CTI STIX Subcommittee

  • 1.  Targeting in STIX 2.0

    Posted 09-21-2015 16:58



    Hate to change the subject. Also, I hate thinking about new high level objects. Not every type of data should be high level object worthy, or else we risk STIX 2.0 having 30 of them and becoming more complex.


    I was looking at some proper STIX 1.0 last week. The documents were well formed, but at the same time they were MASSIVE and had tens of thousands of relationships. I wanted to provide some feedback to the author on how to reduce the complexity of the document
    while preserving the context that the document contained. That’s when it hit me. If targeting wasn’t included within the TTP object, the documents would have been dramatically smaller and easier to digest.


    Keep in mind that if we found a good home for targeting, we could use targeting in other concepts (like fraud for example).


    Questions:

    Do you agree that we should have open discussion regarding the removal of targeting from TTP in 2.x? If so, where would it go? A new top level object * sigh* ? Or maybe in another existing object?





    -- 


    Aharon Chernin
    CTO


    SOLTRA   An FS-ISAC
    & DTCC Company

    18301 Bermuda Green Dr

    Tampa, FL 33647


    813.470.2173 achernin@soltra.com

    www.soltra.com









  • 2.  Re: [cti-stix] Targeting in STIX 2.0

    Posted 09-21-2015 17:11

    If you think this would make things easier and simpler to understand and make the overall sizes smaller, then absolutely.  Now that we are all getting real world experience with massive amounts of STIX data, we should have these types of discussions.  I know for us, we are only generating 200,000 STIX packages a day, with all of the CybOX and MAEC pieces and all of the related TTP stuff as best we can tie it all together, but each one of them is HUGE.


    Thanks,

    Bret


    Bret Jordan CISSP
    Director of Security Architecture and Standards
    Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg.


  • 3.  Re: [cti-stix] Targeting in STIX 2.0

    Posted 09-21-2015 17:15



    What do you mean by targeting? Can you give a couple examples of how that would make the content smaller/better?


    Sorry, just having trouble picturing this.


    John




  • 4.  Re: [cti-stix] Targeting in STIX 2.0

    Posted 09-21-2015 17:57




    For example, a cyber intelligence feed that provides attack target URLs: TTP -> Victim Targeting -> Observable -> URL


    Which of my URLs are being attacked?


    Aharon











  • 5.  Re: [cti-stix] Targeting in STIX 2.0

    Posted 09-21-2015 18:06





    Target = Victim (or "Intermediary" who is both Victim and Attacker in a "MITM"/Supply Chain Attack TTP).  Plenty of legacy verbiage on why some of us argue that "Target" is a critical missing element/TLO in CTI (most recently when discussing CTI Charter).


    We can currently describe who's holding the spear, the attributes of the spear, and the "point" where the "pointy part" is headed/entered...but not the "pointee".










  • 6.  Re: [cti-stix] Targeting in STIX 2.0

    Posted 09-21-2015 18:16

    I would agree with this.

    I think breaking out Victim to its own construct partially but not completely addresses this.
    I think that potentially also breaking out Identity to its own construct would even further address this issue and many others.
    With Identity broken out, you could define the identity of a party one time and under differing circumstances reference them as a victim, a source, a threat actor, etc.

    A lot of these issues and optimal solutions become WAY more clear when we start to model them semantically rather than just structurally/schematically.

    sean
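To make the modelling choice discussed in posts 4 and 6 concrete, here is an added Python example (not from the thread, the STIX specification, or any of the posters) that contrasts the STIX 1.x-style chain TTP -> Victim Targeting -> Observable -> URL with a model where the target is its own object referenced by relationships, and answers "which of my URLs are being attacked?" against both. The feed, URLs, object ids and the `targets` relationship type are constructed for illustration.

```python
from collections import Counter

# Constructed sample feed (not real intelligence): TTP id, title, and the
# victim URLs each TTP has been seen attacking.
FEED = [
    ("ttp-1", "credential phishing", ["https://login.example.com", "https://mail.example.com"]),
    ("ttp-2", "web shell upload", ["https://login.example.com"]),
    ("ttp-3", "card skimmer", ["https://shop.example.com", "https://login.example.com"]),
]
MY_URLS = {"https://login.example.com", "https://shop.example.com"}  # what this consumer owns

def embedded_model(feed):
    """STIX 1.x style: TTP -> Victim_Targeting -> Observable -> URL, URL copied per TTP."""
    return [{"id": tid, "title": title,
             "victim_targeting": [{"observable": {"url": u}} for u in urls]}
            for tid, title, urls in feed]

def normalized_model(feed):
    """Target as its own object: each URL defined once, TTPs point at it by reference."""
    targets, relationships = {}, []
    for tid, _title, urls in feed:
        for u in urls:
            if u not in targets:
                targets[u] = "target-%d" % (len(targets) + 1)  # constructed id scheme
            relationships.append({"source_ref": tid, "relationship_type": "targets",
                                  "target_ref": targets[u]})
    return {"ttps": [{"id": tid, "title": title} for tid, title, _ in feed],
            "targets": [{"id": i, "url": u} for u, i in targets.items()],
            "relationships": relationships}

def attacked_urls_embedded(doc, my_urls):
    """'Which of my URLs are being attacked?' on the embedded form: walk every TTP's block."""
    hits = Counter()
    for ttp in doc:
        for vt in ttp["victim_targeting"]:
            if vt["observable"]["url"] in my_urls:
                hits[vt["observable"]["url"]] += 1
    return dict(hits)

def attacked_urls_normalized(doc, my_urls):
    """Same question on the normalized form: resolve my URLs to target ids once, then count refs."""
    mine = {t["id"]: t["url"] for t in doc["targets"] if t["url"] in my_urls}
    return dict(Counter(mine[r["target_ref"]] for r in doc["relationships"]
                        if r["target_ref"] in mine))

def url_definitions(embedded, normalized):
    """How many times a URL value is materialized in each document (5 vs 3 for FEED)."""
    return sum(len(t["victim_targeting"]) for t in embedded), len(normalized["targets"])
```

Both query functions return the same per-URL hit counts, but only the normalized form lets one target (or, per post 6, one identity) be defined once and referenced under different relationship types.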


  • 7.  Re: [cti-stix] Targeting in STIX 2.0

    Posted 09-21-2015 18:30

    Abstraction of this, following the semantic way, with interoperability in mind, and research into existing standardization efforts, could lead you to something like the Asset Identification http://scap.nist.gov/specifications/ai/