Subject: Re: [cti] Re: [EXT] Re: [cti] Roadmap discussion and update


Just a heads-up. FireEye should have some constructive input on these issues regarding event/investigation/incident in the next week or two. We are pulling it together now while slaying other dragons.

This input is based on FireEye’s extensive practical experience in these areas, its own implementations and integrations across this space and the substantive work on these issues by the broader cyber investigation community over the last year and a half.

We believe that this input will address many of the open questions/issues (including MISP’s desire for a general contextual compilation object that they refer to as Event) and hopefully offer us a clearer path forward for this aspect of our bigger puzzle.

 

Sorry for the teaser. I just wanted you to know that there is some practical input on the way.

 

sean

 

From: <cti@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Thursday, August 10, 2017 at 1:19 PM
To: Bret Jordan <Bret_Jordan@symantec.com>
Cc: Andras Iklody <andras.iklody@circl.lu>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, jg <jg@ctin.us>, "Wunder, John A." <jwunder@mitre.org>, "Sarah.Kelley@cisecurity.org" <Sarah.Kelley@cisecurity.org>
Subject: Re: [cti] Re: [EXT] Re: [cti] Roadmap discussion and update

 

I disagree, I think it aligns very well with report.

RE "A report has no concept of confidence on the relationships", I think this identifies a gap in report, actually. When an intelligence report is issued, one has to be able to communicate the confidence in the report as a unit - nothing is 100%.

That said, I don't think you need to go down to the individual relationship level - which it does not look like MISP is doing either from my understanding.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security

Without data, all you are is just another person with an opinion - Unknown




From:        Bret Jordan <Bret_Jordan@symantec.com>
To:        "Wunder, John A." <jwunder@mitre.org>, Andras Iklody <andras.iklody@circl.lu>, jg <jg@ctin.us>, "Sarah.Kelley@cisecurity.org" <Sarah.Kelley@cisecurity.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Date:        08/10/2017 01:37 PM
Subject:        [cti] Re: [EXT] Re: [cti] Roadmap discussion and update
Sent by:        <cti@lists.oasis-open.org>





The report object in STIX was designed to mimic a finished PDF report that an org sends out.  What MISP is asking for is more like a mix of bundle and report???  A collection of things that might be related with some sort of confidence, right?  So I do not think report would work well here. A report has no concept of confidence on the relationships, since they are embedded relationships (once again, because this was designed to be finished intel).  

To me it seems like we could easily solve the MISP requirement by making a very small and very light-weight object that just had the generic related-to relationships.  And you could relate anything to this "thing".  Maybe there is a few meta-data fields on it.   Using report would mean we would need to probably go back and allow external entities to add data to a report, which is something that we said we were not going to do.  A report is someone's finished intel and no one should be able to add more data to it.

Can we just create something small for MISP?

Bret
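The distinction Bret draws (a Report's `object_refs` are embedded references with no per-reference confidence and are owned by the report's producer, whereas a lightweight container with explicit `related-to` SROs lets each link carry its own confidence and be added by anyone) can be shown concretely. This is an added illustration, not code from the thread or from any STIX implementation; the `x-example-collection` custom type is a hypothetical stand-in for the "small thing" he sketches, and the sample ids are constructed.

```python
import uuid

# Constructed sample object ids (not real data).
INDICATOR_ID = "indicator--" + str(uuid.uuid4())
MALWARE_ID = "malware--" + str(uuid.uuid4())
CONTAINER_TYPE = "x-example-collection"  # hypothetical custom SDO type


def stix_id(stix_type):
    return f"{stix_type}--{uuid.uuid4()}"


def make_report(object_ids):
    """STIX 2 Report (common properties such as created/modified omitted).
    object_refs is an embedded relationship: membership only, no slot for
    per-reference confidence, and only the producer may edit the list."""
    return {"type": "report", "id": stix_id("report"),
            "name": "Constructed report", "published": "2017-08-10T00:00:00.000Z",
            "object_refs": list(object_ids)}


def make_collection():
    """Hypothetical lightweight container holding only metadata;
    membership lives in separate related-to SROs, not inside it."""
    return {"type": CONTAINER_TYPE, "id": stix_id(CONTAINER_TYPE),
            "name": "Constructed collection"}


def relate(container, target_id, confidence):
    """Explicit SRO: any producer can emit one without touching the container,
    and each link carries its own confidence (STIX 2.1 scale 0-100)."""
    return {"type": "relationship", "id": stix_id("relationship"),
            "relationship_type": "related-to", "source_ref": container["id"],
            "target_ref": target_id, "confidence": confidence}


def report_members(report):
    """Report membership: ids only; confidence per member is unknowable (None)."""
    return {ref: None for ref in report["object_refs"]}


def collection_members(container, objects):
    """Resolve a container's membership from the SROs present in a bundle."""
    return {o["target_ref"]: o.get("confidence") for o in objects
            if o.get("type") == "relationship"
            and o.get("relationship_type") == "related-to"
            and o.get("source_ref") == container["id"]}


if __name__ == "__main__":
    report = make_report([INDICATOR_ID, MALWARE_ID])
    coll = make_collection()
    sros = [relate(coll, INDICATOR_ID, 90), relate(coll, MALWARE_ID, 40)]
    print(report_members(report))                     # confidence is None
    print(collection_members(coll, [coll] + sros))    # per-link confidence
```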



From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Wunder, John A. <jwunder@mitre.org>
Sent: Thursday, August 10, 2017 7:19:41 AM
To: Andras Iklody; jg; Sarah.Kelley@cisecurity.org; cti@lists.oasis-open.org
Subject: [EXT] Re: [cti] Roadmap discussion and update

 
FWIW I think a MISP Event is much more similar to a Report than to what we’re currently talking about as Event. They aren’t necessarily related to the IR or SOC process at all…the example on the MISP website is a bunch of collected intelligence about a RAT (https://www.circl.lu/services/misp-malware-information-sharing-platform/).
 
So IMO the path forward is to figure out some solution other than Event, regardless of the timeline on Event. I just worry that even if Event were in it would not meet your use cases or, if it did, the definition would be very broad (either an Incident or a SOC event or some collection of intelligence). Maybe it’s a new “Collection” object that’s a clone of report but with the assumption that it will evolve over time, idk.
 
John
 
From: <cti@lists.oasis-open.org> on behalf of Andras Iklody <andras.iklody@circl.lu>
Date: Thursday, August 10, 2017 at 9:11 AM
To: jg <jg@ctin.us>, "Sarah.Kelley@cisecurity.org" <Sarah.Kelley@cisecurity.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Roadmap discussion and update

 
Jane,
 
we've been trying to do just that, we've pointed our issues out back in May and linked to our wiki regarding deficiencies that we face with STIX 2.x when it comes to integration (https://github.com/MISP/MISP/wiki/NotesMISP-STIX2#how-to-represent-a-misp-event-in-stix-2), to which we were advised to come with a simple proposal to remedy the issues (which we did here - https://www.misp.software/Eventproposal-STIX2.1-1.pdf).
After discussions stemming from the above proposal, we were told that an alternate solution could be to enhance the report object with some of the missing meta-data fields that we need (in addition to clarifying that despite its current interpretation, reports don't have to be final published reports, but could be general containers for threat intel information similarly to the intent in STIX 1.2). A simple publish boolean flag on the report object would go a long way for us as a stop-gap solution for now to at least get started (as described here: https://www.misp.software/STIX2.1Reportproposal.pdf).
However this idea was shot down. So at the moment we're not really sure how we're left in limbo, eagerly awaiting a generic event SDO to finally be released. Seeing this crucial missing piece of the puzzle being pushed back is a massive disappointment for us.
 
Best regards,
Andras
 
On 10. aug. 2017 14:43, jg wrote:
Andras:
I would also add to what Sarah wrote by noting that having your regular input and participation might push us over the edge of having the confidence to push it through. We need the expertise of the IR community to make sure it is right.
Jane Ginn, MSIA, MRP
Secretary, CTI TC
OASIS
jg@ctin.us
In U.S.: +(928) 399-0509



-------- Original Message --------
From: Sarah Kelley <Sarah.Kelley@cisecurity.org>
Sent: Thursday, August 10, 2017 06:16 AM
To: Andras Iklody <andras.iklody@circl.lu>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Roadmap discussion and update

Andras,

Event/Incident has been on the schedule for the 2.1 release, but as we have started work on this object, the current feeling is that we don’t understand it enough to get the work done in time for a fall release. Work has been done on this object (https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.r4w2zhz8p29q), but the topic is still being debated at length, and many people feel it will not be ready to be included in 2.1 if we still aim to get 2.1 out the door this fall. Hence, the discussion to push Event/Incident back to a 2.2 release, in order to make sure the object is correct and not done in a hurry.

This type of question is exactly why we posed the roadmap conversation to the list.

Does this help frame the conversation?

Sarah Kelley
STIX Co-Chair
Senior Cyber Threat Analyst
Multi-State Information Sharing and Analysis Center (MS-ISAC)
31 Tech Valley Drive
East Greenbush, NY 12061

sarah.kelley@cisecurity.org
518-266-3493
24x7 Security Operations Center
SOC@cisecurity.org- 1-866-787-4722


On 8/10/17, 6:28 AM, "Andras Iklody" <cti@lists.oasis-open.org on behalf of andras.iklody@circl.lu> wrote:

Hi Trey,

Event/Incident postponed to 2.2? For the MISP community this is the Nr.1 blocker, I thought it was scheduled for 2.1...

Best regards,

Andras


On 09. aug. 2017 21:14, Trey Darley wrote:
> All -
>
> New Context supports an Autumn 2017 release of STIX 2.1 consisting of:
>
> * i18n
> * Confidence
> * Intel Note
> * Opinion
> * Location
> * Malware
> * IEP
> * DNS Request/Response
>
> It is understood that the following work items would be postponed to
> 2.2:
>
> * Event/Incident
> * Infrastructure
> * COA
> * STIX Patterning Extensions
>
> While it is unfortunate that the scope of work has expanded to exceed
> the time initially earmarked for STIX 2.1 development, that should
> come as no surprise to anyone with experience trying to put accurate
> time estimates on complex development efforts.
>
> The TC work items ready to ship for 2.1 are significant. It would be
> unconscionable to artificially delay the release of these extensions
> to the STIX data model and thereby prevent folks from solving
> real-world problems they confront *today* by binding ourselves to the
> mast of an idealistic, completionist definition of STIX 2.1.
>
> Sarah, thanks for the great summary of the crossroads we find
> ourselves at. ^_^
>









