OASIS Cyber Threat Intelligence (CTI) TC

Expand all | Collapse all

Top-Level Object Properties

  • 1.  Top-Level Object Properties

    Posted 02-03-2016 12:53



    All,


    There’s a new topic to think about! As discussed at the face to face, each top-level object in STIX and CybOX will inherit from a core set of properties…things like ID, etc. We haven’t quite agreed on what all of those fields are, though.


    Take a look at this writeup:  https://github.com/STIXProject/specifications/wiki/Active-Issue:-IDable-Construct-Properties . It has a set of fields
    that we have general agreement on, a list of fields we haven’t really discussed, and then a couple proposals (from Sean and from the twigs team). Feel free to either add your own proposal to that wiki page or discuss on the mailing lists and slack. The key
    question to consider: what fields should be available on *all* top-level objects?


    John


    PS: The twigs team added our proposal to the writeup on source references. You can see it on the issue page ( https://github.com/STIXProject/specifications/wiki/Active-Issue:-Relating-Source )
    by scrolling down to Proposal 2. If you want to respond to that one via e-mail, make sure to make a separate thread.








  • 2.  Re: [cti] Top-Level Object Properties

    Posted 02-03-2016 15:00
    I do not believe we have consensus on all of the items in the consensus section.  Namely, what are the ---- field all about? Example ----id (required) IDFormat The external ID itself Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.   On Feb 3, 2016, at 05:53, Wunder, John A. < jwunder@mitre.org > wrote: All, There’s a new topic to think about! As discussed at the face to face, each top-level object in STIX and CybOX will inherit from a core set of properties…things like ID, etc. We haven’t quite agreed on what all of those fields are, though. Take a look at this writeup:  https://github.com/STIXProject/specifications/wiki/Active-Issue:-IDable-Construct-Properties . It has a set of fields that we have general agreement on, a list of fields we haven’t really discussed, and then a couple proposals (from Sean and from the twigs team). Feel free to either add your own proposal to that wiki page or discuss on the mailing lists and slack. The key question to consider: what fields should be available on *all* top-level objects? John PS: The twigs team added our proposal to the writeup on source references. You can see it on the issue page ( https://github.com/STIXProject/specifications/wiki/Active-Issue:-Relating-Source ) by scrolling down to Proposal 2. If you want to respond to that one via e-mail, make sure to make a separate thread. Attachment: signature.asc Description: Message signed with OpenPGP using GPGMail


  • 3.  Re: [cti] Top-Level Object Properties

    Posted 02-03-2016 15:37




    The syntax means that those fields are a sub-object nested under the parent. So that would be one of the keys within the objects in the external_ids array.








    From: "Jordan, Bret" < bret.jordan@bluecoat.com >
    Date: Wednesday, February 3, 2016 at 10:00 AM
    To: "Wunder, John A." < jwunder@mitre.org >
    Cc: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject: Re: [cti] Top-Level Object Properties





    I do not believe we have consensus on all of the items in the consensus section.  Namely, what are the "----" field all about?


    Example




    ----id (required)

    IDFormat

    The external ID itself



















    Thanks,


    Bret











    Bret Jordan CISSP

    Director of Security Architecture and Standards Office of the CTO

    Blue Coat Systems

    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 











    On Feb 3, 2016, at 05:53, Wunder, John A. < jwunder@mitre.org > wrote:



    All,


    There’s a new topic to think about! As discussed at the face to face, each top-level object in STIX and CybOX will inherit from a core set of properties…things like ID, etc. We haven’t quite agreed on what all of those fields are, though.


    Take a look at this writeup:  https://github.com/STIXProject/specifications/wiki/Active-Issue:-IDable-Construct-Properties . It has
    a set of fields that we have general agreement on, a list of fields we haven’t really discussed, and then a couple proposals (from Sean and from the twigs team). Feel free to either add your own proposal to that wiki page or discuss on the mailing lists and
    slack. The key question to consider: what fields should be available on *all* top-level objects?


    John


    PS: The twigs team added our proposal to the writeup on source references. You can see it on the issue page ( https://github.com/STIXProject/specifications/wiki/Active-Issue:-Relating-Source )
    by scrolling down to Proposal 2. If you want to respond to that one via e-mail, make sure to make a separate thread.


















  • 4.  Re: [cti] Top-Level Object Properties

    Posted 02-03-2016 16:24
    Well then I do not think we have consensus on the external_ids object... I thought this was going to be just an array of string values.  Why does it need an id and why would we every make data field be a url .  External_Ids are going to be populated by internal systems or vendor products.  These solutions will give a name like malware foo xyz for example, this is not a URL. Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.   On Feb 3, 2016, at 08:36, Wunder, John A. < jwunder@mitre.org > wrote: The syntax means that those fields are a sub-object nested under the parent. So that would be one of the keys within the objects in the external_ids array. From: Jordan, Bret < bret.jordan@bluecoat.com > Date: Wednesday, February 3, 2016 at 10:00 AM To: Wunder, John A. < jwunder@mitre.org > Cc: cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject: Re: [cti] Top-Level Object Properties I do not believe we have consensus on all of the items in the consensus section.  Namely, what are the ---- field all about? Example ----id (required) IDFormat The external ID itself Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.   On Feb 3, 2016, at 05:53, Wunder, John A. < jwunder@mitre.org > wrote: All, There’s a new topic to think about! As discussed at the face to face, each top-level object in STIX and CybOX will inherit from a core set of properties…things like ID, etc. We haven’t quite agreed on what all of those fields are, though. Take a look at this writeup:  https://github.com/STIXProject/specifications/wiki/Active-Issue:-IDable-Construct-Properties . It has a set of fields that we have general agreement on, a list of fields we haven’t really discussed, and then a couple proposals (from Sean and from the twigs team). Feel free to either add your own proposal to that wiki page or discuss on the mailing lists and slack. The key question to consider: what fields should be available on *all* top-level objects? John PS: The twigs team added our proposal to the writeup on source references. You can see it on the issue page ( https://github.com/STIXProject/specifications/wiki/Active-Issue:-Relating-Source ) by scrolling down to Proposal 2. If you want to respond to that one via e-mail, make sure to make a separate thread. Attachment: signature.asc Description: Message signed with OpenPGP using GPGMail


  • 5.  RE: [cti] Top-Level Object Properties

    Posted 02-03-2016 16:40




    url is optional, you can use
    name , which is also optional – you just have to use one of them
     


    From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org]
    On Behalf Of Jordan, Bret
    Sent: Wednesday, February 03, 2016 11:24 AM
    To: Wunder, John A. <jwunder@mitre.org>
    Cc: cti@lists.oasis-open.org
    Subject: Re: [cti] Top-Level Object Properties


     
    Well then I do not think we have consensus on the external_ids object... I thought this was going to be just an array of string values.  Why does it need an "id" and why would we every make data field be a "url". 

