

Subject: Re: [cti-stix] Re: [EXT] [cti-stix] STIX COA Roadmap


Sharing to the broader group that I’m supportive that this is the right direction for COA within STIX.

 

One aspect that I don’t see explicitly called out, and that we have talked about in the COA mini-group, is being able to convey a COA based on a reference to other intel via a reference/variable instead of having to copy the literal COA details.

 

Please confirm that this aspect is covered in one or more of the feature categories.

 

Allan Thomson,

CTO, Lookingglass Cyber Solutions


 

 

From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com>
Date: Thursday, September 21, 2017 at 9:27 AM
To: "Jyoti Verma (jyoverma)" <jyoverma@cisco.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: [cti-stix] Re: [EXT] [cti-stix] STIX COA Roadmap

 

SC,

 

I would like to reiterate Jyoti's call for feedback over the next 14 days.  If no negative feedback is given we will take that as unanimous consent that the direction the COA mini group is going and the elements we are going to tackle for the first release are approved by this SC.

 

Bret

 


From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Jyoti Verma (jyoverma) <jyoverma@cisco.com>
Sent: Thursday, September 21, 2017 12:16:58 AM
To: cti-stix@lists.oasis-open.org
Subject: [EXT] [cti-stix] STIX COA Roadmap

 

CTI TC,

 

The COA mini group has been meeting on a weekly basis for a couple of weeks and we’ve put together a roadmap for the goals/features that we would like to address across 3 STIX releases. The mini group gave a readout on the Sept 19th working call and the slides we presented are here: https://docs.google.com/presentation/d/1be_i8zcIlsmo_sStB8jeAp33sah-z7SgVGw_eRm1omc/edit?usp=sharing

 

In the first release, we would be solving the following 5 features for manual/automated COAs. For automated COAs, the group discussed using OpenC2 if the timelines align. More details on the complete roadmap and use cases can be found in the working draft here - https://docs.google.com/document/d/1zXV5WEmyLUbKiSpuHgywu5-LLrJVd91d7OP3nQBB7qM/edit#.

 

 

| Feature | Description | Example |
|---|---|---|
| Preventative Static COAs | Literal COAs tied to indicator or other objects. No need to wait for anything to fire. | SANS Top 20 controls or blacklist domains |
| Mitigative or Remediative Static COAs | All information to take the action is statically configured and known a-priori. | Block evildomain.com; Deny traffic to and from 10.0.0.1; Delete Registry key |
| Accommodating multiple actions | Single COA representing multiple steps | Cleaning up malware from Windows Desktop - safe mode, kill process, delete key, delete file, etc. |
| Basic Sequencing | The order in which COAs should be executed | 1->2->3->4 |
| Allow parallel processing | Allow the actions to define if they can be done in parallel or if they need to be done one at a time | 1->2; 3->4 |

 

If there are objections to this list, please let us know within 14 days. You can send your comments by replying to this email or in the COA channel on Slack.

 

Thanks,

STIX COA mini group

 

 


