cti-stix message



Subject: Re: [cti-stix] STIX 2.0 Specification Questions


Hi Craig – I generally agree but if we want to exchange between systems within an organization across systems operated/owned by the same org then having a construct to share the playbook name as part of standard STIX would be useful.

The fallback to that would be to have a custom object/attribute to convey the information, but I tend to think that where something is very common in many orgs (playbooks), why would STIX not support that?

allan

On 8/11/16, 8:13 AM, "Craig Brozefsky" <cbrozefs@cisco.com> wrote:

    Allan Thomson <athomson@lookingglasscyber.com> writes:

    > I think it's reasonable and a good idea that it could do both.
    >
    > For me, COA should be very flexible so that someone can be very
    > specific if they want to and provide their own actions (outside of
    > openC2) if needed.

    Playbooks strike me as being customer specific, and not something that
    is exchanged.  It is an organization's instruction set for the IR team,
    and it can include anything from "contact legal" to "nuke and pave the
    host" and have all sorts of logic and decision making embodied in it.

    Considering that, I'm not sure what role it plays in STIX as an intel
    expression/exchange standard.  We are preferring to use a rather generic
    and open-ended definition of CoA, and "run/reference playbook X" is just
    a CoA for us.

    --
    Craig Brozefsky
    Principal Engineer, AMP Threat Grid
    Cisco Security Business Group
    +1-773-469-8349



