Subject: Re: [cti-stix] Proposal: Addition of defined relationship from COA to Indicator


There's a reason why a *group* of interested parties worked on the STIX COA updates to reflect the set of common requirements we needed.

Your suggestion was only one of multiple requirements that were identified. Since the original work, the current proposal for inclusion in STIX 2.1 is already a subset of what the group felt was required.

My input is that we don't spend time solely on a single relationship but put energy into just adopting the STIX COA work.

It's clearly important, as this thread helps show.

Allan

 

From: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Wednesday, July 18, 2018 at 6:43 AM
To: Allan Thomson <athomson@lookingglasscyber.com>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, John-Mark Gurney <jmg@newcontext.com>
Subject: Re: [cti-stix] Proposal: Addition of defined relationship from COA to Indicator

If COA makes a CSD, then it solves this I agree.

It's just unclear to me when that happens.

-
Jason Keirstead
Lead Architect - IBM Security Cloud
www.ibm.com/security

"Things may come to those who wait, but only the things left by those who hustle." - Unknown




From:        Allan Thomson <athomson@lookingglasscyber.com>
To:        Jason Keirstead <Jason.Keirstead@ca.ibm.com>, John-Mark Gurney <jmg@newcontext.com>
Cc:        "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date:        07/18/2018 10:24 AM
Subject:        Re: [cti-stix] Proposal: Addition of defined relationship from COA to Indicator
Sent by:        <cti-stix@lists.oasis-open.org>





Jason, although I agree somewhat, I want to point out that the STIX COA proposal that is in the queue for STIX 2.1 includes that change already and also includes more than that.

Here's the STIX COA document: https://docs.google.com/document/d/1VVeXcXsKHbfjjdglLo-mFQlXpjUhyGbGUBPSBFnSERY/edit#heading=h.bozgtrnl1y6u

Take a look at page 4 for the complete set of relationships being proposed for COA to other SDOs.

I would prefer, instead of choosing to adopt a single relationship change, that we just stick to the plan of record, which was to adopt STIX COA in an upcoming 2.1 CSD. Maybe that was CSD2 anyway?

Allan Thomson
CTO (+1-408-331-6646)
LookingGlass Cyber Solutions

From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Wednesday, July 18, 2018 at 6:02 AM
To: John-Mark Gurney <jmg@newcontext.com>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Proposal: Addition of defined relationship from COA to Indicator

I have had 3 agree - anyone against this idea?

If not, I will submit a change proposal for this in CSD 02.


-
Jason Keirstead
Lead Architect - IBM Security Cloud

www.ibm.com/security

"Things may come to those who wait, but only the things left by those who hustle." - Unknown





From:        John-Mark Gurney <jmg@newcontext.com>
To:        Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc:        cti-stix@lists.oasis-open.org
Date:        07/17/2018 08:29 PM
Subject:        Re: [cti-stix] Proposal: Addition of defined relationship from COA to Indicator






Jason Keirstead wrote this message on Mon, Jul 16, 2018 at 10:13 -0300:
> Scenario: Let's say you want to have an indicator feed that you want to
> provide to a DNS server, in order to either deny or sinkhole those IP
> addresses and/or domains. As such, you want to provide Courses of Action
> that are linked to those indicators, to tell the DNS server what to do.
>
> Currently, COA only has "mitigates" relationships to Attack Pattern,
> Malware, Tool, and Vulnerability.
>
> As such, one is forced to either
>
> (a) Create "dummy" empty Attack Pattern objects to create this
> relationship
> (b) Make your own SRO for "mitigates" directly from COA to Indicator

I support b...  I tried to get this in a while back, but people didn't
seem to want it at the time...
>
> In this use case, there is no attack pattern, or any of these objects. You
> simply want to be able to say "If you see X, do Y".
>
> I would like to request / suggest that we add a defined relationship from
> COA to Indicator called "blocks", or "denies", "mitigates", or something
> to that effect so that this use case can be standardized, as it is
> extremely common.

I'm fine w/ mitigates...  I'd prefer not to use blocks or denies, as that
implies a certain action, that may not be what the COA does..

--
John-Mark
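
The two modelling options Jason lists, (a) a dummy Attack Pattern hop and (b) a direct "mitigates" SRO from COA to Indicator, as an added example that is not part of this thread and is not code from OASIS or any STIX library. It builds both feeds as STIX 2.0 JSON with only the Python standard library, checks each relationship against the defined-relationship rows the thread cites (COA mitigates attack-pattern/malware/tool/vulnerability) plus STIX 2.0's indicator "indicates" rows that option (a) relies on, and shows what a consumer such as a DNS feed loader has to do to get from an indicator to its COA under each option. The domain, the COA text, the placeholder name and the function names are constructed for the example.

```python
"""Added example, not from the mailing list thread or any OASIS/STIX project.

Builds the two feeds Jason describes for "if you see X, do Y" in STIX 2.0
JSON using only the standard library, then checks every relationship
against a table of defined relationships: the COA rows Jason quotes
(mitigates -> attack-pattern, malware, tool, vulnerability) plus the
indicator 'indicates' rows from STIX 2.0 that option (a) relies on.
The domain, COA wording and placeholder name are constructed sample data.
"""
import json
import uuid
from datetime import datetime, timezone

# (source type, relationship type, target type) triples treated as defined.
DEFINED_RELATIONSHIPS = {
    ("course-of-action", "mitigates", "attack-pattern"),
    ("course-of-action", "mitigates", "malware"),
    ("course-of-action", "mitigates", "tool"),
    ("course-of-action", "mitigates", "vulnerability"),
    ("indicator", "indicates", "attack-pattern"),
    ("indicator", "indicates", "campaign"),
    ("indicator", "indicates", "intrusion-set"),
    ("indicator", "indicates", "malware"),
    ("indicator", "indicates", "threat-actor"),
    ("indicator", "indicates", "tool"),
}


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def sdo(obj_type, **props):
    """Minimal STIX 2.0 object: type, type--uuid id, created/modified, plus props."""
    ts = _now()
    return {"type": obj_type, "id": f"{obj_type}--{uuid.uuid4()}",
            "created": ts, "modified": ts, **props}


def relationship(rel_type, source, target):
    return sdo("relationship", relationship_type=rel_type,
               source_ref=source["id"], target_ref=target["id"])


def build_feed(option):
    """option 'a': dummy attack-pattern hop; option 'b': direct COA -> indicator SRO."""
    indicator = sdo("indicator", labels=["malicious-activity"],
                    pattern="[domain-name:value = 'c2.example']",  # constructed sample
                    valid_from=_now())
    coa = sdo("course-of-action", name="Sinkhole DNS resolution for the indicated domain")
    objects = [indicator, coa]
    if option == "a":
        placeholder = sdo("attack-pattern", name="placeholder (no real attack pattern)")
        objects += [placeholder,
                    relationship("indicates", indicator, placeholder),
                    relationship("mitigates", coa, placeholder)]
    elif option == "b":
        objects.append(relationship("mitigates", coa, indicator))
    else:
        raise ValueError(f"unknown option {option!r}")
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "spec_version": "2.0", "objects": objects}


def classify_relationships(bundle):
    """Map each relationship id to 'defined' or 'custom' by its endpoint types."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    verdicts = {}
    for o in bundle["objects"]:
        if o["type"] != "relationship":
            continue
        key = (by_id[o["source_ref"]]["type"], o["relationship_type"],
               by_id[o["target_ref"]]["type"])
        verdicts[o["id"]] = "defined" if key in DEFINED_RELATIONSHIPS else "custom"
    return verdicts


def coas_for_indicator(bundle, indicator_id):
    """What a consumer (the DNS feed loader) must do to find the COA for an indicator.

    Option (b) is one hop; option (a) forces a two-hop walk through the placeholder
    (indicator -indicates-> X, COA -mitigates-> X). Both paths are handled here.
    """
    by_id = {o["id"]: o for o in bundle["objects"]}
    rels = [o for o in bundle["objects"] if o["type"] == "relationship"]
    mitigates = [r for r in rels if r["relationship_type"] == "mitigates"]
    direct = {r["source_ref"] for r in mitigates if r["target_ref"] == indicator_id}
    indicated = {r["target_ref"] for r in rels
                 if r["relationship_type"] == "indicates" and r["source_ref"] == indicator_id}
    via_hop = {r["source_ref"] for r in mitigates if r["target_ref"] in indicated}
    return sorted(c for c in direct | via_hop if by_id[c]["type"] == "course-of-action")


def indicator_id(bundle):
    return next(o["id"] for o in bundle["objects"] if o["type"] == "indicator")


if __name__ == "__main__":
    for opt in ("a", "b"):
        feed = build_feed(opt)
        print(f"option {opt}: {classify_relationships(feed)}")
        print(f"  COAs for indicator: {coas_for_indicator(feed, indicator_id(feed))}")
        print(json.dumps(feed, indent=2))
```

Run it stand-alone to see option (b) produce one relationship flagged "custom" (the SRO the thread proposes to make defined) and option (a) produce two "defined" relationships at the cost of an empty Attack Pattern object and a two-hop lookup on the consumer side.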

