Re: Storing the Incident extension definition in the OASIS CTI common ST

Since we’re (evidently) not going to try to address the global issue of representing Incidents as a top-level concept (at this time), then does it make sense to just create this extension (or create another) as a model of the DC3 ICF? Given the OMB ICF tie-in it needs to be an exact match.

Curious what the DC3 Team thinks.

Patrick Maroney
Principal - Cybersecurity
Chief Security Office
Office: 732.615.5287 | Cell: 609.678.5613 | Email: rx118r@att.com

From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Rich Piazza <rpiazza@mitre.org>
Date: Monday, August 9, 2021 at 3:46 PM
To: Mates, Jeffrey CIV DC3/TSD <Jeffrey.Mates@dc3.mil>
Cc: cti@lists.oasis-open.org <cti@lists.oasis-open.org>
Subject: [cti] Storing the Incident extension definition in the OASIS CTI common STIX object repository

Hi Jeff,

You may have seen the email that is forwarded (below) about where to store extension definitions.

I was wondering if you could create a pull request for your Incident extension definition. As it says below, DHS/CISA is trying to encourage individuals/organizations who are creating extension definitions to store them in a common repository.

If you feel that your extension definition is just a draft, you may want to wait, but I don’t think there is any harm in “advertising” it now in the common repository. There is a version property on the extension definition object which would help deal with improvements to the draft.

Rich

Rich Piazza

Lead Cyber Security Engineer

The MITRE Corporation

781-271-3760

From: <cti@lists.oasis-open.org> on behalf of Rich Piazza <rpiazza@mitre.org>
Date: Monday, May 10, 2021 at 11:21 AM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] Proposal for Housing Extension Definitions

Hi All,

With introduction of extensions in STIX 2.1, we are left with the issue of where to store extension definition objects, related schemas, and documentation. Previously we had the SEP repository, which would have been the location to store such information and “advertise” it to other community members.

What is being proposed in this email is NOT required of anyone defining extensions or producing and/or consuming content with extensions, but it is something like the SEP repository which would be useful to STIX users. We are not sure if this proposal needs to be voted on by the TC. However, we are looking for comments, suggestions, etc., to make this as useful as possible to the community.

The recently introduced OASIS CTI common object repository (https://github.com/oasis-open/cti-stix-common-objects) seems like a good place to store extension information. As part of AIS, DHS/CISA defined ACS data markings and it has been implemented as an extension. We will use it as an example of what we have in mind for storing extension information in that repository.

If you go to the repository, it contains a directory called objects. Within this directory are subdirectories for each STIX object type, which contain individual common objects of that object type. Each file contains one object. The format of the file is a bundle that contains the one object. A directory for extension objects would contain files who names are extension-definition-<id property of object>.json. See:

https://github.com/oasis-open/cti-stix-common-objects/tree/adding-extensions/objects/extensions

Here is the file contents for the ACS data marking extension definition:

{

"type": "bundle",

"id": "bundle--1d3fa741-e3bd-451a-acf5-b2f01d075ba7",

"objects": [

{

"id": "extension-definition--3a65884d-005a-4290-8335-cb2d778a83ce",

"type": "extension-definition",

"spec_version": "2.1",

"name": "isa-acs-3-0",

"description": "This schema adds ACS data markings",

"created": "2021-02-01T00:00:00.000000Z",

"modified": "2021-02-01T00:00:00.000000Z",

"created_by_ref": "identity--b3bca3c2-1f3d-4b54-b44f-dac42c3a8f01",

"schema": "https://github.com/oasis-open/cti-stix-common-objects/tree/main/extension-definition-specifications/acs-data-markings",

"version": "1.0.0",

"extension_types": [

"property-extension"

]

}

]

}

Notice the created_by_ref property. This is the id of a STIX identity object that DHS/CISA has chosen for itself.

In this repository (NOT a STIX spec requirement) , the name property of the extension definition must correspond with the name of the json schema file (which we will discuss next), assuming there is a json schema for the extension.

The schema property of that object contains a URL that refers to the directory that contains the json schema and documentation for the STIX representation of ACS data markings. These are stored in a different directory which is a sibling of the objects directory - extension-definition-specifications.

https://github.com/oasis-open/cti-stix-common-objects/tree/adding-extensions/extension-definition-specifications/acs-data-markings

Note: these URLs are “live” so you can see what is being proposed, but they are not final, as they exist on a branch in the GitHub repository (for instance, in the final URLs “adding-extensions” would be replace by “main”)

Since the name property of the extension definition is “isa-acs-3-0”, the json schema will be found in:

https://github.com/oasis-open/cti-stix-common-objects/blob/adding-extensions/extension-definition-specifications/acs-data-markings/isa-acs-3-0.json

Documentation for this extension is provided in the same directory. It should be in the same style as the STIX specification. Using Word is suggested.

If a JSON schema is included, another file is needed by the CTI STIX Validator. It must be named using the type of object that is being extended. For instance, since ACS data markings are an extension of the marking-definition type – the following file is needed:

https://github.com/oasis-open/cti-stix-common-objects/blob/adding-extensions/extension-definition-specifications/acs-data-markings/marking-definition.json

View that file to understand the concept. Some details of the contents of this file still need to be worked out to specify extensions so they are easy to incorporate into the validator.

Contributing Your Extension

Assuming this proposal is acceptable, the following guidelines would be used to add new extension definitions to the repository.

The maintainers will entertain contributions via a pull request.
The maintainers will do MINIMAL vetting before accepting the pull request. The contents of the pull request include:

A unique extension definition object in the objects/extensions directory

The name property must correspond to the name of the JSON schema file, if there is one
The created_by_ref property should be related to an Identity object representing the contributor

The specification, in the extension-definition-specifications directory

Written documentation is a must, however, its content will not be vetted.
A JSON schema is a should

If a JSON schema is included, another file related to the type being extended must be included.

Example files of the extension in use would be helpful

All contributions that satisfy the minimal vetting will be accepted. No attempt will be made the evaluate the usefulness of the extension.
Note: this acceptance criteria is unique to extensions. Any pull request to add other new common objects to this repository will be evaluated by the maintainers for its general utility to the community.
All extension contributions will probably be governed by the same IP rules as any other object in this repository (see the README). However, this is something to discuss within the TC and with OASIS.

Currently the maintainers of this repository are me and Chris Lenk (both of MITRE), but it would be preferable to have others from the TC involved.

Rich P.

Rich Piazza

Lead Cyber Security Engineer

The MITRE Corporation

781-271-3760

cti message