Hi!, I totally support this idea as we are always running intelligence data through our environment and we don’t know whether or not we have something at the initial point. Our final goal is to have a bi-directional relationship with our tooling and our CTI data repository so that as things happen they are being logged in our system. If they turn out to be a dead-end, they are, otherwise they are fully qualified. The intended result is that if we discover something and can share it (next to real-time), it helps those that are listening to our feed to be aware of the situation and monitor for it in their own environment. I am thinking of things like telemetry from our DDoS probes, network abnormality systems and so forth. Regards, Dean From:
cti-stix@lists.oasis-open.org [mailto:
cti-stix@lists.oasis-open.org] On Behalf Of Terry MacDonald Sent: Wednesday, 28 October 2015 7:04 AM To: Sarah Kelley; Unknown Unknown; Jordan, Bret Cc: Baker, Jon; Jonathan Bush (DTCC); Cory Casanave;
cti-stix@lists.oasis-open.org Subject: [cti-stix] Need for Investigation/Tag object? Hi All, Sarah’s email below reminded me of some thoughts that have been bubbling around for a while. I think there is a need for us to support describing and sharing Threat intelligence while it is still under investigation. Historically STIX has been used by Organizations who are generally sharing information about attacks after they have finished. It seems to me that we are rapidly moving towards an automated future where Organizations are sharing information about attacks while they are happening . This change is a subtle one, but one that has implications for STIX. At present we have no way for an Organizations to temporarily ‘group’ different STIX objects together. When one is conducting an investigation into a series of suspicious events prompted by your Organization’s monitoring processes, we often want to tag/relate these events together, without actually creating an official ‘Incident’ (as we’re not sure anything has actually happened yet). The Incident object is where one would put the information when it is confirmed there is a problem, but I believe we at least need a way of ‘tagging’ and ‘grouping’ potentially related items together. Does anyone else see the need for something like this? Cheers Terry MacDonald Senior STIX Subject Matter Expert SOLTRA An FS-ISAC and DTCC Company +61 (407) 203 206
terry@soltra.com From: Sarah Kelley [ mailto:
Sarah.Kelley@cisecurity.org ] Sent: Tuesday, 27 October 2015 10:18 PM To: Unknown Unknown <
athiasjerome@gmail.com >; Jordan, Bret <
bret.jordan@bluecoat.com > Cc: Terry MacDonald <
terry@soltra.com >; Baker, Jon <
bakerj@mitre.org >; Jonathan Bush (DTCC) <
jbush@dtcc.com >; Cory Casanave <
cory-c@modeldriven.com >;
cti-stix@lists.oasis-open.org Subject: Re: [cti-stix] Conceptul model for sighting I am a huge proponent of letting (almost) anything link to anything. In fact, limiting what can have an association/link/relationship with what is my current biggest frustration with Stix (we use workarounds to get around this limitation). I would add the possible use cases: My org observed 3 instances of this threat actor hitting our network My org observed 12 instances of the Poison Ivy TTP on our network Or even (though weaker): My org was hit by this particular campaign 27 times Sarah Kelley Senior CERT Analyst Center for Internet Security (CIS) Integrated Intelligence Center (IIC) Multi-State Information Sharing and Analysis Center (MS-ISAC) 1-866-787-4722 (7Ã?24 SOC) Email:
cert@cisecurity.org www.cisecurity.org Follow us @CISecurity This e-mail and any attachments to it (the Communication ) is, unless otherwise stated, confidential, may contain copyright material and is for the use only of the intended recipient. If you receive the Communication in error, please notify the sender immediately by return e-mail, delete the Communication and the return e-mail, and do not read, copy, retransmit or otherwise deal with it. Any views expressed in the Communication are those of the individual sender only, unless expressly stated to be those of Australia and New Zealand Banking Group Limited ABN 11 005 357 522, or any of its related entities including ANZ Bank New Zealand Limited (together ANZ ). ANZ does not accept liability in connection with the integrity of or errors in the Communication, computer virus, data corruption, interference or delay arising from or in respect of the Communication.