     


    External_Ids are going to be populated by internal systems or vendor products.  These solutions will give a name like "malware foo xyz" for example, this is not a URL.


     










     


    Thanks,


     


    Bret



     


     


     



    Bret Jordan CISSP

    Director of Security Architecture and Standards Office of the CTO


    Blue Coat Systems



    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050


    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 









     



    On Feb 3, 2016, at 08:36, Wunder, John A. < jwunder@mitre.org > wrote:

     




    The syntax means that those fields are a sub-object nested under the parent. So that would be one of the keys within the objects in the external_ids
    array.



     


    From:
    "Jordan, Bret" < bret.jordan@bluecoat.com >
    Date: Wednesday, February 3, 2016 at 10:00 AM
    To: "Wunder, John A." < jwunder@mitre.org >
    Cc: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject: Re: [cti] Top-Level Object Properties


     



    I do not believe we have consensus on all of the items in the consensus section.  Namely, what are the "----" field all about?


     


    Example




    ----id (required)


    IDFormat


    The external ID itself





     


     










     


    Thanks,


     


    Bret



     


     


     



    Bret Jordan CISSP


    Director of Security Architecture and Standards Office of the CTO


    Blue Coat Systems



    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050


    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 









     



    On Feb 3, 2016, at 05:53, Wunder, John A. < jwunder@mitre.org > wrote:

     



    All,


     


    There’s a new topic to think about! As discussed at the face to face, each top-level object in STIX and CybOX will inherit from a core set of properties…things
    like ID, etc. We haven’t quite agreed on what all of those fields are, though.


     


    Take a look at this writeup:  https://github.com/STIXProject/specifications/wiki/Active-Issue:-IDable-Construct-Properties .
    It has a set of fields that we have general agreement on, a list of fields we haven’t really discussed, and then a couple proposals (from Sean and from the twigs team). Feel free to either add your own proposal to that wiki page or discuss on the mailing lists
    and slack. The key question to consider: what fields should be available on *all* top-level objects?


     


    John


     


    PS: The twigs team added our proposal to the writeup on source references. You can see it on the issue page ( https://github.com/STIXProject/specifications/wiki/Active-Issue:-Relating-Source )
    by scrolling down to Proposal 2. If you want to respond to that one via e-mail, make sure to make a separate thread.





     








     







  • 6.  Re: [cti] Top-Level Object Properties

    Posted 02-03-2016 16:52
    It should just be an Array of Strings and then the user can put in what every they want.   Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.   On Feb 3, 2016, at 09:40, Piazza, Rich < rpiazza@mitre.org > wrote: url   is optional, you can use   name , which is also optional – you just have to use one of them   From:   cti@lists.oasis-open.org   [ mailto:cti@lists.oasis-open.org ]   On Behalf Of   Jordan, Bret Sent:   Wednesday, February 03, 2016 11:24 AM To:   Wunder, John A. < jwunder@mitre.org > Cc:   cti@lists.oasis-open.org Subject:   Re: [cti] Top-Level Object Properties   Well then I do not think we have consensus on the external_ids object... I thought this was going to be just an array of string values.  Why does it need an id and why would we every make data field be a url .    External_Ids are going to be populated by internal systems or vendor products.  These solutions will give a name like malware foo xyz for example, this is not a URL.     Thanks,   Bret       Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.     On Feb 3, 2016, at 08:36, Wunder, John A. < jwunder@mitre.org > wrote:   The syntax means that those fields are a sub-object nested under the parent. So that would be one of the keys within the objects in the external_ids array.   From:   Jordan, Bret < bret.jordan@bluecoat.com > Date:   Wednesday, February 3, 2016 at 10:00 AM To:   Wunder, John A. < jwunder@mitre.org > Cc:   cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject:   Re: [cti] Top-Level Object Properties   I do not believe we have consensus on all of the items in the consensus section.  Namely, what are the ---- field all about?   Example ----id (required) IDFormat The external ID itself       Thanks,   Bret       Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.     On Feb 3, 2016, at 05:53, Wunder, John A. < jwunder@mitre.org > wrote:   All,   There’s a new topic to think about! As discussed at the face to face, each top-level object in STIX and CybOX will inherit from a core set of properties…things like ID, etc. We haven’t quite agreed on what all of those fields are, though.   Take a look at this writeup:  https://github.com/STIXProject/specifications/wiki/Active-Issue:-IDable-Construct-Properties . It has a set of fields that we have general agreement on, a list of fields we haven’t really discussed, and then a couple proposals (from Sean and from the twigs team). Feel free to either add your own proposal to that wiki page or discuss on the mailing lists and slack. The key question to consider: what fields should be available on *all* top-level objects?   John   PS: The twigs team added our proposal to the writeup on source references. You can see it on the issue page ( https://github.com/STIXProject/specifications/wiki/Active-Issue:-Relating-Source ) by scrolling down to Proposal 2. If you want to respond to that one via e-mail, make sure to make a separate thread. Attachment: signature.asc Description: Message signed with OpenPGP using GPGMail


  • 7.  Re: [cti] Top-Level Object Properties

    Posted 02-04-2016 02:21





    So fwiw I like having the identity/source separate from the reference. I do kind of agree that we could merge the url, name, and ID fields though…it’s a distinction that probably doesn’t matter for the vast majority of cases. I could go either way.









    From: "Jordan, Bret" < bret.jordan@bluecoat.com >
    Date: Wednesday, February 3, 2016 at 11:51 AM
    To: Rich Piazza < rpiazza@mitre.org >
    Cc: "Wunder, John A." < jwunder@mitre.org >, " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject: Re: [cti] Top-Level Object Properties





    It should just be an Array of Strings and then the user can put in what every they want.  











    Thanks,


    Bret











    Bret Jordan CISSP

    Director of Security Architecture and Standards Office of the CTO

    Blue Coat Systems

    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 











    On Feb 3, 2016, at 09:40, Piazza, Rich < rpiazza@mitre.org > wrote:




    url   is optional,
    you can use   name ,
    which is also optional – you just have to use one of them

     



    From:   cti@lists.oasis-open.org   [ mailto:cti@lists.oasis-open.org ]   On
    Behalf Of   Jordan, Bret
    Sent:   Wednesday, February 03, 2016 11:24 AM
    To:   Wunder, John A. < jwunder@mitre.org >
    Cc:   cti@lists.oasis-open.org
    Subject:   Re: [cti] Top-Level Object Properties



     

    Well then I do not think we have consensus on the external_ids object... I thought this was going to be just an array of string values.  Why does it need an "id" and why would we every make data field be a "url". 


     



    External_Ids are going to be populated by internal systems or vendor products.  These solutions will give a name like "malware foo xyz" for example, this is not a URL.



     










     



    Thanks,



     



    Bret




     



     



     




    Bret Jordan CISSP


    Director of Security Architecture and Standards Office of the CTO



    Blue Coat Systems




    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050



    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 










     




    On Feb 3, 2016, at 08:36, Wunder, John A. < jwunder@mitre.org > wrote:


     





    The syntax means that those fields are a sub-object nested under the parent. So that would be one of the keys within the objects in the external_ids array.




