Re: [openc2-lang] FYI on STIX COA Roadmap and relation to Lang Spec Road

Hi Duncan – Several of the STIX TC are involved in both. Encouraging further collaboration across the groups is a good idea.

I personally believe that OpenC2 *should* be a COA supported mapping within STIX but have realistic/pragmatic reasons why it will not be the only COA language supported.

That said, we are a fan of making sure OpenC2 is a standard that can be used by STIX.

regards

Allan Thomson,

CTO, Lookingglass Cyber Solutions

This electronic message transmission contains information from LookingGlass Cyber Solutions, Inc. which may be attorney-client privileged, proprietary and/or confidential. The information in this message is intended only for use by the individual(s) to whom it is addressed. If you believe that you have received this message in error, please contact the sender, delete this message, and be aware that any review, use, disclosure, copying or distribution of the contents contained within is strictly prohibited

From: <openc2-lang@lists.oasis-open.org> on behalf of "duncan@sfractal.com" <duncan@sfractal.com>
Date: Thursday, September 21, 2017 at 6:46 AM
To: openc2-lang <openc2-lang@lists.oasis-open.org>
Subject: [openc2-lang] FYI on STIX COA Roadmap and relation to Lang Spec Roadmap

Attached is an email abourt the STIX Course of Action and how they may use OpenC2. Since the sentence "For automated COAs, the group discussed using OpenC2 if the timelines align" could be also be interpreted as "or not if they don't", I thought I would forward to LSC to help in our establishing a timeline ourselves.

I think we may want to send an official liaison from LSC to CTI STIX TC encouraging we work together and that they do use OpenC2 and ask what it is they need from us by when.

Duncan Sparrell

sFractal Consulting LLC

iPhone, iTypo, iApologize

-------- Original Message --------
Subject: [cti-stix] STIX COA Roadmap
From: "Jyoti Verma (jyoverma)" <jyoverma@cisco.com>
Date: Thu, September 21, 2017 2:16 am
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>

CTI TC,

The COA mini group has been meeting on a weekly basis since a couple of weeks and we’ve put together a roadmap for the goals/features that we would like to address across 3 STIX releases. The mini group gave a readout on the Sept 19^th working call and the slides we presented are here – https://docs.google.com/presentation/d/1be_i8zcIlsmo_sStB8jeAp33sah-z7SgVGw_eRm1omc/edit?usp=sharing

In the first release, we would be solving the following 5 features for manual/automated COAs. For automated COAs, the group discussed using OpenC2 if the timelines align. More details on the complete roadmap and use cases can be found in the working draft here - https://docs.google.com/document/d/1zXV5WEmyLUbKiSpuHgywu5-LLrJVd91d7OP3nQBB7qM/edit#.

Feature

Description

Example

Preventative Static COAs

Literal COAs tied to indicator or other objects. No need to wait for anything to fire.

SANS Top 20 controls or blacklist domains

Mitigative or Remediative Static COAs

All information to take the action is statically configured and known a-priori.

Block evildomain.com

Deny traffic to and from 10.0.0.1

Delete Registry key

Accommodating multiple actions

Single COA representing multiple steps

Cleaning up malware from Windows Desktop - safe mode, kill process, delete key, delete file, etc.

Basic Sequencing

The order in which COAs should be executed

1->2->3->4

Allow parallel processing

Allow the actions to define if they can be done in parallel or if they need to be done one at a time

1->2

3->4

If there are objections to this list, please let us know within 14 days. You can send your comments by replying to this email or in the COA channel on Slack.

Thanks,

STIX COA mini group

--------------------------------------------------------------------- To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php

openc2-lang message