Re: [cti] Re: [EXT] Re: [cti] Summary of the working call

Andras,

The discussions about what other objects we may need to create in order to accommodate these (non incident response related) use cases have just taken place over the last three days (since the working call). The current work being done on them is being done in the STIX playground. Most CTI-TC related documents should be linked from the cover page here: https://docs.google.com/document/d/1yvqWaPPnPW-2NiVCLqzRszcx91ffMowfT5MmE9Nsy_w/edit (including the playground). The particular work I’m referring to is in the STIX playground here: https://docs.google.com/document/d/1wiG6RoNEFaE2lrblfgjpu3RTAJZOK2q0b5OxXCaCV14/edit#heading=h.94nf4i25htyn . I believe Rich Struse put some work in on this alternative object yesterday. It’s currently listed as a “collection” object (https://docs.google.com/document/d/1wiG6RoNEFaE2lrblfgjpu3RTAJZOK2q0b5OxXCaCV14/edit#heading=h.n8bjzg1ysgdq)

This is very preliminary, so I wouldn’t in any way assume that this object will be finalized as is, as very few people have had a chance to look at it yet. I just wanted to make it clear that these non-IR related use cases are not being ignored. We just want to make sure that the objects work for the use cases they’re designed for, and we didn’t try to shoehorn too many things into one object, therefore making one object too broad or non-functional.

I hope this helps.

Sarah Kelley

Senior Cyber Threat Analyst

Multi-State Information Sharing and Analysis Center (MS-ISAC)

31 Tech Valley Drive

East Greenbush, NY 12061

sarah.kelley@cisecurity.org

518-266-3493

24x7 Security Operations Center

SOC@cisecurity.org - 1-866-787-4722

From: Andras Iklody <andras.iklody@circl.lu>
Date: Friday, August 25, 2017 at 8:10 AM
To: Sarah Kelley <Sarah.Kelley@cisecurity.org>, Allan Thomson <athomson@lookingglasscyber.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Re: [EXT] Re: [cti] Summary of the working call

Hi Sarah,

Is there any way to get any insight on the progress / working documents
for these? Either I am missing something very obvious or there's a
painful lack of transparency going on in here.