     



    From:   "Jordan, Bret" < bret.jordan@bluecoat.com >
    Date:   Wednesday, February 3, 2016 at 10:00 AM
    To:   "Wunder, John A." < jwunder@mitre.org >
    Cc:   " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject:   Re: [cti] Top-Level Object Properties



     




    I do not believe we have consensus on all of the items in the consensus section.  Namely, what are the "----" field all about?


     



    Example





    ----id (required)



    IDFormat



    The external ID itself






     



     










     



    Thanks,



     



    Bret




     



     



     




    Bret Jordan CISSP


    Director of Security Architecture and Standards Office of the CTO



    Blue Coat Systems




    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050



    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 










     




    On Feb 3, 2016, at 05:53, Wunder, John A. < jwunder@mitre.org > wrote:


     




    All,



     



    There’s a new topic to think about! As discussed at the face to face, each top-level object in STIX and CybOX will inherit from a core set of properties…things like ID, etc. We haven’t
    quite agreed on what all of those fields are, though.



     



    Take a look at this writeup:  https://github.com/STIXProject/specifications/wiki/Active-Issue:-IDable-Construct-Properties .
    It has a set of fields that we have general agreement on, a list of fields we haven’t really discussed, and then a couple proposals (from Sean and from the twigs team). Feel free to either add your own proposal to that wiki page or discuss on the mailing lists
    and slack. The key question to consider: what fields should be available on *all* top-level objects?



     



    John



     



    PS: The twigs team added our proposal to the writeup on source references. You can see it on the issue page ( https://github.com/STIXProject/specifications/wiki/Active-Issue:-Relating-Source )
    by scrolling down to Proposal 2. If you want to respond to that one via e-mail, make sure to make a separate thread.



























  • 8.  Re: [cti] Top-Level Object Properties

    Posted 02-04-2016 12:41




    It would be much easier for me to comment on these topics if we had them in a living document and had the non-consensus items identified in some way (e.g., highlighted text). My opinion of certain fields will depend more on the normative text that surrounds
    them than the concept of them. 


    I’ve moved some text from the TWIGs document to the STIX pre-draft document [1] under the heading “Common Object Properties” and attempted to follow my own advice; non-consensus items are highlighted in yellow. I know we talked about doing this on the
    wiki, but the wiki makes my brain hurt and scream out for a better way of organizing the information (Does anyone else get the same thing? If it’s just me I’ll go along with the wiki). 


    Thank you.
    -Mark


    [1]  https://docs.google.com/document/d/1U48DOJzh2qELOEhhVWz_G6hL0Bazx1Y52wpOeR8jaVk/edit#








    From: < cti@lists.oasis-open.org > on behalf of "Wunder, John A." < jwunder@mitre.org >
    Date: Wednesday, February 3, 2016 at 9:20 PM
    To: "Jordan, Bret" < bret.jordan@bluecoat.com >, "Piazza, Rich" < rpiazza@mitre.org >
    Cc: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject: Re: [cti] Top-Level Object Properties







    So fwiw I like having the identity/source separate from the reference. I do kind of agree that we could merge the url, name, and ID fields though…it’s a distinction that probably doesn’t matter for the vast majority of cases. I could go either way.









    From: "Jordan, Bret" < bret.jordan@bluecoat.com >
    Date: Wednesday, February 3, 2016 at 11:51 AM
    To: Rich Piazza < rpiazza@mitre.org >
    Cc: "Wunder, John A." < jwunder@mitre.org >, " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject: Re: [cti] Top-Level Object Properties





    It should just be an Array of Strings and then the user can put in what every they want.  











    Thanks,


    Bret











    Bret Jordan CISSP

    Director of Security Architecture and Standards Office of the CTO

    Blue Coat Systems

    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 











    On Feb 3, 2016, at 09:40, Piazza, Rich < rpiazza@mitre.org > wrote:




    url   is optional,
    you can use   name ,
    which is also optional – you just have to use one of them

     



    From:   cti@lists.oasis-open.org   [ mailto:cti@lists.oasis-open.org ]   On
    Behalf Of   Jordan, Bret
    Sent:   Wednesday, February 03, 2016 11:24 AM
    To:   Wunder, John A. < jwunder@mitre.org >
    Cc:   cti@lists.oasis-open.org
    Subject:   Re: [cti] Top-Level Object Properties



     

    Well then I do not think we have consensus on the external_ids object... I thought this was going to be just an array of string values.  Why does it need an "id" and why would we every make data field be a "url". 


     



    External_Ids are going to be populated by internal systems or vendor products.  These solutions will give a name like "malware foo xyz" for example, this is not a URL.



     










     



    Thanks,



     



    Bret




     



     



     




    Bret Jordan CISSP


    Director of Security Architecture and Standards Office of the CTO



    Blue Coat Systems




    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050



    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 










     




    On Feb 3, 2016, at 08:36, Wunder, John A. < jwunder@mitre.org > wrote:


     





    The syntax means that those fields are a sub-object nested under the parent. So that would be one of the keys within the objects in the external_ids array.




     



    From:   "Jordan, Bret" < bret.jordan@bluecoat.com >
    Date:   Wednesday, February 3, 2016 at 10:00 AM
    To:   "Wunder, John A." < jwunder@mitre.org >
    Cc:   " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject:   Re: [cti] Top-Level Object Properties



     




    I do not believe we have consensus on all of the items in the consensus section.  Namely, what are the "----" field all about?


     



    Example





    ----id (required)



    IDFormat



    The external ID itself






     



     










     



    Thanks,



     



    Bret




     



     



     




    Bret Jordan CISSP


    Director of Security Architecture and Standards Office of the CTO



    Blue Coat Systems




    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050



    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 










     




    On Feb 3, 2016, at 05:53, Wunder, John A. < jwunder@mitre.org > wrote:


     




    All,



     



    There’s a new topic to think about! As discussed at the face to face, each top-level object in STIX and CybOX will inherit from a core set of properties…things like ID, etc. We haven’t
    quite agreed on what all of those fields are, though.



     



    Take a look at this writeup:  https://github.com/STIXProject/specifications/wiki/Active-Issue:-IDable-Construct-Properties .
    It has a set of fields that we have general agreement on, a list of fields we haven’t really discussed, and then a couple proposals (from Sean and from the twigs team). Feel free to either add your own proposal to that wiki page or discuss on the mailing lists
    and slack. The key question to consider: what fields should be available on *all* top-level objects?



     



    John



     



    PS: The twigs team added our proposal to the writeup on source references. You can see it on the issue page ( https://github.com/STIXProject/specifications/wiki/Active-Issue:-Relating-Source )
    by scrolling down to Proposal 2. If you want to respond to that one via e-mail, make sure to make a separate thread.





























