
cti-stix message



Subject: Re: [cti-stix] STIX 2.0 Specification Questions


The Playbook would be an object, to which you could relationship to the OpenC2 actions in the Playbook (which are the semantic definition of "the content")

As to the argument that "organizations do not share their playbooks" - whether I agree with that specifically or not (not totally) - it doesn't matter because I can say that same thing about *a lot* of the things we are doing in STIX. STIX is about modeling cyber threat intelligence so that machines can produce and consume it and interact with each other. These machines you want to consume your STIX may be outside your organizational boundary, or in many cases, may be internal. Also, some subsets of information will be shared, while others will not. Just because something is seen as "never being shared" does not mean that it is not critical to model.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: Allan Thomson <athomson@lookingglasscyber.com>
To: Craig Brozefsky <cbrozefs@cisco.com>
Cc: Jason Keirstead/CanEast/IBM@IBMCA, "Jordan, Bret" <bret.jordan@bluecoat.com>, "Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 08/11/2016 12:27 PM
Subject: Re: [cti-stix] STIX 2.0 Specification Questions
Sent by: <cti-stix@lists.oasis-open.org>





Hi Craig – I think Jason was suggesting sharing the name/id of the playbook not the actual content of the playbook.

So I was thinking of it sharing an id that the other system would know how to look up that reference and determine what to do.

I agree attempting to define playbook content in STIX is not desired.

allan

On 8/11/16, 8:25 AM, "Craig Brozefsky" <cbrozefs@cisco.com> wrote:

   Allan Thomson <athomson@lookingglasscyber.com> writes:

   > Hi Craig – I generally agree but if we want to exchange between
   > systems within an organization across systems operated/owned by the
   > same org then having a construct to share the playbook name as part of
   > standard STIX would be useful.
   >
   > The fallback to that would be to have a custom object/attribute to
   > convey the information but I tend to think that where something that
   > is very common in many orgs (playbooks) then why would STIX not
   > support that.

   Playbooks may be common, but their structure, logic, and definition are
   not.  I've seen them range from text files and wiki pages, to
   spreadsheets, to python modules.  I think an exchange format for them is
   a ways off.

   PS: I'm sorry I didn't realize I can't post to the cti-stix list before
   responding, I'll get that remedied.

   --
   Craig Brozefsky
   Principal Engineer, AMP Threat Grid
   Cisco Security Business Group
   +1-773-469-8349






