Re: [cti] Re: [EXT] Re: [cti] Summary of the working call

[Andras Iklody <andras.iklody@circl.lu>]

Hi Sarah,

Is there any way to get any insight on the progress / working documents
for these? Either I am missing something very obvious or there's a
painful lack of transparency going on in here.

Best regards,
Andras

On 25. aug. 2017 13:59, Sarah Kelley wrote:
> All,
> 
>  
> 
> Just to clarify my original email.
> 
>  
> 
> The conversation on the working call was to scope down what we were
> currently working on for the particular event object we /already/ had a
> proposal for in the working documents. This object was designed with the
> IR type of object in mind, so for our current understanding, and to make
> some forward progress on this object, we were suggesting to scope back
> the use cases for /that particular SDO/ to what it made sense for. We
> were NOT in any way suggesting that other use cases weren’t valid or
> that we wouldn’t fulfil them. In fact, there have been several
> discussions recently about how exactly how we can meet the needs of the
> use cases you’ve suggested. If this particular SDO isn’t going to work,
> we are currently in the process of creating alternatives that could
> fulfil these use case.
> 
>  
> 
> I hope this helps clarify what the intentions were in my original email
> regarding our discussions.
> 
>  
> 
> *Sarah Kelley*
> 
> *Senior Cyber Threat Analyst*
> 
> *Multi-State Information Sharing and Analysis Center
> (MS-ISAC)                   *
> 
> *31 Tech Valley Drive*
> 
> *East Greenbush, NY 12061*
> 
> * *
> 
> *sarah.kelley@cisecurity.org <mailto:sarah.kelley@cisecurity.org>*
> 
> *518-266-3493*
> 
> *24x7 Security Operations Center*
> 
> *SOC@cisecurity.org <mailto:SOC@cisecurity.org> - 1-866-787-4722*
> 
> * *
> 
> ** <https://msisac.cisecurity.org/>**
> 
> *       *** <https://www.facebook.com/CenterforIntSec>*    ***
> <https://twitter.com/CISecurity>*   ***
> <https://www.youtube.com/user/TheCISecurity>*    ***
> <https://www.linkedin.com/company/the-center-for-internet-security>
> 
>  
> 
> *From: *"cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf
> of Allan Thomson <athomson@lookingglasscyber.com>
> *Date: *Friday, August 25, 2017 at 6:26 AM
> *To: *Andras Iklody <andras.iklody@circl.lu>, "cti@lists.oasis-open.org"
> <cti@lists.oasis-open.org>
> *Subject: *Re: [cti] Re: [EXT] Re: [cti] Summary of the working call
> 
>  
> 
> 
> 
> 
> Bret/Andras – I wasn’t able to attend the working call but I would like
> to point out that the definition of the Event object in the “current”
> proposal has a relationship to Observed-Data object(s) as well as other
> new STIX 2.1 objects Intel-Note.
> 
> Therefore an event can describe a generic event that points to OSINT
> data (e.g. observed-data), CERT notification (e.g. intel-note),
> black-list (could be represented as a list of IPs as Observed-Data object).
> 
> Andras is asking for reasonable (we agree with them) use cases that the
> Event object should support.
> 
> So I would suggest that the current proposal on the table is closer to
> what is needed to support the MISP event use cases that is being suggested.
> 
> Certainly we agree that Event should *not* just be about an
> investigation and *should* represent various event use cases including
> the ones that Andras has suggested.
> 
> Allan Thomson
> CTO
> +1-408-331-6646
> LookingGlass Cyber Solutions <http://www.lookingglasscyber.com/>
> 
> On 8/25/17, 12:41 AM, "cti@lists.oasis-open.org on behalf of Andras
> Iklody" <cti@lists.oasis-open.org on behalf of andras.iklody@circl.lu>
> wrote:
> 
> Hello Bret,
> 
> We've just had a look at the event object
> (https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#
> - section 2.6 / 2.1.x???) and it is pretty far from our idea of a
> generic event, as it basically describes an incident/investigation/case
> instead of a generic event (which could be a collection of OSINT data
> even, CERT notifications, or even a shared black list). Most of its
> attributes don't align with what we're after
> (so basically we'd have to leave them unset) and it lacks some
> attributes that are blockers for us.
> 
> Our main goal with threat intel sharing is to give analysts a tool that
> allows them to exchange information that they find could be useful for
> their partners, based on a variety of sources (an actual incident, a
> collection of OSINT data, financial fraud details, the results of the
