Re: [cti-stix] STIX 2.0 Specification Questions

["Jason Keirstead" <Jason.Keirstead@ca.ibm.com>]

I have even an even more fundamental questions on the COA, as I posed on Slack.

Should the COA field in an Incident even point directly at COA *actions* at all, or should the COA be instead tied to a *Playboook* type of object, which may or may not be tied to one or more concrete actions? I think this would make sense. The "Playbook" is a named object, that has metadata, and also has relationships to a set of COA - this is where the OpenC2 comes in.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown


"Jordan, Bret" ---08/10/2016 01:09:27 AM---The terms I have heard in the past are: 1. Mitigate - This is a tune to a temporary fix through a co

From: "Jordan, Bret" <bret.jordan@bluecoat.com>
To: Allan Thomson <athomson@lookingglasscyber.com>
Cc: "Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 08/10/2016 01:09 AM
Subject: Re: [cti-stix] STIX 2.0 Specification Questions
Sent by: <cti-stix@lists.oasis-open.org>

---

The terms I have heard in the past are:

1. Mitigate - This is a tune to a temporary fix through a compensating control.  

2. Containment - This act can prevent the spread of the malware or stop it from progressing.  Some use mitigate and containment interchangeably, others view them as very different things.

3. Remediate - This is the real / permanent fix.  For example, removal of the malware from the machine.  For mitigation would be just preventing the malware from spreading by denying it at the firewall or proxy

4. Prevent - This is kind of a proactive step 

5. Investigate - The course of action is to investigate this thing.  


I know the OpenC2 has a series of Actions that they have assigned to a lot of different things..  It will be really interesting to see their proposal.  



Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

On Aug 9, 2016, at 17:53, Allan Thomson <athomson@lookingglasscyber.com> wrote:

Hi John –

Re: “Should we add “remediate” in as a distinct option from “mitigate”? Is the difference between those two terms well-understood, clean, and relevant for cyber threat intelligence sharing?”

I would say that remediate and mitigate are different terms and often are confused as the same thing when they are *not* the same thing.

Therefore, we should not use mitigate to mean both.

If the COA proposal has capability to do both then we should make it clear by using both terms. And therefore avoid ambiguity around these terms.

allan

[attachment "signature.asc" deleted by Jason Keirstead/CanEast/IBM]