    For example, an indicates Relationship from an Indicator to a Campaign object representing Glass Gazelle means that the Indicator is capable of detecting evidence of Glass Gazelle,
    such as command and control IPs commonly used by that Campaign.




    Reverse Relationships


















     
     
    Are there any objections to making this change?
     
    Thanks,

     
    Sarah Kelley
    Senior Cyber Threat Analyst
    Multi-State Information Sharing and Analysis Center (MS-ISAC)                   
    31 Tech Valley Drive
    East Greenbush, NY 12061
     
    sarah.kelley@cisecurity.org
    518-266-3493
    24x7 Security Operations Center
    SOC@cisecurity.org  - 1-866-787-4722
     
    <image001.png>
          
    <image002.png>      <image003.png>     <image004.png>      <image005.png>
    This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying
    of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.


    . . . . .
















     










     



    .....



    This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited.
    Please notify the sender immediately and permanently delete the message and any attachments.


    . . . . .






  • 2.  Re: [cti-stix] Small changes from 2.0 - 2.1 - add relationship from indicator to vulnerability

    Posted 08-31-2017 19:28




    I agree with this. Analysts will already be able to add this relationship (assuming their tooling supports it), so we don’t need to give them the ability to do so by defining it. I also worry about the overlap of this with the vulnerability
    management space (OVAL/SCAP), as Jason has mentioned.
     

    From: <cti-stix@lists.oasis-open.org> on behalf of Greg Back <gback@mitre.org>
    Date: Thursday, August 31, 2017 at 10:46 AM
    To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Cc: Allan Thomson <athomson@lookingglasscyber.com>, "Bret Jordan (CS)" <Bret_Jordan@symantec.com>, Sarah Kelley <Sarah.Kelley@cisecurity.org>, Terry MacDonald <terry.macdonald@cosive.com>
    Subject: Re: [cti-stix] Small changes from 2.0 - 2.1 - add relationship from indicator to vulnerability


     

    > I personally can’t see a reason to have a relationship between an indicator and a vulnerability, but I don’t want to stand in the way of someone else making that connection if they see value
    in it.
     
    This is exactly my point. Nothing in the spec currently prohibits people from doing this, and if we can’t come up with a good example, then we shouldn’t suggest it in the spec. If we’re going to arbitrarily add new SDOs to the suggested
    relationship types, why not just remove all suggested SDO types on relationships and have just a list of recommended relationship names?
     
    I feel like we’re falling into the trap of adding something to the spec because it’s easy to do so (it’s only a handful of characters), without considering the broader implications. The burden should be on the reason a change * needs *
    to be in the spec (you can’t currently do something that needs to be done), rather than on arguing why something shouldn’t be there.
     
    Greg
     
     


    On 2017-08-31, 12:28 UTC, "Sarah Kelley" < Sarah.Kelley@cisecurity.org > wrote:



     

    I think I agree with Terry here.
     
    I personally can’t see a reason to have a relationship between an indicator and a vulnerability, but I don’t want to stand in the way of someone else making that connection if they see value in it. I feel like if we say no to this, we’ll
    be right back to the problems I had when I started in this committee with STIX 1. Namely, I couldn’t connect an indicator directly to a threat actor because “there’s really a TTP in the middle somewhere”. My argument in response to that was two-fold. First,
    that wasn’t always true. (ex: A threat actor used an email address to register a domain. No real TTP to document, but two indicators to tie to a threat actor.) Second, there may have been a TTP, but I may not have known what it was.

     
    Ultimately, I’m all for letting the analyst do what they need to do, because if we don’t allow it in the spec, they’re just going to do it anyway, however they need to.

     

    Sarah Kelley
    Senior Cyber Threat Analyst
    Multi-State Information Sharing and Analysis Center (MS-ISAC)                   
    31 Tech Valley Drive
    East Greenbush, NY 12061
     
    sarah.kelley@cisecurity.org
    518-266-3493
    24x7 Security Operations Center
    SOC@cisecurity.org  - 1-866-787-4722
     


          
                 
     

    From: <cti-stix@lists.oasis-open.org> on behalf of "terry.macdonald@cosive.com" <terry.macdonald@cosive.com>
    Date: Wednesday, August 30, 2017 at 9:09 PM
    To: "Back, Greg" <gback@mitre.org>
    Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, Allan Thomson <athomson@lookingglasscyber.com>, Bret Jordan <Bret_Jordan@symantec.com>
    Subject: [cti-stix] Re: [EXT] Re: [cti-stix] Small changes from 2.0 - 2.1 - add relationship from indicator to vulnerability


     







    Hi Greg,

     


    I think its really important to encourage threat intelligence from organisations that only want to do the minimum. We need to make it as easy and as flexible as possible. I do understand your concerns, but this is an area where I feel strongly
    that allowing people the flexibility to build the threat intel their own way will encourage them to contribute the threat intel as it's being developed. It's about enabling people to share their partially finished workings, and crowd-sourcing information from
    the group, hypothesising and guessing relationships. I expect that in real use we could have an Indicator pointing to 10 different vulnerabilities and 5 different attack patterns, each with their own confidence weighting, and each with relationships created
    by different users. All of this information will be invaluable to consumers, who will need to find some way of weighting and balancing this information in a way that will let them decide which information they trust. 


     


    In my mind the more relationships we can have between SDOs the better, as it is all information that consumers can use.












    Cheers


     



    Terry MacDonald   Chief Product Officer


     





     


    M:   +64 211 918 814


    E:   terry.macdonald@cosive.com


    W:   www.cosive.com


     



     


     








     

    On Thu, Aug 31, 2017 at 12:50 PM, Back, Greg < gback@mitre.org > wrote:



    I went back and read the relationships section of the spec. I forgot that it does explicitly mention that “shortcut” relationships are an integral part of STIX (which I’ve always
    disagreed with).
     
    There’s nothing explicitly preventing someone from creating the relationship being proposed (I don’t think [1]). But I’m asserting that it’s a bad idea for us to explicitly declare
    that relationship because it encourages sloppy linkages (unless there’s another example besides eliding the Attack Pattern in Terry’s original example, or the vulnerabilty scanning example that Jason mentioned on GitHub). Without a good reason, I feel like
    explicitly promoting a “shortcut” relationship when there is a more explicit (or, some may say, pedantic) way to represent it counts as “two ways of doing the same thing”.
     
    If I’m the only one who feels this way, I’ll accept the consensus, but I can’t promise I’ll agree with it. ;-)
     
    Greg
     
    [1] The spec says “ STIX also allows relationships from any SDO to any SDO that have not been defined in
    this specification. These relationships MAY use the related-to
    relationship type or MAY use a custom relationship type.“ It doesn’t say explicitly that you can use a defined relationship between two SDOs where that specific defined relationship isn’t listed, but it doesn’t say that you can’t, either.


     
     


    On 2017-08-30, 23:12 UTC, "Bret Jordan" < Bret_Jordan@symantec.com > wrote:



     


    +1

    Sent from my iPhone



    On Aug 30, 2017, at 4:54 PM, Allan Thomson < athomson@lookingglasscyber.com > wrote:







    +1



     


    Allan Thomson.

