cti-stix message
Subject: Re: [cti-stix] Proposal: Addition of defined relationship from COA to Indicator
- From: "Jason Keirstead" <Jason.Keirstead@ca.ibm.com>
- To: John-Mark Gurney <jmg@newcontext.com>
- Date: Wed, 18 Jul 2018 10:02:50 -0300
I have had 3 agree - anyone against this idea?

If not I will submit a change proposal for this in CSD 02.
-
Jason Keirstead
Lead Architect - IBM Security Cloud
www.ibm.com/security
"Things may come to those who wait, but only the things left by those
who hustle." - Unknown
From: John-Mark Gurney <jmg@newcontext.com>
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: cti-stix@lists.oasis-open.org
Date: 07/17/2018 08:29 PM
Subject: Re: [cti-stix] Proposal: Addition of defined relationship from COA to Indicator
Jason Keirstead wrote this message on Mon, Jul 16, 2018 at 10:13 -0300:
> Scenario: Let's say you want to have an indicator feed that you want to
> provide to a DNS server, in order to either deny or sinkhole those IP
> addresses and/or domains. As such, you want to provide Course of Action
> that are linked to those indicators, to tell the DNS server what to do.
>
> Currently, COA only has "mitigates" relationships to Attack Pattern,
> Malware, Tool, and Vulnerability.
>
> As such, one is forced to either
>
> (a) Create "dummy" empty Attack Pattern objects to create this
> relationship
> (b) Make your own SRO for "mitigates" directly from COA to Indicator

I support b... I tried to get this in a while back, but people didn't
seem to want it at the time...

> In this use case, there is no attack pattern, or any of these objects. You
> simply want to be able to say "If you see X, do Y".
>
> I would like to request / suggest that we add a defined relationship from
> COA to Indicator called "blocks", or "denies", "mitigates", or something
> to that effect so that this use case can be standardized, as it is
> extremely common.

I'm fine w/ mitigates... I'd prefer not to use blocks or denies, as that
implies a certain action, that may not be what the COA does..
--
John-Mark
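
Added example, not part of the original messages: a sketch of how a consumer such as a DNS policy loader could resolve the "if you see X, do Y" link when a bundle uses option (b), a "mitigates" SRO pointing straight from a Course of Action to an Indicator. All ids, names and patterns are constructed, the objects are trimmed to the properties the lookup needs (other required STIX properties are omitted), and the function name is hypothetical.

```python
# Constructed sample data: every id, name and pattern below is invented.
IND_DOMAIN = "indicator--11111111-1111-4111-8111-111111111111"
IND_IP = "indicator--22222222-2222-4222-8222-222222222222"
COA_SINKHOLE = "course-of-action--33333333-3333-4333-8333-333333333333"

BUNDLE = {
    "type": "bundle",
    "id": "bundle--44444444-4444-4444-8444-444444444444",
    "objects": [
        {"type": "indicator", "id": IND_DOMAIN,
         "pattern": "[domain-name:value = 'bad.example']"},
        {"type": "indicator", "id": IND_IP,
         "pattern": "[ipv4-addr:value = '203.0.113.7']"},
        {"type": "course-of-action", "id": COA_SINKHOLE,
         "name": "Sinkhole at DNS resolver"},
        # Option (b) from the thread: SRO directly from COA to Indicator.
        {"type": "relationship",
         "id": "relationship--55555555-5555-4555-8555-555555555555",
         "relationship_type": "mitigates",
         "source_ref": COA_SINKHOLE, "target_ref": IND_DOMAIN},
        # Dangling SRO: its target indicator is not in this bundle.
        {"type": "relationship",
         "id": "relationship--66666666-6666-4666-8666-666666666666",
         "relationship_type": "mitigates",
         "source_ref": COA_SINKHOLE,
         "target_ref": "indicator--99999999-9999-4999-8999-999999999999"},
    ],
}


def actions_for_indicators(bundle, rel_type="mitigates"):
    """Map each indicator pattern to the names of the COAs linked to it."""
    objs = {o["id"]: o for o in bundle["objects"]}
    result = {o["pattern"]: [] for o in objs.values() if o["type"] == "indicator"}
    for rel in bundle["objects"]:
        if rel["type"] != "relationship" or rel.get("relationship_type") != rel_type:
            continue
        coa = objs.get(rel["source_ref"])
        ind = objs.get(rel["target_ref"])
        # Ignore dangling references and SROs that are not COA -> Indicator.
        if not coa or not ind:
            continue
        if coa["type"] != "course-of-action" or ind["type"] != "indicator":
            continue
        result[ind["pattern"]].append(coa["name"])
    return result
```

An indicator that maps to an empty list has no linked Course of Action, so the consumer has no instruction for it.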