  • 9.  Re: [cti] Top-Level Object Properties

    Posted 02-04-2016 15:05




    +1 with Mark’s comment.


    I don’t care as much if its in the STIX pre-draft document or not, but without something concrete to comment on as its gets really hard to comment on and follow.  Seeing the Node and field description with normative text certainly makes it easier to make
    specific comments




    Paul Patrick
    Chief Architect
    iSIGHT Partners










    From: < cti@lists.oasis-open.org > on behalf of Mark Davidson < mdavidson@soltra.com >
    Date: Thursday, February 4, 2016 at 6:40 AM
    To: "Wunder, John A." < jwunder@mitre.org >, "Jordan, Bret" < bret.jordan@bluecoat.com >, "Piazza, Rich" < rpiazza@mitre.org >
    Cc: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject: Re: [cti] Top-Level Object Properties







    It would be much easier for me to comment on these topics if we had them in a living document and had the non-consensus items identified in some way (e.g., highlighted text). My opinion of certain fields will depend more on the normative text that surrounds
    them than the concept of them. 


    I’ve moved some text from the TWIGs document to the STIX pre-draft document [1] under the heading “Common Object Properties” and attempted to follow my own advice; non-consensus items are highlighted in yellow. I know we talked about doing this on the
    wiki, but the wiki makes my brain hurt and scream out for a better way of organizing the information (Does anyone else get the same thing? If it’s just me I’ll go along with the wiki). 


    Thank you.
    -Mark


    [1]  https://docs.google.com/document/d/1U48DOJzh2qELOEhhVWz_G6hL0Bazx1Y52wpOeR8jaVk/edit#















  • 10.  Re: [cti] Top-Level Object Properties

    Posted 02-04-2016 15:31





    I would concur with defining normative text for the proposals but would strongly disagree with putting this in the pre-draft spec.
    I believe that only consensus content should go into any spec docs (pre-draft, draft or otherwise). There is an inherent bias applied to anything placed in a “spec” document.
    We should discuss, debate and decide on consensus (which should include normative text) before it goes in an actual “spec” doc.


    sean









    From: < cti@lists.oasis-open.org > on behalf of " ppatrick@isightpartners.com " < ppatrick@isightpartners.com >
    Date: Thursday, February 4, 2016 at 10:04 AM
    To: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject: Re: [cti] Top-Level Object Properties






    +1 with Mark’s comment.


    I don’t care as much if its in the STIX pre-draft document or not, but without something concrete to comment on as its gets really hard to comment on and follow.  Seeing the Node and field description with normative text certainly makes it easier to make
    specific comments




    Paul Patrick
    Chief Architect
    iSIGHT Partners










    From: < cti@lists.oasis-open.org > on behalf of Mark Davidson < mdavidson@soltra.com >
    Date: Thursday, February 4, 2016 at 6:40 AM
    To: "Wunder, John A." < jwunder@mitre.org >, "Jordan, Bret" < bret.jordan@bluecoat.com >, "Piazza, Rich" < rpiazza@mitre.org >
    Cc: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject: Re: [cti] Top-Level Object Properties







    It would be much easier for me to comment on these topics if we had them in a living document and had the non-consensus items identified in some way (e.g., highlighted text). My opinion of certain fields will depend more on the normative text that surrounds
    them than the concept of them. 


    I’ve moved some text from the TWIGs document to the STIX pre-draft document [1] under the heading “Common Object Properties” and attempted to follow my own advice; non-consensus items are highlighted in yellow. I know we talked about doing this on the
    wiki, but the wiki makes my brain hurt and scream out for a better way of organizing the information (Does anyone else get the same thing? If it’s just me I’ll go along with the wiki). 


    Thank you.
    -Mark


    [1]  https://docs.google.com/document/d/1U48DOJzh2qELOEhhVWz_G6hL0Bazx1Y52wpOeR8jaVk/edit#

















  • 11.  Re: [cti] Top-Level Object Properties

    Posted 02-04-2016 15:25





    Sorry for the delayed response. I did not have my computer with me at the SANS CTI Summit yesterday.




    Bret, the structure for external_ids on the wiki page is what was presented during the STIX #2 time block at the F2F and had consensus from everyone present (no concerns or objections were raised).




    I would strongly assert that use cases for including external ids require more than just an array of strings. 

    Bare minimum you need the identifier itself and some characterization of the context for that identifier (without which you would have no idea what context the identifier comes from).
    I think your comment below about
    "Why does it need an “id”” is likely due to the field currently being named “id” on the wiki page and confusing it with a STIX id. 
    I agree this is confusing. I would suggest that this field name be changed to “exernal_identifier ” .
    The  “ url ”  field  should  likely
    similarly be renamed more specifically to  “ url_reference ” . This field capability is also something that has been  brought
    up in the use cases driving towards including an external_ids property. The intent being to provide an optional way to provide a resolvable way to access the content in it external context.


    >External_Ids are going to be populated by internal systems or vendor products.  These solutions will give a name like "malware foo xyz" for example, this is not a URL.


    I don’t think this is an accurate characterization of many of the use cases for external_ids. 
    The initial scenario that led to external_ids being included on Incident (its first use) was raised by US-CERT and some European CERTs and was basically that a STIX characterization of an Incident shared between parties and linked to other STIX content
    (TLOs) would likely be a subset of the full incident info held by the producer and it would be highly desirable to include the identifier for the incident within the producer’s context, a way to identify that context for the identifier and to provide a URL
    (likely representing an API call) to the incident within the producer’s system. If a consumer (internal or external to the producer’s environment) had permissions to access that incident in the producer’s system they could follow the URL and get access, and
    if they did not they would get an access error.
    Alternative_IDs was later added to Indicator by the community as they felt the above sort of use case pattern likely also applied to indicators.


    When we discussed normalizing these two structures to common naming and structure it was brought up that this sort of use case pattern also likely applies to almost any STIX content and so having the structure as a common property on all “top level” objects
    made sense. This is what led to the current proposal and the consensus that existed until you raised your objection.


    I believe this presumption of applicability across other STIX objects was confirmed during recent discussions on the Exploit_Target refactoring where it was suggested that the CVE_ID, OSVDB_ID, CWE_ID and similarly CAPEC_ID on TTP should likely just 
    be implemented using the external_ids structure rather than separate purpose built fields.
    Basically something like:


    “external_ids” : [{“external_identifier”: “CVE-2014-0160”, “defining_context”: “cve”, “url_reference”: " https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160” }, {“external_identifier”:
    “CVE-2014-0160”, “defining_context”: “nvd”, “url_reference”: " https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 "}]
    Notice that the external_identifer is the same but the defining contexts and url_references are different and correlated to different external data sources for this vulnerability.





    I believe that the above use cases raised by the community are valid and should be supported.
    I believe the proposed structure is clear (with renaming of “id” to “external_identifier” and “url” renamed to “url_reference”), consistent and simple.