    CTO, lookingglass cyber solutions.
    Www.lookingglasscyber.com . This electronic message transmission contains information from LookingGlass Cyber Solutions, Inc. which may be attorney-client privileged, proprietary and/or confidential.
    The information in this message is intended only for use by the individual(s) to whom it is addressed. If you believe that you have received this message in error, please contact the sender, delete this message, and be aware that any review, use, disclosure,
    copying or distribution of the contents contained within is strictly prohibited.







    From:
    cti-stix@lists.oasis-open.org < cti-stix@lists.oasis-open.org > on behalf of Terry MacDonald < terry.macdonald@cosive.com >
    Sent: Wednesday, August 30, 2017 3:51:10 PM
    To: Back, Greg
    Cc: cti-stix@lists.oasis-open.org
    Subject: Re: [cti-stix] Small changes from 2.0 - 2.1 - add relationship from indicator to vulnerability


     




    Hi Greg,


     


    I think we should allow Analysts to track whatever makes sense to them. We should not constrain the model (and we do not)  - it should be up to people to use the building blocks
    we provide them where they see it makes sense.

     


    My reasoning for this is that during an investigation you are putting together information, and trying to figure out whats occurring. It is entirely possible that an organisation
    hasn't actually analysed the attack pattern at all, but instead just knows from media reports that if you see this packet, then its heartbleed scanning attempt. They may not even care which attack pattern it is, because they may not track attack patterns at
    all.


     


    We don't lose anything by adding this relationship to the model. They already have a way of relating this using the related-to relationship type. This just adds more description
    a relationship that is already possible.


     


    This of course also means that if the analyst periodically goes through mapping vulnerabilities to attack_pattern SDOs (or someone else in the community does), then they are free
    to map that relationship as well.


     


    The whole point of STIX 2.x series to to free ourselves from the constraints imposed by a limited set of relationships, and to allow the threat analysts to use the parts of STIX
    that make sense to them. I view it like LEGO(R). We provide simple building blocks and ways of connecting all the bits together, then we let the Analysts build the structures that make most sense to them.














    Cheers


     



    Terry MacDonald  
    Chief Product Officer


     





     


    M:   +64
    211 918 814


    E:   terry.macdonald@cosive.com


    W:   www.cosive.com


     



     


     








     

    On Thu, Aug 31, 2017 at 10:13 AM, Back, Greg < gback@mitre.org > wrote:



    So, I think of that as actually being “Scanning for and attempting to exploit Heartbleed” as an Attack Pattern, and you can have Indicator -> (indicates)-> Attack Pattern -> (targets)
    -> Vulnerability. I don’t think the “shortcut” Indicator -> (indicates) -> Vulnerability is useful enough to justify the new relationship.

     
    Jason brought up the idea of vulnerability scanning on GitHub, but as he suggested (and I totally agree) OVAL covers that use case pretty well, and it seems outside the scope of
    CTI.
     
    Greg


     


    On 2017-08-30, 22:06 UTC, "Terry MacDonald" < terry.macdonald@cosive.com > wrote:



     


    Hi Greg,


     


    Heartbleed springs to mind. If there is a vulnerability that affects a large portion, and people start scanning for it, then this relationship would allow a TIP to show this fact
    in our data model.


     


    It makes sense in my mind.


     


    Cheers


    Terry MacDonald


    Cosive



     

    On 31/08/2017 08:03, "Back, Greg" < gback@mitre.org > wrote:



    From my comment [1]:
     
    Can someone give a practical example of a vulnerability and an indicator for that vulnerability (actual STIX JSON)? It would be beneficial to have this in the spec (or an associated implementation guidance document), and would help me understand to make
    sure we aren't introducing multiple ways of doing something.
    I recognize that sometimes "shortcut" relationships are necessary, rather than the more pedantic but accurate ones, but want to make sure we take that into account (my standard example from STIX 1/CybOX 2 is that malware doesn't
    really connect to a Domain name, but you connect to
    whatever IP address that domain happens to resolve to).
     
    Greg
     
     
    [1]

    https://github.com/oasis-tcs/cti-stix2/issues/15#issuecomment-326067773
     
     
     


    On 2017-08-30, 19:36 UTC, " cti-stix@lists.oasis-open.org on behalf of Terry MacDonald" < cti-stix@lists.oasis-open.org
    on behalf of terry.macdonald@cosive.com > wrote:



     


    Makes a lot of sense. I vote to make the change.


     

    On 31/08/2017 05:01, "Allan Thomson" < athomson@lookingglasscyber.com > wrote:



    We should add.
     
    STIX already has a fallback that allows to create a relationship between 2 SDOs and this just provides an explicit naming of that relationship instead of relying on the generic
    reln.
     

    Allan

     
     

    From:
    " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org > on behalf of Sarah Kelley
    < Sarah.Kelley@cisecurity.org >
    Date: Wednesday, August 30, 2017 at 7:39 AM
    To: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >
    Subject: [cti-stix] Small changes from 2.0 - 2.1 - add relationship from indicator to vulnerability


     

    GITHUB issue # 15 ( https://github.com/oasis-tcs/cti-stix2/issues/15
    )
     
    During the STIX 2.0 CSD comment period, we received a suggestion to add a relationship from an indicator to a vulnerability saying that an indicator “indicates” the vulnerability.
     
    The relationship table for indicator would then look like this (with the change highlighted in yellow):
     




    Embedded Relationships




    created_by_ref


    identifier (of type identity)




    object_marking_refs


    identifier (of type marking-definition)




    Common Relationships




    duplicate-of, derived-from, related-to




    Source


    Relationship Type


    Target



    Description




    indicator


    indicates


    attack-pattern, campaign,

    intrusion-set,

    malware,

    threat-actor, tool,
    vulnerability


    This Relationship describes that the Indicator can detect evidence of the related Campaign, Intrusion Set, or Threat Actor. This evidence may not be direct: for example, the Indicator
    may detect secondary evidence of the Campaign, such as malware or behavior commonly used by that Campaign.
     
    For example, an indicates Relationship from an Indicator to a Campaign object representing Glass Gazelle means that the Indicator is capable of detecting evidence of Glass Gazelle,
    such as command and control IPs commonly used by that Campaign.




    Reverse Relationships


















     
     
    Are there any objections to making this change?
     
    Thanks,

     
    Sarah Kelley
    Senior Cyber Threat Analyst
    Multi-State Information Sharing and Analysis Center (MS-ISAC)                   
    31 Tech Valley Drive
    East Greenbush, NY 12061
     
    sarah.kelley@cisecurity.org
    518-266-3493
    24x7 Security Operations Center
    SOC@cisecurity.org  - 1-866-787-4722
     
    <image001.png>
          
    <image002.png>      <image003.png>     <image004.png>      <image005.png>
    This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying
    of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.


    . . . . .
















     










     



    .....




    This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited.
    Please notify the sender immediately and permanently delete the message and any attachments.


    . . . . .






  • 3.  Re: [cti-stix] Small changes from 2.0 - 2.1 - add relationship from indicator to vulnerability

    Posted 09-05-2017 18:07




    As Greg states – the specification gives complete freedom to relate any SDO to any other SDO, using any relationship name, suggested or “custom’.  It goes even further by saying the following:
     
                   
    Relationship types defined in the specification SHOULD be used to ensure consistency.
     
