OASIS Mailing List Archives

cti-stix message



Subject: Action items from 6/21 Working Call


All,

 

Jane will have more detailed notes, here are just the action items that I noted. Thanks for dialing in!

 

John

 

Object Markings

Leadership will open a ballot to approve this section as-is.

Action Item: When the ballot is opened, please vote

 

Report

There were a bunch of questions about the definition of published_date. The editors took a look and made a few changes:

- Renamed published_date to published (it was weird to call it published_date since it was a timestamp)

- Added a published_precision field, per our timestamp consensus

- Given Allan’s objection and our thoughts, removed an addition from JMG saying that published date shouldn’t be updated.

 

Report is now ready for a motion, which I will send out in a separate e-mail. If anybody is unhappy with those changes and the result we can withdraw that motion and figure it out, but we’re pretty confident that it’s good.

 

Action Item:

1. Review the published_time field on report, and report as a whole. Wait for motion to declare as consensus.

2. Review and provide suggestions to the report intent vocab

 

Attack Pattern, Campaign, Vocab Fields, String, External References, and Kill Chains

I will make a motion on these in a separate e-mail. We cleaned up the text by removing normative statements on string length, and resolved a few comments on campaign and attack pattern. We also cleaned up some normative statements on external references and removed any direct ties to the LMCO kill chain from Kill Chains (due to IPR considerations). The items should all be ready for motions, which I’ll make in a separate e-mail.

 

Action Item:

1. Review all of those sections in advance of or after the motion to declare as consensus.

2. Review and provide suggestions to the motivation vocab (used by campaign)

 

Malware / Tool

Discussion seemed to align with what we talked about over e-mail, so I think we can move forward with the approach that’s been discussed. We moved the Tool TLO into the main TLOs document and added a labels field, as well as a tool-label-ov. We also did some general cleanup and removed open questions that had been resolved.

 

We will defer the MAEC topic until Ivan and Rich Struse are available, potentially beyond MVP.

 

Action Items:

1. Add a definition for malware as a suggestion in the google doc

2. Add a definition for tool as a suggestion in the google doc

3. Review/expand malware-type-ov

4. Create/review tool-type-ov

 

Asset / Infrastructure

We didn’t reach much consensus here. I will put together a writeup on the various proposals, with input on scenarios to consider for examples, and we can discuss on the lists and maybe the next call.

 

Action Item: Send me scenarios (preferably, links to CTI writeups) describing assets & infrastructure

 

External References on all TLOs

We need to decide whether external references will be on all TLOs. There was mixed opinion on the call, with maybe a slight (very slight) preference for it being on all TLOs. I’ll respond to revive the thread and we can discuss further.

 

Action Item: Respond to e-mail that will come. I’ll try to make this an easy “yes” or “no”, could definitely use broader opinions on this one.

 

Labels on all TLOs

Deferred, I’ll send out a separate e-mail on this one to kick off the discussion prior to the next call.

 


