Use Case: Sighting Analysis

Use Case: Sighting Analysis

Pre-1.2.1 Use Case (True/False): False

Relevant to which SCs (STIX/TAXII/CybOX): STIX

Abstraction Level (High, Medium or Low): High

Related Use Cases: replaces Indicator Sighting Analysis

Description: Within STIX v1.2 and earlier, Sightings are embedded within Indicators. The only way to issue new Sightings is to re-issue a new version of the Indicator, even if the Indicator itself hasn't changed. This is a lot of extra data being sent across the wire that doesn't need to be. This also doesn't work very well when STIX is used to alert others 'while the attack is still ongoing'. If an Organization is under a DDoS attack there could be a large amount of updates sent out as the victim organization tells others of it's plight. This just won't scale if an organization is required to republish Indicator updates every time they detect another DDoS participant.

In addition, many Organizations are unaware that Indicators can carry both things to look for, and things I've seen. Many Organizations seem to think of Indicators as only containing things to look for.

In an effort to clear up both of these problems, we propose in STIX v2.0 to move the Sighting functionality out of the Indicator object, and into it's own top-level object. This top level Sighting object would be similar in many ways to the Indicator Object, but would only contain things that have been observed or asserted.

This separation of duty would have the dual benefit of making STIX easier to understand for new users, and allowing additional Sightings to be generated without impacting the Indicator object.

Stakeholders/Goals:

• Stakeholder:
  1. Threat Intelligence Teams
  2. DFIR Teams
  3. National CERTs
  4. All STIX sharing groups
• Goal:
  1. Make Sightings independent of Indicators
  2. Ensure Sightings only contain 'things we have seen', and Indicators only contain 'things to look for'.
  3. Make it easier to understand STIX object functions

Preconditions:

1. None.

Dependencies:

1. Indicator changes: The indicator object would need to change to only contain 'things to look for' (observable patterns).

Main Success Scenario:

1. An Organization is under attack fro a DDoS. It sends out a STIX package containing the 30 Sighting objects it detected so far to the two threat sharing groups it is a member of, and requests some feedback on those objects. It receives a response back from a threat intelligence vendor mentioning that this attack is likely to be part of the DD4BC crew. 2 hours later the victim Organization sends out another 200 objects with the same telltale signs that indicates they are also part of the same DD4BC attack botnet, so the victim organization sends out the next 200 objects with links to the earlier reports send by the threat intelligence vendor. Now everyone in the threat sharing group is aware of the sightings relationship to the reports from the threat intelligence vendor, as well as any incident data the victim organization has produced.