FYI on STIX COA Roadmap and relation to Lang Spec Roadmap

-------- Original Message --------
Subject: [cti-stix] STIX COA Roadmap
From: "Jyoti Verma (jyoverma)" <jyoverma@cisco.com>
Date: Thu, September 21, 2017 2:16 am
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>

CTI TC,

The COA mini group has been meeting on a weekly basis since a couple of weeks and we’ve put together a roadmap for the goals/features that we would like to address across 3 STIX releases. The mini group gave a readout on the Sept 19^th working call and the slides we presented are here – https://docs.google.com/presentation/d/1be_i8zcIlsmo_sStB8jeAp33sah-z7SgVGw_eRm1omc/edit?usp=sharing

In the first release, we would be solving the following 5 features for manual/automated COAs. For automated COAs, the group discussed using OpenC2 if the timelines align. More details on the complete roadmap and use cases can be found in the working draft here - https://docs.google.com/document/d/1zXV5WEmyLUbKiSpuHgywu5-LLrJVd91d7OP3nQBB7qM/edit#.

Feature	Description	Example
Preventative Static COAs	Literal COAs tied to indicator or other objects. No need to wait for anything to fire.	SANS Top 20 controls or blacklist domains
Mitigative or Remediative Static COAs	All information to take the action is statically configured and known a-priori.	Block evildomain.com Deny traffic to and from 10.0.0.1 Delete Registry key
Accommodating multiple actions	Single COA representing multiple steps	Cleaning up malware from Windows Desktop - safe mode, kill process, delete key, delete file, etc.
Basic Sequencing	The order in which COAs should be executed	1->2->3->4
Allow parallel processing	Allow the actions to define if they can be done in parallel or if they need to be done one at a time	1->2 3->4

If there are objections to this list, please let us know within 14 days. You can send your comments by replying to this email or in the COA channel on Slack.

Thanks,

STIX COA mini group

openc2-lang message