Re: [cti] Re: [EXT] Re: [cti] STIX 2.1 CSD02 Sponsorship?

["Kirillov, Ivan A." <ikirillov@mitre.org>]

Hi Allan,

 

What Iâm trying to get at is whether the sponsored item requires interop text (including profile, examples, etc.) and working code or just working code. Some items, like deterministic IDs, seem like theyâll only require code while others will require both interop + code.

 

Discussing at the next working call sounds good to me.

 

Thanks,

Ivan

 

From: <cti@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
Date: Friday, August 30, 2019 at 8:34 AM
To: Ivan Kirillov <ikirillov@mitre.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Re: [EXT] Re: [cti] STIX 2.1 CSD02 Sponsorship?

 

Hi Ivan â not exactly sure what you mean by âtypeâ of sponsorship.

Do you mean what interop profile (i.e. DFP vs TIP vs TM â.etc) ?

 

Or

 

Do you mean more examples that we want for SCO sponsorship verification?

 

Maybe we can add this discussion topic to the next weekly meeting.

 

Allan Thomson

CTO (+1-408-331-6646)

LookingGlass Cyber Solutions

 

From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "Kirillov, Ivan" <ikirillov@mitre.org>
Date: Friday, August 30, 2019 at 7:24 AM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] Re: [EXT] Re: [cti] STIX 2.1 CSD02 Sponsorship?

 

That makes sense to me, Allan. Any other thoughts as to the âtypeâ of sponsorship for the below items?

 

Thanks,

Ivan

 

From: <cti@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
Date: Friday, August 9, 2019 at 11:25 AM
To: Ivan Kirillov <ikirillov@mitre.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [EXT] Re: [cti] STIX 2.1 CSD02 Sponsorship?

 

Ivan â I would suggest that the user of SCO as top-level objects just needs to be conceptually verified.

 

A couple of real-world examples might suffice.

 

1. Malware SDO and/or Malware Analysis SDO referencing SCO artifacts
2. Observed Data referencing SCO artifacts as part of a sighting/observed-data/indicator trifecta.

 

Those 2 examples might be good enough.

 

Allan Thomson

CTO (+1-408-331-6646)

LookingGlass Cyber Solutions

 

From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "Kirillov, Ivan" <ikirillov@mitre.org>
Date: Friday, August 9, 2019 at 10:16 AM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] STIX 2.1 CSD02 Sponsorship?

 

All,

 

Now that STIX 2.1 CSD02 is out the door, we can begin the sponsorship process. However, one of the questions that we (MITRE/DHS) have is with regards to the âtypeâ of sponsorship expected for each item â âfullâ (code + interop text) or just working code. If you recall from the last sponsorship period, certain things like confidence only required working code while others such as the Opinion & Note objects required interop text as well.

 

Hereâs the list of items for sponsorship, along with my own thoughts as to the type of sponsorship:

 

• COA: full
• Grouping: full
• Infrastructure: full
• Malware: full
• Malware Analysis: full
• SCOs as top-level objects: full â however, the level of detail on this one is quite open. Maybe different sponsors can choose different SCOs to cover?
• SCO relationships: working code
• Deterministic IDs: working code

 

Also, I would suggest that we donât formally start the sponsorship period until we get this question resolved, so that sponsors have a better understanding of what is expected.

 

-Ivan