    I do not see any way that these sub-properties can be merged in any practical way. “external_identifer”, “defining_context” and “url_reference” each serves a specific purpose and it would place undue burden on any consumer to parse
    and pull them apart if they were somehow merged. It is simpler to explicitly specify each in its own field.


    sean









    From: < cti@lists.oasis-open.org > on behalf of John Wunder < jwunder@mitre.org >
    Date: Wednesday, February 3, 2016 at 9:20 PM
    To: "Jordan, Bret" < bret.jordan@bluecoat.com >, Rich Piazza < rpiazza@mitre.org >
    Cc: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject: Re: [cti] Top-Level Object Properties







    So fwiw I like having the identity/source separate from the reference. I do kind of agree that we could merge the url, name, and ID fields though…it’s a distinction that probably doesn’t matter for the vast majority of cases. I could go either way.









    From: "Jordan, Bret" < bret.jordan@bluecoat.com >
    Date: Wednesday, February 3, 2016 at 11:51 AM
    To: Rich Piazza < rpiazza@mitre.org >
    Cc: "Wunder, John A." < jwunder@mitre.org >, " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject: Re: [cti] Top-Level Object Properties





    It should just be an Array of Strings and then the user can put in what every they want.  











    Thanks,


    Bret











    Bret Jordan CISSP

    Director of Security Architecture and Standards Office of the CTO

    Blue Coat Systems

    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 











    On Feb 3, 2016, at 09:40, Piazza, Rich < rpiazza@mitre.org > wrote:




    url   is optional,
    you can use   name ,
    which is also optional – you just have to use one of them

     



    From:   cti@lists.oasis-open.org   [ mailto:cti@lists.oasis-open.org ]   On
    Behalf Of   Jordan, Bret
    Sent:   Wednesday, February 03, 2016 11:24 AM
    To:   Wunder, John A. < jwunder@mitre.org >
    Cc:   cti@lists.oasis-open.org
    Subject:   Re: [cti] Top-Level Object Properties



     

    Well then I do not think we have consensus on the external_ids object... I thought this was going to be just an array of string values.  Why does it need an "id" and why would we every make data field be a "url". 


     



    External_Ids are going to be populated by internal systems or vendor products.  These solutions will give a name like "malware foo xyz" for example, this is not a URL.



     










     



    Thanks,



     



    Bret




     



     



     




    Bret Jordan CISSP


    Director of Security Architecture and Standards Office of the CTO



    Blue Coat Systems




    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050



    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 










     




    On Feb 3, 2016, at 08:36, Wunder, John A. < jwunder@mitre.org > wrote:


     





    The syntax means that those fields are a sub-object nested under the parent. So that would be one of the keys within the objects in the external_ids array.




     



    From:   "Jordan, Bret" < bret.jordan@bluecoat.com >
    Date:   Wednesday, February 3, 2016 at 10:00 AM
    To:   "Wunder, John A." < jwunder@mitre.org >
    Cc:   " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject:   Re: [cti] Top-Level Object Properties



     




    I do not believe we have consensus on all of the items in the consensus section.  Namely, what are the "----" field all about?


     



    Example





    ----id (required)



    IDFormat



    The external ID itself






     



     










     



    Thanks,



     



    Bret




     



     



     




    Bret Jordan CISSP


    Director of Security Architecture and Standards Office of the CTO



    Blue Coat Systems




    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050



    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 










     




    On Feb 3, 2016, at 05:53, Wunder, John A. < jwunder@mitre.org > wrote:


     




    All,



     



    There’s a new topic to think about! As discussed at the face to face, each top-level object in STIX and CybOX will inherit from a core set of properties…things like ID, etc. We haven’t
    quite agreed on what all of those fields are, though.



     



    Take a look at this writeup:  https://github.com/STIXProject/specifications/wiki/Active-Issue:-IDable-Construct-Properties .
    It has a set of fields that we have general agreement on, a list of fields we haven’t really discussed, and then a couple proposals (from Sean and from the twigs team). Feel free to either add your own proposal to that wiki page or discuss on the mailing lists
    and slack. The key question to consider: what fields should be available on *all* top-level objects?



     



    John



     



    PS: The twigs team added our proposal to the writeup on source references. You can see it on the issue page ( https://github.com/STIXProject/specifications/wiki/Active-Issue:-Relating-Source )
    by scrolling down to Proposal 2. If you want to respond to that one via e-mail, make sure to make a separate thread.





























