
Subject: RE: [Non-DoD Source] Re: [cti] RE: [EXT] Re: [cti] Possible Changes to Observed Data


To Sarah's point, I would like to provide an overview of how Cyber Observables could be updated to support the new use cases. These updates were based upon a discussion with Ivan and Jeff prior to being turned into a PowerPoint. The PowerPoint was developed with the idea that someone would be speaking to the slides, so I apologize if anything is obtuse. By making a couple of changes to the Cyber Observable object, we should be able to accommodate new use cases. Obviously, as we continue to refine Infrastructure, Malware, and Incident, we will need to confirm that these changes do support their use cases, but it looks like this would be a solution to meet Option 1.

Comments or questions welcome.
     -Gary

-----Original Message-----
From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> On Behalf Of Trey Darley
Sent: Thursday, August 16, 2018 8:43 AM
To: Kelley, Sarah E. <skelley@mitre.org>
Cc: cti@lists.oasis-open.org
Subject: [Non-DoD Source] Re: [cti] RE: [EXT] Re: [cti] Possible Changes to Observed Data

On 16.08.2018 12:07:33, Kelley, Sarah E. wrote:
> Since the whole reason we're contemplating changing how observed data
> works is so that it fits for new use cases like malware and
> infrastructure, I'd like to suggest that we should hold off on making
> a decision on how to change observed data until we know that it will
> actually work with these new proposed objects. Since we pushed malware
> from CSD01, and infrastructure was never in it, I think we should hold
> off on making any changes to the observed data object until we can
> work through these objects at the same time. Otherwise we could wind
> up making changes now that ultimately will need to be changed again if
> they don't work for malware/infrastructure, etc.
> 

That would be my preference, Sarah. We should back out the changes to Observed Data and issue draft-03.

As an editor, I understand the pressure to resolve comments and get drafts out for review promptly. However, Bret's suggested changes to Observed Data were accepted into draft-02 without being adequately discussed. (Neither Ivan Kirillov nor myself were consulted; as the Cyber Observable co-chairs, at the very least this should have happened.)

In fact, we *should* have discussed this on a TC working call. As you rightly point out, the TC needs to validate that these changes to Observed Data are adequate to address the needs of Malware and Infrastructure.

There are still a fair number of folks out on summer vacation. I recommend that we dedicate the entire working calls 11 & 18 September to discussing this with a larger audience. (The week of 03 September being US Labor Day holiday period, we'll likely have lower participation on the 04 September working call.)

As Ivan and I are the Cyber Observable co-chairs and as we led the work on Malware, we will happily lead this discussion. If the TC elects to go this route, Ivan and I will work together with the TC membership to assemble a set of questions which will allow us to validate that the changes we make to Observed Data are fit-to-purpose for Malware and Infrastructure, and that they do not negatively impact STIX Patterning.

--
Cheers,
Trey
++--------------------------------------------------------------------------++
Director of Standards Development, New Context gpg fingerprint: 3918 9D7E 50F5 088F 823F  018A 831A 270A 6C4F C338
++--------------------------------------------------------------------------++
--
"You know you have achieved perfection in design, not when you have nothing more to add, but when you have nothing more to take away."
--Antoine de Saint-Exupéry

Attachment: Observed Data Presentation.pptx
Description: application/vnd.openxmlformats-officedocument.presentationml.presentation

Attachment: smime.p7s
Description: S/MIME cryptographic signature
