OASIS Mailing List Archives

 




Subject: Re: [cti] STIX 2.0 RC2 (Working Draft 2) - Motion to Approve


I second this motion.  


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Aug 22, 2016, at 15:40, Wunder, John A. <jwunder@mitre.org> wrote:

All,
 
After a copyediting pass by Iain Brown (thanks!) and some clarity suggestions from Terry MacDonald we’ve created STIX 2.0 RC2, otherwise known as STIX 2.0 Working Draft 2. The changes from RC1 are below, but the only substantive change was the addition of the normative text to relationship source_ref and target_ref that we agreed to on the list last week.
 
With this release the editors are comfortable with the TC approving RC2 as a Committee Draft Specification. With that in mind:
 
I move that the OASIS CTI TC approve STIX v2.0 and all associated artifacts packaged together in https://www.oasis-open.org/apps/org/workgroup/cti/document.php?document_id=58758 as a Committee Specification Draft and designate the PDF version of the specification as authoritative.
 
Note that this approval applies to this version of the document as-is. If approved with a full majority vote of the TC it will be published as a Committee Draft Specification without modification.
 
Prior to moving forward with this specification (bringing it up for public review) we’ll need to reformat it to the OASIS template, add a conformance section, and add normative and non-normative references. But for the time being, approving this version will help lock in much of the work we’ve done to date and move us forward.
 
Thanks,
John
 
 
Changelog:
- Addition of the normative text to relationship source and target as discussed on the e-mail list last week.
- Very minor copyediting fixes (things like contracting STIX Domain Objects to SDOs, etc.).
- Section 1.2.4:
  o Before: Many STIX Objects contain properties whose values are strings drawn from generally-agreed upon sets of values such as industry sector names and attack motivations
  o After: Many STIX Objects contain properties whose values can be selected from a defined set of values.
- Section 3.4:
  o Before: The change to the revoked property to indicate that an object is revoked is an update to the object, and therefore its version and modified properties MUST be updated.
  o After: The change to the revoked property to indicate that an object is revoked is considered an update to the object, and therefore its version and modified properties MUST be updated at the same time.
- Section 3.4.3, Example Consumer Workflow:
  o Before: Consumer deletes example object, but keeps some metadata regarding the object.
  o After: Consumer chooses to delete the example object, but keeps some metadata regarding the object.
- Section 3.5:
  o Before: The following relationship types are defined for all STIX Domain Objects.
  o After: The following common relationship types are defined for all STIX Domain Objects.
- Section 5:
  o Before: Using the building blocks of SDOs along with STIX relationships, individuals can create and share broad and comprehensive cyber threat intelligence.
  o After: Using SDOs and STIX relationships as building blocks, individuals can create and share broad and comprehensive cyber threat intelligence.
- Section 5.2.4: Corrected CAPEC identifier to 163, which is the ID for spear phishing.
- Section 5.5:
  o Before: Indicators contain a pattern of suspicious or malicious cyber activity
  o After: Indicators contain a pattern that can be used to detect suspicious or malicious cyber activity.
- Section 5.11:
  o Before: In STIX, tools are a type of TTP that are legitimate software that are used by threat actors to perform attacks.
  o After: Tools are legitimate software that can be used by threat actors to perform attacks.

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail


