CTI-TC Weekly Working Sessions

Meeting Date: December 6, 2016
Time: 15:00:00 UTC
Purpose: Weekly CTI TC Joint Working Session

Attendees: Jordan Darley Thomson Burger Taylor Jon Baker Laura [Last name not given] Davidson Kirillov Wunder Moderator Greg Back Stephen Banghart Sanjiv Kalkar Keirstead Piazza Masato Terada - Gurney Jane Ginn - Recorder
Other unidentified guests

Agenda:
1. Status update on bundle, versioning, and timestamp
2. Timestamp precision discussion
3. Patterning OTHERWISE operator
4. Topics / volunteers for STIX 2.1 and F2F
   a. Malware
   b. Infrastructure
   c. Confidence
   d. Location
   e. Incident
   f. COA
   g. Internationalization
   h. Others?

Meeting Notes

F2F Session coming up in January. Please complete the EventBrite invite if you are going. I'll send out the invite again.

Reviewed the status of Bundle, Versioning, Timestamps
- Provided an alternative approach to Timestamp. What would the default be?
- Explained how it would work.
Asked how leap-second would work with the proposal
- Explained how it would work.
I don't see how this is relevant from an operational point of view.
Discussed how, for Observed Data on a pattern, it might be relevant.
- Discussed why it would be important.
Low on the list of race conditions.
Is there anyone we have not heard from yet?
What was the key point that made?
I'm in car.
Part of the issue: we are trying to have 1 way of representing time.
Two distinct patterns: one in Pattern and one in Observation.
Explained how it would work with Pattern.
Other side is "I've Observed These Events." With these, we are in the realm of nanoseconds. Then you may well care about this level of precision.
When you talk about STIX Observables, people conflate the data model with SDO. Some syslog or Netflow data that the pattern will be applied against.
I will leave that in my non-academic colleague's lap.
We may be artificially creating a problem where one does not exist.
If you care about a sequence of events, it is possible that this level of granularity may be required, hopefully small.
The order of events is important; the exact Timestamp does not matter.
I survived the first debate on Timestamp.
How bad would it be to leave things as they are?
I thought we did this in January of last year, not this year.
I would be fine with leaving it the way it is. It will make all parties equally unhappy.
Let's let people think about that.

Now let's talk about Timestamp Precision. Do we need that field? Where do we need it?
Right now it is on all Objects except first_seen and last_seen.
The only thing I understand from the original debate. BTW, I hate the way we do that now.
I don't understand operationally how it will work. It seems like this stems from a single Use Case.
It surprises me that this is not a solved problem.
From that perspective, does this belong on the Report object?
Two Use Cases delivered: Obfuscation & Uncertainty in Granularity.
To rephrase what asked - Do we need it?
It is easier to add than remove a field.
I don't personally have an opinion. I believe it is optional; a compromise might be to reserve the term.
What is the scope? Part of the Core or part of all of the Objects?
Cyber Observable layer does not use this level of precision.
Maybe what is proposing is the way to go.
I don't understand from a product: does any TIP use this now? What are people doing now? How is this done, how is this used?
I know this data is only accurate to the hour so I'll tag it. What does the Consumer do with this?
I can come up with some Use Cases, but it should be promoted by those that need it.
I think it is important when you write the report. I would say that people do care about that.
I can see this as a justification. Created and modified, set by a machine. In the old version, we saw this as being crafted by hand. In the new version, we know when this is created. Only Use Case for obfuscation.
These have to have analytical value. No disrespect to any machines on the phone. We have to consider these Use Cases.
Good point. Precision stuff is human oriented.
Why not leave those fields blank and put it in the description?
By not putting it in a field that is meant to be parsed you are making explicit to put that in a description.
Explained how it would work.
When you talk about a machine parsing it, you can only know if the machine is accurate. What choice do you have but to bubble up to a human?
There might be some other stuff, but all zeroed out; then retain what is in the precision field.
I think that feels there might be some value to this field. Only on certain Objects.
Ok, I'll make a list where we have it now.
Proposed another alternative: use as is today; 2nd option to use a range; 3rd option would be to break out the fields.
I don't really like those two solutions.
I'm not saying I like them, I'm trying to be complete.

I'll turn over to and.
Issue we found on STIX Patterning, called along_with. Gave example of file and registry key. Separate observations. With some cases you might need to look for a process. We didn't have that ability to express these kinds of patterns. So we added a new field called otherwise, in section 4.1.2.
Can you explain the difference between or and otherwise?
Explained how that would work. The main reason we could have kept and and or. That is the rationale we used to specify these operators. We thought it would be easier to explain in the Spec.
Gave an example.
Asked a question.
Clarified how the example would work. We need to be able to and and or single objects. Example 6-22 is a notional example of how this would work. You need to use along with and.
Asked for clarification.
The granularity of and and or is single properties. The granularity of otherwise is on an expression level.
Are we able to group?
You can see that on the example, wrapped with (). You could have represented this in two patterns before. This gives you the ability to do that. If we didn't have this it would limit authors. You could create as two, or one. As an author, is that you should have that ability.
- I just wanted to clarify about how it would work.
Why are we using different terms? You also have followed_by.
- You have to have something to order against.
Do we really need different names? Or do we just need () and brackets? It feels like the key differentiator is level of scope, or level of abstraction.
In implementation, it might be confusing. In other patterning grammars, does it? It might be easier to get it wrong.
- If you leave them the same, there is a problem.
Gave example of Validator. Is the MITRE tool wrong? Or does the tool need to be updated?
If I was developing a product -- used Splunk scripts as an example. If I was a Product Manager I would follow a similar modality.
I see this as I don't care.
As an implementer, I can see confusion. If it is a User Interface, more difficult. Other CLI-type behavior, will people be able to understand? Gave example of Firewall Rules.
If someone has a particular Use Case.
It seems like it is begging for confusion.
So you would prefer just and and or?
Explained why I could go the other way. With along_with there is some ordering; I think that is why it was added. We could use and_then for ordering.
A User Interface could help the User decide.
I kind of like and_then.
- I don't like it; too similar and leads to confusion.
I am still at a loss why we can't just use and and or. You only have 3 operators.
- If so many people are opposed to it, why was it not raised earlier?
Only a few people on the calls. We are always going to get more comments on these working calls. We need to be open to taking feedback. This happens; it did happen with TAXII and now other. "Hey, why wasn't that brought up sooner?" We are rehashing the Timestamp debate of 2015; we all suffered through this. We can't use that argument: where were you then?
Is the concern the terminology or the functionality? Is the main concern followed_by --- Otherwise?
Followed_by is not the same. That was more of a secondary discussion.
I'm getting a sense that the consensus is to go with and and or.
I believe that was the never-mind operator.

I had one more topic: there is a bunch of topics we need to tackle. It works better if a small group puts together a proposal. Maybe we can talk about it next week. We'll be looking for volunteers to do these topics. We are in the home stretch; let's put together some ideas for 2.1.
I'll volunteer for Location and Intel Notes & Confidence and COA.
If anyone has any other comments, let's discuss on the list or Slack.

Meeting Terminated