    This implies (according to my reading) that the number of “suggested” relationship types should be kept to a small set whose semantics are not open to much interpretation.
    I think the set we have is consistent with that idea.  We should feel VERY resistant to added others, especially if it seems there isn’t a generally agreed upon use
    case.
     
    Of course, on the other side of the ledger, the specification gives analysts the ability to “model” CTI using relationships in ways that make sense to them – including
    “shortcuts” (sorry Greg).
     
                Rich
    -- 
     
    Rich Piazza
    The MITRE Corporation
    781-271-3760
     

    From: <cti-stix@lists.oasis-open.org> on behalf of John Wunder <jwunder@mitre.org>
    Date: Thursday, August 31, 2017 at 3:28 PM
    To: "Back, Greg" <gback@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Cc: Allan Thomson <athomson@lookingglasscyber.com>, Bret Jordan <Bret_Jordan@symantec.com>, Sarah Kelley <Sarah.Kelley@cisecurity.org>, Terry MacDonald <terry.macdonald@cosive.com>
    Subject: Re: [cti-stix] Small changes from 2.0 - 2.1 - add relationship from indicator to vulnerability


     

    I agree with this. Analysts will already be able to add this relationship (assuming their tooling supports it), so we don’t need to give them the ability to do so by defining it. I also worry about the overlap of this with the vulnerability
    management space (OVAL/SCAP), as Jason has mentioned.
     

    From: <cti-stix@lists.oasis-open.org> on behalf of Greg Back <gback@mitre.org>
    Date: Thursday, August 31, 2017 at 10:46 AM
    To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Cc: Allan Thomson <athomson@lookingglasscyber.com>, "Bret Jordan (CS)" <Bret_Jordan@symantec.com>, Sarah Kelley <Sarah.Kelley@cisecurity.org>, Terry MacDonald <terry.macdonald@cosive.com>
    Subject: Re: [cti-stix] Small changes from 2.0 - 2.1 - add relationship from indicator to vulnerability


     

    > I personally can’t see a reason to have a relationship between an indicator and a vulnerability, but I don’t want to stand in the way of someone else making that connection if they see value
    in it.
     
    This is exactly my point. Nothing in the spec currently prohibits people from doing this, and if we can’t come up with a good example, then we shouldn’t suggest it in the spec. If we’re going to arbitrarily add new SDOs to the suggested
    relationship types, why not just remove all suggested SDO types on relationships and have just a list of recommended relationship names?
     
    I feel like we’re falling into the trap of adding something to the spec because it’s easy to do so (it’s only a handful of characters), without considering the broader implications. The burden should be on the reason a change * needs *
    to be in the spec (you can’t currently do something that needs to be done), rather than on arguing why something shouldn’t be there.
     
    Greg
     
     


    On 2017-08-31, 12:28 UTC, "Sarah Kelley" < Sarah.Kelley@cisecurity.org > wrote:



     

    I think I agree with Terry here.
     
    I personally can’t see a reason to have a relationship between an indicator and a vulnerability, but I don’t want to stand in the way of someone else making that connection if they see value in it. I feel like if we say no to this, we’ll
    be right back to the problems I had when I started in this committee with STIX 1. Namely, I couldn’t connect an indicator directly to a threat actor because “there’s really a TTP in the middle somewhere”. My argument in response to that was two-fold. First,
    that wasn’t always true. (ex: A threat actor used an email address to register a domain. No real TTP to document, but two indicators to tie to a threat actor.) Second, there may have been a TTP, but I may not have known what it was.

     
    Ultimately, I’m all for letting the analyst do what they need to do, because if we don’t allow it in the spec, they’re just going to do it anyway, however they need to.

     

    Sarah Kelley
    Senior Cyber Threat Analyst
    Multi-State Information Sharing and Analysis Center (MS-ISAC)                   
    31 Tech Valley Drive
    East Greenbush, NY 12061
     
    sarah.kelley@cisecurity.org
    518-266-3493
    24x7 Security Operations Center
    SOC@cisecurity.org  - 1-866-787-4722
     


          
                 
     

    From: <cti-stix@lists.oasis-open.org> on behalf of "terry.macdonald@cosive.com" <terry.macdonald@cosive.com>
    Date: Wednesday, August 30, 2017 at 9:09 PM
    To: "Back, Greg" <gback@mitre.org>
    Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, Allan Thomson <athomson@lookingglasscyber.com>, Bret Jordan <Bret_Jordan@symantec.com>
    Subject: [cti-stix] Re: [EXT] Re: [cti-stix] Small changes from 2.0 - 2.1 - add relationship from indicator to vulnerability


     








    Hi Greg,

     


    I think its really important to encourage threat intelligence from organisations that only want to do the minimum. We need to make it as easy and as flexible as possible. I do understand your concerns, but this is an area where I feel strongly
    that allowing people the flexibility to build the threat intel their own way will encourage them to contribute the threat intel as it's being developed. It's about enabling people to share their partially finished workings, and crowd-sourcing information from
    the group, hypothesising and guessing relationships. I expect that in real use we could have an Indicator pointing to 10 different vulnerabilities and 5 different attack patterns, each with their own confidence weighting, and each with relationships created
    by different users. All of this information will be invaluable to consumers, who will need to find some way of weighting and balancing this information in a way that will let them decide which information they trust. 


     


    In my mind the more relationships we can have between SDOs the better, as it is all information that consumers can use.












    Cheers


     



    Terry MacDonald   Chief Product Officer


     





     


    M:   +64 211 918 814


    E:   terry.macdonald@cosive.com


    W:   www.cosive.com


     



     


     








     

    On Thu, Aug 31, 2017 at 12:50 PM, Back, Greg < gback@mitre.org > wrote:



    I went back and read the relationships section of the spec. I forgot that it does explicitly mention that “shortcut” relationships are an integral part of STIX (which I’ve always
    disagreed with).
     
    There’s nothing explicitly preventing someone from creating the relationship being proposed (I don’t think [1]). But I’m asserting that it’s a bad idea for us to explicitly declare
    that relationship because it encourages sloppy linkages (unless there’s another example besides eliding the Attack Pattern in Terry’s original example, or the vulnerabilty scanning example that Jason mentioned on GitHub). Without a good reason, I feel like
    explicitly promoting a “shortcut” relationship when there is a more explicit (or, some may say, pedantic) way to represent it counts as “two ways of doing the same thing”.
     
    If I’m the only one who feels this way, I’ll accept the consensus, but I can’t promise I’ll agree with it. ;-)
     
    Greg
     
    [1] The spec says “ STIX also allows relationships from any SDO to any SDO that have not been defined in
    this specification. These relationships MAY use the related-to
    relationship type or MAY use a custom relationship type.“ It doesn’t say explicitly that you can use a defined relationship between two SDOs where that specific defined relationship isn’t listed, but it doesn’t say that you can’t, either.


