Subject: STIX COA mini group call 5/8/2017 - meeting minutes


Hi,

Below are the consolidated notes from the meeting today. Please chime in if I captured something incorrectly. Also, please let me know if I missed your attendance.


Participants

Jyoti Verma, Sam Zargar, Allan Thomson, Ben Sooter, Bret Jordan, Gary, John-Mark, John Wunder, Sourabh Satish, Henry, Jefferey Mates, Duncan Sparrel, Nicolas

 

Minutes:

  1. We went over the use case that Jeff shared and started building out the COA object using the example
  2. We should also have post conditions (on_success, on_failure) along with preconditions (requires_success, requires_failure) - Allan
  3. The action details could be captured in a property of its own, e.g. "openc2", and this could be a blob - Bret
  4. No need for a "type" attribute to capture the action type - John-Mark
  5. We could represent the action in CybOX observable style - John-Mark
  6. The "start_index" field could capture which action to start with
  7. We went over different options for linking the different actions, as called out below

 

 

Open Questions and Options to think about (thanks Bret):

  1. Should linkages between atomic COA elements be linked with an 'integer' or should they be linked via a text 'string'?
  2. Should the atomic COA elements look like STIX elements or Cyber Observable elements? Namely, should the name/id be inside the object or should it be a map?

 

Option 1: using id to map the linkage - STIX style

{
  "type": "course-of-action",
  "id": "course-of-action--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
  "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
  "created": "2016-04-06T20:03:48.000Z",
  "modified": "2016-04-06T20:03:48.000Z",
  "name": "Some top level name for the COA",
  "description": "Some top level description for the COA",
  "actions": [
    {
      "action_id": 1,
      "name": "name of COA action",
      "description": "some description or human course of action",
      "on_success": [2],
      "on_failure": [3],
      "requires_success": [],
      "requires_failure": [],
      "openc2": "some openc2 command"
    },
    {
      "action_id": 2,
      "name": "name of COA action",
      "description": "some description or human course of action",
      "on_success": [4],
      "on_failure": [3],
      "requires_success": [1],
      "requires_failure": [],
      "openc2": "some openc2 command"
    }
  ]
}

 

Option 2: using names to map the linkage - STIX style

{
  "type": "course-of-action",
  "id": "course-of-action--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
  "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
  "created": "2016-04-06T20:03:48.000Z",
  "modified": "2016-04-06T20:03:48.000Z",
  "name": "Some top level name for the COA",
  "description": "Some top level description for the COA",
  "actions": [
    {
      "name": "some name 1",
      "description": "some description or human course of action",
      "on_success": ["some name 2"],
      "on_failure": ["some name 3"],
      "requires_success": [],
      "requires_failure": [],
      "openc2": "some openc2 command"
    },
    {
      "name": "some name 2",
      "description": "some description or human course of action",
      "on_success": ["some name 4"],
      "on_failure": ["some name 3"],
      "requires_success": ["some name 1"],
      "requires_failure": [],
      "openc2": "some openc2 command"
    }
  ]
}

 

Another thing we talked about was how the keys should be determined. The two examples above are in STIX-like style; the next two are in Cyber Observable style.

 

Option 3: using id to map the linkage - Cyber Observable style

{
  "type": "course-of-action",
  "id": "course-of-action--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
  "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
  "created": "2016-04-06T20:03:48.000Z",
  "modified": "2016-04-06T20:03:48.000Z",
  "name": "Some top level name for the COA",
  "description": "Some top level description for the COA",
  "actions": {
    "1": {
      "name": "name of COA action",
      "description": "some description or human course of action",
      "on_success": [2],
      "on_failure": [3],
      "requires_success": [],
      "requires_failure": [],
      "openc2": "some openc2 command"
    },
    "2": {
      "name": "name of COA action",
      "description": "some description or human course of action",
      "on_success": [4],
      "on_failure": [3],
      "requires_success": [1],
      "requires_failure": [],
      "openc2": "some openc2 command"
    }
  }
}

 

Option 4: using names to map the linkage - Cyber Observable style

{
  "type": "course-of-action",
  "id": "course-of-action--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
  "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
  "created": "2016-04-06T20:03:48.000Z",
  "modified": "2016-04-06T20:03:48.000Z",
  "name": "Some top level name for the COA",
  "description": "Some top level description for the COA",
  "actions": {
    "some name 1": {
      "description": "some description or human course of action",
      "on_success": ["some name 2"],
      "on_failure": ["some name 3"],
      "requires_success": [],
      "requires_failure": [],
      "openc2": "some openc2 command"
    },
    "some name 2": {
      "description": "some description or human course of action",
      "on_success": ["some name 4"],
      "on_failure": ["some name 3"],
      "requires_success": ["some name 1"],
      "requires_failure": [],
      "openc2": "some openc2 command"
    }
  }
}


Agenda for next meeting:

  1. Identify the option that will work for most use cases 
  2. Go over Sarah’s use cases 
  3. Discuss topics that didn’t get covered this time around
    • Define relationship types for COAs
    • Should the STIX COA support time based sequencing?
    • Topics for F2F

Thanks,
Jyoti
Technical Leader
Office of the CTO, Security Business Group, Cisco Systems
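The four options above differ only in where the action key lives (inside the object or as the map key) and whether links are integers or names. A consumer that has to execute such a COA, e.g. by handing the "openc2" blobs to an orchestrator, needs to resolve those links either way, and two things can go wrong regardless of the option chosen: a link can point at an action that is not defined (in the excerpts above, actions 3 and 4 are referenced but never defined), and on_success/on_failure links can form a loop. The following is an added example, not code from the CTI TC or from any STIX library; it assumes the field names used in the four options plus the optional top-level "start_index" mentioned in the minutes, and the sample COA and its OpenC2 strings are constructed for illustration. It normalizes all four layouts into one graph, reports dangling references and cycles, and walks the COA for a given set of action outcomes, stopping at the first unmet precondition or missing target.

```python
"""Normalize and sanity-check the four STIX COA action-linkage layouts.

Added example; not from the CTI TC or any STIX library. Assumes the field
names used in the mailing-list options (actions, action_id, name,
on_success, on_failure, requires_success, requires_failure, openc2) and an
optional top-level "start_index", as suggested in the minutes.
"""

LINK_FIELDS = ("on_success", "on_failure", "requires_success", "requires_failure")


def normalize_actions(coa):
    """Return {key: action} with every link target coerced to a string key.

    Options 1/2 use a list of actions (keyed by action_id or name);
    options 3/4 use a map whose keys are the ids/names. Integer references
    are coerced to str so all four shapes share one graph representation.
    """
    raw = coa["actions"]
    if isinstance(raw, list):
        items = [(str(a["action_id"] if "action_id" in a else a["name"]), a) for a in raw]
    elif isinstance(raw, dict):
        items = [(str(k), a) for k, a in raw.items()]
    else:
        raise ValueError("actions must be a list or a map")
    graph = {}
    for key, a in items:
        if key in graph:
            raise ValueError(f"duplicate action key {key!r}")
        norm = {f: [str(t) for t in a.get(f, [])] for f in LINK_FIELDS}
        norm["openc2"] = a.get("openc2")
        graph[key] = norm
    return graph


def dangling_references(graph):
    """(source, field, target) triples whose target is not a defined action."""
    missing = set()
    for key, a in graph.items():
        for f in LINK_FIELDS:
            for target in a[f]:
                if target not in graph:
                    missing.add((key, f, target))
    return sorted(missing)


def has_cycle(graph):
    """True if following on_success/on_failure links can loop forever."""
    WHITE, GREY, BLACK = 0, 1, 2
    color = {k: WHITE for k in graph}

    def visit(k):
        color[k] = GREY
        for f in ("on_success", "on_failure"):
            for t in graph[k][f]:
                if t not in graph:          # dangling links are reported elsewhere
                    continue
                if color[t] == GREY or (color[t] == WHITE and visit(t)):
                    return True
        color[k] = BLACK
        return False

    return any(color[k] == WHITE and visit(k) for k in graph)


def start_key(coa, graph):
    """Use start_index if present (assumed field), else the single action with no prerequisites."""
    if "start_index" in coa:
        return str(coa["start_index"])
    roots = [k for k, a in graph.items() if not a["requires_success"] and not a["requires_failure"]]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one start action, found {roots}")
    return roots[0]


def simulate(coa, outcomes):
    """Walk the COA, taking on_success or on_failure per `outcomes` ({key: bool}).

    Actions absent from `outcomes` are assumed to succeed. Returns the ordered
    list of executed keys and the reason the walk stopped.
    """
    graph = normalize_actions(coa)
    done, trace = {}, []
    pending = [start_key(coa, graph)]
    while pending:
        key = pending.pop(0)
        if key not in graph:
            return trace, f"dangling reference to {key!r}"
        if key in done:
            return trace, f"action {key!r} reached twice"
        a = graph[key]
        if any(done.get(p) is not True for p in a["requires_success"]):
            return trace, f"{key!r}: requires_success not met"
        if any(done.get(p) is not False for p in a["requires_failure"]):
            return trace, f"{key!r}: requires_failure not met"
        ok = outcomes.get(key, True)
        done[key] = ok
        trace.append(key)
        pending.extend(a["on_success"] if ok else a["on_failure"])
    return trace, "completed"


# Constructed sample in the option-1 layout (list + integer action_id), with
# actions 3 and 4 added so the two-action excerpt from the minutes is complete.
SAMPLE_COA = {
    "type": "course-of-action",
    "id": "course-of-action--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "name": "Block C2 and isolate host (constructed example)",
    "start_index": 1,
    "actions": [
        {"action_id": 1, "name": "block C2 address at the firewall", "on_success": [2],
         "on_failure": [3], "requires_success": [], "requires_failure": [], "openc2": "deny ipv4_net (illustrative)"},
        {"action_id": 2, "name": "quarantine the endpoint", "on_success": [4],
         "on_failure": [3], "requires_success": [1], "requires_failure": [], "openc2": "contain device (illustrative)"},
        {"action_id": 3, "name": "page the on-call analyst", "on_success": [],
         "on_failure": [], "requires_success": [], "requires_failure": [], "openc2": None},
        {"action_id": 4, "name": "collect a memory image", "on_success": [],
         "on_failure": [3], "requires_success": [2], "requires_failure": [], "openc2": "investigate device (illustrative)"},
    ],
}

if __name__ == "__main__":
    g = normalize_actions(SAMPLE_COA)
    print("dangling:", dangling_references(g), "cycle:", has_cycle(g))
    print(simulate(SAMPLE_COA, {"1": True, "2": False}))
```

Run against the two-action excerpt exactly as it appears in the options (actions 1 and 2 only), dangling_references() reports the links to 3 and 4, and simulate() stops with "dangling reference to '4'" instead of silently dropping the branch. Whichever option the group picks, a consumer should run these two checks before it dispatches any of the "openc2" blobs, because an orchestrator that follows an undefined or looping link will either halt a response mid-way or keep re-issuing commands.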

From: <cti@lists.oasis-open.org> on behalf of OASIS Open <workgroup_mailer@lists.oasis-open.org>
Date: Friday, May 5, 2017 at 10:43 AM
To: <cti@lists.oasis-open.org>
Subject: [cti] STIX COA mini group call

Submitter's message
Follow on call for STIX COA
-- Ms. Jyoti Verma
Event Title: STIX COA mini group call

Date: Monday, 08 May 2017, 12:00pm to 01:00pm PDT
Location: Webex
Description

STIX COA working group follow on call

Agenda:

  1. Discuss use cases
  2. Define relationship types for COAs
  3. Should the STIX COA support time based sequencing?
  4. How should STIX COA work with and make use of automated actions like OpenC2?
  5. Topics for F2F



Owner: Ms. Jyoti Verma
Group: OASIS Cyber Threat Intelligence (CTI) TC
Sharing: This event is shared with the OASIS Open (General Membership) and General Public groups.

