

Subject: Motion for Open Repository for the Common STIX objects


Hi all,

 

As mentioned previously, MITRE has been asked by DHS/CISA to stand up a common object repository.  After much thought, we think that it would be best hosted as an OASIS Open Repository. 

This needs the approval of the TC.

 

We hope that others find it useful and will contribute to the project. 

 

See below for a detailed description of this proposed repository and some policy questions and answers.

 

 

I move that the TC approve by unanimous consent requesting OASIS to set up an OASIS Open Repository project named cti-stix-common-objects using the following pieces of information:

 

Purpose Statement: A repository of commonly used STIX objects that do not need to be created and shared by the CTI community.

 

Initial Maintainers: Rich Piazza, Chris Lenk

 

Open Source License: BSD-3-Clause License

 

GitHub Name: cti-stix-common-objects

 

Short Description: OASIS Common STIX Object Repository: a repository for commonly used STIX objects in order to avoid needless duplication

 

 

If there have been no objections before Monday March 1 at 21:00 UTC (5:00 PM EST), I will submit the form [1] to ask OASIS to create the repository. 

 

Thank you,

Rich Piazza

 

[1] https://www.oasis-open.org/resources/tc-admin-requests/open-repository-request

 

 

 

Rationale for the Repository

 

Having such a repository of common CTI objects has always been on the "wish list" of members of the OASIS CTI-TC.

Many entities in cyber threat intelligence are common and having many duplicate STIX objects to represent the same concept has always been seen as wasteful and problematic. 

 

Initial Contents of the Repository

 

The initial content was created via a script:

  • Location objects
    • All countries (compiled from Python pycountry package)
    • All States (constant in script)
    • All Canadian Provinces (constant in script)
    • All regions from specification in region-ov
  • Identity objects
    • One for the object creator (currently OASIS - identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a.json)
    • All sectors from specification in industry-sector-ov
  • Vulnerability objects
    • All 148,032 "published" CVEs

 

Other objects considered but rejected:

 

  • ipv4-addr objects (too many - billions and billions)
  • Data Markings
  • Licenses - the text needs to be specific to the license holder, so no real common objects
  • Software objects based on CPE (over 600,000 entries)
    • Perhaps the more common Software can be determined

 

Policies

 

  • Where would it be hosted?
    • GitHub oasis-open web site.
  • How is the content stored?  
  • Is it "fronted" by a TAXII server?
    • Not at this time
  • Who maintains it?  
    • Initially MITRE will volunteer to be the Maintainers, to be replaced or added to with members from the TC
  • Who decides what should be in the repository? 
    • The maintainers, for now. Contributions are welcome - via merge requests
  • How to use the repository?
    • Download the content and incorporate it using the python-stix2 file system datastore

 

IP Issues

 

  • All repositories on the GitHub oasis-open web site MUST have a README file that contains a section on Governance.

This is where licensing information is stated.  I assume that the default BSD-3-Clause License will be used.

    • Is there a copyright notice (via a data marking) needed on all objects? 

 

 

 