     
     


    On 2017-08-30, 23:12 UTC, "Bret Jordan" < Bret_Jordan@symantec.com > wrote:



     


    +1

    Sent from my iPhone



    On Aug 30, 2017, at 4:54 PM, Allan Thomson < athomson@lookingglasscyber.com > wrote:







    +1



     


    Allan Thomson.

    CTO, lookingglass cyber solutions.
    Www.lookingglasscyber.com . This electronic message transmission contains information from LookingGlass Cyber Solutions, Inc. which may be attorney-client privileged, proprietary and/or confidential.
    The information in this message is intended only for use by the individual(s) to whom it is addressed. If you believe that you have received this message in error, please contact the sender, delete this message, and be aware that any review, use, disclosure,
    copying or distribution of the contents contained within is strictly prohibited.







    From:
    cti-stix@lists.oasis-open.org < cti-stix@lists.oasis-open.org > on behalf of Terry MacDonald < terry.macdonald@cosive.com >
    Sent: Wednesday, August 30, 2017 3:51:10 PM
    To: Back, Greg
    Cc: cti-stix@lists.oasis-open.org
    Subject: Re: [cti-stix] Small changes from 2.0 - 2.1 - add relationship from indicator to vulnerability


     




    Hi Greg,


     


    I think we should allow Analysts to track whatever makes sense to them. We should not constrain the model (and we do not)  - it should be up to people to use the building blocks
    we provide them where they see it makes sense.

     


    My reasoning for this is that during an investigation you are putting together information, and trying to figure out whats occurring. It is entirely possible that an organisation
    hasn't actually analysed the attack pattern at all, but instead just knows from media reports that if you see this packet, then its heartbleed scanning attempt. They may not even care which attack pattern it is, because they may not track attack patterns at
    all.


     


    We don't lose anything by adding this relationship to the model. They already have a way of relating this using the related-to relationship type. This just adds more description
    a relationship that is already possible.


     


    This of course also means that if the analyst periodically goes through mapping vulnerabilities to attack_pattern SDOs (or someone else in the community does), then they are free
    to map that relationship as well.


     


    The whole point of STIX 2.x series to to free ourselves from the constraints imposed by a limited set of relationships, and to allow the threat analysts to use the parts of STIX
    that make sense to them. I view it like LEGO(R). We provide simple building blocks and ways of connecting all the bits together, then we let the Analysts build the structures that make most sense to them.














    Cheers


     



    Terry MacDonald  
    Chief Product Officer


     





     


    M:   +64
    211 918 814


    E:   terry.macdonald@cosive.com


    W:   www.cosive.com


     



     


     








     

    On Thu, Aug 31, 2017 at 10:13 AM, Back, Greg < gback@mitre.org > wrote:



    So, I think of that as actually being “Scanning for and attempting to exploit Heartbleed” as an Attack Pattern, and you can have Indicator -> (indicates)-> Attack Pattern -> (targets)
    -> Vulnerability. I don’t think the “shortcut” Indicator -> (indicates) -> Vulnerability is useful enough to justify the new relationship.

     
    Jason brought up the idea of vulnerability scanning on GitHub, but as he suggested (and I totally agree) OVAL covers that use case pretty well, and it seems outside the scope of
    CTI.
     
    Greg


     


    On 2017-08-30, 22:06 UTC, "Terry MacDonald" < terry.macdonald@cosive.com > wrote:



     


    Hi Greg,


     


    Heartbleed springs to mind. If there is a vulnerability that affects a large portion, and people start scanning for it, then this relationship would allow a TIP to show this fact
    in our data model.


     


    It makes sense in my mind.


     


    Cheers


    Terry MacDonald


    Cosive



     

    On 31/08/2017 08:03, "Back, Greg" < gback@mitre.org > wrote:



    From my comment [1]:
     
    Can someone give a practical example of a vulnerability and an indicator for that vulnerability (actual STIX JSON)? It would be beneficial to have this in the spec (or an associated implementation guidance document), and would help me understand to make
    sure we aren't introducing multiple ways of doing something.
    I recognize that sometimes "shortcut" relationships are necessary, rather than the more pedantic but accurate ones, but want to make sure we take that into account (my standard example from STIX 1/CybOX 2 is that malware doesn't
    really connect to a Domain name, but you connect to
    whatever IP address that domain happens to resolve to).
     
    Greg
     
     
    [1]

    https://github.com/oasis-tcs/cti-stix2/issues/15#issuecomment-326067773
     
     
     


    On 2017-08-30, 19:36 UTC, " cti-stix@lists.oasis-open.org on behalf of Terry MacDonald" < cti-stix@lists.oasis-open.org
    on behalf of terry.macdonald@cosive.com > wrote:



     


    Makes a lot of sense. I vote to make the change.


     

    On 31/08/2017 05:01, "Allan Thomson" < athomson@lookingglasscyber.com > wrote:



    We should add.
     
    STIX already has a fallback that allows to create a relationship between 2 SDOs and this just provides an explicit naming of that relationship instead of relying on the generic
    reln.
     

    Allan

     
     

    From:
    " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org > on behalf of Sarah Kelley
    < Sarah.Kelley@cisecurity.org >
    Date: Wednesday, August 30, 2017 at 7:39 AM
    To: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >
    Subject: [cti-stix] Small changes from 2.0 - 2.1 - add relationship from indicator to vulnerability


     

    GITHUB issue # 15 ( https://github.com/oasis-tcs/cti-stix2/issues/15
    )
     
    During the STIX 2.0 CSD comment period, we received a suggestion to add a relationship from an indicator to a vulnerability saying that an indicator “indicates” the vulnerability.
     
    The relationship table for indicator would then look like this (with the change highlighted in yellow):
     




    Embedded Relationships




    created_by_ref


    identifier (of type identity)




    object_marking_refs


    identifier (of type marking-definition)




    Common Relationships




    duplicate-of, derived-from, related-to




    Source


    Relationship Type


    Target



    Description




    indicator


    indicates


    attack-pattern, campaign,

    intrusion-set,

    malware,

    threat-actor, tool,
    vulnerability


    This Relationship describes that the Indicator can detect evidence of the related Campaign, Intrusion Set, or Threat Actor. This evidence may not be direct: for example, the Indicator
    may detect secondary evidence of the Campaign, such as malware or behavior commonly used by that Campaign.
     
    For example, an indicates Relationship from an Indicator to a Campaign object representing Glass Gazelle means that the Indicator is capable of detecting evidence of Glass Gazelle,
    such as command and control IPs commonly used by that Campaign.




    Reverse Relationships


















     
     
    Are there any objections to making this change?
     
    Thanks,

     
    Sarah Kelley
    Senior Cyber Threat Analyst
    Multi-State Information Sharing and Analysis Center (MS-ISAC)                   
    31 Tech Valley Drive
    East Greenbush, NY 12061
     
    sarah.kelley@cisecurity.org
    518-266-3493
    24x7 Security Operations Center
    SOC@cisecurity.org  - 1-866-787-4722
     
    <image001.png>
          
    <image002.png>      <image003.png>     <image004.png>      <image005.png>
    This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying
    of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.


    . . . . .
















     










     



    .....





    This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited.
    Please notify the sender immediately and permanently delete the message and any attachments.


    . . . . .






