[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [EXT] Re: [cti-stix] Updated report proposal
I think we need to stay more close to what the content creator is trying to say. I believe what the MISP people are saying is if the content is verified or unverified. is_automation_ready is trying to tell people what to do or not do with the content, and that is data markings. Saying that content is not finished or not verified to be true, is different than trying to say you can or should not automate on it.
You may have groups that live at the edge and are willing to break things in every effort to block anything remotely bad, even if it has not yet been verified. But doing so, means you might break things. This is why a verified and unverified seems to make more sense.
Bret From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Sean Barnum <sean.barnum@FireEye.com>
Sent: Wednesday, September 20, 2017 9:09:07 AM To: Allan Thomson; Wunder, John A.; cti-stix@lists.oasis-open.org Subject: [EXT] Re: [cti-stix] Updated report proposal I would agree with Allan that any STIX content is "automatable".
That is why I suggested "is_automation_ready" in an attempt to convey an assertion by the producer that it is ready. Maybe this still has the same issue though.
Get
Outlook for iOS
From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
Sent: Wednesday, September 20, 2017 11:05:53 AM To: Wunder, John A.; cti-stix@lists.oasis-open.org Subject: Re: [cti-stix] Updated report proposal Hi John – All CTI whether it’s this object or not is automatable (and often is).
I suggest we use a different term than that.
Will provide suggestions in the google doc.
Allan Thomson, CTO, Lookingglass Cyber Solutions This electronic message transmission contains information from LookingGlass Cyber Solutions, Inc. which may be attorney-client privileged, proprietary and/or confidential. The information in this message is intended only for use by the individual(s) to whom it is addressed. If you believe that you have received this message in error, please contact the sender, delete this message, and be aware that any review, use, disclosure, copying or distribution of the contents contained within is strictly prohibited
From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of "Wunder, John" <jwunder@mitre.org>
Hey everybody…a slight update to the proposal below. After talking to Andras and Sean, I updated the “Grouping” proposal to remove the published field and add an “automatable” property. When “automatable” is true, consumers should assume that the content is finished enough to automate. When “automatable” is false, they should assume it’s preliminary and not take action.
John
From: <cti-stix@lists.oasis-open.org> on behalf of John Wunder <jwunder@mitre.org>
Hey everybody,
Thanks for weighing in. Given that we’re seeing some people changing their opinions here, I’d ask that if you have an opinion on this topic and haven’t yet weighed in over e-mail that you please do so. If you think they should be two objects and haven’t yet responded here, please let us know. If you think it should be a single object, please let us know. If we get enough consensus over e-mail we can avoid a ballot, but having gone back and forth a few times on this (I think I’ve developed 5-6 proposals for this topic) I’d like to have responses in e-mail rather than just on the working call.
Also, if we do end up going with two objects, I’d like to have a proposal prepared for the Grouping object. Rich and I had previously developed a “Collection” object to capture this data, I just renamed it to Grouping and added it to the working concepts document. It has almost the same fields as Report, but the “published” property is optional (allowing the MISP team to indicate whether the report is published by either omitting or including that property) and the description is different to allow for the different semantics. Please review it here: https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.t56pn7elv6u7 (it’s right under Report). I believe that if we go with that approach we can dispense with the “status” vocabulary and other changes to the Report object that have been discussed, given we’ll have the optional published property on Grouping and there hasn’t been a strong need identified for “status” on report other than to support this use case.
John
From: Allan Thomson <athomson@lookingglasscyber.com>
Allan Thomson, CTO, Lookingglass Cyber Solutions This electronic message transmission contains information from LookingGlass Cyber Solutions, Inc. which may be attorney-client privileged, proprietary and/or confidential. The information in this message is intended only for use by the individual(s) to whom it is addressed. If you believe that you have received this message in error, please contact the sender, delete this message, and be aware that any review, use, disclosure, copying or distribution of the contents contained within is strictly prohibited
From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of "Wunder, John" <jwunder@mitre.org>
All, I wanted to re-up this since we just discussed it on the working call. The proposal is here: https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.y3otj21tnvuj
As a reminder, this topic is meant to address a need MISP brought up to share collections of threat intelligence (they call them “Events”) that are not at the level of a published report but need to be shared as a cohesive set with some shared context (title, description, labels, etc.)
We still have three open questions:
I think we’re VERY close to finally figuring this one out, so please let us know what you think. My opinions are:
Thanks! John
From: <cti-stix@lists.oasis-open.org> on behalf of John Wunder <jwunder@mitre.org>
Sorry about that…somewhat ironically, after there were problems with finding all of the stuff we were working on, I moved it over to the Working Concepts doc later last week: https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.y3otj21tnvuj
John
From: Sean Barnum <sean.barnum@FireEye.com>
I don’t see any proposal in the linked doc.
I would object to attempts to conflate these two objects together. I believe I have given clear reasoning for this position in the past.
Sean Barnum Principal Architect FireEye M: 703.473.8262 E: sean.barnum@fireeye.com
From: <cti-stix@lists.oasis-open.org> on behalf of "Wunder, John A." <jwunder@mitre.org>
All,
As I mentioned in an e-mail yesterday, based on the straw poll that we had on the August 29 working call (notes here: https://www.oasis-open.org/committees/download.php/61462/OASIS-CTI-TC_WorkingSession_August29_2017.pdf) I put together a proposal to modify the report object to cover the concept of an evolving collection of content (i.e., the MISP use case).
Proposal is here: https://docs.google.com/document/d/1wiG6RoNEFaE2lrblfgjpu3RTAJZOK2q0b5OxXCaCV14/edit#heading=h.n8bjzg1ysgdq
The changes are:
On the call most folks seemed to think that the best option was to modify the Report object, but we did have a couple open questions:
Thanks, John This email and any attachments thereto may contain private, confidential, and/or privileged material for the sole use of the intended recipient. Any review, copying, or distribution of this email (or any attachments thereto) by others is strictly prohibited. If you are not the intended recipient, please contact the sender immediately and permanently delete the original and any copies of this email and any attachments thereto. |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]