vz-risk / veris

Vocabulary for Event Recording and Incident Sharing (VERIS)
http://verisframework.org

Bring back discovery_method of Ext - unrelated party #75

Closed blackfist closed 7 years ago

blackfist commented 10 years ago

I have seen a couple of incidents where this might still be the best choice for discovery method.

For example, there was an incident where an insider was taking photographs of credit cards for ID theft purposes. The incident was reported to the victim company by the manager at the photo development place to which she took the photos for printing.

Another incident involved documents that were published to the website that had sensitive information in them. A concerned member of the community reported the publishing error to the victim organization.

krmaxwell commented 10 years ago

Previous related discussion (linked for reference, not passive-aggressiveness :eyes: ): https://github.com/vz-risk/veris/issues/46

blackfist commented 10 years ago

Here is an incident where an error was reported to an organization by a reporter that was not investigating an incident. http://www.theguardian.com/world/2014/may/26/identification-cia-station-chief-afghanistan-reporter

whbaker commented 10 years ago

I disagree with adding this back in. The reason is because it is bad schema dev to have a general category ("unrelated third party") along with more specific items under that category "unrelated 3rd party discovered suspicious network traffic." IOW, you shouldn't have "Mac" and "MacBook Pro" as two supposedly exclusive options in a single-select list. Instead of bringing back a very high-level category that we decided to split up into more specific options, create another option that captures what you're looking for.

blackfist commented 10 years ago

Like "Ext - other" or "Ext - concerned citizen"?

whbaker commented 10 years ago

Let me ask this - what are we trying most to accomplish? Do you want a bucket for it to fit cleanly in, or is there an aspect of that particular discovery method that we want to track/learn from? For instance, we created "suspicious nw activity" because we observed it growing over time and wanted to track it individually.

If we’re not so concerned about that, then perhaps the “Ext - Other” category is fine. We already have that, right? Or is it “Ext - Unknown” that we have?

Wade Baker Verizon Enterprise Solutions +1 571.205.8239


blackfist commented 10 years ago

I think I don't want to code an incident with information that is not correct. So in the cases that I highlighted above I don't really feel like any of the existing enumerations are correct. So if I were to pick one then I would be creating noise in the data. Right now we do not have an Ext - Other enumeration, we only have Ext - Unknown for when we know that the discovery was external but we don't know how specifically it was discovered.

whbaker commented 10 years ago

What have you been selecting when, for instance, someone happens to find sensitive docs in a dumpster?


blackfist commented 10 years ago

Until the 1.3 version I was selecting unrelated party.

blackfist commented 10 years ago

It could be that I was overusing the Unrelated party enumeration. Maybe I'm having a problem seeing better enumerations.

whbaker commented 10 years ago

Perhaps I’m thinking about it wrong. I see “unrelated party” as a high-level category, under which other things in the list exist. But I suppose that doesn’t have to be true. Just because we split stuff from it, doesn't necessarily mean they’re conflated. If we gave it a different definition than it’s had in the past, and remembered not to use it for stuff we have in the past (e.g., CSIRTs and netintel), it’d be ok.

So I’m softening my position.


gdbassett commented 8 years ago

added Ext - Other in [dev e3e4ff7]

gdbassett commented 8 years ago

Add external-other to 1.3.1

gdbassett commented 8 years ago

Added 'other' to 'discovery_method' for internal and external. Also made the partner other/unknown descriptions and case consistent. [v1_3_1 a99325a]

gdbassett commented 8 years ago

Added to conversion script in commit [v1_3_1 1ed0187]
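The thread ends with the retired "Ext - unrelated party" value being handled in a conversion script and a new "Ext - other" value being added, while blackfist's concern was that forcing an incident into a wrong enumeration just creates noise in the data. The following is an added example, not the VERIS project's own conversion script or schema: it assumes a flat string `discovery_method` field and a `schema_version` field on each incident record, a hypothetical retired-to-replacement mapping, and an illustrative subset of allowed values. Retired values are mapped, values already in the allowed set pass through, and anything unrecognized is left unset and reported for manual review rather than guessed.

```python
import json
from typing import Dict, List, Optional, Tuple

# Added example, not the VERIS project's own conversion script.
# Assumption: discovery_method is a flat string field on each incident record,
# and the schema version is recorded in a "schema_version" string field.
OLD_VERSION = "1.3"
NEW_VERSION = "1.3.1"

# Hypothetical mapping of values retired in OLD_VERSION to their replacement.
RETIRED_VALUES: Dict[str, str] = {
    "Ext - unrelated party": "Ext - other",
}

# Assumed subset of allowed values in NEW_VERSION, for illustration only.
ALLOWED_VALUES = frozenset({
    "Ext - customer", "Ext - law enforcement", "Ext - suspicious traffic",
    "Ext - other", "Ext - unknown",
    "Int - log review", "Int - reported by employee", "Int - other", "Int - unknown",
    "Prt - other", "Prt - unknown",
    "Unknown",
})


def convert_discovery_method(value: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """Map one discovery_method value into the new enumeration.

    Returns (new_value, note). A retired value is mapped; a value already in
    the allowed set passes through unchanged; anything else becomes None and
    is reported, so unknown input is never silently coerced into a
    plausible-looking but wrong enumeration (which would add noise to the data).
    """
    if value is None:
        return None, None
    if value in ALLOWED_VALUES:
        return value, None
    if value in RETIRED_VALUES:
        new = RETIRED_VALUES[value]
        return new, f"mapped retired value {value!r} to {new!r}"
    return None, f"unrecognized value {value!r} left unset for manual review"


def convert_incident(incident: dict) -> Tuple[dict, List[str]]:
    """Return an upgraded copy of one incident plus any review notes."""
    notes: List[str] = []
    out = dict(incident)
    if out.get("schema_version") != OLD_VERSION:
        notes.append(f"{out.get('incident_id')}: schema_version is not "
                     f"{OLD_VERSION}, record left unchanged")
        return out, notes
    new_value, note = convert_discovery_method(out.get("discovery_method"))
    if note:
        notes.append(f"{out.get('incident_id')}: {note}")
    if new_value is None:
        out.pop("discovery_method", None)   # leave it unset rather than wrong
    else:
        out["discovery_method"] = new_value
    out["schema_version"] = NEW_VERSION
    return out, notes


def convert_incidents(json_text: str) -> Tuple[List[dict], List[str]]:
    """Upgrade a JSON array of incident records; returns (records, notes)."""
    converted: List[dict] = []
    all_notes: List[str] = []
    for incident in json.loads(json_text):
        rec, notes = convert_incident(incident)
        converted.append(rec)
        all_notes.extend(notes)
    return converted, all_notes


# Constructed sample records mirroring the cases discussed in the thread.
SAMPLE_INCIDENTS = json.dumps([
    {"incident_id": "A", "schema_version": "1.3", "discovery_method": "Ext - unrelated party"},
    {"incident_id": "B", "schema_version": "1.3", "discovery_method": "Ext - customer"},
    {"incident_id": "C", "schema_version": "1.3", "discovery_method": "Ext - concerned citizen"},
    {"incident_id": "D", "schema_version": "1.3.1", "discovery_method": "Ext - other"},
])

if __name__ == "__main__":
    records, review_notes = convert_incidents(SAMPLE_INCIDENTS)
    for rec in records:
        print(json.dumps(rec))
    for n in review_notes:
        print("NOTE:", n)
```

Record A is migrated to "Ext - other", B passes through, C (a value that never existed in the schema) is reported and left without a discovery method, and D is already at the new version and untouched. Keeping the review notes alongside the converted data is what lets an analyst go back and recode the ambiguous cases instead of discovering later that a script picked a bucket for them.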