  • 4.  Re: [cti-stix] Small changes from 2.0 - 2.1 - add relationship from indicator to vulnerability

    Posted 09-05-2017 20:13
    I've always thought of STIX v2 as Lego(R). And just as kids use the basic building blocks to make what they want to, STIX v2 should allow analysts and incident responders to record and share what they know. We shouldn't forcibly stop them from relating objects just because it didn't meet our mental model of how things should be related.  I'm very much of the opinion that we should be monitoring the sharing of STIX v2 content, and we should see what relationships people are coming up with, and we should standardize the popular ones that are being used. In this way STIX will develop over time in the way that the population wants (like a real language) and we will be descriptive rather than prescriptive in the relational verbs we support. Cheers Terry MacDonald Cosive On 6/09/2017 06:05, "Piazza, Rich" < rpiazza@mitre.org > wrote: As Greg states – the specification gives complete freedom to relate any SDO to any other SDO, using any relationship name, suggested or “custom’.  It goes even further by saying the following:                   Relationship types defined in the specification SHOULD be used to ensure consistency.   This implies (according to my reading) that the number of “suggested” relationship types should be kept to a small set whose semantics are not open to much interpretation. I think the set we have is consistent with that idea.  We should feel VERY resistant to added others, especially if it seems there isn’t a generally agreed upon use case.   Of course, on the other side of the ledger, the specification gives analysts the ability to “model” CTI using relationships in ways that make sense to them – including “shortcuts” (sorry Greg).               Rich --    Rich Piazza The MITRE Corporation 781-271-3760   From: < cti-stix@lists.oasis-open.org > on behalf of John Wunder < jwunder@mitre.org > Date: Thursday, August 31, 2017 at 3:28 PM To: "Back, Greg" < gback@mitre.org >, " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org > Cc: Allan Thomson < athomson@lookingglasscyber. com >, Bret Jordan < Bret_Jordan@symantec.com >, Sarah Kelley < Sarah.Kelley@cisecurity.org >, Terry MacDonald < terry.macdonald@cosive.com > Subject: Re: [cti-stix] Small changes from 2.0 - 2.1 - add relationship from indicator to vulnerability   I agree with this. Analysts will already be able to add this relationship (assuming their tooling supports it), so we don’t need to give them the ability to do so by defining it. I also worry about the overlap of this with the vulnerability management space (OVAL/SCAP), as Jason has mentioned.   From: < cti-stix@lists.oasis-open.org > on behalf of Greg Back < gback@mitre.org > Date: Thursday, August 31, 2017 at 10:46 AM To: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org > Cc: Allan Thomson < athomson@lookingglasscyber. com >, "Bret Jordan (CS)" < Bret_Jordan@symantec.com >, Sarah Kelley < Sarah.Kelley@cisecurity.org >, Terry MacDonald < terry.macdonald@cosive.com > Subject: Re: [cti-stix] Small changes from 2.0 - 2.1 - add relationship from indicator to vulnerability   > I personally can’t see a reason to have a relationship between an indicator and a vulnerability, but I don’t want to stand in the way of someone else making that connection if they see value in it.   This is exactly my point. Nothing in the spec currently prohibits people from doing this, and if we can’t come up with a good example, then we shouldn’t suggest it in the spec. If we’re going to arbitrarily add new SDOs to the suggested relationship types, why not just remove all suggested SDO types on relationships and have just a list of recommended relationship names?   I feel like we’re falling into the trap of adding something to the spec because it’s easy to do so (it’s only a handful of characters), without considering the broader implications. The burden should be on the reason a change * needs * to be in the spec (you can’t currently do something that needs to be done), rather than on arguing why something shouldn’t be there.   Greg     On 2017-08-31, 12:28 UTC, "Sarah Kelley" < Sarah.Kelley@cisecurity.org > wrote:   I think I agree with Terry here.   I personally can’t see a reason to have a relationship between an indicator and a vulnerability, but I don’t want to stand in the way of someone else making that connection if they see value in it. I feel like if we say no to this, we’ll be right back to the problems I had when I started in this committee with STIX 1. Namely, I couldn’t connect an indicator directly to a threat actor because “there’s really a TTP in the middle somewhere”. My argument in response to that was two-fold. First, that wasn’t always true. (ex: A threat actor used an email address to register a domain. No real TTP to document, but two indicators to tie to a threat actor.) Second, there may have been a TTP, but I may not have known what it was.   Ultimately, I’m all for letting the analyst do what they need to do, because if we don’t allow it in the spec, they’re just going to do it anyway, however they need to.   Sarah Kelley Senior Cyber Threat Analyst Multi-State Information Sharing and Analysis Center (MS-ISAC)                    31 Tech Valley Drive East Greenbush, NY 12061   sarah.kelley@cisecurity.org 518-266-3493 24x7 Security Operations Center SOC@cisecurity.org  - 1-866-787-4722                          From: < cti-stix@lists.oasis-open.org > on behalf of " terry.macdonald@cosive.com " < terry.macdonald@cosive.com > Date: Wednesday, August 30, 2017 at 9:09 PM To: "Back, Greg" < gback@mitre.org > Cc: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >, Allan Thomson < athomson@lookingglasscyber. com >, Bret Jordan < Bret_Jordan@symantec.com > Subject: [cti-stix] Re: [EXT] Re: [cti-stix] Small changes from 2.0 - 2.1 - add relationship from indicator to vulnerability   Hi Greg,   I think its really important to encourage threat intelligence from organisations that only want to do the minimum. We need to make it as easy and as flexible as possible. I do understand your concerns, but this is an area where I feel strongly that allowing people the flexibility to build the threat intel their own way will encourage them to contribute the threat intel as it's being developed. It's about enabling people to share their partially finished workings, and crowd-sourcing information from the group, hypothesising and guessing relationships. I expect that in real use we could have an Indicator pointing to 10 different vulnerabilities and 5 different attack patterns, each with their own confidence weighting, and each with relationships created by different users. All of this information will be invaluable to consumers, who will need to find some way of weighting and balancing this information in a way that will let them decide which information they trust.    In my mind the more relationships we can have between SDOs the better, as it is all information that consumers can use. Cheers   Terry MacDonald   Chief Product Officer     M:   +64 211 918 814 E:   terry.macdonald@cosive.com W:   www.cosive.com         On Thu, Aug 31, 2017 at 12:50 PM, Back, Greg < gback@mitre.org > wrote: I went back and read the relationships section of the spec. I forgot that it does explicitly mention that “shortcut” relationships are an integral part of STIX (which I’ve always disagreed with).   There’s nothing explicitly preventing someone from creating the relationship being proposed (I don’t think [1]). But I’m asserting that it’s a bad idea for us to explicitly declare that relationship because it encourages sloppy linkages (unless there’s another example besides eliding the Attack Pattern in Terry’s original example, or the vulnerabilty scanning example that Jason mentioned on GitHub). Without a good reason, I feel like explicitly promoting a “shortcut” relationship when there is a more explicit (or, some may say, pedantic) way to represent it counts as “two ways of doing the same thing”.   