
Proposal: Change multiplicity on Observable_Source to capture multiple observations (sightings) of a given Observable

Ivan Kirillov edited this page Dec 20, 2013 · 13 revisions

Status: Closed
Comment Period Closes: 12/19/2013
Affects Backwards Compatibility: No
Relevant Issue: https://github.com/CybOXProject/schemas/issues/79

Background Information

This proposal concerns CybOX Observable instances and the ability to specify when, how and by whom they were observed. CybOX 2.0.1 allows this for a single source only (e.g. OrgA saw a file with this MD5 hash at this time, using this tool). Community stakeholders have asked for a way to easily specify "sightings" of a given Observable instance from multiple sources. The motivating example: Orgs A-Z share threat intelligence through a common intel repository, into which suspect or interesting observations are reported even before an Indicator has been specified. OrgA, OrgD and OrgT may all see, and report seeing, files with exactly the same hash. In CybOX 2.0.1 this results in three separate Observables being captured (one from each Org). They could be correlated as the same entity through relationships between the underlying Object specifications, but that requires extra logic and adds verbosity and complexity, and the problem grows with the size of the community and the tempo of sharing.

STIX 1.0.1 has a SightingType structure that at a high conceptual level may sound like it serves this purpose, but it is specifically intended for correlating a given observation with a specific Indicator that is being looked for. It currently supports a source organization, a time of sighting, a reference link to the sighting source and a Confidence assertion that the sighting was actually of the enclosing Indicator. For STIX 1.1 a Related_Observables structure is proposed, which would allow direct specification of the Observable instances seen as part of the sighting. That addition would only further convolute any potential use of SightingType within CybOX.

Proposal

Change the multiplicity of the Observable_Source element within ObservableType from 0..1 to be 0..many. This would enable the attributed specification of multiple observations/sightings of a given Observable instance in a straightforward and concise manner. The MeasureSourceType used for Observable_Source is intended to capture exactly this sort of Observable observation/sighting detail and gives significantly more expressive capability for characterizing when, how and by whom the Observable was seen/sighted than the simple STIX SightingType does.

It would be preferable for clarity to wrap the repeated Observable_Source elements in an Observable_Sources enclosure, but that would break backward compatibility at this time and make the change ineligible for CybOX 2.1. Given the immediate need for this capability in the community, the simpler change is proposed for 2.1, and it is further proposed that an issue be opened for adding the list enclosure element in 3.0, where the community can decide whether it is desirable.

To better support the intended purpose, it is also proposed that a new sighting_count attribute be added to both ObservableType and MeasureSourceType, to specify how many identical instances of a given Observable a reporting entity has seen/sighted. On an Observable_Source element the attribute states how many times that entity saw it; on the Observable element it acts as a roll-up of all sightings across sources.

Simple example content for the case described above, giving only the sighting organization and time for each source, could look like the following (shown inside an Observables root with the standard CybOX 2.1 namespace declarations):

```xml
<cybox:Observables
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:example="http://example.com/"
    cybox_major_version="2" cybox_minor_version="1">
    <cybox:Observable id="example:Observable-9c132c3c-fc65-41c9-a0f9-ea146dc61cd0" sighting_count="9">
        <cybox:Description>Observed suspect file</cybox:Description>
        <cybox:Observable_Source sighting_count="1">
            <cyboxCommon:Contributors>
                <cyboxCommon:Contributor>
                    <cyboxCommon:Organization>OrgA</cyboxCommon:Organization>
                </cyboxCommon:Contributor>
            </cyboxCommon:Contributors>
            <cyboxCommon:Time>
                <cyboxCommon:Start_Time>2013-12-02T12:00:00+06:00</cyboxCommon:Start_Time>
            </cyboxCommon:Time>
        </cybox:Observable_Source>
        <cybox:Observable_Source sighting_count="5">
            <cyboxCommon:Contributors>
                <cyboxCommon:Contributor>
                    <cyboxCommon:Organization>OrgD</cyboxCommon:Organization>
                </cyboxCommon:Contributor>
            </cyboxCommon:Contributors>
            <cyboxCommon:Time>
                <cyboxCommon:Start_Time>2013-12-04T08:00:00+03:00</cyboxCommon:Start_Time>
            </cyboxCommon:Time>
        </cybox:Observable_Source>
        <cybox:Observable_Source sighting_count="3">
            <cyboxCommon:Contributors>
                <cyboxCommon:Contributor>
                    <cyboxCommon:Organization>OrgT</cyboxCommon:Organization>
                </cyboxCommon:Contributor>
            </cyboxCommon:Contributors>
            <cyboxCommon:Time>
                <cyboxCommon:Start_Time>2013-12-05T15:00:00+01:00</cyboxCommon:Start_Time>
            </cyboxCommon:Time>
        </cybox:Observable_Source>
        <cybox:Object id="example:Object-3e6f7315-9591-4f84-ba51-7b8c44ce5d36">
            <cybox:Properties xsi:type="FileObj:FileObjectType">
                <FileObj:Hashes>
                    <cyboxCommon:Hash>
                        <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
                        <cyboxCommon:Simple_Hash_Value>a7a0390e99406f8975a1895860f55f2f</cyboxCommon:Simple_Hash_Value>
                    </cyboxCommon:Hash>
                </FileObj:Hashes>
            </cybox:Properties>
        </cybox:Object>
    </cybox:Observable>
</cybox:Observables>
```
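A consumer receiving such content would want to check that the Observable-level roll-up actually agrees with the per-source counts before trusting it. The following is an added example, not code from this proposal or from the CybOX project's tooling: it parses an Observable carrying several Observable_Source elements, collects one sighting per source, and compares the sum of the per-source sighting_count values with the roll-up on the Observable. The XML is a constructed copy of the example above; the defaults that an Observable_Source without sighting_count stands for a single sighting and that a missing roll-up contradicts nothing are assumptions of this example, not rules the proposal states.

```python
"""Added example (not part of the CybOX project or of this proposal):
parse an Observable with several Observable_Source elements carrying the
proposed sighting_count attribute and check that the Observable-level
roll-up equals the sum of the per-source counts. Standard library only.
SAMPLE_XML is a constructed copy of the proposal's example."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

NS = {
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
}

SAMPLE_XML = """<cybox:Observables
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
    xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
    xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:example="http://example.com/"
    cybox_major_version="2" cybox_minor_version="1">
  <cybox:Observable id="example:Observable-9c132c3c-fc65-41c9-a0f9-ea146dc61cd0" sighting_count="9">
    <cybox:Observable_Source sighting_count="1">
      <cyboxCommon:Contributors><cyboxCommon:Contributor>
        <cyboxCommon:Organization>OrgA</cyboxCommon:Organization>
      </cyboxCommon:Contributor></cyboxCommon:Contributors>
      <cyboxCommon:Time><cyboxCommon:Start_Time>2013-12-02T12:00:00+06:00</cyboxCommon:Start_Time></cyboxCommon:Time>
    </cybox:Observable_Source>
    <cybox:Observable_Source sighting_count="5">
      <cyboxCommon:Contributors><cyboxCommon:Contributor>
        <cyboxCommon:Organization>OrgD</cyboxCommon:Organization>
      </cyboxCommon:Contributor></cyboxCommon:Contributors>
      <cyboxCommon:Time><cyboxCommon:Start_Time>2013-12-04T08:00:00+03:00</cyboxCommon:Start_Time></cyboxCommon:Time>
    </cybox:Observable_Source>
    <cybox:Observable_Source sighting_count="3">
      <cyboxCommon:Contributors><cyboxCommon:Contributor>
        <cyboxCommon:Organization>OrgT</cyboxCommon:Organization>
      </cyboxCommon:Contributor></cyboxCommon:Contributors>
      <cyboxCommon:Time><cyboxCommon:Start_Time>2013-12-05T15:00:00+01:00</cyboxCommon:Start_Time></cyboxCommon:Time>
    </cybox:Observable_Source>
    <cybox:Object id="example:Object-3e6f7315-9591-4f84-ba51-7b8c44ce5d36">
      <cybox:Properties xsi:type="FileObj:FileObjectType">
        <FileObj:Hashes><cyboxCommon:Hash>
          <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">MD5</cyboxCommon:Type>
          <cyboxCommon:Simple_Hash_Value>a7a0390e99406f8975a1895860f55f2f</cyboxCommon:Simple_Hash_Value>
        </cyboxCommon:Hash></FileObj:Hashes>
      </cybox:Properties>
    </cybox:Object>
  </cybox:Observable>
</cybox:Observables>"""


@dataclass
class Sighting:
    organization: Optional[str]
    start_time: Optional[str]
    count: int


def parse_sightings(observable: ET.Element) -> List[Sighting]:
    """One Sighting per Observable_Source (0..many under this proposal)."""
    sightings = []
    for src in observable.findall("cybox:Observable_Source", NS):
        org = src.findtext("cyboxCommon:Contributors/cyboxCommon:Contributor/"
                           "cyboxCommon:Organization", namespaces=NS)
        start = src.findtext("cyboxCommon:Time/cyboxCommon:Start_Time", namespaces=NS)
        # Assumption of this example: a source with no sighting_count
        # (e.g. a 2.0.1-style single-source document) reports one sighting.
        count = int(src.get("sighting_count", "1"))
        if count < 1:
            raise ValueError(f"sighting_count must be positive, got {count}")
        sightings.append(Sighting(org, start, count))
    return sightings


def summarize(xml_text: str) -> List[Dict]:
    """Per Observable: declared roll-up, computed sum of per-source counts,
    and whether they agree. A missing roll-up is treated as consistent."""
    root = ET.fromstring(xml_text)
    results = []
    for obs in root.findall("cybox:Observable", NS):
        sightings = parse_sightings(obs)
        computed = sum(s.count for s in sightings)
        raw = obs.get("sighting_count")
        declared = int(raw) if raw is not None else None
        results.append({
            "id": obs.get("id"),
            "sightings": sightings,
            "declared_count": declared,
            "computed_count": computed,
            "consistent": declared is None or declared == computed,
        })
    return results


def strip_sighting_counts(xml_text: str) -> str:
    """Remove every sighting_count attribute, giving the attribute-less form
    in which each Observable_Source stands for exactly one sighting."""
    return re.sub(r'\s+sighting_count="\d+"', "", xml_text)


if __name__ == "__main__":
    for r in summarize(SAMPLE_XML):
        print(r["id"], "declared", r["declared_count"],
              "computed", r["computed_count"], "consistent", r["consistent"])
        for s in r["sightings"]:
            print("  ", s.organization, s.start_time, s.count)
```

Run as-is, the script reports a declared roll-up of 9, a computed sum of 9 (1 + 5 + 3), and the three sources in document order. Changing the Observable-level value to anything else flags the Observable as inconsistent, which is the signal a repository should use to reject or re-derive the roll-up rather than trusting a producer-supplied total.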

Impact

There is no expected compatibility impact. These changes record additional information beyond what previous versions of CybOX could represent. Because the new fields are optional, producers and consumers that are not interested in them may ignore them.

Requested Feedback

  1. Is there value in expressing multiple sources on the same Observable?
  2. Is the MeasureSourceType structure adequate to convey this information?
  3. Is the addition of the sighting_count attribute to ObservableType and MeasureSourceType useful?