Subject: Re: [cti] Call for Volunteers / Topics for STIX 2.1


Allan,

 

What you’ve proposed is similar to something we’ve implemented called “annotations”, but I’ve never thought about sharing those with external parties.  Like you, we came to the same conclusion that it needed to be an SDO so that a single “note” could point to a number of different entities.

 

 

Paul Patrick

 

 

From: <cti@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
Date: Tuesday, December 13, 2016 at 9:32 AM
To: "mark.stephen.davidson@gmail.com" <mark.stephen.davidson@gmail.com>
Cc: Sarah Kelley <Sarah.Kelley@cisecurity.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Call for Volunteers / Topics for STIX 2.1

 

Mark – the ability to have multiple instances of an intel note is important even if the note is associated with a single SDO.

 

Secondly, the ability to version the note itself, the ability to have different authors associate intel notes with the same SDO to collaborate on intel notes with and update without having to version the SDO it's associated with is useful.

 

Ultimately having the full lifecycle of object creation, update and deletion associated with intel notes themselves is considered very useful.

 

So for a variety of ‘analyst workflow’ reasons it was felt that having it be a separate object itself was more useful.

 

It also then has the side benefit of being able to define a single intel note to multiple other SDOs for workflow reasons as useful. I could think of a couple of use cases where this might come in handy. But this is a byproduct not the primary goal.

 

allan
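The separate-object design Allan argues for above (one note pointing at several SDOs, notes versioned by their own authors without touching the SDO), as an added illustration that is not code from the mailing list, the spec or any STIX implementation. It uses the field names of the STIX 2.1 Note object (content, authors, object_refs); the ids and timestamps are constructed sample values.

```python
"""Sketch of the 'intel note as its own object' design discussed above.

Added illustration only. Field names follow the STIX 2.1 Note object
(content, authors, object_refs); ids and timestamps are constructed samples.
"""
import copy

# Constructed sample SDOs that analysts want to annotate.
INDICATOR = {"type": "indicator", "id": "indicator--1b9c9a3e-0000-4000-8000-000000000001",
             "created": "2016-12-01T00:00:00.000Z", "modified": "2016-12-01T00:00:00.000Z",
             "pattern": "[domain-name:value = 'example.invalid']"}
MALWARE = {"type": "malware", "id": "malware--1b9c9a3e-0000-4000-8000-000000000002",
           "created": "2016-12-01T00:00:00.000Z", "modified": "2016-12-01T00:00:00.000Z",
           "name": "sample-family"}


def make_note(note_id, content, object_refs, authors, timestamp):
    """A note is its own object: own id, own created/modified, own authors."""
    if not object_refs:
        raise ValueError("a note must point at one or more objects")
    return {"type": "note", "id": note_id, "spec_version": "2.1",
            "created": timestamp, "modified": timestamp, "content": content,
            "authors": list(authors), "object_refs": list(object_refs)}


def revise_note(note, new_content, timestamp):
    """New version of the note: same id and created, later modified.
    The objects it annotates are not touched, which is the point of the thread."""
    if timestamp <= note["modified"]:
        raise ValueError("a new version needs a later modified timestamp")
    new = copy.deepcopy(note)
    new["content"] = new_content
    new["modified"] = timestamp
    return new


def notes_for(notes, sdo_id):
    """Every note (any author, any version) that annotates the given object."""
    return [n for n in notes if sdo_id in n["object_refs"]]


def dangling_refs(note, known_ids):
    """object_refs that do not resolve in the consumer's store; a consumer
    should flag these once notes are shared separately from their targets."""
    return [ref for ref in note["object_refs"] if ref not in known_ids]
```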

 

From: Mark Davidson <mark.stephen.davidson@gmail.com>
Date: Tuesday, December 13, 2016 at 4:56 AM
To: Allan Thomson <athomson@lookingglasscyber.com>
Cc: Sarah Kelley <Sarah.Kelley@cisecurity.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Call for Volunteers / Topics for STIX 2.1

 

Are there use cases where we'd want a single note associated with multiple SDOs? When I had first heard the concept, I'd thought of it as a common property across all SDOs.

 

I guess my question really is:

What factors (if any) went into deciding whether this should be its own SDO vs. a common property across all SDOs?

 

Thank you.

-Mark

 

On Mon, Dec 12, 2016 at 11:43 PM, Allan Thomson <athomson@lookingglasscyber.com> wrote:

Hi Sarah – sorry for the delay. Have been off the list for the last few working days due to other priorities.

Please find attached proposed text changes to add Intel Notes to the STIX 2.0 spec. This doc was created back in Sept so it may rely on an older version of the base 2.0 standard than is current.

The primary intention is described in the document but if you feel that it's not sufficiently clear then let me know.

Regards

allan

From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of Sarah Kelley <Sarah.Kelley@cisecurity.org>
Date: Wednesday, December 7, 2016 at 12:26 PM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Call for Volunteers / Topics for STIX 2.1

Can I get a quick description of what Intel Notes is going to be? I don’t recall hearing about that piece before.

Sarah Kelley
Senior Cyber Threat Analyst
Center for Internet Security (CIS)
Integrated Intelligence Center (IIC)
Multi-State Information Sharing and Analysis Center (MS-ISAC)
1-866-787-4722 (7×24 SOC)
Email: cert@cisecurity.org
www.cisecurity.org

Follow us @CISecurity

From: <cti@lists.oasis-open.org> on behalf of "Wunder, John A." <jwunder@mitre.org>
Date: Wednesday, December 7, 2016 at 2:50 PM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] Call for Volunteers / Topics for STIX 2.1

All,

I know that we’re still finalizing things in STIX 2.0, but with the face-to-face coming up in January and the need to keep making progress on important topics I’d like to start planning for STIX 2.1. In particular, I think we can be much more productive at the face-to-face if we have 1 or more concrete proposals for each topic we discuss. That way we can evaluate real normative text and data structures rather than general ideas and theories.

To get there, I’d like to start putting together mini-groups for STIX 2.1 topics. Obviously we won’t work on all of these at the same time, but the complete list I have of somewhat major topics for 2.1:

1. Malware (it already exists, but it could use some fleshing out)
2. Infrastructure
3. Confidence
4. Location
5. Incident / Event
6. Course of Action / OpenC2 integration / Playbooks
7. Internationalization
8. Intel Notes

So my first request is, what’s missing? Are there any other major topics that we should tackle for 2.1?

My second request is for volunteers to work on some of those topics. I’m thinking that one of the first things we should do is build out more of our foundation in intel objects and concepts. That would mean tackling:

- Confidence
- Malware
- Infrastructure
- Location

Finishing off those objects and concepts will give us the building block SDOs and concepts that we need to tackle things like incident, COA, etc. As we finish off this first set, we can move on to major areas of effort like courses of action and incidents (and related object).

Please send replies directly to me and I’ll coordinate, that way we can avoid spamming the list. Also I should say that if there’s a group of people that wants to start working on incident, COA, or any other topic now don’t let me hold you up. I just want to make sure we can get in the more foundational things so we don’t have to re-write stuff later.

John

...
