STIXProject / specifications

DRAFT STIX specification documents for version 1.2

Stix Difficulties: Difficult to group 'possibly' related things during an investigation #78

Open terrymacdonald opened 8 years ago


PROBLEM

There is no easy temporary way to temporarily relate possibly related items together. When one is conducting an investigation into a series of suspicious events prompted by your Organization’s monitoring processes, we often want to tag/relate these events together, without actually creating an official ‘Incident’ (as we’re not sure anything has actually happened yet – it could be a false positive). It is currently possible to put that information inside an Incident object, but I view the Incident Object as somewhere where one would put the information when it is confirmed there is a problem. I believe we need a separate way of ‘tagging’ and ‘grouping’ potentially related items together in more of a throwaway fashion.

This may have a lot in common with section 20 “Cannot suggest hypotheses to a community through STIX”.

POTENTIAL ANSWER

There are a couple of ways of doing this.

Firstly we could just use the top-level relationship object to link potentially related objects together as described in section 20 “Cannot suggest hypotheses to a community through STIX”. There could be some kind of marking within the relationship that would allow the relationship to have a type of ‘hypothesis’ (or similar), and the Incident could have a status of ‘Under Investigation’. This would allow the Incident Object to become the ‘tag’ that relates all the other objects together.

The downside to this design would be that the grouping mechanism (the Incident in this case) will only apply to the things that can reference the Incident, potentially leaving out other objects that don’t have a direct relationship within the current data model. If we decide to allow relationships to occur from any STIX object to any STIX object then this mechanism could work.

A second way to accomplish this would be to create a ‘tag/label’ Object. This would solely be a grouping mechanism, allowing one to link (using top-level relationships) from that tag object to any other STIX Objects. One could link any Objects to the tag object, and keep that relationship for as long as required. It could be beneficial for grouping potentially related items together, and would allow for related items to have multiple labels at the same time. A STIX incident and exploit target could all be related to a ‘TorrentLocker’ tag object, an ‘Investigation#352’ object and a ‘weirdly formatted spam’ object all at the same time.
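The second proposal above (a throwaway ‘tag’ object joined to arbitrary objects by top-level relationships) can be modelled in a few lines. The following is an added illustration written for this page, not code from the STIX project or from the issue author. The `tag` object type, the `hypothesis` and `confirmed` relationship types, the object ids and the `promote`/`discard` operations are all assumptions made for the example; they show the analyst workflow the proposal enables: several tags on one object at once, discarding a grouping that turns out to be a false positive without touching the objects themselves, and re-pointing a grouping at an Incident once it is confirmed.

```python
"""Toy graph model of the 'tag object + top-level relationship' grouping idea.

Constructed illustration only: object ids, the 'tag' object type and the
relationship types 'hypothesis' / 'confirmed' are assumptions for this example,
not part of the STIX 1.2 data model.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class StixObject:
    id: str      # constructed ids such as "incident--1"
    type: str    # incident, exploit_target, indicator, tag, ...
    name: str = ""


@dataclass(frozen=True)
class Relationship:
    source: str     # id of the object the relationship starts from
    target: str     # id of the object it points at
    rel_type: str   # "hypothesis" while unconfirmed, "confirmed" afterwards


class Graph:
    def __init__(self):
        self.objects = {}
        self.rels = []

    def add(self, obj):
        self.objects[obj.id] = obj

    def relate(self, source, target, rel_type="hypothesis"):
        """Top-level relationship: any object may point at any other object."""
        for oid in (source, target):
            if oid not in self.objects:
                raise KeyError(f"unknown object {oid}")
        self.rels.append(Relationship(source, target, rel_type))

    def members_of(self, tag_id):
        """Objects grouped under a tag (empty if the tag no longer exists)."""
        if self.objects.get(tag_id) is None or self.objects[tag_id].type != "tag":
            return []
        return sorted(r.target for r in self.rels if r.source == tag_id)

    def tags_of(self, obj_id):
        """All tags currently applied to an object; an object may carry several."""
        return sorted(r.source for r in self.rels
                      if r.target == obj_id and self.objects[r.source].type == "tag")

    def discard(self, tag_id):
        """False positive: drop the tag and its relationships, keep the objects."""
        self.rels = [r for r in self.rels if tag_id not in (r.source, r.target)]
        self.objects.pop(tag_id, None)

    def promote(self, tag_id, incident_id):
        """Confirmed: re-point the tag's members at an Incident, then drop the tag."""
        moved = []
        for r in [r for r in self.rels if r.source == tag_id]:
            if r.target != incident_id:          # don't relate the Incident to itself
                self.rels.append(Relationship(incident_id, r.target, "confirmed"))
                moved.append(r.target)
        self.discard(tag_id)
        return sorted(moved)

    def related(self, obj_id, rel_type=None):
        """Targets of outgoing relationships from obj_id, optionally filtered by type."""
        return sorted(r.target for r in self.rels
                      if r.source == obj_id and (rel_type is None or r.rel_type == rel_type))


def build_example():
    """Constructed sample mirroring the three tags named in the issue."""
    g = Graph()
    g.add(StixObject("incident--1", "incident", "suspicious logins"))
    g.add(StixObject("exploit-target--1", "exploit_target", "unpatched mail gateway"))
    g.add(StixObject("indicator--1", "indicator", "odd spam subject line"))
    g.add(StixObject("tag--torrentlocker", "tag", "TorrentLocker"))
    g.add(StixObject("tag--inv352", "tag", "Investigation#352"))
    g.add(StixObject("tag--spam", "tag", "weirdly formatted spam"))
    for tag in ("tag--torrentlocker", "tag--inv352", "tag--spam"):
        g.relate(tag, "incident--1")
        g.relate(tag, "exploit-target--1")
    g.relate("tag--spam", "indicator--1")
    return g


if __name__ == "__main__":
    g = build_example()
    print("tags on incident--1:", g.tags_of("incident--1"))
    g.discard("tag--spam")                       # spam angle was a false positive
    print("promoted:", g.promote("tag--inv352", "incident--1"))
    print("incident--1 now confirmed-related to:", g.related("incident--1", "confirmed"))
```

The point of keeping tags as separate objects is visible in `discard`: throwing away a hypothesis removes only the tag and its edges, so the indicator and exploit target stay in the repository untouched, whereas recording the same grouping inside an Incident would mean editing the Incident (or deleting it) when the investigation closes as a false positive.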