
cti-stix message



Subject: Recap of the Aug STIX SC Monthly Meeting call yesterday (with a few added details)


We wanted to thank everyone who was able to make the STIX SC Monthly meeting call yesterday.
For those who were not able to make the call we wanted to let you know about some of the discussion that occurred.
Below is a recap with some added detail fleshed in in some places.

STIX 1.2.1 status update
Work on the STIX 1.2.1 specifications is progressing.
  • Worked with OASIS folks and now have OASIS document templates for all parts of STIX language specs
    • STIX Version 1.2.1 Part 1: Overview. [URI]
    • STIX Version 1.2.1 Part 2: Common. [URI]
    • STIX Version 1.2.1 Part 3: Core. [URI]
    • STIX Version 1.2.1 Part 4: Indicator. [URI]
    • STIX Version 1.2.1 Part 5: TTP. [URI]
    • STIX Version 1.2.1 Part 6: Incident. [URI]
    • STIX Version 1.2.1 Part 7: Threat Actor. [URI]
    • STIX Version 1.2.1 Part 8: Campaign. [URI]
    • STIX Version 1.2.1 Part 9: Course of Action. [URI]
    • STIX Version 1.2.1 Part 10: Exploit Target. [URI]
    • STIX Version 1.2.1 Part 11: Report. [URI]
    • STIX Version 1.2.1 Part 12: Extensions. [URI]
    • STIX Version 1.2.1 Part 13: Data Marking. [URI]
    • STIX Version 1.2.1 Part 14: Vocabularies. [URI]
    • STIX Version 1.2.1 Part 15: UML Model. [URI]
  • In process of migrating spec content from pre-OASIS form into the templates
    • Work being done by MITRE people who edited the original pre-OASIS documents
    • Drafts for Overview and Core documents are mostly done
      • Working through editing, formatting, policy details with OASIS
    • Estimate it will only take a few hours per document for the rest
  • Estimated future timeline
    • It is estimated that all existing documents should be completely migrated to OASIS drafts sometime Aug 28 – Sep 4
    • Once the drafts are completed they will be posted to the STIXProject/specifications repository and the SC members will have 1 week to review before recommending them to the TC for consideration as a Committee Specification Public Review Draft. The short review window is due to the fact that the 1.2.1 version of the specs should have no substantive structural or semantic changes from the 1.2 version.
      • **At this point in the process, the STIX SC plans to initiate formal kickoff of the STIX 2.0 work product**
    • Once at the TC level, it is expected that it will be rapidly issued as a Committee Specification Public Review Draft with the requisite minimal public comment window of 30 days.
    • Once the public comment period is ended and all comments disposed of (due to the defined scope of the 1.2.1 release it is expected that any changes due to comments will be non-material in nature) the TC will move as quickly as possible to call for a TC Special Majority Vote to approve the documents as a Committee Specification.

STIX tools update
Work continues on maintaining and refining the various programmatic support resources (APIs, utilities, etc.) for STIX.
  • An update for the OpenIOC->STIX tool was released with support for STIX 1.2
  • An updated release is in process and soon forthcoming for the STIX2HTML tool with support for STIX 1.2
  • An updated release is in process and soon forthcoming for the STIXviz tool with support for STIX 1.2

Ideas for HOW we do work
A discussion occurred around the tools and processes that we as an SC feel are needed/appropriate to support our ongoing work.
  • Leveraging github for specification draft distribution, issue trackers, wikis, and potentially other capabilities
  • Input is requested from SC members on any technical enabler gaps that may exist or ideas for potential solutions
  • What does the SC think of establishing an official STIX SC Secretary? (feedback on call was mostly positive)
  • The STIX SC work processes for developing work products were briefly discussed in the context of STIX 1.2.
    • Active discussions were encouraged but a reminder was given that such discussions are only informal until we officially kickoff the STIX 2.0 work product effort at which point we will need to follow a more formal deliberative process.
    • I will be sending out in a separate mail the proposed outline for our STIX 2.0 language specification development process
    • Explicit encouragement for contributions beyond just thoughts
      • As work product efforts are stood up, editors will be needed
      • Contributions of use cases, conceptual models, schema structures, normative or informative language suggestions, test data, etc. will be invaluable to collaborative progression
        • MITRE folks will continue to be involved but we will need a broader base of active contributors going forward

Use Cases
  • The need for Use Cases has been repeatedly raised
    • Use cases have always been driving STIX/TAXII/CybOX but they have not been explicitly codified
      • Under formal governance we need to do this
    • This topic is being discussed across the SCs at the TC level not just for STIX
    • We need to capture comprehensive set of use cases for STIX
      • Suggestion: Initial capture and evolution in a github wiki
      • Suggestion: Identifying a volunteer to help coordinate this activity

Once again, we would like to thank all of those who were on the call.
And for all of those who were not, we hope you can join next time and encourage you to ask questions or offer opinions on any of the above topics as a response to this thread on the discussion list.

Thank you,

Sean Barnum
CTI STIX SC Co-chair