If I’m the only one who feels this way, I’ll accept the consensus, but I can’t promise I’ll agree with it. ;-)   Greg   [1] The spec says “ STIX also allows relationships from any SDO to any SDO that have not been defined in this specification. These relationships MAY use the related-to relationship type or MAY use a custom relationship type.“ It doesn’t say explicitly that you can use a defined relationship between two SDOs where that specific defined relationship isn’t listed, but it doesn’t say that you can’t, either.     On 2017-08-30, 23:12 UTC, "Bret Jordan" < Bret_Jordan@symantec.com > wrote:   +1 Sent from my iPhone On Aug 30, 2017, at 4:54 PM, Allan Thomson < athomson@lookingglasscyber. com > wrote: +1   Allan Thomson. CTO, lookingglass cyber solutions. Www.lookingglasscyber.com . This electronic message transmission contains information from LookingGlass Cyber Solutions, Inc. which may be attorney-client privileged, proprietary and/or confidential. The information in this message is intended only for use by the individual(s) to whom it is addressed. If you believe that you have received this message in error, please contact the sender, delete this message, and be aware that any review, use, disclosure, copying or distribution of the contents contained within is strictly prohibited. From: cti-stix@lists.oasis-open.org < cti-stix@lists.oasis-open.org > on behalf of Terry MacDonald < terry.macdonald@cosive.com > Sent: Wednesday, August 30, 2017 3:51:10 PM To: Back, Greg Cc: cti-stix@lists.oasis-open.org Subject: Re: [cti-stix] Small changes from 2.0 - 2.1 - add relationship from indicator to vulnerability   Hi Greg,   I think we should allow Analysts to track whatever makes sense to them. We should not constrain the model (and we do not)  - it should be up to people to use the building blocks we provide them where they see it makes sense.   My reasoning for this is that during an investigation you are putting together information, and trying to figure out whats occurring. It is entirely possible that an organisation hasn't actually analysed the attack pattern at all, but instead just knows from media reports that if you see this packet, then its heartbleed scanning attempt. They may not even care which attack pattern it is, because they may not track attack patterns at all.   We don't lose anything by adding this relationship to the model. They already have a way of relating this using the related-to relationship type. This just adds more description a relationship that is already possible.   This of course also means that if the analyst periodically goes through mapping vulnerabilities to attack_pattern SDOs (or someone else in the community does), then they are free to map that relationship as well.   The whole point of STIX 2.x series to to free ourselves from the constraints imposed by a limited set of relationships, and to allow the threat analysts to use the parts of STIX that make sense to them. I view it like LEGO(R). We provide simple building blocks and ways of connecting all the bits together, then we let the Analysts build the structures that make most sense to them. Cheers   Terry MacDonald   Chief Product Officer     M:   +64 211 918 814 E:   terry.macdonald@cosive.com W:   www.cosive.com         On Thu, Aug 31, 2017 at 10:13 AM, Back, Greg < gback@mitre.org > wrote: So, I think of that as actually being “Scanning for and attempting to exploit Heartbleed” as an Attack Pattern, and you can have Indicator -> (indicates)-> Attack Pattern -> (targets) -> Vulnerability. I don’t think the “shortcut” Indicator -> (indicates) -> Vulnerability is useful enough to justify the new relationship.   Jason brought up the idea of vulnerability scanning on GitHub, but as he suggested (and I totally agree) OVAL covers that use case pretty well, and it seems outside the scope of CTI.   Greg   On 2017-08-30, 22:06 UTC, "Terry MacDonald" < terry.macdonald@cosive.com > wrote:   Hi Greg,   Heartbleed springs to mind. If there is a vulnerability that affects a large portion, and people start scanning for it, then this relationship would allow a TIP to show this fact in our data model.   It makes sense in my mind.   Cheers Terry MacDonald Cosive   On 31/08/2017 08:03, "Back, Greg" < gback@mitre.org > wrote: From my comment [1]:   Can someone give a practical example of a vulnerability and an indicator for that vulnerability (actual STIX JSON)? It would be beneficial to have this in the spec (or an associated implementation guidance document), and would help me understand to make sure we aren't introducing multiple ways of doing something. I recognize that sometimes "shortcut" relationships are necessary, rather than the more pedantic but accurate ones, but want to make sure we take that into account (my standard example from STIX 1/CybOX 2 is that malware doesn't really connect to a Domain name, but you connect to whatever IP address that domain happens to resolve to).   Greg     [1] https://github.com/oasis-tcs/ cti-stix2/issues/15# issuecomment-326067773       On 2017-08-30, 19:36 UTC, " cti-stix@lists.oasis-open.org on behalf of Terry MacDonald" < cti-stix@lists.oasis-open.org on behalf of terry.macdonald@cosive.com > wrote:   Makes a lot of sense. I vote to make the change.   On 31/08/2017 05:01, "Allan Thomson" < athomson@lookingglasscyber. com > wrote: We should add.   STIX already has a fallback that allows to create a relationship between 2 SDOs and this just provides an explicit naming of that relationship instead of relying on the generic reln.   Allan     From: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org > on behalf of Sarah Kelley < Sarah.Kelley@cisecurity.org > Date: Wednesday, August 30, 2017 at 7:39 AM To: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org > Subject: [cti-stix] Small changes from 2.0 - 2.1 - add relationship from indicator to vulnerability   GITHUB issue # 15 ( https://github.com/oasis-tcs/ cti-stix2/issues/15 )   During the STIX 2.0 CSD comment period, we received a suggestion to add a relationship from an indicator to a vulnerability saying that an indicator “indicates” the vulnerability.   The relationship table for indicator would then look like this (with the change highlighted in yellow):   Embedded Relationships created_by_ref identifier (of type identity) object_marking_refs identifier (of type marking-definition) Common Relationships duplicate-of, derived-from, related-to Source Relationship Type Target Description indicator indicates attack-pattern, campaign, intrusion-set, malware, threat-actor, tool, vulnerability This Relationship describes that the Indicator can detect evidence of the related Campaign, Intrusion Set, or Threat Actor. This evidence may not be direct: for example, the Indicator may detect secondary evidence of the Campaign, such as malware or behavior commonly used by that Campaign.   For example, an indicates Relationship from an Indicator to a Campaign object representing Glass Gazelle means that the Indicator is capable of detecting evidence of Glass Gazelle, such as command and control IPs commonly used by that Campaign. Reverse Relationships — — — —     Are there any objections to making this change?   Thanks,   Sarah Kelley Senior Cyber Threat Analyst Multi-State Information Sharing and Analysis Center (MS-ISAC)                    31 Tech Valley Drive East Greenbush, NY 12061   sarah.kelley@cisecurity.org 518-266-3493 24x7 Security Operations Center SOC@cisecurity.org  - 1-866-787-4722   <image001.png>        <image002.png>      <image003. png>     <image004.png>      < image005.png> This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments. . . . . .     ..... This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments. . . . . .


