OASIS Mailing List Archives

 



cti message



Subject: Re: [cti] Re: [EXT] Re: [cti] STIX 2.1 CSD02 Sponsorship?


We will talk about this on next week's working call.  But I think it can be whatever we think it needs to be.  The work MITRE has already done on deterministic IDs has been awesome.  It has found several problems that we were already able to address.  This just goes to show how valuable this sponsorship work is.

Bret

From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Kirillov, Ivan A. <ikirillov@mitre.org>
Sent: Friday, August 30, 2019 9:21 AM
To: Allan Thomson <athomson@lookingglasscyber.com>; cti@lists.oasis-open.org <cti@lists.oasis-open.org>
Subject: Re: [cti] Re: [EXT] Re: [cti] STIX 2.1 CSD02 Sponsorship?
 

Hi Allan,

 

What I’m trying to get at is whether the sponsored item requires interop text (including profile, examples, etc.) and working code or just working code. Some items, like deterministic IDs, seem like they’ll only require code while others will require both interop + code.

 

Discussing at the next working call sounds good to me.

 

Thanks,

Ivan

 

From: <cti@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
Date: Friday, August 30, 2019 at 8:34 AM
To: Ivan Kirillov <ikirillov@mitre.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Re: [EXT] Re: [cti] STIX 2.1 CSD02 Sponsorship?

 

Hi Ivan – not exactly sure what you mean by ‘type’ of sponsorship.


Do you mean what interop profile (i.e. DFP vs TIP vs TM ….etc) ?

 

Or

 

Do you mean more examples that we want for SCO sponsorship verification?

 

Maybe we can add this discussion topic to the next weekly meeting.

 

Allan Thomson

CTO (+1-408-331-6646)

LookingGlass Cyber Solutions

 

From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "Kirillov, Ivan" <ikirillov@mitre.org>
Date: Friday, August 30, 2019 at 7:24 AM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] Re: [EXT] Re: [cti] STIX 2.1 CSD02 Sponsorship?

 

That makes sense to me, Allan. Any other thoughts as to the “type” of sponsorship for the below items?

 

Thanks,

Ivan

 

From: <cti@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
Date: Friday, August 9, 2019 at 11:25 AM
To: Ivan Kirillov <ikirillov@mitre.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [EXT] Re: [cti] STIX 2.1 CSD02 Sponsorship?

 

Ivan – I would suggest that the user of SCO as top-level objects just needs to be conceptually verified.

 

A couple of real-world examples might suffice.

 

  1. Malware SDO and/or Malware Analysis SDO referencing SCO artifacts
  2. Observed Data referencing SCO artifacts as part of a sighting/observed-data/indicator trifecta.

 

Those 2 examples might be good enough.

 

Allan Thomson

CTO (+1-408-331-6646)

LookingGlass Cyber Solutions

 

From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "Kirillov, Ivan" <ikirillov@mitre.org>
Date: Friday, August 9, 2019 at 10:16 AM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] STIX 2.1 CSD02 Sponsorship?

 

All,

 

Now that STIX 2.1 CSD02 is out the door, we can begin the sponsorship process. However, one of the questions that we (MITRE/DHS) have is with regards to the “type” of sponsorship expected for each item – “full” (code + interop text) or just working code. If you recall from the last sponsorship period, certain things like confidence only required working code while others such as the Opinion & Note objects required interop text as well.

 

Here’s the list of items for sponsorship, along with my own thoughts as to the type of sponsorship:

 

  • COA: full
  • Grouping: full
  • Infrastructure: full
  • Malware: full
  • Malware Analysis: full
  • SCOs as top-level objects: full – however, the level of detail on this one is quite open. Maybe different sponsors can choose different SCOs to cover?
  • SCO relationships: working code
  • Deterministic IDs: working code

 

Also, I would suggest that we don’t formally start the sponsorship period until we get this question resolved, so that sponsors have a better understanding of what is expected.

 

-Ivan


