oasis-tcs / cti-stix2

OASIS CTI TC: Provides issue tracking and wiki pages for the STIX 2.x Work Products
https://github.com/oasis-tcs/cti-stix2

STIX 2.1 Profiles #283

Open nor3th opened 2 years ago

nor3th commented 2 years ago

Dear STIX2 Team

I was wondering if there are plans of bringing the idea behind the STIX 1 Profiles (https://stixproject.github.io/documentation/profiles/) back?

I was recently talking to Chris O'Brien (@cobsec) about the idea of having a minimal subset of SROs/edges between SDOs/nodes as a template for cyber security concepts that require a composite of STIX objects. This attempt aims at fitting as much necessary information from an analysis, e.g. an incident report, into a graph representation (as STIX) and hence improving the consistency in STIX data modelling across providers and the ability for reports to be shared and understood by consumers.

Overall this idea sounds very similar to the STIX 1 Profile idea, only I would like to throw the relationship template into a CTI platform like MISP or OpenCTI which would help the analyst develop the relevant relationships and increase the quality of the data set.

We could also develop the concept separately to the TC (since we are not members) and present it once the development is done if there's any interest?

Regards

ejratl commented 2 years ago

The STIX WG does not currently plan to work on profiles for STIX 2.1+. If you develop this idea independently and open source it, we would welcome you to bring it to the Community Corner in the CTI TC monthly meetings.

ejratl commented 2 years ago

The STIX Interoperability document defines producer and consumer personas, such as TIP, SIEM, TDS, TMS, etc. Would this concept cover what you are looking for with profiles? They are documented here: https://www.oasis-open.org/committees/document.php?document_id=69726&wg_abbrev=cti

nor3th commented 2 years ago

Unfortunately not, no. What I am looking for is a definition for developing an incident model/description using STIX. In a sense where STIX is the language, I need a grammar of how the language should be structured (which SDOs and SROs are minimum requirements) to properly describe the necessary information about an incident without 1) losing too much information compared to a "normal" textual report and 2) without each analyst ending up developing their own grammar for describing an incident.

rpiazza commented 2 years ago

@nor3th Are you aware of the work being done on a STIX extension for the Incident object? https://docs.google.com/document/d/1Isxk2VVDmgMOi-1GjC4fsraKJMnwN9_ad8Z8UKsySQw/

rpiazza commented 2 years ago

@nor3th We are reviewing open issues and wanted to know if this one is still something of interest to you.

I'm not exactly sure what you have in mind, but I think it is different than the STIX 1.x concept. In general, a profile was a way to define a restriction of the number of allowed STIX 1 objects and properties in the content. Basically, an agreement between consumers and producers of a trust group. It was implemented as an Excel spreadsheet, and as far as I know, was just documentation. There is no intention to introduce this in STIX 2.

From what I understand of your proposal, you want some way to describe the collection of SDO/SCO/SROs that can be used to define a higher level concept. This sounds like a good idea to explore, but I don't think profiles would be the answer.

Perhaps you can include an example so we can brainstorm?

nor3th commented 2 years ago

Hey @rpiazza

Thank you for your reply! @incident extension: no, it's not what I am looking for (sorry for the late answer)

What I am looking for is a model similar to those described by ANSSI on pages 11 and 12 (https://www.ssi.gouv.fr/uploads/2019/10/anssi-doctrine_opencti-v1.0.pdf). The model I am imagining ideally includes all necessary SDOs, SCOs and SROs to describe what the TA did, how the TA did it and how the SCOs all play a part in it (like for an entire campaign or a single incident).

The reason why I referred to the STIX 1 profiles is as a possible point of reference, because it is somewhat similar to the model I am looking for. In the end it doesn't matter to me if the model is a STIX 2.1 profile or a mere best practice. The main objective is to have a common model ideally with a defined subset of required SROs for describing an entire incident or campaign (with all relevant SCOs and SDOs) and not just the incident/campaign SDOs. This would hopefully standardize the models in some way to preserve a high information quality instead of every company or analyst having their own model of what is necessary to include and what is not.

From what I understand of your proposal, you want some way to describe the collection of SDO/SCO/SROs that can be used to define a higher level concept.

Exactly

Perhaps you can include an example so we can brainstorm?

Are the ANSSI models sufficient to brainstorm? Additionally to how the incident involves the targeted company and sectors, I would love to also include how all relevant SDOs, SROs and SCOs play a part in it. The final dataset should then be usable for technical analysts (for better defending against certain steps of the TA by understanding how the TA operates) as well as a cti analyst for understanding how the group operates and thus is better able to track it and cluster its activities.

It might be possible to also separate the model's data into two categories: 1) attack related (malware, IP, domains, tools) and 2) other relevant info (sector, victim, country). It could even go as far as describing every attack related technical step in sequential order (maybe via MITRE Attack Flow) like this, but I don't know if this would then be overkill.

STIX Incident

Regards

rpiazza commented 2 years ago

Hi @nor3th,

I took a quick look at the link you sent (mostly looking at the diagrams). I think this idea has potential, but I thought the collection of STIX objects was very general. I could see these diagrams as a training tool - i.e., "this diagram represents the ideal way to model a campaign". The idea of a profile is to restrict the use of STIX object types and properties. It might be difficult to insist on this model for a campaign, since you may not have all of the details.

I was thinking it would be more specific - maybe your idea of modeling an attack flow makes more sense.

nor3th commented 2 years ago

Hey

The idea of a profile is to restrict the use of STIX object types and properties. It might be difficult to insist on this model for a campaign, since you may not have all of the details.

That's true, but after i.e. an incident, there'll always be something you don't know. I think the model should advise "If insight into the initial access exists, add it like this to the model" in those cases. To be fair, I don't have a concrete idea of how the model should be implemented. If it should be by using a profile (restricting the use of STIX objects), a kind of template (of recommended STIX objects) or something else. The end goal should be to have a structured representation of the knowledge gained from i.e. an incident.

I am completely aware that the migration of unstructured information (i.e. a textual report) into a structured form (STIX) will lead to a certain reduction of available information. But the structured form should contain the most relevant information, which then could be used for answering analytic questions for security engineers, CTI analysts and alike.

By only consuming the structured form, this would save resources otherwise needed to disseminate the unstructured report in the first place. If need be one could always still have a look at the unstructured report and answer any open questions if there are any.

Ideally the process of transforming unstructured data into a structured form should not require too much time either, otherwise it won't be used. I think the idea of using the attack flow for the technical part would be great from a storytelling point, I just don't know yet how this could be done efficiently. Something similar to the sandbox report tool Crowdstrike developed here might be a possible approach (https://www.crowdstrike.com/blog/sandbox-scryer-free-threat-hunting-tool/), but in cases where only the unstructured textual report is available some other approach would be needed.

Regards
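The thread describes two things a "model" or "grammar" for an incident/campaign would need: a defined subset of required SROs between the required SDOs/SCOs (nor3th's earlier comment), and conditional rules of the form "if insight into the initial access exists, add it like this" so the template does not insist on details the analyst does not have (the reply above). The following script is an added example, not code from this thread or from the cti-stix2 project: it encodes such a template as plain data, checks a STIX 2.1 bundle against it, and reports what is missing. The template contents, the identifiers and the sample bundle are constructed for illustration; the relationship types used (attributed-to, targets, uses, indicates, communicates-with) are the standard ones listed in the STIX 2.1 specification's relationship tables.

```python
"""Check a STIX 2.1 bundle against a minimal incident/campaign template.

Added example, not part of the cti-stix2 project. The template below is a
hypothetical, constructed "grammar" of required object types and required
SRO edges; a real trust group would agree on its own contents.
"""
import json
import uuid

# Hypothetical template (constructed for this example):
#  required_types     - SDO/SCO types every incident/campaign bundle must contain
#  required_edges     - (source type, relationship_type, target type) triples that
#                       must exist as SROs in the bundle
#  conditional_edges  - (trigger type, edge): the edge is only required when an
#                       object of the trigger type is present, so the template does
#                       not insist on details the analyst does not have
INCIDENT_TEMPLATE = {
    "required_types": {"campaign", "intrusion-set", "identity", "malware"},
    "required_edges": [
        ("campaign", "attributed-to", "intrusion-set"),
        ("campaign", "targets", "identity"),
        ("intrusion-set", "uses", "malware"),
    ],
    "conditional_edges": [
        ("attack-pattern", ("intrusion-set", "uses", "attack-pattern")),
        ("indicator", ("indicator", "indicates", "malware")),
        ("ipv4-addr", ("malware", "communicates-with", "ipv4-addr")),
    ],
}

# Constructed placeholder identifiers (STIX 2.1 ids are "<type>--<UUIDv4>").
IDS = {
    "campaign": "campaign--1b2c3d4e-1111-4aaa-8bbb-000000000001",
    "intrusion-set": "intrusion-set--1b2c3d4e-1111-4aaa-8bbb-000000000002",
    "identity": "identity--1b2c3d4e-1111-4aaa-8bbb-000000000003",
    "malware": "malware--1b2c3d4e-1111-4aaa-8bbb-000000000004",
    "attack-pattern": "attack-pattern--1b2c3d4e-1111-4aaa-8bbb-000000000005",
    "ipv4-addr": "ipv4-addr--1b2c3d4e-1111-4aaa-8bbb-000000000006",
}
TS = "2024-01-01T00:00:00.000Z"  # constructed timestamp


def stix_type(stix_id):
    """Return the object type encoded in a STIX identifier."""
    return stix_id.split("--", 1)[0]


def make_relationship(source_ref, relationship_type, target_ref):
    """Build a minimal STIX 2.1 relationship SRO between two object ids."""
    return {
        "type": "relationship", "spec_version": "2.1",
        "id": f"relationship--{uuid.uuid4()}",
        "created": TS, "modified": TS,
        "relationship_type": relationship_type,
        "source_ref": source_ref, "target_ref": target_ref,
    }


def check_bundle(bundle, template):
    """Report which template requirements a bundle does not satisfy."""
    objects = bundle.get("objects", [])
    present_types = {obj["type"] for obj in objects}
    # Collapse every SRO to a (source type, relationship_type, target type) triple.
    edges = {
        (stix_type(o["source_ref"]), o["relationship_type"], stix_type(o["target_ref"]))
        for o in objects if o["type"] == "relationship"
    }
    missing_types = sorted(template["required_types"] - present_types)
    missing_edges = [e for e in template["required_edges"] if e not in edges]
    missing_conditional = [
        e for trigger, e in template["conditional_edges"]
        if trigger in present_types and e not in edges
    ]
    return {
        "missing_types": missing_types,
        "missing_edges": missing_edges,
        "missing_conditional_edges": missing_conditional,
        "conformant": not (missing_types or missing_edges or missing_conditional),
    }


def sample_bundle():
    """Constructed bundle: an attack-pattern is present but not linked to the TA."""
    sdo = lambda t, name: {"type": t, "spec_version": "2.1", "id": IDS[t],
                           "created": TS, "modified": TS, "name": name}
    objects = [
        sdo("campaign", "Example campaign"),
        sdo("intrusion-set", "Example intrusion set"),
        dict(sdo("identity", "Example victim"), identity_class="organization",
             sectors=["financial-services"]),
        sdo("malware", "Example malware"),
        sdo("attack-pattern", "Example initial access technique"),
        {"type": "ipv4-addr", "spec_version": "2.1", "id": IDS["ipv4-addr"],
         "value": "192.0.2.10"},  # constructed documentation-range address
        make_relationship(IDS["campaign"], "attributed-to", IDS["intrusion-set"]),
        make_relationship(IDS["campaign"], "targets", IDS["identity"]),
        make_relationship(IDS["intrusion-set"], "uses", IDS["malware"]),
        make_relationship(IDS["malware"], "communicates-with", IDS["ipv4-addr"]),
    ]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


if __name__ == "__main__":
    bundle = sample_bundle()
    print(json.dumps(check_bundle(bundle, INCIDENT_TEMPLATE), indent=2))
    # Add the missing edge and re-check: the bundle now conforms.
    bundle["objects"].append(
        make_relationship(IDS["intrusion-set"], "uses", IDS["attack-pattern"]))
    print(json.dumps(check_bundle(bundle, INCIDENT_TEMPLATE), indent=2))
```

Run as-is, the first report lists one missing conditional edge (the attack-pattern is in the bundle, so the template expects the intrusion-set to be linked to it with `uses`); after that SRO is added the bundle is reported as conformant. Because the template is data rather than code, the same checker can load a different "grammar" per trust group or per concept (incident vs. campaign), which is the kind of reusable structure the thread is asking for.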

srrelitz2 commented 1 month ago

Profiles existed in STIX 1. Interop doc has personas which are related. Incident extension connection? Or Best Practice.