  • 5.  Re: [EXT] Re: [cti-stix] Small changes from 2.0 - 2.1 - add relationship from indicator to vulnerability

    Posted 09-05-2017 22:30
    I fully support and like the idea of monitoring the eco-system (hand waving around how that would be done) and then standardizing things that get used. Bret From: Terry MacDonald <terry.macdonald@cosive.com> Sent: Tuesday, September 5, 2017 2:12:34 PM To: Rich Piazza Cc: Allan Thomson; cti-stix@lists.oasis-open.org; Back, Greg; Wunder, John A.; Bret Jordan; Sarah Kelley Subject: [EXT] Re: [cti-stix] Small changes from 2.0 - 2.1 - add relationship from indicator to vulnerability   I've always thought of STIX v2 as Lego(R). And just as kids use the basic building blocks to make what they want to, STIX v2 should allow analysts and incident responders to record and share what they know. We shouldn't forcibly stop them from relating objects just because it didn't meet our mental model of how things should be related.  I'm very much of the opinion that we should be monitoring the sharing of STIX v2 content, and we should see what relationships people are coming up with, and we should standardize the popular ones that are being used. In this way STIX will develop over time in the way that the population wants (like a real language) and we will be descriptive rather than prescriptive in the relational verbs we support. Cheers Terry MacDonald Cosive On 6/09/2017 06:05, "Piazza, Rich" < rpiazza@mitre.org > wrote: As Greg states – the specification gives complete freedom to relate any SDO to any other SDO, using any relationship name, suggested or “custom’.  It goes even further by saying the following:                   Relationship types defined in the specification SHOULD be used to ensure consistency.   This implies (according to my reading) that the number of “suggested” relationship types should be kept to a small set whose semantics are not open to much interpretation. I think the set we have is consistent with that idea.  We should feel VERY resistant to added others, especially if it seems there isn’t a generally agreed upon use case.   Of course, on the other side of the ledger, the specification gives analysts the ability to “model” CTI using relationships in ways that make sense to them – including “shortcuts” (sorry Greg).               Rich --    Rich Piazza The MITRE Corporation 781-271-3760   From: < cti-stix@lists.oasis-open.org > on behalf of John Wunder < jwunder@mitre.org > Date: Thursday, August 31, 2017 at 3:28 PM To: "Back, Greg" < gback@mitre.org >, " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org > Cc: Allan Thomson < athomson@lookingglasscyber. com >, Bret Jordan < Bret_Jordan@symantec.com >, Sarah Kelley < Sarah.Kelley@cisecurity.org >, Terry MacDonald < terry.macdonald@cosive.com > Subject: Re: [cti-stix] Small changes from 2.0 - 2.1 - add relationship from indicator to vulnerability   I agree with this. Analysts will already be able to add this relationship (assuming their tooling supports it), so we don’t need to give them the ability to do so by defining it. I also worry about the overlap of this with the vulnerability management space (OVAL/SCAP), as Jason has mentioned.   From: < cti-stix@lists.oasis-open.org > on behalf of Greg Back < gback@mitre.org > Date: Thursday, August 31, 2017 at 10:46 AM To: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org > Cc: Allan Thomson < athomson@lookingglasscyber. com >, "Bret Jordan (CS)" < Bret_Jordan@symantec.com >, Sarah Kelley < Sarah.Kelley@cisecurity.org >, Terry MacDonald < terry.macdonald@cosive.com > Subject: Re: [cti-stix] Small changes from 2.0 - 2.1 - add relationship from indicator to vulnerability   > I personally can’t see a reason to have a relationship between an indicator and a vulnerability, but I don’t want to stand in the way of someone else making that connection if they see value in it.   This is exactly my point. Nothing in the spec currently prohibits people from doing this, and if we can’t come up with a good example, then we shouldn’t suggest it in the spec. If we’re going to arbitrarily add new SDOs to the suggested relationship types, why not just remove all suggested SDO types on relationships and have just a list of recommended relationship names?   I feel like we’re falling into the trap of adding something to the spec because it’s easy to do so (it’s only a handful of characters), without considering the broader implications. The burden should be on the reason a change * needs * to be in the spec (you can’t currently do something that needs to be done), rather than on arguing why something shouldn’t be there.   Greg     On 2017-08-31, 12:28 UTC, "Sarah Kelley" < Sarah.Kelley@cisecurity.org > wrote:   I think I agree with Terry here.   I personally can’t see a reason to have a relationship between an indicator and a vulnerability, but I don’t want to stand in the way of someone else making that connection if they see value in it. I feel like if we say no to this, we’ll be right back to the problems I had when I started in this committee with STIX 1. Namely, I couldn’t connect an indicator directly to a threat actor because “there’s really a TTP in the middle somewhere”. My argument in response to that was two-fold. First, that wasn’t always true. (ex: A threat actor used an email address to register a domain. No real TTP to document, but two indicators to tie to a threat actor.) Second, there may have been a TTP, but I may not have known what it was.   Ultimately, I’m all for letting the analyst do what they need to do, because if we don’t allow it in the spec, they’re just going to do it anyway, however they need to.   Sarah Kelley Senior Cyber Threat Analyst Multi-State Information Sharing and Analysis Center (MS-ISAC)                    31 Tech Valley Drive East Greenbush, NY 12061   sarah.kelley@cisecurity.org 518-266-3493 24x7 Security Operations Center SOC@cisecurity.org  - 1-866-787-4722                          From: < cti-stix@lists.oasis-open.org > on behalf of " terry.macdonald@cosive.com " < terry.macdonald@cosive.com > Date: Wednesday, August 30, 2017 at 9:09 PM To: "Back, Greg" < gback@mitre.org > Cc: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org >, Allan Thomson < athomson@lookingglasscyber. com >, Bret Jordan < Bret_Jordan@symantec.com > Subject: [cti-stix] Re: [EXT] Re: [cti-stix] Small changes from 2.0 - 2.1 - add relationship from indicator to vulnerability   Hi Greg,   I think its really important to encourage threat intelligence from organisations that only want to do the minimum. We need to make it as easy and as flexible as possible. I do understand your concerns, but this is an area where I feel strongly that allowing people the flexibility to build the threat intel their own way will encourage them to contribute the threat intel as it's being developed. It's about enabling people to share their partially finished workings, and crowd-sourcing information from the group, hypothesising and guessing relationships. I expect that in real use we could have an Indicator pointing to 10 different vulnerabilities and 5 different attack patterns, each with their own confidence weighting, and each with relationships created by different users. All of this information will be invaluable to consumers, who will need to find some way of weighting and balancing this information in a way that will let them decide which information they trust.    In my mind the more relationships we can have between SDOs the better, as it is all information that consumers can use. Cheers   Terry MacDonald   Chief Product Officer     M:   +64 211 918 814 E:   terry.macdonald@cosive.com W:   www.cosive.com         On Thu, Aug 31, 2017 at 12:50 PM, Back, Greg < gback@mitre.org > wrote: I went back and read the relationships section of the spec. I forgot that it does explicitly mention that “shortcut” relationships are an integral part of STIX (which I’ve always disagreed with).   