Best regards,
Andras

On 25. aug. 2017 13:59, Sarah Kelley wrote:
> All,
>
>
>
> Just to clarify my original email.
>
>
>
> The conversation on the working call was to scope down what we were
> currently working on for the particular event object we /already/ had a
> proposal for in the working documents. This object was designed with the
> IR type of object in mind, so for our current understanding, and to make
> some forward progress on this object, we were suggesting to scope back
> the use cases for /that particular SDO/ to what it made sense for. We
> were NOT in any way suggesting that other use cases weren’t valid or
> that we wouldn’t fulfil them. In fact, there have been several
> discussions recently about how exactly how we can meet the needs of the
> use cases you’ve suggested. If this particular SDO isn’t going to work,
> we are currently in the process of creating alternatives that could
> fulfil these use case.
>
>
>
> I hope this helps clarify what the intentions were in my original email
> regarding our discussions.
>
>
>
> *Sarah Kelley*
>
> *Senior Cyber Threat Analyst*
>
> *Multi-State Information Sharing and Analysis Center
> (MS-ISAC) *
>
> *31 Tech Valley Drive*
>
> *East Greenbush, NY 12061*
>
> * *
>
> *sarah.kelley@cisecurity.org <mailto:sarah.kelley@cisecurity.org>*
>
> *518-266-3493*
>
> *24x7 Security Operations Center*
>
> *SOC@cisecurity.org <mailto:SOC@cisecurity.org> - 1-866-787-4722*
>
> * *
>
> ** <https://clicktime.symantec.com/a/1/rnRMXp-CxWRGzUJiX8dbzr1a_p1EiT82D0ZHIhgDzbo=?d=diRsILX4I02LMExJt5SwD3190pmGWva9GmwGqxUOnAtsHELtT6302q3aKHeh8TUtvc-Lv7-9qVNak7JTlWEV5fCfX1-Pj9UHeCFK4ioAiSDfJ6FzJEzXAE7zXA7nPAKTL52PYM7iqWX6-uowzXZay71vd9CDts9h-S8F4nplDakJiEEueFGfDR9X5IF8aozUdGi_yAgxVCPl6doULhJcSkclyJo6IX4s7ImlFyslWJZnVUEXHsSV69k352mO4N7VqgcxdAOfv2A0_eBLzy8fwraE_CYs_35h_iPS-5GqjritOGBSSkXBm2MbcZafG7H4mf9t1-AY4_G8qGZqds2qBTkb3pl0IaLOSk4oOV3H2LHCd3C5n_qVCxI8QZ4SWZ0ogbkwBCEJaU97TAjb9RjKTEjxiXFBxKEuK5eA0OcOW5SbvnwcLiBZ5dDCKmErBXgqVHtqAU2X7nrEbRBk4mgP&u=https%3A%2F%2Fmsisac.cisecurity.org%2F%26gt%3B**
>
> * *** <https://www.facebook.com/CenterforIntSec>* ***
> <https://twitter.com/CISecurity>* ***
> <https://www.youtube.com/user/TheCISecurity>* ***
> <https://www.linkedin.com/company/the-center-for-internet-security>
>
>
>
> *From: *"cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf
> of Allan Thomson <athomson@lookingglasscyber.com>
> *Date: *Friday, August 25, 2017 at 6:26 AM
> *To: *Andras Iklody <andras.iklody@circl.lu>, "cti@lists.oasis-open.org"
> <cti@lists.oasis-open.org>
> *Subject: *Re: [cti] Re: [EXT] Re: [cti] Summary of the working call
>
>
>
>
>
>
> Bret/Andras – I wasn’t able to attend the working call but I would like
> to point out that the definition of the Event object in the “current”
> proposal has a relationship to Observed-Data object(s) as well as other
> new STIX 2.1 objects Intel-Note.
>
> Therefore an event can describe a generic event that points to OSINT
> data (e.g. observed-data), CERT notification (e.g. intel-note),
> black-list (could be represented as a list of IPs as Observed-Data object).
>
> Andras is asking for reasonable (we agree with them) use cases that the
> Event object should support.
>
> So I would suggest that the current proposal on the table is closer to
> what is needed to support the MISP event use cases that is being suggested.
>
> Certainly we agree that Event should *not* just be about an
> investigation and *should* represent various event use cases including
> the ones that Andras has suggested.
>
> Allan Thomson
> CTO
> +1-408-331-6646
> LookingGlass Cyber Solutions <http://www.lookingglasscyber.com/>
>
> On 8/25/17, 12:41 AM, "cti@lists.oasis-open.org on behalf of Andras
> Iklody" <cti@lists.oasis-open.org on behalf of andras.iklody@circl.lu>
> wrote:
>
> Hello Bret,
>
> We've just had a look at the event object
> (https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#
> - section 2.6 / 2.1.x???) and it is pretty far from our idea of a
> generic event, as it basically describes an incident/investigation/case
> instead of a generic event (which could be a collection of OSINT data
> even, CERT notifications, or even a shared black list). Most of its
> attributes don't align with what we're after
> (so basically we'd have to leave them unset) and it lacks some
> attributes that are blockers for us.
>
> Our main goal with threat intel sharing is to give analysts a tool that
> allows them to exchange information that they find could be useful for
> their partners, based on a variety of sources (an actual incident, a
