Subject: Re: [cti-stix] STIX 2.0 Architecture - Relationships, Sightings, and Targeting


Mark, 

I agree that it makes sense for everyone to be aware of a range of specific identified issues that all deal with some architectural-level refactoring within STIX.
I do not think it is appropriate for us to try to tackle detailed discussion or proposed solutions to these issues all at once, but understanding the range of proposed issues on the table will help us to identify potential dependencies and architectural significance factors in order to prioritize which we need to tackle first and which ones we should consider and revisit as we move through them.

So some of the key ones that I think we should all be aware of are:

Abstracting Relationships (#291)
Abstracting Sightings (#306)
Abstracting Victim to separate construct (#149)
Abstracting Asset to separate construct (#234)
Abstracting Source to separate construct (#233)
Creating new Actor(Identity) construct to act as basis for identity type constructs (Threat Actor, Source, Victim, new Defense Actor?, new 3rd Party Actor?) (#235)
Creating new IDable Construct (or some other name) construct to act as common basis for all IDable constructs (defining id, idref, timestamp, Title, Description, etc. properties in one place) (#372)
Clarify semantics of different types of TTPs as expressed in the TTP construct (#360)
Creating a new top-level Action construct to act as common basis for human-oriented actions or action decisions (#374)

I make no assertion that this is the complete list of such issues. 
If you know of another issue at this level that has an entry in the tracker already, please point it out by number. 
If you would like to propose another issue at this level that is not yet in the tracker, please create a new issue for it in the tracker and then point it out by number.

sean
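
To make the refactoring proposals in the list above concrete, the following Python sketch is an added illustration written for this archive page; it is not STIX code, not the STIX project's data model, and not part of either message in the thread. The class names (IDable, Identity, Relationship, Sighting), the field names ending in _ref, and the sample bundle are assumptions standing in for issues #372, #235, #291 and #306. It shows what a consumer gains once relationships and sightings are top-level objects that reference other objects by id: a third party can assert "indicator X targets victim Y" or "source Z sighted X" without editing either object, and the consumer can check referential integrity before trusting such assertions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class IDable:
    """Hypothetical common base (the idea behind #372): id, timestamp,
    title and description are defined once instead of in every construct."""
    id: str
    timestamp: str
    title: str = ""
    description: str = ""


@dataclass
class Indicator(IDable):
    pattern: str = ""


@dataclass
class Identity(IDable):
    """Stand-in for the proposed Actor/Identity base (#235); 'role' is an
    assumed field used to mark source vs. victim in the sample data."""
    role: str = ""


@dataclass
class Relationship(IDable):
    """Top-level relationship (#291): links two objects by id, so it can be
    asserted by someone who does not own either object."""
    source_ref: str = ""
    target_ref: str = ""
    relationship_type: str = ""


@dataclass
class Sighting(IDable):
    """Top-level sighting (#306): who observed which object, how often."""
    sighting_of_ref: str = ""
    observed_by_ref: str = ""
    count: int = 1


# Every field (in this hypothetical model) that holds a reference to another id.
REF_FIELDS = ("source_ref", "target_ref", "sighting_of_ref", "observed_by_ref")


def index_bundle(objects: List[IDable]) -> Dict[str, IDable]:
    """Map id -> object, refusing duplicate ids (a common base makes this uniform)."""
    idx: Dict[str, IDable] = {}
    for obj in objects:
        if obj.id in idx:
            raise ValueError(f"duplicate id {obj.id}")
        idx[obj.id] = obj
    return idx


def dangling_refs(objects: List[IDable]) -> List[Tuple[str, str, str]]:
    """Return (object id, field, missing ref) for every reference that does not
    resolve inside the bundle. A consumer should quarantine such objects rather
    than silently accept a relationship or sighting about an unknown object."""
    idx = index_bundle(objects)
    problems: List[Tuple[str, str, str]] = []
    for obj in objects:
        for field_name in REF_FIELDS:
            ref = getattr(obj, field_name, None)
            if ref and ref not in idx:
                problems.append((obj.id, field_name, ref))
    return problems


def sightings_of(objects: List[IDable], target_id: str) -> List[Sighting]:
    """All top-level sightings that point at target_id."""
    return [o for o in objects if isinstance(o, Sighting) and o.sighting_of_ref == target_id]


def related(objects: List[IDable], object_id: str) -> List[Tuple[str, str]]:
    """(relationship_type, other id) for every relationship touching object_id,
    followed in either direction, without the object itself embedding anything."""
    out: List[Tuple[str, str]] = []
    for o in objects:
        if isinstance(o, Relationship):
            if o.source_ref == object_id:
                out.append((o.relationship_type, o.target_ref))
            elif o.target_ref == object_id:
                out.append((o.relationship_type, o.source_ref))
    return out


# Constructed sample bundle; every id, title and value below is made up.
T = "2015-10-26T00:00:00Z"
BUNDLE: List[IDable] = [
    Indicator("indicator--1", T, title="Beacon domain", pattern="domain = example.invalid"),
    Identity("identity--vendor", T, title="Vendor X", role="source"),
    Identity("identity--acme", T, title="ACME Corp", role="victim"),
    Relationship("relationship--1", T, source_ref="indicator--1",
                 target_ref="identity--acme", relationship_type="targets"),
    Sighting("sighting--1", T, sighting_of_ref="indicator--1",
             observed_by_ref="identity--vendor", count=3),
    # A sighting of an object that was never shared with us: must be flagged.
    Sighting("sighting--2", T, sighting_of_ref="indicator--missing",
             observed_by_ref="identity--vendor"),
]

if __name__ == "__main__":
    print("dangling:", dangling_refs(BUNDLE))
    print("related to identity--acme:", related(BUNDLE, "identity--acme"))
    print("sightings of indicator--1:", [s.id for s in sightings_of(BUNDLE, "indicator--1")])
```

The point of the sketch is the shape, not the names: once Relationship and Sighting live beside the objects they describe rather than inside them, integrity checks and "who said what about whom" queries become one generic pass over the bundle instead of per-construct special cases.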

From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of Mark Davidson <mdavidson@mitre.org>
Date: Monday, October 26, 2015 at 8:53 AM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: [cti-stix] STIX 2.0 Architecture - Relationships, Sightings, and Targeting

As I followed the list traffic over the past week or so, I couldn’t help but feel like we’re at a level of abstraction lower than we need to be. Consider the very good IndicatorType / Vocabulary discussion – I spent some time thinking about how we’ll keep track of the discussion’s outcome and the many similarly scoped discussions (See: 154 open issues [1]) that will occur as we work toward the future. I think there’s such a volume of interdependent factors that we’ll have a hard time deciding any particular issue without also considering all other open issues – something that feels a bit insurmountable given the sheer volume of topics. (Note: This is in the context of STIX 2.0 - I feel that updating the vocab for STIX 1.2.1 is a separate discussion and I am not trying to make a statement about it).

With that in mind, I challenged myself to come up with a higher level topic that might help us move forward. I don’t particularly care if my topic gets picked or not, but I do think we need to be a level of abstraction higher to start. IMO, a good topic for discussion would be: What should the STIX 2.0 Architecture look like?

 

The architecture was touched on in a few of the earlier cti-stix discussions (Relationships, Sightings, Targeting), which IMO makes the architecture a good candidate for early discussion. I’ve thrown together a notional diagram containing STIX 1.2 components [2] and the top level objects that have been discussed so far (please let me know if I missed yours!).

My hope is that by raising this topic we can identify dependencies, preconditions, and differences of opinion. If we need to know more about relationships before we can move forward – what are those things? As with any early stage discussion, there will be open items that can only be resolved later on; my hope is that we can reach a common starting point.

 

Thank you.

-Mark

P.S. In terms of following the process stated in STIX SC call, please consider this message my vote for the STIX architecture being the highest priority topic to work through.

[1] https://github.com/STIXProject/schemas/issues

[2] http://stixproject.github.io/data-model/


