
cti-stix message



Subject: Action items and topics, 6/6 Working Call


Jane will send the official complete notes once they’re finalized (she’s waiting on something from me). I just wanted to get this brief (well, briefer) writeup on action items and current status out there.

 

John

 

Status Updates and Items to Review

Current motions

Review Aharon’s e-mail on the motion to approve the text for Boolean, List, Number, IDs and References, and Object Creator. That was initially sent the morning of 6/3 with a 5 business day review period, so will be accepted on 6/10 if there are no objections. If accepted, those sections will be marked “Consensus”.

 

Bundle: https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.c9oxowopqs2

Haven’t heard any objections to accepting as-is, so I’ll make a motion to accept this item on Thursday morning. Note: ID is currently present as a required field and most_restrictive_markings are removed. Also, bundle currently contains lists of TLOs. As we accept new TLOs as MVP we’ll keep that field list up to date. If you don’t see your favorite TLO there, you can be assured that it will be as soon as we accept it for inclusion in MVP.

 

Campaign: https://docs.google.com/document/d/1F1c05GgYaJFV1Z04B8c_T3vEE-LRQTPExF24LvOQAsk/edit#heading=h.pcpvfz4ik6d6

Haven’t heard any objections to accepting as-is, so I’ll make a motion to accept this item on Thursday morning.

 

Object Level Markings: https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.f3dx2rhc3vl

Haven’t heard any objections to accepting as-is, so I’ll make a motion to accept this item on Thursday morning.

 

External IDs: https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.cez46v5quobo

Still a bit of cleanup, but should be very close. I’m moving this to the “Review” phase.

 

Kill Chains: https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.i4tjv75ce50h

We seem to be reaching consensus here and have a defined structure, so I’m moving this topic to the “Review” phase.

 

Report: https://docs.google.com/document/d/1F1c05GgYaJFV1Z04B8c_T3vEE-LRQTPExF24LvOQAsk/edit#heading=h.n8bjzg1ysgdq

Still an open conversation on published_date.

 

 

Intrusion Set, Infrastructure

Gary is working on these objects, will have proposals shortly.

 

Discussion Topics

Status Updates

DHS/MITRE have committed people to sending regular status updates and actually keeping the STIX 2.0 development page up to date.

 

Add Agenda item for XMPP Grid in TAXII

We will add this topic to the agenda for next week.

 

PII Fields in CybOX

Allan talked through his proposal for matching PII fields in CybOX. There was general agreement that it was an important capability that CybOX needs to provide an ability for. Jason and Ivan felt that the current patterning proposal in combination with the Artifact and Network Connection/Flow objects could support the capability. Ivan will put together an example demonstrating this and work through it offline.

 

Malware, Malicious Tool, Tool

A large group talked through several alternatives. Jason suggested an approach where there’s a “weapon” object, capturing both malware and malicious-tool, as well as a tool object. The combination of those objects seemed to support most use cases and models. John will put together some text on this and some examples of how it will work, working on Slack and presenting the results to the list.

 

Encoding issues

Eric Burger was able to be on the call and outlined his reasoning for removing it. Others agreed, including Mark Davidson, who would like to remove it for now from the drafts, evaluate how tools use it, and then figure out what statements we need. Jason pointed out that it could be solved by a response type in TAXII saying the entity was too big. Terry was concerned about attacks (sending huge documents). The decision was made to suggest removing all normative statements regarding string length from the documents and, if that has objections, holding a ballot.

 

Calls for Volunteers

Several new topics need to be kicked off:

- Identity, Target, Threat Actor (very interdependent because they include identity info)

- Course of Action

- Incident and Asset

 

Note: just because those items are now on the list doesn’t mean they’ll be added as TLOs. We need people who are interested in them to work through the issues and propose ideas. If you’d like to work in the early concept development phase of any of those issues, please respond on the list or Slack.

 

Thanks everyone,

John