  • 12.  Re: [cti] Top-Level Object Properties

    Posted 02-04-2016 16:28
    This makes more sense.   To prevent this type of confusion, we really need to move out of wiki land and move content to the pre-draft documents and normative text.  Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.   On Feb 4, 2016, at 08:24, Barnum, Sean D. < sbarnum@mitre.org > wrote: Sorry for the delayed response. I did not have my computer with me at the SANS CTI Summit yesterday. Bret, the structure for external_ids on the wiki page is what was presented during the STIX #2 time block at the F2F and had consensus from everyone present (no concerns or objections were raised). I would strongly assert that use cases for including external ids require more than just an array of strings.  Bare minimum you need the identifier itself and some characterization of the context for that identifier (without which you would have no idea what context the identifier comes from). I think your comment below about Why does it need an “id”” is likely due to the field currently being named “id” on the wiki page and confusing it with a STIX id.  I agree this is confusing. I would suggest that this field name be changed to “exernal_identifier ” . The  “ url ”  field  should  likely similarly be renamed more specifically to  “ url_reference ” . This field capability is also something that has been  brought up in the use cases driving towards including an external_ids property. The intent being to provide an optional way to provide a resolvable way to access the content in it external context. >External_Ids are going to be populated by internal systems or vendor products.  These solutions will give a name like malware foo xyz for example, this is not a URL. I don’t think this is an accurate characterization of many of the use cases for external_ids.  The initial scenario that led to external_ids being included on Incident (its first use) was raised by US-CERT and some European CERTs and was basically that a STIX characterization of an Incident shared between parties and linked to other STIX content (TLOs) would likely be a subset of the full incident info held by the producer and it would be highly desirable to include the identifier for the incident within the producer’s context, a way to identify that context for the identifier and to provide a URL (likely representing an API call) to the incident within the producer’s system. If a consumer (internal or external to the producer’s environment) had permissions to access that incident in the producer’s system they could follow the URL and get access, and if they did not they would get an access error. Alternative_IDs was later added to Indicator by the community as they felt the above sort of use case pattern likely also applied to indicators. When we discussed normalizing these two structures to common naming and structure it was brought up that this sort of use case pattern also likely applies to almost any STIX content and so having the structure as a common property on all “top level” objects made sense. This is what led to the current proposal and the consensus that existed until you raised your objection. I believe this presumption of applicability across other STIX objects was confirmed during recent discussions on the Exploit_Target refactoring where it was suggested that the CVE_ID, OSVDB_ID, CWE_ID and similarly CAPEC_ID on TTP should likely just  be implemented using the external_ids structure rather than separate purpose built fields. Basically something like: “external_ids” : [{“external_identifier”: “CVE-2014-0160”, “defining_context”: “cve”, “url_reference”: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160” }, {“external_identifier”: “CVE-2014-0160”, “defining_context”: “nvd”, “url_reference”: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 }] Notice that the external_identifer is the same but the defining contexts and url_references are different and correlated to different external data sources for this vulnerability. I believe that the above use cases raised by the community are valid and should be supported. I believe the proposed structure is clear (with renaming of “id” to “external_identifier” and “url” renamed to “url_reference”), consistent and simple. I do not see any way that these sub-properties can be merged in any practical way. “external_identifer”, “defining_context” and “url_reference” each serves a specific purpose and it would place undue burden on any consumer to parse and pull them apart if they were somehow merged. It is simpler to explicitly specify each in its own field. sean From: < cti@lists.oasis-open.org > on behalf of John Wunder < jwunder@mitre.org > Date: Wednesday, February 3, 2016 at 9:20 PM To: Jordan, Bret < bret.jordan@bluecoat.com >, Rich Piazza < rpiazza@mitre.org > Cc: cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject: Re: [cti] Top-Level Object Properties So fwiw I like having the identity/source separate from the reference. I do kind of agree that we could merge the url, name, and ID fields though…it’s a distinction that probably doesn’t matter for the vast majority of cases. I could go either way. From: Jordan, Bret < bret.jordan@bluecoat.com > Date: Wednesday, February 3, 2016 at 11:51 AM To: Rich Piazza < rpiazza@mitre.org > Cc: Wunder, John A. < jwunder@mitre.org >, cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject: Re: [cti] Top-Level Object Properties It should just be an Array of Strings and then the user can put in what every they want.   Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.   On Feb 3, 2016, at 09:40, Piazza, Rich < rpiazza@mitre.org > wrote: url   is optional, you can use   name , which is also optional – you just have to use one of them   From:   cti@lists.oasis-open.org   [ mailto:cti@lists.oasis-open.org ]   On Behalf Of   Jordan, Bret Sent:   Wednesday, February 03, 2016 11:24 AM To:   Wunder, John A. < jwunder@mitre.org > Cc:   cti@lists.oasis-open.org Subject:   Re: [cti] Top-Level Object Properties   Well then I do not think we have consensus on the external_ids object... I thought this was going to be just an array of string values.  Why does it need an id and why would we every make data field be a url .    External_Ids are going to be populated by internal systems or vendor products.  These solutions will give a name like malware foo xyz for example, this is not a URL.     Thanks,   Bret       Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.     On Feb 3, 2016, at 08:36, Wunder, John A. < jwunder@mitre.org > wrote:   The syntax means that those fields are a sub-object nested under the parent. So that would be one of the keys within the objects in the external_ids array.   From:   Jordan, Bret < bret.jordan@bluecoat.com > Date:   Wednesday, February 3, 2016 at 10:00 AM To:   Wunder, John A. < jwunder@mitre.org > Cc:   cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject:   Re: [cti] Top-Level Object Properties   I do not believe we have consensus on all of the items in the consensus section.  Namely, what are the ---- field all about?   Example ----id (required) IDFormat The external ID itself       Thanks,   Bret       Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.     On Feb 3, 2016, at 05:53, Wunder, John A. < jwunder@mitre.org > wrote:   All,   There’s a new topic to think about! As discussed at the face to face, each top-level object in STIX and CybOX will inherit from a core set of properties…things like ID, etc. We haven’t quite agreed on what all of those fields are, though.   Take a look at this writeup:  https://github.com/STIXProject/specifications/wiki/Active-Issue:-IDable-Construct-Properties . It has a set of fields that we have general agreement on, a list of fields we haven’t really discussed, and then a couple proposals (from Sean and from the twigs team). Feel free to either add your own proposal to that wiki page or discuss on the mailing lists and slack. The key question to consider: what fields should be available on *all* top-level objects?   John   PS: The twigs team added our proposal to the writeup on source references. You can see it on the issue page ( https://github.com/STIXProject/specifications/wiki/Active-Issue:-Relating-Source ) by scrolling down to Proposal 2. If you want to respond to that one via e-mail, make sure to make a separate thread. Attachment: signature.asc Description: Message signed with OpenPGP using GPGMail


  • 13.  Re: [cti] Top-Level Object Properties

    Posted 02-04-2016 16:35
    Yes - It is a lot easier for participants to comment on the pre-draft documents simply because it is impossible to comment on things in the Github wiki. This reason alone makes me really dislike the wiki format for communicating proposals, and would rather have us move to the "living documents" as Mark mentions... there is no way to properly comment on the wiki, which makes it very difficult. It would be different if we had a Confluence wiki where you can enter comments, but we don't. With the current "living proposals", I can comment on the text easily - or even directly edit it and have others approve or reject my proposed changes. It makes collaborating much simpler and it also makes it much clearer what is really being proposed (and debated). - Jason Keirstead STSM, Product Architect, Security Intelligence, IBM Security Systems www.ibm.com/security www.securityintelligence.com Without data, all you are is just another person with an opinion - Unknown "Jordan, Bret" ---02/04/2016 12:27:54 PM---This makes more sense. To prevent this type of confusion, we really need to move out of wiki land From: "Jordan, Bret" <bret.jordan@bluecoat.com> To: "Barnum, Sean D." <sbarnum@mitre.org> Cc: "Wunder, John A." <jwunder@mitre.org>, "Piazza, Rich" <rpiazza@mitre.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> Date: 02/04/2016 12:27 PM Subject: Re: [cti] Top-Level Object Properties Sent by: <cti@lists.oasis-open.org> This makes more sense. To prevent this type of confusion, we really need to move out of wiki land and move content to the pre-draft documents and normative text. Thanks, Bret Bret Jordan CISSP Director of Security Architecture and Standards Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." [attachment "signature.asc" deleted by Jason Keirstead/CanEast/IBM]


  • 14.  Re: [cti] Top-Level Object Properties

    Posted 02-04-2016 16:39





    I think I’m OK with these properties, and I’m definitely OK with this general approach. Maybe someone could move it into the draft CTI Common doc for us all to see as normative text? In particular I’d like to see and argue about the definitions for the
    subfields to make sure they’re unambiguous (or at least, if they are ambiguous, that we do it on purpose).









    From: "Jordan, Bret" < bret.jordan@bluecoat.com >
    Date: Thursday, February 4, 2016 at 11:27 AM
    To: Sean Barnum < sbarnum@mitre.org >
    Cc: "Wunder, John A." < jwunder@mitre.org >, Rich Piazza < rpiazza@mitre.org >, " cti@lists.oasis-open.org "
    < cti@lists.oasis-open.org >
    Subject: Re: [cti] Top-Level Object Properties





    This makes more sense.   To prevent this type of confusion, we really need to move out of wiki land and move content to the pre-draft documents and normative text. 