> analysis of a reverse engineer, notifications shared by law enforcement
> etc).
> 
> The event proposal that you suggested deals more with a collection of
> facts after an incident/investigation/case, which has different
> objectives and assumptions. It is great for a ticketing system used
> internally for example, but less so for threat intel sharing. I
> personally don't see how this is more relevant than what we're after
> when we consider that STIX is a standard built to exchange threat
> information, but we can't all have our ponies, I realise that.
> 
> However, this makes the proposed construct unusable for our use-case.
> 
> I hope this has managed to clear up some of the confusion and we can
> come to an agreement on how to proceed (hopefully using the proposed
> generic-event structure).
> 
> Best regards,
> Andras
> 
> On 23. aug. 2017 18:39, Bret Jordan wrote:
>> Alexandre,
>>
>>
>> If we added a "supporting_data" property to Event that contained a list
>> of IDs to other STIX objects, would that enable your use-case?
>>
>>
>> Bret
>>
>> ------------------------------------------------------------------------
>> *From:* cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of
>> Alexandre Dulaunoy <Alexandre.Dulaunoy@circl.lu>
>> *Sent:* Wednesday, August 23, 2017 2:42:46 AM
>> *To:* cti@lists.oasis-open.org
>> *Subject:* [EXT] Re: [cti] Summary of the working call
>>
>> On 22/08/17 22:12, Sarah Kelley wrote:
>>> On today’s working call, we discussed the event object. We didn’t
> have someone taking full notes, but I’ll try to summarize what was
> discussed below.
>>>
>>>
>>> 1. The event object should be scoped down to just an IR type of
> event/incident. This would need to be clarified in the text, but that
> would then scope out some of our other use cases such as:
>>> * An ‘alert’ coming into your system
>>> * An ‘event’ such as a threat actor registering a domain
>>> * The MISP version of ‘event’
>>
>> As our past proposals (event and updated report) were rejected and
>> seeing how despite expectations the new event SDO won't accommodate the
>> requirements of many CERTs and considering that we need to
>> move on regarding this, we propose a new SDO called generic event to be
>> able to map MISP events to STIX.
>>
>>
> https://clicktime.symantec.com/a/1/KXXOt30L0Phy4XSBJfMef58Wt7mbKP8hq6iPJVbggCA=?d=aZFWp64AB6xw0IMyCZXL0Penlb_6iU6OgveRz1MnP5rZ9wxB3EfnQTTfyleQA_85xnxQ4G0tW-3mzxOSKk1ZRAeSkGz5Uk_0aPQYycvNcyEd8ji_tyMaKiVRV9LZPX9QWMpByAtKN1160Dz8pzikmWvm0SFVLHVA309anASuRu6zZIWfoBIdLmRQw-WVQy010_LhdsXjYEM-UscjJdtGhpFaPSlyn8sajyVZvtRf2DKg9jyYepCu2Rt7DmyHYx5Z5jlm5eo60yXUU7QuYoszYy6gKXOlHo9JUCI9Euvaux0dldytYQNnqpjF1iIAR6BljwZgq0OTmjNjS72rdbMO-Ki2Sdu1EX1s_yvIWbUoNls35fV1yGdy7YLa8z1z7nM_1VZZ8C-43itV5JB6WqnJUQBohXsItCeM8aFDSIxBoJTjjTC8&u=https%3A%2F%2Fwww.misp-project.org%2Fgeneric-event-proposal-STIX-2.1.pdf
>>
>> Thank you very much
>>
>> --
>> Alexandre Dulaunoy
>> CIRCL - Computer Incident Response Center Luxembourg
>> 41, avenue de la gare L-1611 Luxembourg
>> info@circl.lu - www.circl.lu <http://www.circl.lu>
> <http://www.circl.lu> - (+352) 247 88444
>>
>> ---------------------------------------------------------------------
>> To unsubscribe from this mail list, you must leave the OASIS TC that
>> generates this mail. Follow this link to all your TCs in OASIS at:
>>
> https://clicktime.symantec.com/a/1/TPo_dTV-pVxJ8S7TeISQ6XYZjfPzx28einI7H3nz6M0=?d=aZFWp64AB6xw0IMyCZXL0Penlb_6iU6OgveRz1MnP5rZ9wxB3EfnQTTfyleQA_85xnxQ4G0tW-3mzxOSKk1ZRAeSkGz5Uk_0aPQYycvNcyEd8ji_tyMaKiVRV9LZPX9QWMpByAtKN1160Dz8pzikmWvm0SFVLHVA309anASuRu6zZIWfoBIdLmRQw-WVQy010_LhdsXjYEM-UscjJdtGhpFaPSlyn8sajyVZvtRf2DKg9jyYepCu2Rt7DmyHYx5Z5jlm5eo60yXUU7QuYoszYy6gKXOlHo9JUCI9Euvaux0dldytYQNnqpjF1iIAR6BljwZgq0OTmjNjS72rdbMO-Ki2Sdu1EX1s_yvIWbUoNls35fV1yGdy7YLa8z1z7nM_1VZZ8C-43itV5JB6WqnJUQBohXsItCeM8aFDSIxBoJTjjTC8&u=https%3A%2F%2Fwww.oasis-open.org%2Fapps%2Forg%2Fworkgroup%2Fportal%2Fmy_workgroups.php
>>
>>
> 
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail. Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
> 
> 
> 
> 
> .....
> 
> This message and attachments may contain confidential information. If it
> appears that this message was sent to you by mistake, any retention,
> dissemination, distribution or copying of this message and attachments
> is strictly prohibited. Please notify the sender immediately and
> permanently delete the message and any attachments.
> 
> . . . . .