EclecticIQ Blog
Published in

EclecticIQ Blog

Moving past the STIX 2.1 Opinion Object

Opinion Object in STIX 2.1
  • The inability to structure information from vendors testing competing hypotheses
  • The inability to identify which hypothesis was determined to score the strongest from the set of hypotheses being tested
  • The inability to separate an alternate/proposed reality from a confirmed reality
  • How can we identify patterns in authors’ assessments over time? (i.e. show me what the world looks like when PROVIDER A’s hypotheses are true.)
  • How can we identify evidence that is consistently being used to support multiple hypotheses over time? (i.e. exploiting CVE-X-X as an initial attack vector is used as evidence to support more than one hypothesis.)
  • How can we identify patterns or trends when undertaking threat actor attribution? (i.e. show me all hypotheses that support attribution of a Russian Advanced Persistent Threat or ‘APT’.)
  • How can we measure the predictability or the sophistication of a threat actor? (i.e. more than 80 per cent of our hypotheses on this threat actor were correct; or less than five per cent were correct, so clearly this threat actor changes tactics and is unpredictable.)
  • The current Opinion Object specification does not address how the community should use and apply the Opinion Object. As we have discovered, while STIX is very flexible, analysts from the same team may end up modelling the same dataset or intrusion set differently.
  • One of the largest caveats of the Opinion Object is that sharing communities are still encouraged to provide clear guidelines to their constituents regarding best practice for the use of the Opinion Object. This means there is no fundamental agreement on when and how to best use this Object.
  • The Opinion Object does not apply any additional structure beyond a free-text ‘explanation’ as to why an author has an opinion in the first place.
  • There is no way to consistently track or see patterns in ‘explanations’ for Opinions over time



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store

EclecticIQ is a global threat intelligence, hunting and response technology provider. Its clients are some of the most targeted organizations, globally.