    Thanks,


    Bret











    Bret Jordan CISSP

    Director of Security Architecture and Standards Office of the CTO

    Blue Coat Systems

    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 











    On Feb 4, 2016, at 08:24, Barnum, Sean D. < sbarnum@mitre.org > wrote:




    Sorry for the delayed response. I did not have my computer with me at the SANS CTI Summit yesterday.


    Bret, the structure for external_ids on the wiki page is what was presented during the STIX #2 time block at the F2F and had consensus from everyone present (no concerns or objections
    were raised).


    I would strongly assert that use cases for including external ids require more than just an array of strings. 
    Bare minimum you need the identifier itself and some characterization of the context for that identifier (without which you would have no idea what context the identifier comes from).
    I think your comment below about
    "Why does it need an “id”” is likely due to the field currently being named “id” on the wiki page and confusing it with a STIX id. 
    I agree this is confusing. I would suggest that this field name be changed to “exernal_identifier ” .
    The  “ url ”  field  should  likely
    similarly be renamed more specifically to  “ url_reference ” . This field capability is also something that
    has been  brought up in the use cases driving towards including an external_ids property. The intent being to provide an optional way to provide a resolvable way to access the content in it external context.


    >External_Ids are going to be populated by internal systems or vendor products.  These solutions will give a name like "malware foo xyz" for example, this is not a URL.


    I don’t think this is an accurate characterization of many of the use cases for external_ids. 
    The initial scenario that led to external_ids being included on Incident (its first use) was raised by US-CERT and some European CERTs and was basically that a STIX characterization of an Incident shared between parties and linked to other STIX
    content (TLOs) would likely be a subset of the full incident info held by the producer and it would be highly desirable to include the identifier for the incident within the producer’s context, a way to identify that context for the identifier and to provide
    a URL (likely representing an API call) to the incident within the producer’s system. If a consumer (internal or external to the producer’s environment) had permissions to access that incident in the producer’s system they could follow the URL and get access,
    and if they did not they would get an access error.
    Alternative_IDs was later added to Indicator by the community as they felt the above sort of use case pattern likely also applied to indicators.


    When we discussed normalizing these two structures to common naming and structure it was brought up that this sort of use case pattern also likely applies to almost any STIX content and so having the structure as a common property on all “top
    level” objects made sense. This is what led to the current proposal and the consensus that existed until you raised your objection.


    I believe this presumption of applicability across other STIX objects was confirmed during recent discussions on the Exploit_Target refactoring where it was suggested that the CVE_ID, OSVDB_ID, CWE_ID and similarly CAPEC_ID on TTP should likely
    just 
    be implemented using the external_ids structure rather than separate purpose built fields.
    Basically something like:


    “external_ids” : [{“external_identifier”: “CVE-2014-0160”, “defining_context”: “cve”, “url_reference”: " https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160” }, {“external_identifier”:
    “CVE-2014-0160”, “defining_context”: “nvd”, “url_reference”: " https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 "}]
    Notice that the external_identifer is the same but the defining contexts and url_references are different and correlated to different external data sources for this vulnerability.





    I believe that the above use cases raised by the community are valid and should be supported.
    I believe the proposed structure is clear (with renaming of “id” to “external_identifier” and “url” renamed to “url_reference”), consistent and simple.


    I do not see any way that these sub-properties can be merged in any practical way. “external_identifer”, “defining_context” and “url_reference” each serves a specific purpose and it would place undue burden on any
    consumer to parse and pull them apart if they were somehow merged. It is simpler to explicitly specify each in its own field.


    sean








    From: < cti@lists.oasis-open.org > on behalf of John Wunder < jwunder@mitre.org >
    Date: Wednesday, February 3, 2016 at 9:20 PM
    To: "Jordan, Bret" < bret.jordan@bluecoat.com >, Rich Piazza < rpiazza@mitre.org >
    Cc: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject: Re: [cti] Top-Level Object Properties







    So fwiw I like having the identity/source separate from the reference. I do kind of agree that we could merge the url, name, and ID fields though…it’s a distinction that probably doesn’t matter for the vast majority of cases. I could go either
    way.









    From: "Jordan, Bret" < bret.jordan@bluecoat.com >
    Date: Wednesday, February 3, 2016 at 11:51 AM
    To: Rich Piazza < rpiazza@mitre.org >
    Cc: "Wunder, John A." < jwunder@mitre.org >, " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject: Re: [cti] Top-Level Object Properties





    It should just be an Array of Strings and then the user can put in what every they want.  











    Thanks,


    Bret











    Bret Jordan CISSP

    Director of Security Architecture and Standards Office of the CTO

    Blue Coat Systems

    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 











    On Feb 3, 2016, at 09:40, Piazza, Rich < rpiazza@mitre.org > wrote:




    url   is optional,
    you can use   name ,
    which is also optional – you just have to use one of them

     



    From:   cti@lists.oasis-open.org   [ mailto:cti@lists.oasis-open.org ]   On
    Behalf Of   Jordan, Bret
    Sent:   Wednesday, February 03, 2016 11:24 AM
    To:   Wunder, John A. < jwunder@mitre.org >
    Cc:   cti@lists.oasis-open.org
    Subject:   Re: [cti] Top-Level Object Properties



     

    Well then I do not think we have consensus on the external_ids object... I thought this was going to be just an array of string values.  Why does it need an "id" and why would we every make data field be a "url". 


     



    External_Ids are going to be populated by internal systems or vendor products.  These solutions will give a name like "malware foo xyz" for example, this is not a URL.



     










     



    Thanks,



     



    Bret




     



     



     




    Bret Jordan CISSP


    Director of Security Architecture and Standards Office of the CTO



    Blue Coat Systems




    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050



    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 










     




    On Feb 3, 2016, at 08:36, Wunder, John A. < jwunder@mitre.org > wrote:


     





    The syntax means that those fields are a sub-object nested under the parent. So that would be one of the keys within the objects in the external_ids array.




     



    From:   "Jordan, Bret" < bret.jordan@bluecoat.com >
    Date:   Wednesday, February 3, 2016 at 10:00 AM
    To:   "Wunder, John A." < jwunder@mitre.org >
    Cc:   " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject:   Re: [cti] Top-Level Object Properties



     




    I do not believe we have consensus on all of the items in the consensus section.  Namely, what are the "----" field all about?


     



    Example





    ----id (required)



    IDFormat



    The external ID itself






     



     










     



    Thanks,



     



    Bret




     



     



     




    Bret Jordan CISSP


    Director of Security Architecture and Standards Office of the CTO



    Blue Coat Systems




    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050



    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 










     




    On Feb 3, 2016, at 05:53, Wunder, John A. < jwunder@mitre.org > wrote:


     




    All,



     



    There’s a new topic to think about! As discussed at the face to face, each top-level object in STIX and CybOX will inherit from a core set of properties…things like ID, etc. We haven’t
    quite agreed on what all of those fields are, though.