There’s nothing explicitly preventing someone from creating the relationship being proposed (I don’t think [1]). But I’m asserting that it’s a bad idea for us to explicitly declare that relationship because it encourages sloppy linkages (unless there’s another example besides eliding the Attack Pattern in Terry’s original example, or the vulnerabilty scanning example that Jason mentioned on GitHub). Without a good reason, I feel like explicitly promoting a “shortcut” relationship when there is a more explicit (or, some may say, pedantic) way to represent it counts as “two ways of doing the same thing”.   If I’m the only one who feels this way, I’ll accept the consensus, but I can’t promise I’ll agree with it. ;-)   Greg   [1] The spec says “ STIX also allows relationships from any SDO to any SDO that have not been defined in this specification. These relationships MAY use the related-to relationship type or MAY use a custom relationship type.“ It doesn’t say explicitly that you can use a defined relationship between two SDOs where that specific defined relationship isn’t listed, but it doesn’t say that you can’t, either.     On 2017-08-30, 23:12 UTC, "Bret Jordan" < Bret_Jordan@symantec.com > wrote:   +1 Sent from my iPhone On Aug 30, 2017, at 4:54 PM, Allan Thomson < athomson@lookingglasscyber. com > wrote: +1   Allan Thomson. CTO, lookingglass cyber solutions. Www.lookingglasscyber.com . This electronic message transmission contains information from LookingGlass Cyber Solutions, Inc. which may be attorney-client privileged, proprietary and/or confidential. The information in this message is intended only for use by the individual(s) to whom it is addressed. If you believe that you have received this message in error, please contact the sender, delete this message, and be aware that any review, use, disclosure, copying or distribution of the contents contained within is strictly prohibited. From: cti-stix@lists.oasis-open.org < cti-stix@lists.oasis-open.org > on behalf of Terry MacDonald < terry.macdonald@cosive.com > Sent: Wednesday, August 30, 2017 3:51:10 PM To: Back, Greg Cc: cti-stix@lists.oasis-open.org Subject: Re: [cti-stix] Small changes from 2.0 - 2.1 - add relationship from indicator to vulnerability   Hi Greg,   I think we should allow Analysts to track whatever makes sense to them. We should not constrain the model (and we do not)  - it should be up to people to use the building blocks we provide them where they see it makes sense.   My reasoning for this is that during an investigation you are putting together information, and trying to figure out whats occurring. It is entirely possible that an organisation hasn't actually analysed the attack pattern at all, but instead just knows from media reports that if you see this packet, then its heartbleed scanning attempt. They may not even care which attack pattern it is, because they may not track attack patterns at all.   We don't lose anything by adding this relationship to the model. They already have a way of relating this using the related-to relationship type. This just adds more description a relationship that is already possible.   This of course also means that if the analyst periodically goes through mapping vulnerabilities to attack_pattern SDOs (or someone else in the community does), then they are free to map that relationship as well.   The whole point of STIX 2.x series to to free ourselves from the constraints imposed by a limited set of relationships, and to allow the threat analysts to use the parts of STIX that make sense to them. I view it like LEGO(R). We provide simple building blocks and ways of connecting all the bits together, then we let the Analysts build the structures that make most sense to them. Cheers   Terry MacDonald   Chief Product Officer     M:   +64 211 918 814 E:   terry.macdonald@cosive.com W:   www.cosive.com         On Thu, Aug 31, 2017 at 10:13 AM, Back, Greg < gback@mitre.org > wrote: So, I think of that as actually being “Scanning for and attempting to exploit Heartbleed” as an Attack Pattern, and you can have Indicator -> (indicates)-> Attack Pattern -> (targets) -> Vulnerability. I don’t think the “shortcut” Indicator -> (indicates) -> Vulnerability is useful enough to justify the new relationship.   Jason brought up the idea of vulnerability scanning on GitHub, but as he suggested (and I totally agree) OVAL covers that use case pretty well, and it seems outside the scope of CTI.   Greg   On 2017-08-30, 22:06 UTC, "Terry MacDonald" < terry.macdonald@cosive.com > wrote:   Hi Greg,   Heartbleed springs to mind. If there is a vulnerability that affects a large portion, and people start scanning for it, then this relationship would allow a TIP to show this fact in our data model.   It makes sense in my mind.   Cheers Terry MacDonald Cosive   On 31/08/2017 08:03, "Back, Greg" < gback@mitre.org > wrote: From my comment [1]:   Can someone give a practical example of a vulnerability and an indicator for that vulnerability (actual STIX JSON)? It would be beneficial to have this in the spec (or an associated implementation guidance document), and would help me understand to make sure we aren't introducing multiple ways of doing something. I recognize that sometimes "shortcut" relationships are necessary, rather than the more pedantic but accurate ones, but want to make sure we take that into account (my standard example from STIX 1/CybOX 2 is that malware doesn't really connect to a Domain name, but you connect to whatever IP address that domain happens to resolve to).   Greg     [1] https://github.com/oasis-tcs/ cti-stix2/issues/15# issuecomment-326067773       On 2017-08-30, 19:36 UTC, " cti-stix@lists.oasis-open.org on behalf of Terry MacDonald" < cti-stix@lists.oasis-open.org on behalf of terry.macdonald@cosive.com > wrote:   Makes a lot of sense. I vote to make the change.   On 31/08/2017 05:01, "Allan Thomson" < athomson@lookingglasscyber. com > wrote: We should add.   STIX already has a fallback that allows to create a relationship between 2 SDOs and this just provides an explicit naming of that relationship instead of relying on the generic reln.   Allan     From: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org > on behalf of Sarah Kelley < Sarah.Kelley@cisecurity.org > Date: Wednesday, August 30, 2017 at 7:39 AM To: " cti-stix@lists.oasis-open.org " < cti-stix@lists.oasis-open.org > Subject: [cti-stix] Small changes from 2.0 - 2.1 - add relationship from indicator to vulnerability   GITHUB issue # 15 ( https://github.com/oasis-tcs/ cti-stix2/issues/15 )   During the STIX 2.0 CSD comment period, we received a suggestion to add a relationship from an indicator to a vulnerability saying that an indicator “indicates” the vulnerability.   The relationship table for indicator would then look like this (with the change highlighted in yellow):   Embedded Relationships created_by_ref identifier (of type identity) object_marking_refs identifier (of type marking-definition) Common Relationships duplicate-of, derived-from, related-to Source Relationship Type Target Description indicator indicates attack-pattern, campaign, intrusion-set, malware, threat-actor, tool, vulnerability This Relationship describes that the Indicator can detect evidence of the related Campaign, Intrusion Set, or Threat Actor. This evidence may not be direct: for example, the Indicator may detect secondary evidence of the Campaign, such as malware or behavior commonly used by that Campaign.   For example, an indicates Relationship from an Indicator to a Campaign object representing Glass Gazelle means that the Indicator is capable of detecting evidence of Glass Gazelle, such as command and control IPs commonly used by that Campaign. Reverse Relationships — — — —     Are there any objections to making this change?   Thanks,   Sarah Kelley Senior Cyber Threat Analyst Multi-State Information Sharing and Analysis Center (MS-ISAC)                    31 Tech Valley Drive East Greenbush, NY 12061   sarah.kelley@cisecurity.org 518-266-3493 24x7 Security Operations Center SOC@cisecurity.org  - 1-866-787-4722   <image001.png>        <image002.png>      <image003. png>     <image004.png>      < image005.png> This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments. . . . . .     ..... This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments. . . . . .