Enhance OCSF object definitions - Anchoring definitions using the D3FEND Ontology

[netfl0]

Schemas and ontologies are related, but also serve quite different purposes. However (and ideally), they are complementary and compatible.

There is an opportunity to use D3FEND's ontology (a formal and semantic graph-like structure) to enhance the object definitions in the OCSF.

There is currently significant commonality between D3FEND classes and OCSF objects.

A simple example is these two identical concepts for File:

• https://schema.ocsf.io/objects/file
• https://next.d3fend.mitre.org/dao/artifact/d3f:File/

D3FEND includes an large taxonomy of File types and their associated definitions:

• https://next.d3fend.mitre.org/taxonomies/d3f:File/

With other taxonomies available as well:

• https://next.d3fend.mitre.org/taxonomies/

Proposed approach:
Identify shared elements, improve and adopt D3FEND definitions for the OCSF objects with a "defined by" link on the OCSF web pages, linking to the D3FEND Artifacts. Additionally, define a simple agile process to add new things to D3FEND as OCSF development continues so that this process does not impede any OCSF work or slow down progress.

We can envision many benefits of doing this:

• D3FEND and OCSF can eventually align on fields/properties/attributes of the D3FEND Classes and OCSF objects. D3FEND has not modeled the data properties on classes as we wanted to do this with a community, OCSF seems perfect for this.
• OCSF benefits from D3FEND ontological inference producing results for users and giving them more ideas on what analytics they could develop when looking at OCSF and pivoting to D3FEND web pages
  • For example, what types of attacks and defenses are available for a specific type of File, a Configuration File
  • etc.

D3FEND is licensed in order to be used in this way.

[pagbabian-splunk]

This is a great idea Peter - we can add the links and references to the schema server as I have seen prototyped by @rroupski . We may want to flesh out some details further and include in a 1.1 as schema references.

[netfl0]

That sounds great @pagbabian-splunk. Thank you. Here is a bit more discussion:

Creating a "defined by" relationship, perhaps a stronger one that just a reference, would be ideal. This would encourage both D3FEND and OCSF to create more precise definitions collaboratively where possible.

I believe with a proper process we can even do this without impeding OCSF schema development speed and flexibility. For example, OCSF will add objects at will, perhaps checking the D3FEND ontology to see if definitions exist. If not, create the new OCSF object and then we can add to D3FEND later, and potentially refine each in future releases. This will keep both models improving precision over time.

[JasonKeirstead]

Open question on why D3FEND vs the bunch of other cybersecurity ontologies in the wild. There are too many, and I would hardly say D3FEND is a de-facto leader here.

This is part of the work trying to be tackled at https://lists.oasis-open-projects.org/g/oca-ontology, although that group took a hiatus.

[netfl0]

@JasonKeirstead That's a fair question. The use case for an ontology is what drives its modeling approach, scope, and various design decisions.

I believe the use case for D3FEND (inferentially relating defense to offensive through a detailed architecture model) uniquely aligns with OCSF's schema objectives, which is why there is currently a lot of shared terminology between OCSF and D3FEND even now.

I'm happy to compare the D3FEND ontology to something else you may have in mind so let me know but it's hard to speak in generalities beyond my statement above.