Hi Ivan – Given the nature of deterministic IDs and the point that 2 vendors (if complying with the spec) should be able to produce the same SCO with the same deterministic ID and then see things merge correctly when their intel is shared into a TIP or similar system that would see both intel providers, I think we should have interop rules and tests to verify that.
Similarly, if a vendor chooses to create SCOs with their own ID creation algorithm, then we need to make sure that this intel would co-exist in an ecosystem where we have deterministic ID creation of SCOs with both the compliant algorithm and vendor-specific algorithms, and all of those SCOs are referenced by the same campaigns/attack patterns, etc.
So I think interop rules need to be created for all these use cases. I can also think of more that will have a very tangible impact on anyone trying to use SCOs from single or multiple vendors.
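The merge scenario raised above, as an added illustration that is not part of this thread: two spec-compliant producers derive the same ID for the same ipv4-addr (UUIDv5 over the canonical JSON of the ID-contributing properties, using the STIX 2.1 SCO namespace), so a TIP keyed on id collapses them into one record, while a producer using its own random-ID scheme yields a second record for the same value. The dict-based store, the two-type contributing-property table and the sample address are constructed for the example.

```python
import json
import uuid

# STIX 2.1 namespace for deterministic SCO IDs (UUIDv5), as given in the spec
STIX_SCO_NAMESPACE = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")

# ID-contributing properties per SCO type (constructed subset for this example)
ID_CONTRIBUTING = {
    "ipv4-addr": ["value"],
    "domain-name": ["value"],
}


def deterministic_id(sco_type, props):
    """Spec-style ID: UUIDv5 over canonical JSON of the contributing properties."""
    contributing = {k: props[k] for k in ID_CONTRIBUTING[sco_type] if k in props}
    # Sorted keys, no whitespace: the RFC 8785 canonical form for plain string values
    canonical = json.dumps(contributing, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return f"{sco_type}--{uuid.uuid5(STIX_SCO_NAMESPACE, canonical)}"


def vendor_specific_id(sco_type):
    """Vendor-specific scheme the spec also permits: a random UUIDv4."""
    return f"{sco_type}--{uuid.uuid4()}"


def ingest(store, sco, source):
    """Stand-in for a TIP: objects are keyed by id, so equal ids from two feeds merge."""
    record = store.setdefault(sco["id"], {"object": sco, "sources": set()})
    record["sources"].add(source)
    return record


def demo():
    store = {}
    props = {"value": "198.51.100.3"}  # constructed sample address
    # Two compliant vendors describe the same address: identical id, one merged record
    for vendor in ("vendor-a", "vendor-b"):
        ingest(store, {"type": "ipv4-addr", "id": deterministic_id("ipv4-addr", props), **props}, vendor)
    # A third vendor uses its own scheme: same address, but a separate record
    ingest(store, {"type": "ipv4-addr", "id": vendor_specific_id("ipv4-addr"), **props}, "vendor-c")
    merged = store[deterministic_id("ipv4-addr", props)]
    return {
        "records": len(store),
        "merged_sources": sorted(merged["sources"]),
        "records_for_value": sum(1 for r in store.values() if r["object"]["value"] == props["value"]),
    }
```

An interop test for the compliant path is the first assertion: two independent producers must agree on the id byte for byte; the `records_for_value` count shows the duplicate a vendor-specific id leaves behind.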
What I'm trying to get at is whether the sponsored item requires interop text (including profile, examples, etc.) and working code or just working code. Some items, like deterministic IDs, seem like they'll only require code while others will require both interop + code.
Discussing at the next working call sounds good to me.
Hi Ivan – not exactly sure what you mean by "type" of sponsorship.
Do you mean what interop profile (i.e. DFP vs TIP vs TM, etc.)?
Do you mean more examples that we want for SCO sponsorship verification?
Maybe we can add this discussion topic to the next weekly meeting.
LookingGlass Cyber Solutions
That makes sense to me, Allan. Any other thoughts as to the "type" of sponsorship for the below items?
Ivan – I would suggest that the use of SCOs as top-level objects just needs to be conceptually verified.
A couple of real-world examples might suffice.
- Malware SDO and/or Malware Analysis SDO referencing SCO artifacts
- Observed Data referencing SCO artifacts as part of a sighting/observed-data/indicator trifecta.
Those 2 examples might be good enough.
LookingGlass Cyber Solutions
Now that STIX 2.1 CSD02 is out the door, we can begin the sponsorship process. However, one of the questions that we (MITRE/DHS) have is with regards to the "type" of sponsorship expected for each item – "full" (code + interop text) or just working code. If you recall from the last sponsorship period, certain things like confidence only required working code while others such as the Opinion & Note objects required interop text as well.
Here's the list of items for sponsorship, along with my own thoughts as to the type of sponsorship:
- COA: full
- Grouping: full
- Infrastructure: full
- Malware: full
- Malware Analysis: full
- SCOs as top-level objects: full – however, the level of detail on this one is quite open. Maybe different sponsors can choose different SCOs to cover?
- SCO relationships: working code
- Deterministic IDs: working code
Also, I would suggest that we don't formally start the sponsorship period until we get this question resolved, so that sponsors have a better understanding of what is expected.