
Stix Difficulties: Cannot suggest hypotheses to a community through STIX #79

Open
terrymacdonald opened this issue Dec 2, 2015 · 0 comments


PROBLEM

There are no certainties in Threat Intelligence Gathering and Analysis. Every bit of information you receive should be treated as the author’s assertion of the truth – it is not the truth.

Threat Analysts are looking for patterns; looking for commonality; looking for statistical outliers. And when they find something unusual they have a need to track it in some way for future use and investigation. They are effectively looking at the collection of data that they have received from others and themselves over a multitude of mechanisms, and trying to make sense out of it. They slice it, dice it and try to form new relationships between the objects within it - new 'hypothetical' relationships that range from nearly impossible to purely speculative.

We need to support both the ability to share these more hypothetical relationship possibilities to help the threat analysts speculate, yet also allow the incident responders at the coalface to care only about the immediate threats and provide them with the ability to defend their Organization from attack.

At the moment we have the ability to say 'we assert that Object A and Object B are related with low confidence', but we don't have the ability to say 'if Object A was related to Object B then that would mean Objects C, D and E are also related'. If we provided the ability to send out hypotheses and get agreements and disagreements with the hypothesis sent back to the originating Threat Analyst (à la indicator sightings), then that would enable the Threat Analysts to crowdsource 'what-if' scenarios amongst themselves, leading to potentially faster conclusions.

POTENTIAL ANSWER

This could be handled within the relationship object, by somehow acknowledging the hypothetical relationships are exactly that. Providing the mechanism for separating hypothetical relationships with real ‘production-level’ relationships will allow people to use only the production-level relationships in their security tools, yet still keep track of the hypothetical relationships and participate in community speculation.

This section goes hand-in-hand with the Investigation Object idea (section 18: "Difficult to group 'possibly' related things during an investigation").
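One way to see what the separation proposed above buys a consumer, as an added example that is not code from the cti-stix project or from the issue author: relationships in a STIX 2.1 JSON bundle (the STIX 2.x format did not exist when this issue was filed) are tagged with an assumed custom property `x_hypothesis_id` when they belong to a shared hypothesis, and left untagged when they are production-level assertions. A security tool then walks only the production relationships, while an analyst can opt in to one hypothesis at a time and see which objects it would pull into scope. All object IDs and the bundle contents are constructed sample data.

```python
"""Split a STIX 2.1 bundle into production-level and hypothetical relationships.

Added example, not code from the cti-stix repository or the issue author.
It assumes STIX 2.1 relationship SROs plus one hypothetical custom property,
``x_hypothesis_id`` (the ``x_`` prefix is the STIX convention for custom
properties), that groups the relationships making up a single hypothesis.
"""
from collections import defaultdict

HYPOTHESIS_PROP = "x_hypothesis_id"  # assumed custom property, not defined by STIX


def rel(rel_id, src, dst, confidence, hypothesis=None):
    """Build a minimal STIX 2.1 relationship object (constructed sample data)."""
    obj = {
        "type": "relationship",
        "spec_version": "2.1",
        "id": f"relationship--00000000-0000-4000-8000-00000000000{rel_id}",
        "created": "2015-12-02T00:00:00.000Z",
        "modified": "2015-12-02T00:00:00.000Z",
        "relationship_type": "related-to",
        "source_ref": src,
        "target_ref": dst,
        "confidence": confidence,  # STIX 2.1 confidence scale, 0..100
    }
    if hypothesis is not None:
        obj[HYPOTHESIS_PROP] = hypothesis
    return obj


def ind(suffix):
    """Placeholder indicator ID (constructed, not a real object)."""
    return f"indicator--00000000-0000-4000-8000-00000000000{suffix}"


# Constructed sample: A-B is asserted with low confidence; the analyst's
# hypothesis "if A-B holds then C, D and E are related too" is tagged hyp--1.
A, B, C, D, E = (ind(n) for n in "abcde")
BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        rel("1", A, B, 30),
        rel("2", B, C, 10, hypothesis="hyp--1"),
        rel("3", C, D, 10, hypothesis="hyp--1"),
        rel("4", C, E, 10, hypothesis="hyp--1"),
    ],
}


def split_relationships(bundle):
    """Return (production, hypothetical) relationship lists from a bundle."""
    production, hypothetical = [], []
    for obj in bundle["objects"]:
        if obj.get("type") != "relationship":
            continue
        (hypothetical if HYPOTHESIS_PROP in obj else production).append(obj)
    return production, hypothetical


def reachable(relationships, start, min_confidence=0):
    """Objects connected to `start` via relationships at or above min_confidence."""
    adj = defaultdict(set)
    for r in relationships:
        if r.get("confidence", 0) >= min_confidence:
            adj[r["source_ref"]].add(r["target_ref"])
            adj[r["target_ref"]].add(r["source_ref"])
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(adj[node] - seen)
    return seen


def production_view(bundle, start):
    """What a security tool should act on: production relationships only."""
    production, _ = split_relationships(bundle)
    return reachable(production, start)


def hypothesis_view(bundle, start, hypothesis_id):
    """What an analyst sees after provisionally accepting one hypothesis."""
    production, hypothetical = split_relationships(bundle)
    accepted = [r for r in hypothetical if r[HYPOTHESIS_PROP] == hypothesis_id]
    return reachable(production + accepted, start)


if __name__ == "__main__":
    print("production scope from A:", sorted(production_view(BUNDLE, A)))
    print("with hyp--1 accepted:   ", sorted(hypothesis_view(BUNDLE, A, "hyp--1")))
```

Because the hypothesis tag rides on the relationship object rather than on the related objects, a consumer that knows nothing about the custom property still ingests the objects normally, and one that does can drop the tagged relationships at the boundary before feeding the graph to blocking or alerting tools.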
