Re: [cti-stix] STIX 2.0 Specification Questions

["Jordan, Bret" <bret.jordan@bluecoat.com>]

I agree with Jason...  We really need a way to make sure the concept of a COA works, can be used, and can evolve over time.  I also think having them linked to a Playbook is probably the most correct way to do it.

Thanks,

Bret

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Aug 11, 2016, at 09:13, Craig Brozefsky <cbrozefs@cisco.com> wrote:

Allan Thomson <athomson@lookingglasscyber.com> writes:

I think its reasonable and a good idea that it could do both.

For me, COA should be very flexible so that someone can be very
specific if they want to and provide their own actions (outside of
openC2) if needed.

Playbooks strike me as being customer specific, and not something that
is exchanged.  It is an organizations instruction set for the IR team,
and it can include anything from "contact legal" to "nuke and pave the
host" and have all sorts of logic and decision making embodied in it.

Considering that, I'm not sure what role it plays in STIX as a intel
_expression_/exchange standard.  We are preferring to use a rather generic
and open-ended definition of CoA, and "run/reference playbook X" is just
a CoA for us.

--
Craig Brozefsky
Principal Engineer, AMP Threat Grid
Cisco Security Business Group
+1-773-469-8349

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail