Stix Difficulties: No STIX-wide way to handle aliases #76

@terrymacdonald

PROBLEM

Different Organizations call different entities different things. It is often difficult to understand that two Objects with different names are actually the same thing. We currently don't have a way to track aliases that will apply to all STIX data objects. At present you can track Aliases in only a few objects – for example the Threat Actor Object via Related Identities. We need to be able to do this for all the Objects, such as TTPs, Campaigns and the like.

In many ways this is similar to the deduplication problem.

POTENTIAL ANSWER

There are a few ways this could be achieved:

  • We could provide an Alias object, and have a relationship type of ‘also_known_as’ to allow certain specific objects to be known with other identifiers.
  • We could use the ‘Investigation/Tag’ object as a label/tag facilitator, and use it to ‘group’ the objects that use the alias together.
  • Another option is to just deal with it using the de-duplication processes mentioned earlier, and to directly relate the two Objects together as per section 3 – “Deduplication is difficult”.

It probably makes sense to use the last option as it reuses the relationship object to its fullest extent, and reduces the amount of extra Objects STIX needs to support.
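The sketch below is an added example, not code from the issue or from the STIX project. It shows how a consumer could resolve alias groups when objects are related pairwise, as the last option suggests. Only the `also_known_as` label comes from the issue. The object layout, the `(source, relationship, target)` tuples, the ids, the names and the same-type rule are assumptions made for illustration.

```python
from collections import defaultdict

# Relationship label proposed in the issue; the data layout is assumed.
ALIAS_TYPES = {"also_known_as"}

# Constructed sample data (not real intelligence, not STIX schema).
OBJECTS = [
    {"id": "campaign-1", "type": "campaign", "name": "Operation Alpha"},
    {"id": "campaign-2", "type": "campaign", "name": "ALPHA-WAVE"},
    {"id": "campaign-3", "type": "campaign", "name": "Spring Activity"},
    {"id": "ttp-1", "type": "ttp", "name": "Example Loader"},
    {"id": "ttp-2", "type": "ttp", "name": "ExLoad"},
    {"id": "ttp-3", "type": "ttp", "name": "Unrelated Tool"},
]
RELATIONSHIPS = [  # (source, relationship, target)
    ("campaign-2", "also_known_as", "campaign-1"),
    ("campaign-3", "also_known_as", "campaign-2"),  # transitive link to campaign-1
    ("ttp-1", "also_known_as", "ttp-2"),
    ("ttp-3", "uses", "campaign-1"),                # not an alias relationship
    ("ttp-3", "also_known_as", "campaign-1"),       # type mismatch, ignored
]

def alias_groups(objects, relationships):
    """Return {canonical_id: sorted member ids} for each alias cluster."""
    parent = {o["id"]: o["id"] for o in objects}
    kind = {o["id"]: o["type"] for o in objects}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for src, rel, dst in relationships:
        if rel not in ALIAS_TYPES:
            continue
        if src not in parent or dst not in parent:
            continue  # dangling reference: object absent from this data set
        if kind[src] != kind[dst]:
            continue  # assumption: aliases only link objects of the same type
        a, b = find(src), find(dst)
        if a != b:
            lo, hi = sorted((a, b))
            parent[hi] = lo  # smallest id becomes the canonical id

    groups = defaultdict(list)
    for oid in parent:
        groups[find(oid)].append(oid)
    return {root: sorted(m) for root, m in groups.items() if len(m) > 1}
```

Because alias links arrive pairwise and from different producers, the resolver has to follow them transitively; a union-find structure does that in one pass and gives every cluster a stable canonical id.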