oasis-tcs / cti-stix2

OASIS CTI TC: Provides issue tracking and wiki pages for the STIX 2.x Work Products
https://github.com/oasis-tcs/cti-stix2
Other
24 stars 9 forks source link

Is a Self-Referential "created_by_ref" valid for an Identity?? #298

Open brettforbes opened 2 years ago

brettforbes commented 2 years ago

Hi,

Going through the certification tests for Stix 2.1, and it is clear that the system that produced the data was not Stix compliant.

Nevertheless, it produced many identity objects with self-referential "created_by_ref" fields, which has resulted in this issue being raised.

In our view a self-referential "created_by_ref" makes no sense in either a semantic context or a graph context, as one is effectively saying I am Brett, and Brett wrote this

i do not believe the standard has an opinion on self-referential "created_by_ref", and if one i using JSON databases this issue may easily slip through the cracks. We submit that prohibition of self-referential links for the purposes of asserting both identity and created by is a good idea. We plan to automatically delete these links in our parser (an extension of the Stix2 parser to suit ATT&CK and CACAO)

An example is as follows:

{
    "type": "identity",
    "id": "identity--826d4837-a92b-44a3-91c9-107ec7982c1d",
    "spec_version": "2.1",
    "identity_class": "organization",
    "name": "XYZA Corp, Inc.",
    "created": "2017-01-17T11:11:13.000Z",
    "modified": "2017-01-17T11:11:13.000Z",
    “created_by_ref’: "identity--826d4837-a92b-44a3-91c9-107ec7982c1d"
},

thanks

priamai commented 2 years ago

It surely makes no sense to me.

rpiazza commented 2 years ago

Actually, there is some support in the community for using a self-referential Identity to represent identity objects that are the "producers" of STIX content. Then you would be able to distinguish an Identity that represents cyber security information - like a victim, or the identity of a threat actor, as opposed to metadata about an object creator.

Something to add to the next version of the Best Practices Guide :-)