CTI-TC-01

All,

Last week saw another important milestone in the CTI TC – our first F2F! From the conversations I had with people it seems that those who participated felt it was a great success and most importantly, a good use of their time and resources. We had excellent turnout in person (approximately 50 including some members from across the pond) as well as another 10+ on the phone/WebEx (thanks Trey for the video!). A word of thanks to the folks at Soltra who arranged for the facility at USF and provided breakfast and lunch (and also for hosting our subcommittee co-chairs meeting on Tuesday and Wednesday). Thanks also to IBM and Soltra who sponsored the happy-hour and food on Thursday evening. In addition to the main agenda, we had two BoF sessions – one on the OASIS Emergency Management TC and another on the recently-passed US legislation on information sharing. We added lightning talks to the end of each day – six people gave five minute presentations on a topic of their choosing. Thank you to everyone who participated and in particular to those who presented during the F2F.

Our goal was to use the F2F for high-bandwidth technical discussions with an eye towards resolving as many open-issues as possible. To give you all a sense of just how much we were able to get done, here is a list of some the areas where we achieved consensus last week (we have more detail – this is just the “title” in most cases):

1. Set goal of defining a Minimally-Viable Product (MVP) for STIX, TAXII and CybOX

2. Set target date of 7/1/2016 for the draft STIX 2.0, TAXII 2.0 and CybOX 3.0 specifications

3. Use TWIGS as the starting point for STIX 2.0 specification development

4. CybOX 3.0 should include only those objects that are being used in the wild and that can be refactored if needed

5. Creation of CTI Common to contain objects shared by STIX and CybOX

6. STIX Relationship Object (high-level) approach

7. Controlled Vocabulary (high-level) approach

8. HTTPS as MTI transport for TAXII

9. IDs on all objects

10. Remove short descriptions

11. Flatten top level objects

12. Remove abstract base types

13. Refactor TTP into multiple top-level objects

14. Refactor ExploitTarget into multiple top-level objects

15. Two-level Data Markings

This doesn’t mean that all our work is done on these issues – it simply means that we’ve achieved consensus on a way forward. For example, there is still a discussion to be had on exactly how we refactor TTP and ExploitTarget and there are still open questions on Level 2 data markings. However, we now have a clear direction that we can pursue in each SC and as a TC.

We have already begun discussing future F2F meetings so please get back to me with any feedback you have on how we can make these even better. Thanks to everyone for all your hard work – together we are going to make STIX, TAXII and CybOX even better!

Regards,

Rich

Richard J. Struse

Chair, OASIS Cyber Threat Intelligence (CTI) Technical Committee

Chief Advanced Technology Officer

National Cybersecurity and Communications Integration Center (NCCIC) and

Stakeholder Engagement and Cyber Infrastructure Resiliency (SECIR)

Cyber Security & Communications

U.S. Department of Homeland Security

e-mail: Richard.Struse@dhs.gov
Phone: 202-527-2361

cti message