Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Is a Self-Referential "created_by_ref" valid for an Identity?? #298

Open
brettforbes opened this issue Oct 13, 2022 · 2 comments
Open

Is a Self-Referential "created_by_ref" valid for an Identity?? #298

brettforbes opened this issue Oct 13, 2022 · 2 comments

Comments

@brettforbes
Copy link

brettforbes commented Oct 13, 2022

Hi,

Going through the certification tests for Stix 2.1, and it is clear that the system that produced the data was not Stix compliant.

Nevertheless, it produced many identity objects with self-referential "created_by_ref" fields, which has resulted in this issue being raised.

In our view a self-referential "created_by_ref" makes no sense in either a semantic context or a graph context, as one is effectively saying
I am Brett, and Brett wrote this

i do not believe the standard has an opinion on self-referential "created_by_ref", and if one i using JSON databases this issue may easily slip through the cracks. We submit that prohibition of self-referential links for the purposes of asserting both identity and created by is a good idea. We plan to automatically delete these links in our parser (an extension of the Stix2 parser to suit ATT&CK and CACAO)

An example is as follows:

{
    "type": "identity",
    "id": "identity--826d4837-a92b-44a3-91c9-107ec7982c1d",
    "spec_version": "2.1",
    "identity_class": "organization",
    "name": "XYZA Corp, Inc.",
    "created": "2017-01-17T11:11:13.000Z",
    "modified": "2017-01-17T11:11:13.000Z",
    “created_by_ref’: "identity--826d4837-a92b-44a3-91c9-107ec7982c1d"
},

thanks

@priamai
Copy link

priamai commented Oct 13, 2022

It surely makes no sense to me.

@rpiazza
Copy link
Contributor

rpiazza commented Oct 13, 2022

Actually, there is some support in the community for using a self-referential Identity to represent identity objects that are the "producers" of STIX content. Then you would be able to distinguish an Identity that represents cyber security information - like a victim, or the identity of a threat actor, as opposed to metadata about an object creator.

Something to add to the next version of the Best Practices Guide :-)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

4 participants