CTI STIX Subcommittee


Opinion Object Proposal

  • 1.  Opinion Object Proposal

    Posted 06-16-2016 13:01
    Hi All,

    As I've mentioned many times over the last year I firmly believe we need a way for third parties to agree or disagree with the threat intelligence they have received. If Org A has released a high confidence relationship between ActorX and Campaign G, and Org B knows that the relationship is wrong, then they need a way of signalling that to the community, so that community members don't blindly accept what Org A has released. Since late last year I've been suggesting we need an Opinion object. And today I took the step of writing up what that would look like. I would like to propose that we add this to the draft as a proposal, and that we include it in the MVP release.

    1.2. Opinion

    Type Name: opinion
    Status: Proposal
    MVP: Undecided

    The Opinion object is used to convey the Object creator's opinion about another object produced by a third party. It will allow each organization to agree or disagree with another organization's assertions, and ultimately will enable consumers to collect and understand the collective opinions of the community about the quality of the threat intelligence they have received. This is the first step towards consumers being able to crowdsource the opinion of the community, which will help newcomers to the threat intelligence sharing groups better understand which threats have a high degree of third party agreement and which are contentious.

    1.2.1. Properties

    STIX TLO Common Properties: type, id, created_by_ref, revision, created_time, modified_time, revoked, revision_comment, object_markings_refs, granular_markings

    Property Name (Type): Description
    - type (required; string): The value of this field MUST be opinion.
    - description (optional; string): A description that provides the recipient with reasoning to back up the opinion identified in this Opinion object.
    - object_ref (required; identifier): The id of the object that the Opinion refers to. This id can be any other STIX TLO except another Opinion object.
    - opinion (required; list of type controlled-vocab): The opinion that the producer has about the object listed in the object_ref field. This is one of the following options: "strongly-agree", "agree", "neutral", "disagree", "strongly-disagree", "no-opinion".

    1.2.2. Source Relationships

    These are the relationships defined between the Opinion Object and other objects.

    STIX TLO Common Relationships: duplicate-of, related-to

    1.2.3. Destination Relationships

    These are the relationships defined between other objects and the Opinion Object.

    Kind of Relationship (Source Type): Description
    - evidence-of (observation): Relates the Observation to an Opinion providing the evidence that the opinion was based on. This observation is evidence of why the organization formed the opinion it did about the threat intelligence contained within the object_ref field.

    Cheers
    Terry MacDonald
    Chief Product Officer
    M: +61-407-203-026
    E: terry.macdonald@cosive.com
    W: www.cosive.com


  • 2.  Re: Opinion Object Proposal

    Posted 06-23-2016 23:39
    Hi All,

    Can I take it that the lack of responses means that you all think this is a great idea? If so that's excellent, as it means it can drop straight into the MVP build as it doesn't require any modification :).

    Though seriously, if everyone is OK with the idea of this object which I've been banging on about for about a year then please speak up so we can get it added and allow people to have opinions about others' assertions. This object opens up the ability for people to effectively 'upvote' or 'downvote' a piece of threat intelligence. This will allow consumers to crowd-source how much they should trust the assertions made in that threat intelligence - which is a key enabler for consumers to effectively use the threat intelligence they receive. I passionately believe we need this object in MVP.

    Use Case (bad intel):
    - Threat Intel Vendor A provides some high confidence threat intel saying that 8.8.8.8 (Google DNS) is a malicious asset.
    - 30 other vendors and producers generate Opinion objects that all strongly disagree with the intel that Vendor A released.
    - A consumer can now see that Vendor A's intel shouldn't be trusted to have a high confidence, and therefore probably shouldn't be used in production.
    OUTCOME: Confidence in the value of the threat intel is decreased

    Use Case (good intel):
    - Threat Intel Vendor B provides some low confidence threat intel saying that they think that www.compromisedsite.com has been compromised by Angler.
    - Threat Intel Vendor C sends an Opinion Object strongly agreeing with Threat Intel Vendor C as they believe they are correct.
    - A consumer can now see that Vendor B's intel is pretty good, and they can potentially increase their confidence in that intel, and maybe use it in production.
    OUTCOME: Confidence in the value of the threat intel is increased

    What say you STIX community?
    Cheers
    Terry MacDonald
    Chief Product Officer
    M: +61-407-203-026
    E: terry.macdonald@cosive.com
    W: www.cosive.com
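As an added example that is not part of Terry's proposal or of any STIX implementation, the Python below models the Opinion object with the properties proposed in the first post and runs the two use cases above through a consumer-side tally: it validates each Opinion against the proposal's rules, counts one vote per created_by_ref (latest modified_time wins, revoked objects ignored), and maps the result onto the "decreased"/"increased" outcomes. The identifiers and producer names are constructed placeholders, and treating the opinion property as a single vocabulary value is an assumption.

```python
"""Validate and crowd-source proposed STIX Opinion objects.

Added example, not part of Terry's proposal or of any STIX library. It models
the Opinion object as proposed in this thread (type, id, created_by_ref,
object_ref, opinion, plus the common properties modified_time and revoked).
Assumptions: 'opinion' is treated as a single vocabulary value, and every
identifier and producer name below is a constructed placeholder.
"""
from collections import Counter

# Controlled vocabulary from the proposal, mapped to a weight for aggregation.
# "no-opinion" is recorded but carries no weight.
OPINION_VOCAB = {
    "strongly-disagree": -2,
    "disagree": -1,
    "neutral": 0,
    "agree": 1,
    "strongly-agree": 2,
    "no-opinion": None,
}


def validate_opinion(obj):
    """Return a list of problems (empty means well-formed). Rules from the
    proposal: type MUST be "opinion", object_ref is required and may not point
    at another Opinion, and opinion MUST come from the controlled vocabulary."""
    problems = []
    if obj.get("type") != "opinion":
        problems.append("type must be 'opinion'")
    for prop in ("id", "created_by_ref", "object_ref", "opinion"):
        if prop not in obj:
            problems.append(f"missing required property '{prop}'")
    if str(obj.get("object_ref", "")).startswith("opinion--"):
        problems.append("object_ref may not reference another Opinion")
    if obj.get("opinion") not in OPINION_VOCAB:
        problems.append(f"opinion '{obj.get('opinion')}' not in controlled vocabulary")
    return problems


def tally_opinions(opinions, object_ref):
    """Aggregate the valid, non-revoked Opinions about one object, one vote per
    created_by_ref: a producer that revises its opinion counts once, with the
    latest modified_time winning, so one organisation cannot tilt the result by
    emitting many Opinion objects. modified_time values share one ISO-8601
    format, so string comparison orders them correctly."""
    latest = {}
    for op in opinions:
        if validate_opinion(op) or op.get("revoked") or op["object_ref"] != object_ref:
            continue
        creator = op["created_by_ref"]
        if creator not in latest or op["modified_time"] > latest[creator]["modified_time"]:
            latest[creator] = op
    counts = Counter(op["opinion"] for op in latest.values())
    weights = [OPINION_VOCAB[o] for o in counts.elements() if OPINION_VOCAB[o] is not None]
    score = sum(weights) / len(weights) if weights else None
    return {"object_ref": object_ref, "voters": len(weights),
            "counts": dict(counts), "score": score}


def confidence_adjustment(tally, min_voters=1):
    """Map a tally onto the outcomes named in the use cases. min_voters lets a
    consumer demand several independent producers before moving its confidence."""
    score = tally["score"]
    if score is None or tally["voters"] < min_voters:
        return "unchanged"
    if score <= -1.0:
        return "decreased"
    if score >= 1.0:
        return "increased"
    return "unchanged"


# Constructed sample data mirroring the two use cases; ids are placeholders.
VENDOR_A_INDICATOR = "indicator--00000000-0000-4000-8000-00000000000a"  # "8.8.8.8 is malicious"
VENDOR_B_INDICATOR = "indicator--00000000-0000-4000-8000-00000000000b"  # compromised site


def _opinion(n, creator, object_ref, opinion, modified, revoked=False):
    return {"type": "opinion", "id": f"opinion--00000000-0000-4000-8000-{n:012x}",
            "created_by_ref": creator, "object_ref": object_ref, "opinion": opinion,
            "modified_time": modified, "revoked": revoked,
            "description": "constructed sample opinion"}


SAMPLE_OPINIONS = [
    # Five producers strongly disagree with Vendor A's indicator.
    *[_opinion(i, f"identity--producer-{i}", VENDOR_A_INDICATOR,
               "strongly-disagree", "2016-06-24T10:00:00Z") for i in range(1, 6)],
    # producer-6 first agreed, then revised to disagree; only the revision counts.
    _opinion(6, "identity--producer-6", VENDOR_A_INDICATOR, "agree", "2016-06-24T09:00:00Z"),
    _opinion(7, "identity--producer-6", VENDOR_A_INDICATOR, "disagree", "2016-06-24T11:00:00Z"),
    # A revoked Opinion and an Opinion about another Opinion are both ignored.
    _opinion(8, "identity--producer-7", VENDOR_A_INDICATOR, "strongly-agree",
             "2016-06-24T10:00:00Z", revoked=True),
    _opinion(9, "identity--producer-8", "opinion--00000000-0000-4000-8000-000000000001",
             "agree", "2016-06-24T10:00:00Z"),
    # Vendor C strongly agrees with Vendor B's low-confidence indicator.
    _opinion(10, "identity--vendor-c", VENDOR_B_INDICATOR, "strongly-agree", "2016-06-24T12:00:00Z"),
]
```

Calling `tally_opinions(SAMPLE_OPINIONS, VENDOR_A_INDICATOR)` yields six distinct voters and a negative score, while Vendor B's indicator gets a single strongly-agree; raising `min_voters` shows how a consumer can refuse to move on one producer's word alone.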


  • 3.  Re: [cti-stix] Opinion Object Proposal

    Posted 06-24-2016 04:18
    Regarding the concept, it's a Yes for me.


  • 4.  Re: [cti-stix] Re: Opinion Object Proposal

    Posted 06-24-2016 09:18
    On 24.06.2016 09:38:53, Terry MacDonald wrote:
    > Can I take it that the lack of responses means that you all think
    > this is a great idea? If so that's excellent, as it means it can
    > drop straight into the MVP build as it doesn't require any
    > modification :).

    Fine by me, Terry. I concur with your assessment and as the work appears to be basically ready to rock, I don't see any reason not to rope this into the MVP release.

    --
    Cheers,
    Trey
    ++--------------------------------------------------------------------------++
    Kingfisher Operations, sprl
    gpg fingerprint: 85F3 5F54 4A2A B4CD 33C4 5B9B B30D DD6E 62C8 6C1D
    ++--------------------------------------------------------------------------++
    --
    "In protocol design, perfection has been reached not when there is nothing left to add, but when there is nothing left to take away." --RFC 1925


  • 5.  Re: [cti-stix] Re: Opinion Object Proposal

    Posted 06-24-2016 12:11
    I can support this.

    Sarah Kelley
    Senior CERT Analyst
    Center for Internet Security (CIS)
    Integrated Intelligence Center (IIC)
    Multi-State Information Sharing and Analysis Center (MS-ISAC)
    1-866-787-4722 (7×24 SOC)
    Email: cert@cisecurity.org
    www.cisecurity.org
    Follow us @CISecurity


  • 6.  Re: [cti-stix] Opinion Object Proposal

    Posted 06-24-2016 12:41
    I love the idea, but I do not think we should do this for the Summer release. I see this being done in the Winter release. The reason for that is this functionality is dependent on digitally signing content and that will NOT be ready for summer. Right it is being tracked as one of the primary things for the Winter release.

    Thanks,
    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards
    Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."


  • 7.  Re: [cti-stix] Opinion Object Proposal

    Posted 06-24-2016 14:32
    For the same reason that other confidence information has been targeted post-MVP, I would say this proposal should wait until beyond the MVP. For example, there is *no* conveyance of confidence information currently in MVP by the original source of the intel but this proposal would be added so *other* people's opinions would be conveyed? That makes no sense.

    allan


  • 8.  Re: [cti-stix] Opinion Object Proposal

    Posted 06-24-2016 16:37
    Great catch Allan.  Yes, we need to do originator confidence before we do third party confidence.

    Bret

    Sent from my Commodore 64

    On Jun 24, 2016, at 7:32 AM, Allan Thomson <athomson@lookingglasscyber.com> wrote:

    For the same reason that other confidence information has been targeted post-MVP, I would say this proposal should wait until beyond the MVP.

    For example, there is *no* conveyance of confidence information currently in MVP by the original source of the intel but this proposal would be added so *other* people's opinions would be conveyed?

    That makes no sense.

    allan

    From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of "Jordan, Bret" <bret.jordan@bluecoat.com>
    Date: Friday, June 24, 2016 at 5:41 AM
    To: Terry MacDonald <terry.macdonald@cosive.com>
    Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Subject: Re: [cti-stix] Opinion Object Proposal

    I love the idea, but I do not think we should do this for the Summer release.  I see this being done in the Winter release.

    The reason for that is this functionality is dependent on digitally signing content and that will NOT be ready for summer. Right, it is being tracked as one of the primary things for the Winter release.

    Thanks,

    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

    On Jun 23, 2016, at 17:38, Terry MacDonald <terry.macdonald@cosive.com> wrote:

    Hi All,

    Can I take it that the lack of responses means that you all think this is a great idea? If so that's excellent, as it means it can drop straight into the MVP build as it doesn't require any modification :).

    Though seriously, if everyone is OK with the idea of this object which I've been banging on about for about a year then please speak up so we can get it added and allow people to have opinions about others' assertions. This object opens up the ability for people to effectively 'upvote' or 'downvote' a piece of threat intelligence. This will allow consumers to crowd-source how much they should trust the assertions made in that threat intelligence - which is a key enabler for consumers to effectively use the threat intelligence they receive.

    I passionately believe we need this object in MVP.

    Use Case (bad intel):
    - Threat Intel Vendor A provides some high confidence threat intel saying that 8.8.8.8 (Google DNS) is a malicious asset.
    - 30 other vendors and producers generate Opinion objects that all strongly disagree with the intel that Vendor A released.
    - A consumer can now see that Vendor A's intel shouldn't be trusted to have a high confidence, and therefore probably shouldn't be used in production.
    OUTCOME: Confidence in the value of the threat intel is decreased

    Use Case (good intel):
    - Threat Intel Vendor B provides some low confidence threat intel saying that they think that www.compromisedsite.com has been compromised by Angler.
    - Threat Intel Vendor C sends an Opinion Object strongly agreeing with Threat Intel Vendor C as they believe they are correct.
    - A consumer can now see that Vendor B's intel is pretty good, and they can potentially increase their confidence in that intel, and maybe use it in production.
    OUTCOME: Confidence in the value of the threat intel is increased

    What say you STIX community?

    Cheers

    Terry MacDonald
    Chief Product Officer
    M: +61-407-203-026
    E: terry.macdonald@cosive.com
    W: www.cosive.com

    On Thu, Jun 16, 2016 at 11:00 PM, Terry MacDonald <terry.macdonald@cosive.com> wrote:

    Hi All,

    As I've mentioned many times over the last year I firmly believe we need a way for third parties to agree or disagree with the threat intelligence they have received. If Org A has released a high confidence relationship between ActorX and Campaign G, and Org B knows that the relationship is wrong, then they need a way of signalling that to the community, so that community members don't blindly accept what Org A has released.

    Since late last year I've been suggesting we need an Opinion object. And today I took the step of writing up what that would look like.

    I would like to propose that we add this to the draft as proposal, and that we include it in the MVP release.

    1.2. Opinion

    Type Name: opinion
    Status: Proposal
    MVP: Undecided

    The Opinion object is used to convey the Object creator's opinion about another object produced by a third-party. It will allow each organization to agree or disagree with another organization's assertions, and ultimately will enable consumers to collect and understand the collective opinions of the community about the quality of the threat intelligence they have received.

    This is the first step towards consumers being able to crowdsource the opinion of the community, which will help newcomers to the threat intelligence sharing groups better understand which threats have a high degree of third party agreement and which are contentious.

    1.2.1. Properties

    STIX TLO Common Properties: type, id, created_by_ref, revision, created_time, modified_time, revoked, revision_comment, object_markings_refs, granular_markings

    Property Name          | Type                          | Description
    type (required)        | string                        | The value of this field MUST be opinion
    description (optional) | string                        | A description that provides the recipient with reasoning to back up the opinion identified in this Opinion object.
    object_ref (required)  | identifier                    | The id of the object that the Opinion refers to. This id can be any other STIX TLO except another Opinion object.
    opinion (required)     | list of type controlled-vocab | The opinion that the producer has about the object listed in the object_ref field. This is one of the following options: "strongly-agree", "agree", "neutral", "disagree", "strongly-disagree", "no-opinion"

    1.2.2. Source Relationships

    These are the relationships defined between the Opinion Object and other objects.

    STIX TLO Common Relationships: duplicate-of, related-to

    1.2.3. Destination Relationships

    These are the relationships defined between other objects and the Opinion Object.

    Kind of Relationship | Source Type | Description
    evidence-of          | observation | Relates the Observation to an Opinion providing the evidence that the opinion was based on. This observation is evidence of why the organization formed the opinion it did about the threat intelligence contained within the object_ref field.

    Cheers

    Terry MacDonald
    Chief Product Officer
    M: +61-407-203-026
    E: terry.macdonald@cosive.com
    W: www.cosive.com
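
The property table and the two use cases quoted in this thread, as an added Python example that is not part of the thread, of the STIX specification, or of any STIX library: it builds Opinion objects with the proposed property names and constraints, then shows how a consumer might tally third-party opinions about one object and fold the result into the producer's stated confidence. The numeric weights per vocabulary value, the low/medium/high confidence scale, the quorum of three distinct voters, the identity and indicator ids, and the sample data are all assumptions of the example. The tally keeps one vote per created_by_ref (latest revision, revoked objects dropped), otherwise a single producer could swing the result by emitting many Opinion objects; that per-creator count is only meaningful once created_by_ref can be verified, which is the dependency on signed content Bret raises above.

```python
# Added example: not code from the STIX spec, the stix2 library, or the proposal.
import uuid
from collections import Counter

# Controlled vocabulary from the proposal.  Weights are this example's assumption.
OPINION_VOCAB = {
    "strongly-agree": 2,
    "agree": 1,
    "neutral": 0,
    "disagree": -1,
    "strongly-disagree": -2,
    "no-opinion": None,  # counted as a vote but excluded from the mean
}
CONFIDENCE_LEVELS = ["low", "medium", "high"]  # assumed scale for the original intel
QUORUM = 3  # assumed number of distinct voters needed for full weight


def make_opinion(created_by_ref, object_ref, opinion, modified_time,
                 description=None, revoked=False):
    """Build an Opinion object per the proposal's property table, enforcing its
    two stated constraints: the value must come from the vocabulary and
    object_ref may not point at another Opinion.  modified_time is an ISO-8601
    UTC string so later revisions compare greater as plain strings."""
    if opinion not in OPINION_VOCAB:
        raise ValueError(f"opinion {opinion!r} is not in the controlled vocabulary")
    if object_ref.startswith("opinion--"):
        raise ValueError("object_ref must not reference another Opinion object")
    obj = {
        "type": "opinion",
        "id": f"opinion--{uuid.uuid4()}",
        "created_by_ref": created_by_ref,
        "created_time": modified_time,
        "modified_time": modified_time,
        "revoked": revoked,
        "object_ref": object_ref,
        # the proposal types this as a list of controlled-vocab but describes a
        # single value, so one entry is used here
        "opinion": [opinion],
    }
    if description is not None:
        obj["description"] = description
    return obj


def aggregate_opinions(opinions, object_ref, trusted_creators=None):
    """Summarise the community's view of one object: one vote per
    created_by_ref (latest revision wins, revoked dropped), optionally limited
    to producers whose content the consumer can authenticate."""
    latest = {}
    for op in opinions:
        if op.get("type") != "opinion" or op.get("object_ref") != object_ref:
            continue
        if op.get("revoked"):
            continue
        creator = op["created_by_ref"]
        if trusted_creators is not None and creator not in trusted_creators:
            continue
        if creator not in latest or op["modified_time"] > latest[creator]["modified_time"]:
            latest[creator] = op
    votes = Counter()
    weights = []
    for op in latest.values():
        value = op["opinion"][0]
        votes[value] += 1
        if OPINION_VOCAB[value] is not None:
            weights.append(OPINION_VOCAB[value])
    mean = sum(weights) / len(weights) if weights else 0.0
    return {"votes": dict(votes), "voters": len(weights), "mean": mean}


def adjusted_confidence(stated, summary):
    """Move the producer's stated confidence by the mean opinion, scaled down
    when fewer than QUORUM distinct voters have spoken (assumed rule)."""
    idx = CONFIDENCE_LEVELS.index(stated)
    weight = min(1.0, summary["voters"] / QUORUM)
    step = int(round(summary["mean"] * weight))
    idx = max(0, min(len(CONFIDENCE_LEVELS) - 1, idx + step))
    return CONFIDENCE_LEVELS[idx]


def worked_example():
    """Constructed data for the proposal's two use cases; ids are placeholders."""
    ind_a = f"indicator--{uuid.uuid4()}"  # Vendor A: 8.8.8.8 malicious, stated high
    ind_b = f"indicator--{uuid.uuid4()}"  # Vendor B: www.compromisedsite.com, stated low
    opinions = []
    for n in range(30):
        opinions.append(make_opinion(f"identity--vendor-{n:02d}", ind_a, "strongly-disagree",
                                     "2016-06-24T10:00:00Z", "8.8.8.8 is Google Public DNS"))
    # vendor-00 re-publishes its opinion three more times; it must still count once
    for hour in (11, 12, 13):
        opinions.append(make_opinion("identity--vendor-00", ind_a, "strongly-disagree",
                                     f"2016-06-24T{hour}:00:00Z"))
    opinions.append(make_opinion("identity--vendor-c", ind_b, "strongly-agree",
                                 "2016-06-24T10:00:00Z", "same Angler landing page observed"))
    summary_a = aggregate_opinions(opinions, ind_a)
    summary_b = aggregate_opinions(opinions, ind_b)
    return {
        "vendor_a": {"summary": summary_a, "adjusted": adjusted_confidence("high", summary_a)},
        "vendor_b": {"summary": summary_b, "adjusted": adjusted_confidence("low", summary_b)},
    }


if __name__ == "__main__":
    for vendor, result in worked_example().items():
        print(vendor, result["summary"], "->", result["adjusted"])
```

Running it reproduces the two outcomes in the use cases: Vendor A's high-confidence 8.8.8.8 indicator drops to low after 30 distinct strongly-disagree votes (the extra re-publications from vendor-00 do not inflate the count), and Vendor B's low-confidence Angler indicator rises only one step, to medium, because a single strongly-agree is below the assumed quorum.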


  • 9.  Re: [cti-stix] Opinion Object Proposal

    Posted 06-24-2016 16:48




    Yeah this is a good point, I agree with waiting.

    From: <cti-stix@lists.oasis-open.org> on behalf of "Jordan, Bret" <bret.jordan@bluecoat.com>
    Date: Friday, June 24, 2016 at 12:37 PM
    To: Allan Thomson <athomson@lookingglasscyber.com>
    Cc: Terry MacDonald <terry.macdonald@cosive.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Subject: Re: [cti-stix] Opinion Object Proposal

    Great catch Allan.  Yes, we need to do originator confidence before we do third party confidence.

    Bret

    Sent from my Commodore 64

    On Jun 24, 2016, at 7:32 AM, Allan Thomson <athomson@lookingglasscyber.com> wrote:

    For the same reason that other confidence information has been targeted post-MVP, I would say this proposal should wait until beyond the MVP.

    For example, there is *no* conveyance of confidence information currently in MVP by the original source of the intel but this proposal would be added so *other* people's opinions would be conveyed?

    That makes no sense.

    allan

    From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of "Jordan, Bret" <bret.jordan@bluecoat.com>
    Date: Friday, June 24, 2016 at 5:41 AM
    To: Terry MacDonald <terry.macdonald@cosive.com>
    Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
    Subject: Re: [cti-stix] Opinion Object Proposal

    I love the idea, but I do not think we should do this for the Summer release.  I see this being done in the Winter release.

    The reason for that is this functionality is dependent on digitally signing content and that will NOT be ready for summer. Right, it is being tracked as one of the primary things for the Winter release.

    Thanks,

    Bret

    Bret Jordan CISSP
    Director of Security Architecture and Standards Office of the CTO
    Blue Coat Systems
    PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
    "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

    On Jun 23, 2016, at 17:38, Terry MacDonald <terry.macdonald@cosive.com> wrote:

    Hi All,

    Can I take it that the lack of responses means that you all think this is a great idea? If so that's excellent, as it means it can drop straight into the MVP build as it doesn't require any modification :).

    Though seriously, if everyone is OK with the idea of this object which I've been banging on about for about a year then please speak up so we can get it added and allow people to have opinions about others' assertions. This object opens up the ability for people to effectively 'upvote' or 'downvote' a piece of threat intelligence. This will allow consumers to crowd-source how much they should trust the assertions made in that threat intelligence - which is a key enabler for consumers to effectively use the threat intelligence they receive.

    I passionately believe we need this object in MVP.

    Use Case (bad intel):
    - Threat Intel Vendor A provides some high confidence threat intel saying that 8.8.8.8 (Google DNS) is a malicious asset.
    - 30 other vendors and producers generate Opinion objects that all strongly disagree with the intel that Vendor A released.
    - A consumer can now see that Vendor A's intel shouldn't be trusted to have a high confidence, and therefore probably shouldn't be used in production.
    OUTCOME: Confidence in the value of the threat intel is decreased

    Use Case (good intel):
    - Threat Intel Vendor B provides some low confidence threat intel saying that they think that www.compromisedsite.com has been compromised by Angler.
    - Threat Intel Vendor C sends an Opinion Object strongly agreeing with Threat Intel Vendor C as they believe they are correct.
    - A consumer can now see that Vendor B's intel is pretty good, and they can potentially increase their confidence in that intel, and maybe use it in production.
    OUTCOME: Confidence in the value of the threat intel is increased

    What say you STIX community?

    Cheers

    Terry MacDonald
    Chief Product Officer
    M: +61-407-203-026
    E: terry.macdonald@cosive.com
    W: www.cosive.com

    On Thu, Jun 16, 2016 at 11:00 PM, Terry MacDonald <terry.macdonald@cosive.com> wrote:

    Hi All,

    As I've mentioned many times over the last year I firmly believe we need a way for third parties to agree or disagree with the threat intelligence they have received. If Org A has released a high confidence relationship between ActorX and Campaign G, and Org B knows that the relationship is wrong, then they need a way of signalling that to the community, so that community members don't blindly accept what Org A has released.

    Since late last year I've been suggesting we need an Opinion object. And today I took the step of writing up what that would look like.

    I would like to propose that we add this to the draft as proposal, and that we include it in the MVP release.

    1.2. Opinion

    Type Name: opinion
    Status: Proposal
    MVP: Undecided

    The Opinion object is used to convey the Object creator's opinion about another object produced by a third-party. It will allow each organization to agree or disagree with another organization's assertions, and ultimately will enable consumers to collect and understand the collective opinions of the community about the quality of the threat intelligence they have received.

    This is the first step towards consumers being able to crowdsource the opinion of the community, which will help newcomers to the threat intelligence sharing groups better understand which threats have a high degree of third party agreement and which are contentious.

    1.2.1. Properties

    STIX TLO Common Properties: type, id, created_by_ref, revision, created_time, modified_time, revoked, revision_comment, object_markings_refs, granular_markings

    Property Name          | Type                          | Description
    type (required)        | string                        | The value of this field MUST be opinion
    description (optional) | string                        | A description that provides the recipient with reasoning to back up the opinion identified in this Opinion object.
    object_ref (required)  | identifier                    | The id of the object that the Opinion refers to. This id can be any other STIX TLO except another Opinion object.
    opinion (required)     | list of type controlled-vocab | The opinion that the producer has about the object listed in the object_ref field. This is one of the following options: "strongly-agree", "agree", "neutral", "disagree", "strongly-disagree", "no-opinion"

    1.2.2. Source Relationships

    These are the relationships defined between the Opinion Object and other objects.

    STIX TLO Common Relationships: duplicate-of, related-to

    1.2.3. Destination Relationships

    These are the relationships defined between other objects and the Opinion Object.

    Kind of Relationship | Source Type | Description
    evidence-of          | observation | Relates the Observation to an Opinion providing the evidence that the opinion was based on. This observation is evidence of why the organization formed the opinion it did about the threat intelligence contained within the object_ref field.

    Cheers

    Terry MacDonald
    Chief Product Officer
    M: +61-407-203-026
    E: terry.macdonald@cosive.com
    W: www.cosive.com


  • 10.  Re: [cti-stix] Opinion Object Proposal

    Posted 06-25-2016 14:25
    Terry:

    This Opinion TLO proposal brings up a good point that I've been wanting to mention to the list. In traditional Intelligence there are well developed analytic techniques for discerning if a target or person of interest is using deceit and deception strategies as part of their mission. In cybersecurity intel we see this through the use of Avatars or Sock Puppets by Identities (Threat Actors), traversal through TOR and i2P, and through multi-layered fraud schemes like the use of money mules for money laundering operations. So in our field we could characterize the practice as denial, deceit, and obfuscation (DDO).

    As an analyst trying to make sense of the expanded STIX data model as it is evolving I've been trying to imagine how I would characterize DDO tactics for a trust partner I'm sharing intel with. Do I use the Identity (Threat Actor) TLO for an Avatar? How do I assert that I believe it is a persona? Do I use the CybOX Network Object for a TOR exit node characterization? Do I need to assert any deductions I make about any connections to an Identity (Threat Actor) operating through TOR in this instance? And for the money mule example, I'm scratching my head on how to characterize that. Perhaps that is something we can drill down into when we get back to the TTP object post MVP release.

    With an Opinion TLO I can make assertions about my interpretation of various Identities, TTPs and other features that are part of a natural process when I am hunting for clues and climbing up the pyramid of pain.

    I strongly support the addition of an Opinion TLO for the Winter release, for all of the reasons noted by Allan and Bret.

    Jane Ginn, MSIA, MRP
    Cyber Threat Intelligence Network, Inc.
    jg@ctin.us


  • 11.  Re: [cti-stix] Opinion Object Proposal

    Posted 06-30-2016 05:19
    Jane,

    Very valuable to have feedback from an Intelligence SME. Good point using the term "Assertion" (it has already been discussed some time ago, i.e. https://github.com/STIXProject/schemas/issues/386 ). A proper information model (with a good hierarchy of the objects) and the "open relationships" approach would hopefully facilitate the characterization of your use cases.

    2016-06-25 17:24 GMT+03:00 Jane Ginn - jg@ctin.us <jg@ctin.us>:

    Terry:

    This Opinion TLO proposal brings up a good point that I've been wanting to mention to the list. In traditional Intelligence there are well developed analytic techniques for discerning if a target or person of interest is using deceit and deception strategies as part of their mission. In cybersecurity intel we see this through the use of Avatars or Sock Puppets by Identities (Threat Actors), traversal through TOR and i2P, and through multi-layered fraud schemes like the use of money mules for money laundering operations. So in our field we could characterize the practice as denial, deceit, and obfuscation (DDO).

    As an analyst trying to make sense of the expanded STIX data model as it is evolving I've been trying to imagine how I would characterize DDO tactics for a trust partner I'm sharing intel with. Do I use the Identity (Threat Actor) TLO for an Avatar? How do I assert that I believe it is a persona? Do I use the CybOX Network Object for a TOR exit node characterization? Do I need to assert any deductions I make about any connections to an Identity (Threat Actor) operating through TOR in this instance? And for the money mule example, I'm scratching my head on how to characterize that. Perhaps that is something we can drill down into when we get back to the TTP object post MVP release.

    With an Opinion TLO I can make assertions about my interpretation of various Identities, TTPs and other features that are part of a natural process when I am hunting for clues and climbing up the pyramid of pain.

    I strongly support the addition of an Opinion TLO for the Winter release, for all of the reasons noted by Allan and Bret.

    Jane Ginn, MSIA, MRP
    Cyber Threat Intelligence Network, Inc.
    jg@ctin.us