Which to use? Indicator Composition, Observable Composition, or referenced Object?

[terrymacdonald]

PROBLEM

There are multiple ways that Indicators and Objects can be composed/related together as part of an Indicator. If a producer has discovered an Indicator of badness that describes an email with an attachment, there are a few different ways of describing that:
 
Too many ways to compose Indicators, Observables and Objects together

1. A composite indicator including two indicators, with the first referencing the email Observable with a single email object, and the other Indicator referencing the attachment Observable with a single attachment object
2. A single indicator including an Observable Composition, with the first Observable containing a single email object, and the 2nd Observable containing a single attachment object
3. A single indicator including a single Observable containing two Objects – the first Object describing the email, and it containing a Related_Object reference to the single attachment object.

This is multiple levels of variability, and very confusing for new users of STIX. There must be a way of making it simpler – or even better restricting it to the ‘one way to do it’.

POTENTIAL ANSWER

All three layers of variation may not be required. Anecdotally it seems most people are only really using Observable_Compositions. This may indicate that Indicator_Composition and Related_Objects are not required in STIX v2.0.

We should do a survey to see who is using what, and use that evidence as the basis for our future design.

Section 24- “Are CybOX IDs used in STIX?” has some details on the use of Object ID’s as there have been some questions whether Cybox:Objects actually need IDs at all. This topic and that topic are closely related.

[johnwunder]

Related to 200 in STIX tracker, top 10 number 9.

[treyka]

Based on my own observations, CybOX Observable Compositions are indeed (as Terry suggests) the most popular construct. If, however, we're serious about pulling all patterning up into the STIX (2.0) level, then we should eliminate CybOX Observable Compositions and make something like the current STIX Composite Indicator Expression the one way of doing it.

[MarkDavidson]

Reading the description of the problem leads me to the following:

• The proble, statement describes a single indicator, so indicator composition does not seem the benefit the problem statement.
• Items 2 and 3 might become the "same" depending on how refactoring in CybOX goes.

[terrymacdonald]

I'm leaning towards only using Observable Comparisons. The fact that they appear to be one of the main ways that grouping is shown within STIX 1.2 tells me that they make the most sense to people. I don't think I've ever seen an Indicator Composition within any data apart from the examples on the STIX website.

I really am not a fan of the Object level linking that is available within CybOX. I personally feel that if an object requires linking then it should be done at the next level up i.e. within MAEC, or within STIX. CybOX should provide the dictionary of building blocks that STIX/MAEC uses to build things with. Do changes like that to CybOX make sense? I think so.

Regarding Indicator Composition, I see this as being available for a very very rarely used construct. I firmly believe this confuses people as it is 'Yet Another Way To Do It', and I only see it being useful when someone wants to detect each indicator and then detect a group of those Indicators. That situation comes up very rarely. In most cases I envisage that a Threat Intelligence Analyst would want to know if one of the Indicators has alerted. They may have some additional alerting setup in their information repository to alert when Indicators from certain Threat Actors are detected, but they would likely want to alert on the first thing that is seen from them. Additionally, the 'alert on groups of indicators' is something that can be done in the SIEM alerting if required. If this functionality is required, it is likely required only by that specific organization, and is not something that would be necessarily useful to other organizations.

All of which sees me leaning towards just using the Observable Composition as the logical grouping mechanism.

[treyka]

My main concern is that there be One Obvious Way [tm] of asserting context between CybOX observables. Based on the conversations I've been privy to thus far, there seemed to be a clear consensus that we should pull all of the Boolean contextual stuff up into STIX and draw a clear tearline. My comment (speaking as a CybOX co-chair) was intended to support this notional tearline. It is true that what we see used in the field is like 99% Observable Compositions, but these results may well be skewed by the existing MITRE examples and idioms. Frankly, I could go either way. At the end of the day, all I want to see is the aforementioned One Obvious Way [tm] of dealing with observable context. ^_^

[johnwunder]

My point of view is this...

We should migrate all patterning and composition into STIX from CybOX. When that happens, Indicator_Composition and Observable_Composition should merge...what we call the new thing can be either one of those or something different, but the distinction should go away.

As for related objects...this requires more thought. If we could get it so that you can represent things like an e-mail with attachments without requiring related objects that would be ideal, but I'm not sure it's possible. I'm curious what Ivan thinks.

[terrymacdonald]

I'd have to agree with all you said John. I think moving the patterning
into STIX and only using observable composition makes sense.

Does CybOX 3 support nesting of objects? As in a PDF that contains an
executable? I've not really investigated before.

Cheers
Terry MacDonald
On 16/12/2015 11:36 am, "John Wunder" notifications@github.com wrote:

My point of view is this...

We should migrate all patterning and composition into STIX from CybOX.
When that happens, Indicator_Composition and Observable_Composition should
merge...what we call the new thing can be either one of those or something
different, but the distinction should go away.

As for related objects...this requires more thought. If we could get it so
that you can represent things like an e-mail with attachments without
requiring related objects that would be ideal, but I'm not sure it's
possible. I'm curious what Ivan thinks.

—
Reply to this email directly or view it on GitHub
#28 (comment).

[treyka]

@terrymacdonald Ivan and I haven't gotten that far along with CybOX 3 yet but my feeling is that we DO NOT want to support nesting objects.