Subject: Re: [cti] Re: [EXT] Re: [cti] STIX 2.1 CSD02 Sponsorship?


Hi Ivan – Given the nature of deterministic IDs and the point that 2 vendors (if complying to the spec) should be able to produce the same SCO with the same deterministic ID and then see things merge correctly when their intel is shared into a TIP or similar system that would see both intel providers, then I think we should have interop rules and tests to verify that.

Similarly, if a vendor chooses to create SCO with their own ID creation algorithm then we need to make sure that this intel would co-exist in an ecosystem where we have both deterministic ID creation of SCO with compliant algorithm vs vendor-specific algorithm and then all of those SCO are referenced by the same campaigns/attack patterns, etc.

So I think interop rules need to be created for all these use cases. I can also think of more that will have a very tangible impact on anyone trying to use SCO from single or multi-vendors.


Allan Thomson

CTO (+1-408-331-6646)

LookingGlass Cyber Solutions
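The two situations Allan describes above (two compliant producers whose SCOs must merge on the same deterministic ID, and a vendor-specific ID scheme whose SCOs must still co-exist with them) can be made concrete with a small Python script. This is an added example, not code from the thread, from OASIS or from any vendor mentioned in it. It assumes the deterministic-ID algorithm of the STIX 2.1 specification (UUIDv5 under the spec's fixed SCO namespace over the canonical JSON of the ID-contributing properties), a contributing-property table limited to the two SCO types used, constructed sample observables, and a deliberately simplified stand-in for a TIP's ingest-by-ID merge; the "vendor-specific" producer that assigns random UUIDv4s is hypothetical.

```python
import json
import uuid

# Namespace UUID that the STIX 2.1 specification fixes for deterministic SCO IDs
# (taken from the spec, not from this thread).
STIX_SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")

# ID-contributing properties for the two SCO types used here (per the spec;
# the table is deliberately limited to what this example needs).
ID_CONTRIBUTING = {
    "ipv4-addr": ("value",),
    "domain-name": ("value",),
}


def canonical_json(obj):
    """Compact, key-sorted JSON. For ASCII-only content this equals the
    RFC 8785 canonical form the final STIX 2.1 spec requires."""
    return json.dumps(obj, separators=(",", ":"), sort_keys=True, ensure_ascii=False)


def contributing_props(sco):
    """Pick out only the ID-contributing properties of an SCO dict."""
    return {k: sco[k] for k in ID_CONTRIBUTING[sco["type"]] if k in sco}


def deterministic_id(sco):
    """Spec-compliant ID: UUIDv5 over the canonical JSON of the contributing props."""
    props = contributing_props(sco)
    if not props:
        # Spec fallback when no contributing property is present: random UUIDv4
        return f"{sco['type']}--{uuid.uuid4()}"
    return f"{sco['type']}--{uuid.uuid5(STIX_SCO_NAMESPACE, canonical_json(props))}"


def vendor_specific_id(sco):
    """Hypothetical non-compliant producer: a fresh random UUIDv4 every time."""
    return f"{sco['type']}--{uuid.uuid4()}"


def produce(sco, id_func):
    """Return a copy of the SCO with an id assigned by the producer's algorithm."""
    out = dict(sco)
    out["id"] = id_func(sco)
    return out


def merge_into_tip(store, objects):
    """Ingest objects into a TIP-style store keyed by STIX id.
    Same id -> same object (first writer wins here); different id -> new row."""
    for obj in objects:
        store.setdefault(obj["id"], obj)
    return store


def content_duplicates(store):
    """Find SCOs that describe the same observable under different ids, which is
    what an ingest-by-ID merge silently leaves behind once a vendor-specific ID
    scheme enters the ecosystem."""
    groups = {}
    for obj in store.values():
        key = f"{obj['type']}|{canonical_json(contributing_props(obj))}"
        groups.setdefault(key, []).append(obj["id"])
    return {k: ids for k, ids in groups.items() if len(ids) > 1}


def demo():
    # Constructed sample observables. The extra non-contributing property on the
    # second producer's copy must not change the deterministic id.
    ip = {"type": "ipv4-addr", "spec_version": "2.1", "value": "198.51.100.7"}
    ip_with_extra = dict(ip, resolves_to_refs=["mac-addr--00000000-0000-4000-8000-000000000000"])
    dom = {"type": "domain-name", "spec_version": "2.1", "value": "example.test"}

    vendor_a = [produce(ip, deterministic_id), produce(dom, deterministic_id)]
    vendor_b = [produce(ip_with_extra, deterministic_id)]
    vendor_c = [produce(ip, vendor_specific_id)]  # non-compliant producer

    compliant_only = merge_into_tip({}, vendor_a + vendor_b)
    mixed = merge_into_tip(dict(compliant_only), vendor_c)
    return {
        "ids_agree": vendor_a[0]["id"] == vendor_b[0]["id"],
        "compliant_count": len(compliant_only),
        "mixed_count": len(mixed),
        "duplicate_groups": content_duplicates(mixed),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it shows the two behaviours the thread cares about: the two compliant producers collapse to one row per observable because their IDs agree byte for byte, while the vendor-specific producer's copy of the same IP address lands as a third row, which is exactly the case an interop test would have to flag. `content_duplicates` is the kind of check a TIP needs in the mixed ecosystem: it groups by the contributing properties rather than by ID, so that campaigns or attack patterns referencing either ID can be reconciled to one observable.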

 

From: "Kirillov, Ivan" <ikirillov@mitre.org>
Date: Friday, August 30, 2019 at 8:22 AM
To: Allan Thomson <athomson@lookingglasscyber.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Re: [EXT] Re: [cti] STIX 2.1 CSD02 Sponsorship?


Hi Allan,

What I'm trying to get at is whether the sponsored item requires interop text (including profile, examples, etc.) and working code or just working code. Some items, like deterministic IDs, seem like they'll only require code while others will require both interop + code.

Discussing at the next working call sounds good to me.

Thanks,

Ivan


From: <cti@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
Date: Friday, August 30, 2019 at 8:34 AM
To: Ivan Kirillov <ikirillov@mitre.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Re: [EXT] Re: [cti] STIX 2.1 CSD02 Sponsorship?


Hi Ivan – not exactly sure what you mean by "type" of sponsorship.

Do you mean what interop profile (i.e. DFP vs TIP vs TM, etc.)?

Or

Do you mean more examples that we want for SCO sponsorship verification?

Maybe we can add this discussion topic to the next weekly meeting.

Allan Thomson

CTO (+1-408-331-6646)

LookingGlass Cyber Solutions


From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "Kirillov, Ivan" <ikirillov@mitre.org>
Date: Friday, August 30, 2019 at 7:24 AM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] Re: [EXT] Re: [cti] STIX 2.1 CSD02 Sponsorship?


That makes sense to me, Allan. Any other thoughts as to the "type" of sponsorship for the below items?

Thanks,

Ivan


From: <cti@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
Date: Friday, August 9, 2019 at 11:25 AM
To: Ivan Kirillov <ikirillov@mitre.org>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [EXT] Re: [cti] STIX 2.1 CSD02 Sponsorship?


Ivan – I would suggest that the use of SCO as top-level objects just needs to be conceptually verified.

A couple of real-world examples might suffice.

  1. Malware SDO and/or Malware Analysis SDO referencing SCO artifacts
  2. Observed Data referencing SCO artifacts as part of a sighting/observed-data/indicator trifecta.

Those 2 examples might be good enough.

Allan Thomson

CTO (+1-408-331-6646)

LookingGlass Cyber Solutions


From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "Kirillov, Ivan" <ikirillov@mitre.org>
Date: Friday, August 9, 2019 at 10:16 AM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] STIX 2.1 CSD02 Sponsorship?


All,

Now that STIX 2.1 CSD02 is out the door, we can begin the sponsorship process. However, one of the questions that we (MITRE/DHS) have is with regards to the "type" of sponsorship expected for each item – "full" (code + interop text) or just working code. If you recall from the last sponsorship period, certain things like confidence only required working code while others such as the Opinion & Note objects required interop text as well.

Here's the list of items for sponsorship, along with my own thoughts as to the type of sponsorship:

  • COA: full
  • Grouping: full
  • Infrastructure: full
  • Malware: full
  • Malware Analysis: full
  • SCOs as top-level objects: full – however, the level of detail on this one is quite open. Maybe different sponsors can choose different SCOs to cover?
  • SCO relationships: working code
  • Deterministic IDs: working code

Also, I would suggest that we don't formally start the sponsorship period until we get this question resolved, so that sponsors have a better understanding of what is expected.


-Ivan
