Yeah, thanks for taking the time to put this together and suggest the ones to focus on for now.
From my perspective, two of the values you suggest in the top list made sense to me: suspicious-activity-event (of course) and malware-analysis. I can see how you wouldn’t necessarily have a parent object you can relate things to in those cases, and so the grouping is important to pull the content together.
On the other hand, to be honest I have trouble seeing the value of grouping for indicator-sightings and object-relationships. I get that you need to answer the questions you listed (thanks for including use cases), but if you return a bundle with all of the content and relationships I’m not sure why you need a grouping to indicate they’re all related, when the sighting/relationship objects natively say that.
So at this point I’m supportive of suspicious-activity-event and malware-analysis. I would prefer to hold off on the other two until we can discuss more after 2.1 (including this idea of putting the ID for the object in the name of the grouping).
John
From: <cti-stix@lists.oasis-open.org> on behalf of "Struse, Richard J." <rjs@mitre.org>
Date: Friday, October 27, 2017 at 11:51 AM
To: Sean Barnum <sean.barnum@FireEye.com>, "Katz, Gary CTR DC3DCCI" <Gary.Katz.ctr@dc3.mil>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] RE: Initial stab at grouping-context-ov values based on real-world use cases
You did what we asked you to do - sorry if that wasn’t clear from my email.
Thanks,
Rich
From: Sean Barnum <sean.barnum@FireEye.com>
Date: Friday, October 27, 2017 at 11:03 AM
To: Richard Struse <rjs@mitre.org>, "Katz, Gary CTR DC3DCCI" <Gary.Katz.ctr@dc3.mil>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] RE: Initial stab at grouping-context-ov values based on real-world use cases
That was the intent of breaking up the list of values.
Focus on the small first set for now while providing the broader set for consideration, discussion and potential future inclusion if real-world use demonstrates its value.
Sean Barnum
Principal Architect
FireEye
M: 703.473.8262
E: sean.barnum@fireeye.com
From: "Struse, Richard J." <rjs@mitre.org>
Date: Thursday, October 26, 2017 at 5:13 PM
To: "Katz, Gary CTR DC3DCCI" <Gary.Katz.ctr@dc3.mil>, Sean Barnum <sean.barnum@FireEye.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] RE: Initial stab at grouping-context-ov values based on real-world use cases
Gary,
I share your view on this and, depending on how other folks think, I was wondering if we might focus on the handful of values like suspicious-activity-event for now and debate the relative merits of expanding the vocabulary later on? This would allow us to move forward without rushing the discussion of the other values.
Thoughts?
Rich
From: <cti-stix@lists.oasis-open.org> on behalf of "Katz, Gary CTR DC3DCCI" <Gary.Katz.ctr@dc3.mil>
Date: Thursday, October 26, 2017 at 5:03 PM
To: Sean Barnum <sean.barnum@FireEye.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: [cti-stix] RE: Initial stab at grouping-context-ov values based on real-world use cases
Hey Sean,
I’ve been thinking about your proposal these last couple of days and had some comments I wished to share. I’m interested in whether I am thinking about this incorrectly or if there are others that have a similar view.
In your email you state that the ‘Grouping object is to convey a specific set of STIX content shares some context.’ In my view, the fact that STIX content shares some context should be shown through the relationship links that the content has to other content; i.e., if you are trying to show malware analysis relationships, we have a malware analysis object and we have observable data that can be linked. Do we need a grouping object to further connect it all together? Don’t the relationships in and of themselves show that grouping? Similarly, an objects-relationships grouping would just be shown by sending the core object, related objects and the links between them; we don’t need another object to then encapsulate that information. Threat-actor-content, campaign-content, intrusion-set-content can all be explained similarly: just send the threat-actor, campaign, or intrusion-set, related objects and relationships and we’re good.
In my view this is a key distinction between the suspicious-activity-event and the other grouping types. For the other grouping types, we have ways to relate the data together, either through a malware object, an intrusion set object, a campaign object, threat actor object, etc. In the case of the suspicious-activity-event, that IS the object to provide context and relate that data together.
Interested in everyone’s thoughts,
-Gary
From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Sean Barnum
Sent: Monday, October 23, 2017 3:43 PM
To: cti-stix@lists.oasis-open.org
Subject: [Non-DoD Source] [cti-stix] Initial stab at grouping-context-ov values based on real-world use cases
A couple of weeks ago on the working call I took an action item to provide an initial minimal stab at grouping-context-ov values based on real-world use cases.
I got busy and did not follow through.
So, at the F2F last week we had a small side discussion where I provided an initial minimal stab at grouping-context-ov values based on real-world use cases that we see, and then we discussed which ones we might have consensus on as a small initial set, which ones might make longer term sense but not have consensus for an initial set, and which ones might be considered a bit more esoteric and considerable for future versions if real-world use proved out their value.
To reiterate for clarity, the purpose of the Grouping object is to convey that a specific set of STIX content shares some context.
It is not intended to be the first choice for sharing any set of related STIX content and is not intended to replace CTI domain-relevant objects.
It is the generalized last resort for specifying this sort of thing when there is no STIX domain-relevant object already available for the given type of context (e.g. STIX content that describes the structure or behavior of a piece of malware would utilize the Malware object, STIX content that characterizes details of infrastructure would utilize the Infrastructure object, etc).
The context property of the Grouping object is intended to convey the nature of context that the referenced content shares.
The intent of the grouping-context-ov is to provide consistently defined values for common cases of Grouping context while also leaving open the option of specifying values not defined by the standard.
Values of grouping-context-ov fall below the threshold required (at least for now) for defining a new SDO for that sort of context but above the threshold for uncommon or highly specialized forms of grouping context.
Here is the initial stab that resulted from the discussion at the F2F:
Suggested values
suspicious-activity-event
A set of STIX content related to a particular suspicious activity event.
(Answers question: what do we know about what happened in this suspicious activity/attack?)
indicator-sightings (name specifies Indicator id)
A set of STIX Sightings for a given Indicator.
(Answers question: what sightings are known for this indicator?)
object-relationships (name specifies object id)
A set of STIX objects related to a given object along with any relevant Relationship objects.
(Answers question: what objects are related to this specific object (embedded/external relationship from this object, embedded/external relationship to this object)?)
malware-analysis
A set of STIX content from a malware analysis action (sandbox execution, structural analysis, etc).
Common cases but possibly not consensus need in initial version of grouping-context-ov
malware-context (name specifies malware id)
A set of STIX content related to a given Malware object. **It should be noted that this is not details of the malware, which would be conveyed in a Malware object, but rather other STIX content related to the Malware object.
threat-actor-context (name specifies TA id)
A set of STIX content related to a given ThreatActor object. **It should be noted that this is not details of the threat actor, which would be conveyed in a ThreatActor object, but rather other STIX content related to the ThreatActor object.
campaign-context (name specifies Campaign id)
A set of STIX content related to a given Campaign object. **It should be noted that this is not details of the campaign, which would be conveyed in a Campaign object, but rather other STIX content related to the Campaign object.
intrusion-set-context (name specifies IntrusionSet id)
A set of STIX content related to a given IntrusionSet object. **It should be noted that this is not details of the intrusion set, which would be conveyed in an IntrusionSet object, but rather other STIX content related to the IntrusionSet object.
identity-context (name specifies Identity id)
A set of STIX content related to a given Identity object. **It should be noted that this is not details of the identity, which would be conveyed in an Identity object, but rather other STIX content related to the Identity object.
location-context (name specifies Location id)
A set of STIX content related to a given Location object. **It should be noted that this is not details of the location, which would be conveyed in a Location object, but rather other STIX content related to the Location object.
tool-context (name specifies Tool id)
A set of STIX content related to a given Tool object. **It should be noted that this is not details of the tool, which would be conveyed in a Tool object, but rather other STIX content related to the Tool object.
vulnerability-context (name specifies Vulnerability id)
A set of STIX content related to a given Vulnerability object. **It should be noted that this is not details of the vulnerability, which would be conveyed in a Vulnerability object, but rather other STIX content related to the Vulnerability object.
observable-context (name specifies observable)
A set of STIX content related to a given Observable object. **It should be noted that this is not details of the observable, which would be conveyed in an Observable object, but rather other STIX content related to the Observable object.
Outlier possibilities
temporal-activity-window (name specifies time window)
A set of STIX activity content that occurred within a given time window
temporal-creation-window (name specifies time window)
A set of STIX content created within a given time window
selector-result (name specifies selector)
A set of STIX content that matches a specific selector pattern
Please feel free to offer your thoughts.
Do you disagree with including any of these values?
Do you think that we should start with only the suggested values?
Do you think we should also include any/all of the “common case” or “outlier” values?
Sean Barnum
Principal Architect
FireEye
M: 703.473.8262
E: sean.barnum@fireeye.com
This email and any attachments thereto may contain private, confidential, and/or privileged material for the sole use of the intended recipient. Any review, copying, or distribution of this email (or any attachments thereto) by others is strictly prohibited. If you are not the intended recipient, please contact the sender immediately and permanently delete the original and any copies of this email and any attachments thereto.
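The thread above debates which grouping-context-ov values a STIX 2.1 Grouping should carry and whether the grouping's name should hold the id of the object it centres on. The following Python is an added example written for this page; it is not code from the thread, from OASIS, or from the stix2 library. It builds a minimal Grouping object (type, spec_version, id, created, modified, context, object_refs, optional name) and runs a small consistency check over it: context present, object_refs non-empty and well-formed, no self-reference, and, for the two draft contexts whose description says "name specifies ... id", that the name is a STIX identifier of the expected type and that an indicator-sightings grouping references only Sighting objects. The vocabulary set and the "name carries the id" convention are taken from Sean's draft list, not from the vocabulary that finally shipped in STIX 2.1 (which reduced the list to suspicious-activity, malware-analysis and unspecified); the check therefore only notes, rather than rejects, a context outside the draft set, since the draft explicitly allows custom values.

```python
"""Build and sanity-check STIX 2.1 Grouping objects against the draft
grouping-context-ov discussed on the cti-stix list (added example)."""
import re
import uuid
from datetime import datetime, timezone

# STIX identifier: <type>--<uuid4>, type is lowercase letters, digits, hyphens.
STIX_ID_RE = re.compile(
    r"^([a-z][a-z0-9-]*)--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)

# "Suggested values" from the draft list in the thread (assumption: draft, not final spec).
SUGGESTED_CONTEXTS = {
    "suspicious-activity-event",
    "indicator-sightings",
    "object-relationships",
    "malware-analysis",
}


def new_id(stix_type):
    """Return a fresh STIX identifier for the given object type."""
    return f"{stix_type}--{uuid.uuid4()}"


def stix_type_of(stix_id):
    """Return the type prefix of a STIX id, or None if it is not a valid id."""
    m = STIX_ID_RE.match(stix_id or "")
    return m.group(1) if m else None


def make_grouping(context, object_refs, name=None, description=None, created=None):
    """Construct a Grouping as a plain dict; object_refs and context are required in 2.1."""
    refs = list(object_refs)
    if not refs:
        raise ValueError("a Grouping must reference at least one object")
    when = created or datetime.now(timezone.utc)
    ts = when.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"  # STIX timestamp, ms precision
    grouping = {
        "type": "grouping",
        "spec_version": "2.1",
        "id": new_id("grouping"),
        "created": ts,
        "modified": ts,
        "context": context,
        "object_refs": refs,
    }
    if name is not None:
        grouping["name"] = name
    if description is not None:
        grouping["description"] = description
    return grouping


def check_grouping(grouping):
    """Return a list of problems found; an empty list means the grouping passed."""
    problems = []
    if grouping.get("type") != "grouping":
        problems.append("type must be 'grouping'")
    if stix_type_of(grouping.get("id")) != "grouping":
        problems.append("id must be a grouping-- identifier")

    context = grouping.get("context")
    if not context:
        problems.append("context is required")
    elif context not in SUGGESTED_CONTEXTS:
        # The draft allows values outside the vocabulary; surface it for review only.
        problems.append(f"note: context {context!r} is not in the suggested draft set")

    refs = grouping.get("object_refs") or []
    if not refs:
        problems.append("object_refs must list at least one object")
    for ref in refs:
        if stix_type_of(ref) is None:
            problems.append(f"object_refs entry {ref!r} is not a STIX identifier")
        elif ref == grouping.get("id"):
            problems.append("a grouping must not reference itself")

    # Draft convention (assumption): the name carries the id of the central object.
    name = grouping.get("name")
    if context == "indicator-sightings":
        if stix_type_of(name) != "indicator":
            problems.append("indicator-sightings: name should carry the Indicator id")
        for ref in refs:
            if stix_type_of(ref) not in (None, "sighting"):
                problems.append(f"indicator-sightings: {ref!r} is not a Sighting")
    elif context == "object-relationships":
        if stix_type_of(name) is None:
            problems.append("object-relationships: name should carry the central object id")
    return problems


if __name__ == "__main__":
    # Constructed sample: sightings of one indicator, grouped the way the draft proposes.
    indicator_id = new_id("indicator")
    g = make_grouping("indicator-sightings", [new_id("sighting"), new_id("sighting")], name=indicator_id)
    print(g["id"], "problems:", check_grouping(g))
```

Running the block prints the generated grouping id and an empty problem list; feeding check_grouping a grouping whose name is not an indicator id, or whose object_refs include non-Sighting objects, returns one problem per violation so a producer can see exactly which draft rule was broken.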