CTI STIX Subcommittee


Need for Investigation/Tag object?

  • 1.  Need for Investigation/Tag object?

    Posted 10-27-2015 20:04
    Hi All,

    Sarah's email below reminded me of some thoughts that have been bubbling around for a while.

    I think there is a need for us to support describing and sharing threat intelligence while it is still under investigation. Historically STIX has been used by organizations who are generally sharing information about attacks after they have finished. It seems to me that we are rapidly moving towards an automated future where organizations are sharing information about attacks while they are happening. This change is a subtle one, but one that has implications for STIX.

    At present we have no way for an organization to temporarily 'group' different STIX objects together. When one is conducting an investigation into a series of suspicious events prompted by your organization's monitoring processes, we often want to tag/relate these events together, without actually creating an official 'Incident' (as we're not sure anything has actually happened yet). The Incident object is where one would put the information when it is confirmed there is a problem, but I believe we at least need a way of 'tagging' and 'grouping' potentially related items together.

    Does anyone else see the need for something like this?

    Cheers

    Terry MacDonald
    Senior STIX Subject Matter Expert
    SOLTRA | An FS-ISAC and DTCC Company
    +61 (407) 203 206
    terry@soltra.com

    From: Sarah Kelley [mailto:Sarah.Kelley@cisecurity.org]
    Sent: Tuesday, 27 October 2015 10:18 PM
    To: Unknown Unknown <athiasjerome@gmail.com>; Jordan, Bret <bret.jordan@bluecoat.com>
    Cc: Terry MacDonald <terry@soltra.com>; Baker, Jon <bakerj@mitre.org>; Jonathan Bush (DTCC) <jbush@dtcc.com>; Cory Casanave <cory-c@modeldriven.com>; cti-stix@lists.oasis-open.org
    Subject: Re: [cti-stix] Conceptual model for sighting

    I am a huge proponent of letting (almost) anything link to anything. In fact, limiting what can have an association/link/relationship with what is my current biggest frustration with STIX (we use workarounds to get around this limitation).

    I would add the possible use cases:

      • My org observed 3 instances of this threat actor hitting our network
      • My org observed 12 instances of the Poison Ivy TTP on our network
      • Or even (though weaker): My org was hit by this particular campaign 27 times

    Sarah Kelley
    Senior CERT Analyst
    Center for Internet Security (CIS)
    Integrated Intelligence Center (IIC)
    Multi-State Information Sharing and Analysis Center (MS-ISAC)
    1-866-787-4722 (7×24 SOC)
    Email: cert@cisecurity.org
    www.cisecurity.org
    Follow us @CISecurity


  • 2.  RE: Need for Investigation/Tag object?

    Posted 10-27-2015 21:30
    Hi!

    I totally support this idea, as we are always running intelligence data through our environment and we don't know whether or not we have something at the initial point. Our final goal is to have a bi-directional relationship with our tooling and our CTI data repository so that as things happen they are being logged in our system. If they turn out to be a dead end, they are; otherwise they are fully qualified. The intended result is that if we discover something and can share it (next to real-time), it helps those that are listening to our feed to be aware of the situation and monitor for it in their own environment.

    I am thinking of things like telemetry from our DDoS probes, network abnormality systems and so forth.

    Regards,

    Dean


  • 3.  Re: Need for Investigation/Tag object?

    Posted 10-27-2015 21:57
    Yes, this is vital and one of the key use cases we have identified for TAXII 2.0. We need a way for researchers intra-org and inter-org to communicate what they are seeing and what they "think" before they actually "know". This is done today via email and IM, but it would be nice if STIX and TAXII could support this so apps could be written to do it.

    Thanks,

    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards
    Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."


  • 4.  Re: Need for Investigation/Tag object?

    Posted 10-28-2015 02:32
    The abstraction (construct) for Relationship discussed in GitHub will help. The clarification of CybOX instances vs. patterns also (observations of events without full context yet), I think.


  • 5.  RE: Need for Investigation/Tag object?

    Posted 10-28-2015 10:42
    Not sure if this is the same thing, but could a similar use case in TAXII 2.0 be for inquiries? For example, "Have you (the target) seen this IP address?" (implying that I think it might be bad). It isn't about an event, but about something that the sender is concerned is about to be an event.


  • 6.  Re: [cti-stix] Need for Investigation/Tag object?

    Posted 10-29-2015 20:53
    Terry & All:

    This is an actual use case that I've seen operationally in one of the ISAOs I participate in. It is not theoretical... and the real-time nature of this helps the non-targeted members of the ISAO to take proactive actions in response to what is known (shared) about the threat actor, the IoCs, and the TTPs. Offensive countermeasures in action.

    I could see this use case evolving into a very important one for driving adoption of threat intel platforms... especially if the CybOX objects are extracted, used in other tools for enrichment, then reconstructed as STIX again. This latter permutation aligns with the use case Jyoti introduced in the CybOX Subcommittee call today.

    Jane Ginn, MSIA, MRP
    Cyber Threat Intelligence Network, Inc.
    jg@ctin.us
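The three needs raised in this thread (Terry's temporary 'grouping' of objects that are not yet an Incident, Sarah's "my org observed 12 instances of the Poison Ivy TTP" counts, and Bret's "think before know" state) can be expressed with objects that later appeared in STIX 2.1. The following is an added example written for this page; it is not code from the thread, from any poster, or from the OASIS CTI project. It assumes the STIX 2.1 `grouping` SDO with the `suspicious-activity` context, the `sighting` SRO, the `incident` SDO and the common `related-to` relationship, and builds the objects as plain dictionaries with only the standard library so it runs offline. Every id, name, timestamp and the 203.0.113.7 address is constructed sample data.

```python
import json
import uuid

SPEC_VERSION = "2.1"
# Fixed, constructed timestamp so the sample bundle is deterministic
# (STIX timestamps are RFC 3339, UTC, millisecond precision).
TS = "2015-10-28T07:04:00.000Z"


def stix_id(stix_type):
    # The spec recommends UUIDv5 for SCO ids; v4 is accepted and used here for brevity.
    return f"{stix_type}--{uuid.uuid4()}"


def base(stix_type, created_by=None, **props):
    """Common STIX 2.1 SDO/SRO properties plus whatever the caller adds."""
    obj = {"type": stix_type, "spec_version": SPEC_VERSION,
           "id": stix_id(stix_type), "created": TS, "modified": TS}
    if created_by:
        obj["created_by_ref"] = created_by
    obj.update(props)
    return obj


def new_investigation(name, object_refs, created_by, confidence=20):
    """A grouping with context 'suspicious-activity' tags related objects
    while the analyst is still unsure anything has happened. A low
    confidence value (0-100) carries the 'think, not know' state."""
    return base("grouping", created_by, name=name,
                context="suspicious-activity",
                object_refs=list(object_refs), confidence=confidence)


def record_sighting(sighting_of, where, count, created_by, observed_refs=()):
    """'My org observed <count> instances of X' as a sighting SRO:
    sighting_of_ref is the SDO seen, where_sighted_refs the identities
    that saw it, observed_data_refs the raw observations backing it."""
    s = base("sighting", created_by, sighting_of_ref=sighting_of,
             where_sighted_refs=list(where), count=count,
             first_seen=TS, last_seen=TS)
    if observed_refs:
        s["observed_data_refs"] = list(observed_refs)
    return s


def bundle(*objects):
    return {"type": "bundle", "id": stix_id("bundle"), "objects": list(objects)}


def dangling_refs(b):
    """Every *_ref / *_refs value that does not resolve inside the bundle.
    A consumer should check this before acting on a grouping: a tag that
    points at objects the consumer never received cannot be acted on."""
    known = {o["id"] for o in b["objects"]}
    missing = []
    for o in b["objects"]:
        for key, val in o.items():
            if key.endswith("_ref") and val not in known:
                missing.append((o["id"], key, val))
            elif key.endswith("_refs"):
                missing += [(o["id"], key, v) for v in val if v not in known]
    return missing


def sighting_total(b, target_id):
    """Sum of sighting counts for one object across the bundle."""
    return sum(o.get("count", 0) for o in b["objects"]
               if o["type"] == "sighting" and o["sighting_of_ref"] == target_id)


def promote_to_incident(b, grouping_id, name):
    """Once the investigation is confirmed, mint an incident SDO and relate
    it to everything the grouping tagged. The grouping stays in the bundle
    as the audit trail of how the incident was assembled."""
    g = next(o for o in b["objects"] if o["id"] == grouping_id)
    owner = g.get("created_by_ref")
    inc = base("incident", owner, name=name)
    rels = [base("relationship", owner, relationship_type="related-to",
                 source_ref=inc["id"], target_ref=ref)
            for ref in g["object_refs"]]
    b["objects"].extend([inc, *rels])
    return inc, rels


def demo():
    """Constructed sample: one org, one TTP, one observation, one tag, one count."""
    org = base("identity", name="Example SOC", identity_class="organization")
    ttp = base("attack-pattern", org["id"], name="Poison Ivy")
    ip = {"type": "ipv4-addr", "id": stix_id("ipv4-addr"), "value": "203.0.113.7"}
    obs = base("observed-data", org["id"], first_observed=TS, last_observed=TS,
               number_observed=12, object_refs=[ip["id"]])
    tag = new_investigation("Possible Poison Ivy beaconing",
                            [ttp["id"], obs["id"], ip["id"]], org["id"])
    seen = record_sighting(ttp["id"], [org["id"]], 12, org["id"], [obs["id"]])
    return bundle(org, ttp, ip, obs, tag, seen), ttp["id"], tag["id"]


if __name__ == "__main__":
    b, ttp_id, tag_id = demo()
    print(json.dumps(b, indent=2))
```

The `dangling_refs` check is the part a receiving platform should not skip: a grouping is only a list of ids, so a partial feed (or a producer that shares the tag before the tagged objects) leaves the consumer with a label and nothing to act on. Promotion keeps the original grouping rather than deleting it, so the path from "suspicious" to "confirmed" stays visible to anyone who received the earlier version.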