     



    Take a look at this writeup:  https://github.com/STIXProject/specifications/wiki/Active-Issue:-IDable-Construct-Properties .
    It has a set of fields that we have general agreement on, a list of fields we haven’t really discussed, and then a couple proposals (from Sean and from the twigs team). Feel free to either add your own proposal to that wiki page or discuss on the mailing lists
    and slack. The key question to consider: what fields should be available on *all* top-level objects?



     



    John



     



    PS: The twigs team added our proposal to the writeup on source references. You can see it on the issue page ( https://github.com/STIXProject/specifications/wiki/Active-Issue:-Relating-Source )
    by scrolling down to Proposal 2. If you want to respond to that one via e-mail, make sure to make a separate thread.




































  • 15.  Re: [cti] Top-Level Object Properties

    Posted 02-04-2016 14:59




    First in defense of Sean, the majority of the proposals attributed to Sean are actually the result of collaboration of with a number of us that are in the threat intelligence business and actively do threat sharing.  So much like there is a TWIGS team,
    there is a team working with Sean in much the same manner (we just don’t have a catchy name), they’re not just Sean’s opinions.  @Sean – sounds like a high priority tasker is for us to create a catchy name ;-)


    With regards to external_ids, it does appear we don’t consensus YET, but I’m hopeful as I don’t see Proposal #1 and #2 that far apart with regards to the topic of external_ids.  If one looks around,  you'll find that everything doesn’t have a “well-known”
    id format (e.g., CVE) which could be used to indicate what well-know external system the entity is in.  In addition, there are other situations others where the external_id value requires context in which to allow the consumer to know how to use that ID, be
    it formatted or just plain-text as in Bret’s example or a reference to a document.  In those cases, it needs to be allowable to specify that additional context and include a reference in the form of a URL as an option.  So I don’t believe that we can just
    conclude that this field will always be a simple string.  This was the reason external_ids defined the way they were in both proposals.


    As I look at both proposals, I don’t see them that far off from one another.  To the point of proposal #2, perhaps a more appropriate field name should be something like ‘external_refs’, where a reference could be to a document, an id in an external system,
    etc.  In order to avoid confusion, perhaps ‘id’ in proposal #1 and ‘name’ in proposal #2 should be renamed to some different, like ‘identifier’.  ‘defining_context' and ‘type' are essentially attempting to provide the same notion except in proposal #2 the
    actually context in which the ‘identifier’ is valid can’t be expressed. In addition, we should continue to reserve the field name  ’type’ to specify the type of the object.  The remaining fields, ‘name’ and ‘url’ can be supported in both proposals.


    So as a ‘vendor’ who produces shared threat intelligence as a product, I need this level of capability because I need to provide my clients with as much context as I can so that they have the background necessary regardless if the object is being used
    at the tactical level and actioned by a machine, or included in something at the operational or strategic level which would involve humans (e.g., analysts).




    Paul Patrick
    Chief Architect
    iSIGHT Partners








    From: < cti@lists.oasis-open.org > on behalf of "Jordan, Bret" < bret.jordan@bluecoat.com >
    Date: Wednesday, February 3, 2016 at 10:24 AM
    To: "Wunder, John A." < jwunder@mitre.org >
    Cc: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject: Re: [cti] Top-Level Object Properties






    Well then I do not think we have consensus on the external_ids object... I thought this was going to be just an array of string values.  Why does it need an "id" and why would we every make data field be a "url". 


    External_Ids are going to be populated by internal systems or vendor products.  These solutions will give a name like "malware foo xyz" for example, this is not a URL.














    Thanks,


    Bret











    Bret Jordan CISSP

    Director of Security Architecture and Standards Office of the CTO

    Blue Coat Systems

    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 




















  • 16.  Re: [cti] Top-Level Object Properties

    Posted 02-04-2016 15:10





    We should also consider the use cases for this field vs. the “has source” and/or “derived from” relationships. It seems like there might be some overlap there?









    From: < cti@lists.oasis-open.org > on behalf of Paul Patrick < ppatrick@isightpartners.com >
    Date: Thursday, February 4, 2016 at 9:58 AM
    To: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject: Re: [cti] Top-Level Object Properties






    First in defense of Sean, the majority of the proposals attributed to Sean are actually the result of collaboration of with a number of us that are in the threat intelligence business and actively do threat sharing.  So much like there is a TWIGS team,
    there is a team working with Sean in much the same manner (we just don’t have a catchy name), they’re not just Sean’s opinions.  @Sean – sounds like a high priority tasker is for us to create a catchy name ;-)


    With regards to external_ids, it does appear we don’t consensus YET, but I’m hopeful as I don’t see Proposal #1 and #2 that far apart with regards to the topic of external_ids.  If one looks around,  you'll find that everything doesn’t have a “well-known”
    id format (e.g., CVE) which could be used to indicate what well-know external system the entity is in.  In addition, there are other situations others where the external_id value requires context in which to allow the consumer to know how to use that ID, be
    it formatted or just plain-text as in Bret’s example or a reference to a document.  In those cases, it needs to be allowable to specify that additional context and include a reference in the form of a URL as an option.  So I don’t believe that we can just
    conclude that this field will always be a simple string.  This was the reason external_ids defined the way they were in both proposals.


    As I look at both proposals, I don’t see them that far off from one another.  To the point of proposal #2, perhaps a more appropriate field name should be something like ‘external_refs’, where a reference could be to a document, an id in an external system,
    etc.  In order to avoid confusion, perhaps ‘id’ in proposal #1 and ‘name’ in proposal #2 should be renamed to some different, like ‘identifier’.  ‘defining_context' and ‘type' are essentially attempting to provide the same notion except in proposal #2 the
    actually context in which the ‘identifier’ is valid can’t be expressed. In addition, we should continue to reserve the field name  ’type’ to specify the type of the object.  The remaining fields, ‘name’ and ‘url’ can be supported in both proposals.


    So as a ‘vendor’ who produces shared threat intelligence as a product, I need this level of capability because I need to provide my clients with as much context as I can so that they have the background necessary regardless if the object is being used
    at the tactical level and actioned by a machine, or included in something at the operational or strategic level which would involve humans (e.g., analysts).




    Paul Patrick
    Chief Architect
    iSIGHT Partners








    From: < cti@lists.oasis-open.org > on behalf of "Jordan, Bret" < bret.jordan@bluecoat.com >
    Date: Wednesday, February 3, 2016 at 10:24 AM
    To: "Wunder, John A." < jwunder@mitre.org >
    Cc: " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
    Subject: Re: [cti] Top-Level Object Properties






    Well then I do not think we have consensus on the external_ids object... I thought this was going to be just an array of string values.  Why does it need an "id" and why would we every make data field be a "url". 


    External_Ids are going to be populated by internal systems or vendor products.  These solutions will give a name like "malware foo xyz" for example, this is not a URL.