[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-stix] Re: [EXT] Re: [cti-stix] Updated report proposal
This is a good question. A few general guidelines might be:
I don’t think we should put that in the spec, but they seem like some general guidelines we could put in an FAQ or on the docs site. John From: <cti-stix@lists.oasis-open.org> on behalf of "Ted Bedwell (tebedwel)" <tebedwel@cisco.com> Lots of good viewpoints in this thread. I agree with the proposed solution. That said, as John mentioned, they are very similar. What guidance should we provide to implementers with respect to when to use
Report vs Grouping? Thanks, ~ted From: <cti-stix@lists.oasis-open.org> on behalf of "Wunder, John A." <jwunder@mitre.org> I agree with this. All, to sum up a long conversation we (myself, Bret, Andras, Alexandre, Sean, Jason) had on Slack…it seems like people are converging around the following option:
Thanks, John From: "Bret Jordan (CS)" <Bret_Jordan@symantec.com> I think we need to stay more close to what the content creator is trying to say. I believe what the MISP people are saying is if the content is verified or unverified. is_automation_ready is trying to tell people
what to do or not do with the content, and that is data markings. Saying that content is not finished or not verified to be true, is different than trying to say you can or should not automate on it. You may have groups that live at the edge and are willing to break things in every effort to block anything remotely bad, even if it has not yet been verified. But doing so, means you might break things. This
is why a verified and unverified seems to make more sense. Bret From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Sean Barnum <sean.barnum@FireEye.com> I would agree with Allan that any STIX content is "automatable". That is why I suggested "is_automation_ready" in an attempt to convey an assertion by the producer that it is ready. Maybe this still has the same issue though. Get
Outlook for iOS From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com> Hi John – All CTI whether it’s this object or not is automatable (and often is). I suggest we use a different term than that.
Will provide suggestions in the google doc. Allan Thomson,
CTO,
Lookingglass Cyber Solutions This electronic message transmission contains information from LookingGlass Cyber Solutions, Inc. which may be attorney-client privileged, proprietary and/or confidential. The information
in this message is intended only for use by the individual(s) to whom it is addressed. If you believe that you have received this message in error, please contact the sender, delete this message, and be aware that any review, use, disclosure, copying or distribution
of the contents contained within is strictly prohibited From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of "Wunder, John" <jwunder@mitre.org> Hey everybody…a slight update to the proposal below. After talking to Andras and Sean, I updated the “Grouping” proposal to remove the published field and add an “automatable” property. When “automatable”
is true, consumers should assume that the content is finished enough to automate. When “automatable” is false, they should assume it’s preliminary and not take action. John From: <cti-stix@lists.oasis-open.org> on behalf of John Wunder <jwunder@mitre.org> Hey everybody, Thanks for weighing in. Given that we’re seeing some people changing their opinions here, I’d ask that if you have an opinion on this topic and haven’t yet weighed in over e-mail that you please do so. If
you think they should be two objects and haven’t yet responded here, please let us know. If you think it should be a single object, please let us know. If we get enough consensus over e-mail we can avoid a ballot, but having gone back and forth a few times
on this (I think I’ve developed 5-6 proposals for this topic) I’d like to have responses in e-mail rather than just on the working call. Also, if we do end up going with two objects, I’d like to have a proposal prepared for the Grouping object. Rich and I had previously developed a “Collection” object to capture this data, I just renamed it
to Grouping and added it to the working concepts document. It has almost the same fields as Report, but the “published” property is optional (allowing the MISP team to indicate whether the report is published by either omitting or including that property)
and the description is different to allow for the different semantics. Please review it here:
https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.t56pn7elv6u7 (it’s right under Report). I believe that if we go with that approach we can dispense with the “status” vocabulary and other changes to the Report
object that have been discussed, given we’ll have the optional published property on Grouping and there hasn’t been a strong need identified for “status” on report other than to support this use case. John From: Allan Thomson <athomson@lookingglasscyber.com>
Allan Thomson,
CTO,
Lookingglass Cyber Solutions This electronic message transmission contains information from LookingGlass Cyber Solutions, Inc. which may be attorney-client privileged, proprietary and/or confidential. The information
in this message is intended only for use by the individual(s) to whom it is addressed. If you believe that you have received this message in error, please contact the sender, delete this message, and be aware that any review, use, disclosure, copying or distribution
of the contents contained within is strictly prohibited From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of "Wunder, John" <jwunder@mitre.org> All, I wanted to re-up this since we just discussed it on the working call. The proposal is here:
https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.y3otj21tnvuj As a reminder, this topic is meant to address a need MISP brought up to share collections of threat intelligence (they call them “Events”) that are not at the level of a published report but need to be shared
as a cohesive set with some shared context (title, description, labels, etc.) We still have three open questions:
I think we’re VERY close to finally figuring this one out, so please let us know what you think. My opinions are:
Thanks! John
From: <cti-stix@lists.oasis-open.org> on behalf of John Wunder <jwunder@mitre.org> Sorry about that…somewhat ironically, after there were problems with finding all of the stuff we were working on, I moved it over to the Working Concepts doc later last week:
https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.y3otj21tnvuj John From: Sean Barnum <sean.barnum@FireEye.com> I don’t see any proposal in the linked doc. I would object to attempts to conflate these two objects together. I believe I have given clear reasoning for this position in the past. Sean Barnum Principal Architect FireEye M: 703.473.8262 E: sean.barnum@fireeye.com From: <cti-stix@lists.oasis-open.org> on behalf of "Wunder, John A." <jwunder@mitre.org> All, As I mentioned in an e-mail yesterday, based on the straw poll that we had on the August 29 working call (notes here:
https://www.oasis-open.org/committees/download.php/61462/OASIS-CTI-TC_WorkingSession_August29_2017.pdf) I put together a proposal to modify the report object to cover the concept of an evolving collection of content (i.e., the MISP use case). Proposal is here:
https://docs.google.com/document/d/1wiG6RoNEFaE2lrblfgjpu3RTAJZOK2q0b5OxXCaCV14/edit#heading=h.n8bjzg1ysgdq
The changes are:
On the call most folks seemed to think that the best option was to modify the Report object, but we did have a couple open questions:
Thanks, John This email and any attachments thereto may contain private, confidential, and/or privileged material for the sole use of the intended recipient. Any review, copying, or distribution of this email (or any attachments
thereto) by others is strictly prohibited. If you are not the intended recipient, please contact the sender immediately and permanently delete the original and any copies of this email and any attachments thereto.
This email and any attachments thereto may contain private, confidential, and/or privileged material for the sole use of the intended recipient. Any review, copying, or distribution of this email (or any attachments
thereto) by others is strictly prohibited. If you are not the intended recipient, please contact the sender immediately and permanently delete the original and any copies of this email and any attachments thereto.
|
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]