Re: [openc2-imple] RE: [Non-DoD Source] [openc2-imple] STIX COA Roadmap

["Jyoti Verma (jyoverma)" <jyoverma@cisco.com>]

I think I should clarify my statement “For automated COAs, the group discussed using OpenC2 if the timelines align.“

 

I meant that if STIX COA is being targeted for 2.1 which is being wrapped up soon, that timeline doesn’t align with OpenC2’s formal release. Having said that, as per the design being worked out in the google doc, the COA will still have an optional property for openc2 as a placeholder. Hope that clarifies.

 

Thanks,

Jyoti

Technical Leader,

CTO office Security Business Group,

Cisco Systems Inc.

 

 

 

From: <openc2-imple@lists.oasis-open.org> on behalf of "Kemp, David P" <dpkemp@radium.ncsc.mil>
Date: Friday, September 22, 2017 at 7:26 AM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "openc2-imple@lists.oasis-open.org" <openc2-imple@lists.oasis-open.org>
Subject: [openc2-imple] RE: [Non-DoD Source] [openc2-imple] STIX COA Roadmap

 

I have no objections to the list of 5 features to pursue.   It looks like a great list.

 

Re Jyoti’s “For automated COAs, the group discussed using OpenC2 if the timelines align.“:   I’d like to reiterate the discussion on OpenC2 IC SC slack – there is no inconsistency or mismatch between the capabilities of the current OpenC2 and the ability to support those 5 features, or any future set of COA features.   Those features can be supported whenever the evolving COA language (bash/python/etc near-term, potentially a to-be-developed COA-specific DSL longer term) can do so.  OpenC2 is used for the atomic M2M actions specified in the COA.  With a suitable “notification” actuator profile OpenC2 might also be used to support some non-automated actions, but that is not it’s primary focus.

 

Dave

 

 

From: openc2-imple@lists.oasis-open.org [mailto:openc2-imple@lists.oasis-open.org] On Behalf Of Duncan
Sent: Friday, September 22, 2017 8:05 AM
To: Bret Jordan <bret_jordan@symantec.com>; Jyoti Verma (jyoverma) <jyoverma@cisco.com>; cti-stix@lists.oasis-open.org
Cc: openc2-imple@lists.oasis-open.org; openc2-committee-chairs@lists.oasis-open.org
Subject: [Non-DoD Source] [openc2-imple] STIX COA Roadmap

 

Bret, Jyoti,

Re: "If no negative feedback is given we will take that as unanimous consent"

I would like to give some negative feedback. Sorry to break your unanimity but I have a concern. 

 

Bret said "OpenC2 might be an option. However, to date, the OpenC2 work has had a very narrow focus."

Bret, you are co-chair of the OpenC2 SC that owns solving OpenC2 for Stix COA. Joyti is co-chair of the OpenC2 SC that owns defining what OpenC2 consumers do with OpenC2. For you to imply on a CTI mailing list that OpenC2 won't meet CTI needs seems odd to me. I am very concerned miscommunication is occurring. Shouldn't you as co-chair of the OpenC2 SC be answering that OpenC2 will at least try to meet CTI needs? Of course we need to walk before we fly but if there are schedule concerns, please voice them. I have been trying to speed up the process eg my request your OpenC2 SC meet more often than monthly. If we are going too slow, the answer is not to duplicate effort in CTI or form a new SC or TC to do what we already doing. Put those resources into OpenC2. 

 

iPhone, iTypo, iApologize

 

Duncan Sparrell

sFractal Consulting, LLC

The closer you look, the more you see

On Thu, Sep 21, 2017 at 12:27 PM -0400, "Bret Jordan" <Bret_Jordan@symantec.com> wrote:

SC,

 

I would like to reiterate Jyoti's call for feedback over the next 14 days.  If no negative feedback is given we will take that as unanimous consent that the direction the COA mini group is going and the elements we are going to tackle for the first release are approved by this SC.

 

Bret

 

---

From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Jyoti Verma (jyoverma) <jyoverma@cisco.com>
Sent: Thursday, September 21, 2017 12:16:58 AM
To: cti-stix@lists.oasis-open.org
Subject: [EXT] [cti-stix] STIX COA Roadmap

 

CTI TC,

 

The COA mini group has been meeting on a weekly basis since a couple of weeks and we’ve put together a roadmap for the goals/features that we would like to address across 3 STIX releases. The mini group gave a readout on the Sept 19^th working call and the slides we presented are here – https://docs.google.com/presentation/d/1be_i8zcIlsmo_sStB8jeAp33sah-z7SgVGw_eRm1omc/edit?usp=sharing

 

In the first release, we would be solving the following 5 features for manual/automated COAs. For automated COAs, the group discussed using OpenC2 if the timelines align. More details on the complete roadmap and use cases can be found in the working draft here - https://docs.google.com/document/d/1zXV5WEmyLUbKiSpuHgywu5-LLrJVd91d7OP3nQBB7qM/edit#.

 

 

Feature	Description	Example
Preventative Static COAs	Literal COAs tied to indicator or other objects. No need to wait for anything to fire.	SANS Top 20 controls or blacklist domains
Mitigative or Remediative Static COAs	All information to take the action is statically configured and known a-priori.	Block evildomain.com Deny traffic to and from 10.0.0.1 Delete Registry key
Accommodating multiple actions	Single COA representing multiple steps	Cleaning up malware from Windows Desktop - safe mode, kill process, delete key, delete file, etc.
Basic Sequencing	The order in which COAs should be executed	1->2->3->4
Allow parallel processing	Allow the actions to define if they can be done in parallel or if they need to be done one at a time	1->2 3->4

 

If there are objections to this list, please let us know within 14 days. You can send your comments by replying to this email or in the COA channel on Slack.

 

Thanks,

STIX COA mini group