Subject: RE: [EXT] [cti-stix] Moving past 2.1 Opinion object - Structuring ACH



When we first started looking at this, it seems as if we went through similar options that you highlighted below. However, there seems to be a need for consumers/producers/collaborators of intelligence to have an object that allows for a free-text and evidence-free explanation of what their Agreement/Disagreement is for a particular entity or relationship. We did not want to remove the Opinion object – there is a need to be able to validate something on a sliding scale of Agreement. We also wanted to move away from adding additional properties to the 2.1 Opinion – as it seemed that we were diluting its concept and shoehorning to fit a particular mold.


Agree with Sarah’s points that a new entity, rather than an amended Opinion, could highlight the process of testing multiple hypotheses and proposed realities. I want to be able to see the evidence used to support/deny a set of hypotheses, and to be able to identify _which_ hypothesis scored highest from H1, H2, H3 across the available evidence.


I think this “new” object will work very well for analysts in some of the following ways:

1 – Analysts go through this process regularly, but with no ability to structure it with STIX

2 – To be able to go through this process of testing hypotheses - It might be N. Korea because X, It might be China because Y, and it might be Russia because Z – and highlight which hypothesis was most supported by the evidence available

3 – To be able to represent that analyst/teams’ scoring of a certain hypothesis

4 – To be able to incorporate other teams’ hypothesis testing with your own (??) Producer A thinks it is China for X reasons, but as an analyst I may look at that and think it is also China for X + Y reasons, where Y adds value to the original assessment


I think that it would not only work well for analysts who go through this process to create this structure, but also for teams who are consuming intelligence and need a way to identify and view others’ tested hypotheses.

From: Kelley, Sarah E. <skelley@mitre.org>
Sent: Wednesday, October 10, 2018 4:11 PM
To: Bret Jordan <Bret_Jordan@symantec.com>; Caitlin Huey <caitlin@eclecticiq.com>
Cc: cti-stix@lists.oasis-open.org
Subject: RE: [EXT] [cti-stix] Moving past 2.1 Opinion object - Structuring ACH

I would think that ACH and opinion are actually totally different concepts that are likely used by different people. I see an opinion object being used by the recipient of an object to say “I (dis)agree with what you’ve published”. I see an ACH as a way of people who are still in the process of doing analysis to have multiple possible options, and show the evidence for each. Picture the Olympic Destroyer malware. I heard three different competing hypotheses for who was behind it, each of which had its own evidence. That is the scenario this new object would allow you to convey. “It might be N. Korea because X, It might be China because Y, and it might be Russia because Z”.


From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> On Behalf Of Bret Jordan
Sent: Wednesday, October 10, 2018 9:47 AM
To: Caitlin Huey <caitlin@eclecticiq.com>
Cc: cti-stix@lists.oasis-open.org
Subject: [cti-stix] Re: [EXT] [cti-stix] Moving past 2.1 Opinion object - Structuring ACH

Let me rephrase my question a bit....


From what you are saying it sounds like the opinion object is just not going to work for analysts, at least at the level of specificity that we have currently defined.  


Does this mean that we:


1) Remove the Opinion object from 2.1 and replace it with your new object?


2) Take all of the new properties you have defined and add them to the Opinion object for the 2.1 release 


3) Or is there a use case for having both?  Keeping in mind that we like to avoid having two ways of doing something. 



From my initial skim of your document, it feels like 1 or 2 is the correct answer here. But I would like your take.

From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Caitlin Huey <caitlin@eclecticiq.com>
Sent: Wednesday, October 10, 2018 7:31:29 AM
To: Bret Jordan
Cc: cti-stix@lists.oasis-open.org
Subject: [cti-stix] RE: [EXT] [cti-stix] Moving past 2.1 Opinion object - Structuring ACH


Hey Bret,


I think we are thinking an entirely new object. At first, we were thinking of how we could use the Opinion, but it looks like the functionality is not quite there.


Problem areas we found in “doing” ACH with the current 2.1 Opinion object:


- The current specification does not address how the community should use and apply the Opinion object

- One of the largest caveats of the Opinion object is that sharing communities are still encouraged to provide clear guidelines to their constituents regarding best practice for the use of Opinion objects. What this means is that there is still no fundamental agreement on when and how to best use this object

- The Opinion object does not apply any additional structure beyond the free-text `explanation` as to why an author has an opinion in the first place

- There is no way to consistently track or see patterns in `explanations` for Opinions over time


I think the last limitation is super interesting and speaks to the need to have a way to structure the ACH process/outcomes of going through that process.

From: Bret Jordan <Bret_Jordan@symantec.com>
Sent: Wednesday, October 10, 2018 2:57 PM
To: Caitlin Huey <caitlin@eclecticiq.com>
Cc: cti-stix@lists.oasis-open.org
Subject: Re: [EXT] [cti-stix] Moving past 2.1 Opinion object - Structuring ACH


Thanks for working on this. A clarifying question: is this a replacement for the new Opinion object or additions to that object, or does it need to be a totally new object?



On Oct 10, 2018, at 4:31 AM, Caitlin Huey <caitlin@eclecticiq.com> wrote:

Hi all,


Wanted to share some work we’ve been doing about approaching the 2.1 Opinion object to structure the process of Analysis of Competing Hypotheses (ACH). Working on language and prototypes, it seems some of us on our team are in favor of moving past the STIX 2.1 Opinion object, noting that the Opinion object’s functionality to structure ACH is limited. Seems that a “new” object is needed to help structure and show this process of conducting ACH.


TL;DR: STIX 2.1 introduces the Opinion object to allow consumers and collaborators of intelligence to express agreement and disagreement on entities and relationships. The Opinion object is a STIX 2.1 entity that is closest to being able to provide a way to represent validation of an entity or a relationship between two entities. However, the Opinion object is limited in its application and flexibility. There is a need to move beyond the Opinion object and to introduce a new entity that would allow consumers/producers of intelligence to go beyond validating entities and to apply structure to evidence driven hypotheses. This new entity’s working name is the Hypothesis object.


Wanted to open up a dialogue about how and what this could look like, knowing that some assumptions have already been made about what this “new” object could look like. I have attached a working draft (work in progress!), and appreciate thoughts and feedback.


Feel free to reach out, am interested in talking to more people about this.



Caitlin Huey

EclecticIQ Fusion Center | Senior Threat Intelligence Analyst

Amsterdam, Netherlands
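The contrast the thread draws, as an added example that is not part of this thread, of the attached draft, or of any OASIS code: a STIX 2.1 Opinion carries one value on the agreement scale plus free text, while an ACH record keeps a hypothesis-by-evidence matrix that can be re-scored or extended by a consumer. The Opinion builder follows the published STIX 2.1 Opinion SDO (type, spec_version, id, created, modified, opinion, object_refs, optional explanation). The `x-hypothesis` record shape, the `ach_score`/`ach_rank`/`add_evidence` helpers, and the sample matrix are assumptions made for illustration; the H1/H2/H3 labels are the thread's own placeholders and the evidence items X, Y, Z, W are constructed, implying no real attribution.

```python
"""Added example for the cti-stix thread; not OASIS, EclecticIQ or draft code.
The Opinion builder follows the published STIX 2.1 Opinion SDO. The
x-hypothesis record, the ACH helpers and the sample matrix are assumptions."""
import uuid
from datetime import datetime, timezone

# STIX 2.1 opinion-enum: the only values the `opinion` property may take.
OPINION_ENUM = ("strongly-disagree", "disagree", "neutral", "agree", "strongly-agree")

# ACH cell ratings (Heuer): consistent / inconsistent / not applicable.
CONSISTENT, INCONSISTENT, NOT_APPLICABLE = "C", "I", "N"


def stix_timestamp():
    """RFC 3339 UTC timestamp, millisecond precision, trailing 'Z'."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def make_opinion(opinion, object_refs, explanation=None):
    """Build a STIX 2.1 Opinion SDO as a plain dict.

    This is everything the object can carry: one value on the sliding
    agreement scale, the objects it refers to, and free text. Nothing
    links the explanation to individual pieces of evidence.
    """
    if opinion not in OPINION_ENUM:
        raise ValueError(f"opinion must be one of {OPINION_ENUM}, got {opinion!r}")
    if not object_refs:
        raise ValueError("object_refs must contain at least one identifier")
    ts = stix_timestamp()
    obj = {
        "type": "opinion",
        "spec_version": "2.1",
        "id": f"opinion--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "opinion": opinion,
        "object_refs": list(object_refs),
    }
    if explanation:
        obj["explanation"] = explanation
    return obj


def ach_score(matrix):
    """Count evidence items INCONSISTENT with each hypothesis.

    matrix: {hypothesis_id: {evidence_id: rating}}. ACH ranks by
    disconfirmation: one solid inconsistency should hurt a hypothesis
    more than several consistent items help it.
    """
    scores = {}
    for hyp, cells in matrix.items():
        unknown = [r for r in cells.values() if r not in (CONSISTENT, INCONSISTENT, NOT_APPLICABLE)]
        if unknown:
            raise ValueError(f"unknown rating(s) {unknown} for {hyp}")
        scores[hyp] = sum(1 for r in cells.values() if r == INCONSISTENT)
    return scores


def ach_rank(matrix):
    """Hypotheses from fewest to most inconsistencies; ties broken by id."""
    scores = ach_score(matrix)
    return sorted(scores, key=lambda h: (scores[h], h))


def add_evidence(matrix, evidence_id, ratings):
    """Return a new matrix with one more evidence column (the thread's point 4:
    a consumer extends a producer's matrix with evidence of their own).
    Every hypothesis must be rated so the matrix stays rectangular."""
    missing = set(matrix) - set(ratings)
    if missing:
        raise ValueError(f"no rating for {sorted(missing)} on {evidence_id}")
    return {h: {**cells, evidence_id: ratings[h]} for h, cells in matrix.items()}


def hypothesis_record(hypotheses, evidence, matrix, object_refs):
    """ASSUMED shape of a hypothesis record (working name from the thread,
    custom 'x-' prefix); not the draft attached to the original mail."""
    return {
        "type": "x-hypothesis",
        "spec_version": "2.1",
        "id": f"x-hypothesis--{uuid.uuid4()}",
        "object_refs": list(object_refs),
        "hypotheses": dict(hypotheses),
        "evidence": dict(evidence),
        "matrix": matrix,
        "inconsistency_scores": ach_score(matrix),
        "ranking": ach_rank(matrix),
    }


# Constructed sample: the thread's own H1/H2/H3 illustration and four
# placeholder evidence items X, Y, Z, W. No real attribution is implied.
HYPOTHESES = {"H1": "N. Korea", "H2": "China", "H3": "Russia"}
EVIDENCE = {k: f"constructed evidence item {k}" for k in ("X", "Y", "Z", "W")}
MATRIX = {
    "H1": {"X": "C", "Y": "I", "Z": "I", "W": "N"},
    "H2": {"X": "C", "Y": "C", "Z": "I", "W": "C"},
    "H3": {"X": "I", "Y": "N", "Z": "C", "W": "I"},
}

if __name__ == "__main__":
    ref = "indicator--" + str(uuid.uuid4())  # placeholder referenced object
    print(make_opinion("agree", [ref], "Free text only; no evidence structure."))
    print(hypothesis_record(HYPOTHESES, EVIDENCE, MATRIX, [ref]))
    print(ach_rank(add_evidence(MATRIX, "V", {"H1": "I", "H2": "C", "H3": "C"})))
```

With the sample matrix H2 has one inconsistent item and H1 and H3 two each, so H2 ranks first; adding a fifth evidence column that is inconsistent with H1 pushes H1 to three without touching the producer's original matrix, which is the "X + Y reasons" case the first message describes.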