Hi!,
I would support this initiative, it is a good idea and simplifies the relationship between the two.
Regards,
Dean
From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org]
On Behalf Of Jason Keirstead
Sent: Monday, 16 July 2018 11:13 PM
To: cti-stix@lists.oasis-open.org
Subject: [cti-stix] Proposal: Addition of defined relationship from COA to Indicator
Scenario: Lets say you want to have an indicator feed that you want to provide to a DNS server, in order to either deny or sinkhole those IP addresses
and/or domains. As such, you want to provide Course of Action that are linked to those indicators, to tell the DNS server what to do.
Currently, COA only has "mitigates" relationships to Attack Pattern, Malware, Tool, and Vulnerability.
As such, one is forced to either
(a) Create "dummy" empty Attack Pattern objects to create this relationship
(b) Make your own SRO for "mitigates" directly from COA to Indicator
In this use case, there is no attack pattern, or any of these objects. You simply want to be able to say "If you see X, do Y".
I would like to request / suggest that we add a defined relationship from COA to Indicator called "blocks", or "denies", "mitigates", or something to that effect so that this use case can be standardized,
as it is extremely common.
-
Jason Keirstead
Lead Architect - IBM Security Cloud
www.ibm.com/security
"Things may come to those who wait, but only the things left by those who hustle." - Unknown
"This e-mail and any attachments to it (the "Communication") is, unless otherwise stated, confidential, may contain copyright material and is for the use only of the intended recipient. If you receive the Communication in error, please notify the sender immediately
by return e-mail, delete the Communication and the return e-mail, and do not read, copy, retransmit or otherwise deal with it. Any views expressed in the Communication are those of the individual sender only, unless expressly stated to be those of Australia
and New Zealand Banking Group Limited ABN 11 005 357 522, or any of its related entities including ANZ Bank New Zealand Limited (together "ANZ"). ANZ does not accept liability in connection with the integrity of or errors in the Communication, computer virus,
data corruption, interference or delay arising from or in respect of the Communication."
|