> collection of OSINT data, financial fraud details, the results of the
> analysis of a reverse engineer, notifications shared by law enforcement
> etc).
>
> The event proposal that you suggested deals more with a collection of
> facts after an incident/investigation/case, which has different
> objectives and assumptions. It is great for a ticketing system used
> internally for example, but less so for threat intel sharing. I
> personally don't see how this is more relevant than what we're after
> when we consider that STIX is a standard built to exchange threat
> information, but we can't all have our ponies, I realise that.
>
> However, this makes the proposed construct unusable for our use-case.
>
> I hope this has managed to clear up some of the confusion and we can
> come to an agreement on how to proceed (hopefully using the proposed
> generic-event structure).
>
> Best regards,
> Andras
>
> On 23. aug. 2017 18:39, Bret Jordan wrote:
>> Alexandre,
>>
>>
>> If we added a "supporting_data" property to Event that contained a list
>> of IDs to other STIX objects, would that enable your use-case?
>>
>>
>> Bret
>>
>> ------------------------------------------------------------------------
>> *From:* cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of
>> Alexandre Dulaunoy <Alexandre.Dulaunoy@circl.lu>
>> *Sent:* Wednesday, August 23, 2017 2:42:46 AM
>> *To:* cti@lists.oasis-open.org
>> *Subject:* [EXT] Re: [cti] Summary of the working call
>>
>> On 22/08/17 22:12, Sarah Kelley wrote:
>>> On today’s working call, we discussed the event object. We didn’t
> have someone taking full notes, but I’ll try to summarize what was
> discussed below.
>>>
>>>
>>> 1. The event object should be scoped down to just an IR type of
> event/incident. This would need to be clarified in the text, but that
> would then scope out some of our other use cases such as:
>>> * An ‘alert’ coming into your system
>>> * An ‘event’ such as a threat actor registering a domain
>>> * The MISP version of ‘event’
>>
>> As our past proposals (event and updated report) were rejected and
>> seeing how despite expectations the new event SDO won't accommodate the
>> requirements of many CERTs and considering that we need to
>> move on regarding this, we propose a new SDO called generic event to be
>> able to map MISP events to STIX.
>>
>>
> https://clicktime.symantec.com/a/1/KXXOt30L0Phy4XSBJfMef58Wt7mbKP8hq6iPJVbggCA=?d=aZFWp64AB6xw0IMyCZXL0Penlb_6iU6OgveRz1MnP5rZ9wxB3EfnQTTfyleQA_85xnxQ4G0tW-3mzxOSKk1ZRAeSkGz5Uk_0aPQYycvNcyEd8ji_tyMaKiVRV9LZPX9QWMpByAtKN1160Dz8pzikmWvm0SFVLHVA309anASuRu6zZIWfoBIdLmRQw-WVQy010_LhdsXjYEM-UscjJdtGhpFaPSlyn8sajyVZvtRf2DKg9jyYepCu2Rt7DmyHYx5Z5jlm5eo60yXUU7QuYoszYy6gKXOlHo9JUCI9Euvaux0dldytYQNnqpjF1iIAR6BljwZgq0OTmjNjS72rdbMO-Ki2Sdu1EX1s_yvIWbUoNls35fV1yGdy7YLa8z1z7nM_1VZZ8C-43itV5JB6WqnJUQBohXsItCeM8aFDSIxBoJTjjTC8&u=https%3A%2F%2Fwww.misp-project.org%2Fgeneric-event-proposal-STIX-2.1.pdf
>>
>> Thank you very much
>>
>> --
>> Alexandre Dulaunoy
>> CIRCL - Computer Incident Response Center Luxembourg
>> 41, avenue de la gare L-1611 Luxembourg
>> info@circl.lu - www.circl.lu <http://www.circl.lu>
> <http://www.circl.lu> - (+352) 247 88444
>>
>> ---------------------------------------------------------------------
>> To unsubscribe from this mail list, you must leave the OASIS TC that
>> generates this mail. Follow this link to all your TCs in OASIS at:
>>
> https://clicktime.symantec.com/a/1/TPo_dTV-pVxJ8S7TeISQ6XYZjfPzx28einI7H3nz6M0=?d=aZFWp64AB6xw0IMyCZXL0Penlb_6iU6OgveRz1MnP5rZ9wxB3EfnQTTfyleQA_85xnxQ4G0tW-3mzxOSKk1ZRAeSkGz5Uk_0aPQYycvNcyEd8ji_tyMaKiVRV9LZPX9QWMpByAtKN1160Dz8pzikmWvm0SFVLHVA309anASuRu6zZIWfoBIdLmRQw-WVQy010_LhdsXjYEM-UscjJdtGhpFaPSlyn8sajyVZvtRf2DKg9jyYepCu2Rt7DmyHYx5Z5jlm5eo60yXUU7QuYoszYy6gKXOlHo9JUCI9Euvaux0dldytYQNnqpjF1iIAR6BljwZgq0OTmjNjS72rdbMO-Ki2Sdu1EX1s_yvIWbUoNls35fV1yGdy7YLa8z1z7nM_1VZZ8C-43itV5JB6WqnJUQBohXsItCeM8aFDSIxBoJTjjTC8&u=https%3A%2F%2Fwww.oasis-open.org%2Fapps%2Forg%2Fworkgroup%2Fportal%2Fmy_workgroups.php
>>
>>
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail. Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>
>
>
>
> .....
>
> This message and attachments may contain confidential information. If it
> appears that this message was sent to you by mistake, any retention,
> dissemination, distribution or copying of this message and attachments
> is strictly prohibited. Please notify the sender immediately and
> permanently delete the message and any attachments.
>
> . . . . .

.....

This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.

. . . . .

cti message