Re: [cti] STIX 2.0 Draft 3

["Jordan, Bret" <bret.jordan@bluecoat.com>]

That sounds like a great option.  It would be nice to have the COA object be more than just a stub.  I look forward to seeing your proposal.

Bret 

Sent from my Commodore 64

On Aug 8, 2016, at 9:21 PM, Jyoti Verma (jyoverma) <jyoverma@cisco.com> wrote:

Hi John, Bret,

The draft looks pretty complete other than the Course of Action object and I’d like to propose bringing in OpenC2 to fill in the gap. The OpenC2 group has made significant progress in defining the vocabularies (37 different types of action verbs), JSON schema and reference implementations for automated courses of action (http://www.openc2.org). The OpenC2 group can submit a formal proposal in the next week if it can be accommodated in STIX 2.0.

Conceptually OpenC2 action has the following form:

<OPENC2_ACTION> (

  <ACTION_TYPE>

  TARGET (

  type = <TARGET_TYPE>,

  [<target-specifier>]

  ),

  [ACTUATOR (

  type = <ACTUATOR_TYPE>,

  [<actuator-specifier>]

  )],

  [<modifiers>]

)

Given the Course of Action object in Draft 3.0, the OpenC2 action could be represented in 2 ways:

1. As a blob under course-of-action.action
2. As 3 additional properties with the course-of-action.action being the first OpenC2 property.

Thanks,

Jyoti

From: <cti@lists.oasis-open.org> on behalf of "Jordan, Bret" <bret.jordan@bluecoat.com>
Date: Friday, August 5, 2016 at 1:40 PM
To: "Wunder, John A." <jwunder@mitre.org>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] STIX 2.0 Draft 3

As a reminder the docs are also located here:

Core: https://docs.google.com/document/d/1HJqhvzO35h62gQGPvghVRIAtQrZn3_J__0UcDAj-NXY/edit#heading=h.t32x0azc539r

Objects: https://docs.google.com/document/d/1F1c05GgYaJFV1Z04B8c_T3vEE-LRQTPExF24LvOQAsk/edit#heading=h.t32x0azc539r

Thanks,

Bret

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Aug 5, 2016, at 14:34, Wunder, John A. <jwunder@mitre.org> wrote:

All,

 

Thanks everyone for the great comments, feedback, and (especially) suggestions on STIX 2.0 drafts 1 and 2! As Rich Struse mentioned in his e-mail last week, we’ve had a TON of activity and the specification is significantly better as a result.

 

Now that comments have tapered off, the editors have decided to release STIX 2.0 Draft 3. Given the amount of feedback this will be a decent change from Draft 2:

 

-          Significant refactoring of the introduction

-          Update to marking definitions to remove versioning

-          Added the FIRST IEP marking definition as an option

-          Cleaned up Threat Actor, Intrusion Set, and Campaign

-          Cleaned up Sighting and Observed Data

-          Added Infrastructure object

-          Improved Malware object (some minor work remains)

-          Tightened fields/relationships on Incident object to a small stub

-          Improved vocabulary descriptions

-          Relationships tweaked and cleaned up

-          Miscellaneous editorial changes

-          Removed version_comment

 

Given our timeline, Draft 3 will be the final draft of STIX 2.0! To focus on the finish line, here’s a few guidelines for review:

1.       At this point we will not be considering any new additions to the specification. There’s just not enough time to discuss anything new.

2.       Focus your review on objects, properties, and relationships, rather than the text. We appreciate all of the text suggestions, but at this point we need a final review of the structured format itself to make sure it will work.

3.       Finally, please provide suggestions rather than simply comments. If something is broken, don’t just say it’s broken. Tell us how you want to fix it. This will make sure we keep moving forward.

 

Looking ahead, we hope to have received all comments on draft 3 by Friday, August 12 so that we can issue a release candidate on Monday, August 15. After the release candidate is issued we’ll remove suggestion access to Google Docs and require that all comments be made on the e-mail list. This will ensure that everyone has full awareness of what we’re changing.

 

Again, thanks everyone for all of your hard work on this. As I read through the specification and imagine using it I’m feeling very, very good about where we ended up. A couple other people I’ve talked to who have been less involved have said the same. We’ve done some great work already, so let’s keep that up next week and make a final push to finish this off.

 

Thanks,

John

 

<STIX2.0-draft3-core.docx><STIX2.0-draft3-objects.docx>
---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that 
generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php