The Call for Comments on the Threat Actor Context (TAC) TC is still open until 23:59 on 18 October. The co-proposers have been responding to the comments that have been submitted so far. The comments have helped us toward a better charter.
The draft charter has been updated with our current resolutions. You may wish to revisit the document to see if we addressed your issues.
The window of opportunity to comment is still open! I encourage any of you who have an interest in consuming, contributing, sharing, or creating threat intelligence about Threat Actors to review and comment!
Thanks again to all of you who have commented thus far, it is greatly appreciated!
For your convenience the Call for Comments is available as a Google Doc. See
Ryan E. Hohimer
Mobile: (509) 430-6890
710 George Washington Way, Suite A
Richland, Washington 99352
This e-mail (including any attachments) may contain information that is private, confidential, or protected by attorney-client or other privilege. If you received
this e-mail in error, please delete it from your system without copying it and notify sender by reply e-mail so our records can be corrected.
From: Chet Ensign <email@example.com>
Sent: Friday, October 4, 2019 10:14 AM
To: firstname.lastname@example.org; email@example.com; OASIS Charter Discuss List <firstname.lastname@example.org>; OASIS TAB <email@example.com>
Cc: Ryan Hohimer <firstname.lastname@example.org>; Jane Ginn <email@example.com>; Joerg Eschweiler <firstname.lastname@example.org>; Javier Garcia Robles <email@example.com>; Bret Jordan <firstname.lastname@example.org>; Anuj Goel <email@example.com>; Avkash Kathiriya
<firstname.lastname@example.org>; Shawn Riley <email@example.com>; Robert Keith <Robert_Keith@symantec.com>; Alexander Applegate <firstname.lastname@example.org>; Ben Ottoman <email@example.com>; David Powell <firstname.lastname@example.org>; Rob Arnold <email@example.com>; Andreas Sfakianakis
<firstname.lastname@example.org>; Carol Geyer <email@example.com>
Subject: Call for Comment: proposed Charter for Threat Actor Context (TAC) TC
To OASIS Members:
A draft TC charter has been submitted to establish the Threat Actor Context (TAC) TC. In accordance with the OASIS TC Process Policy section 2.2: (https://www.oasis-open.org/policies-guidelines/tc-process#formation),
the proposed charter is hereby submitted for comment. The comment period shall remain open until 23:59 GMT on 18 October 2019.
This call for comment is also available as a Google Doc. See
https://docs.google.com/document/d/12EVhy3ppXlTvN8puNGKZiaNlLIobUN1nTDXQ3yUdLgk/edit#. Comments and suggestions may be left on that document.
OASIS maintains a mailing list for the purpose of submitting comments on proposed charters. Any OASIS member may post to this list by sending an email to
firstname.lastname@example.org. All messages will be publicly archived at
http://lists.oasis-open.org/archives/oasis-charter-discuss/. Members who wish to receive emails must join the group by selecting "join group" on the group home page:
http://www.oasis-open.org/apps/org/workgroup/oasis-charter-discuss/. Employees of organizational members do not require primary representative approval to join the oasis-charter-discuss
We encourage member comments and ask that you note the name of the proposed TC (TAC TC) in the subject line of your email message. Comments received will be reviewed by the proposers and a log of the comments and their resolution will be posted to the oasis-charter-discuss
mailing list before the telephone call with the convener.
A telephone conference will be held among the Convener, the OASIS TC Administrator, and those proposers who wish to attend no more than four days after the comment period closes. The announcement and call-in information will be noted on the OASIS Charter Discuss
If you wish to be listed as a co-proposer in the Call for Participation, please contact the convener Ryan Hohimer (email@example.com) no later than Tuesday, 22 October 2019. For representatives of OASIS organizational
members, a statement of support from their Primary Representative will be required.
Section 1: TC Charter
(1)(a) TC Name
Threat Actor Context (TAC) TC
(1)(b) Statement of Purpose
To establish a common knowledge framework that enables semantic interoperability of threat actor contextual information from across different sources and solutions to support organizing what is known and share information about Threat Actors, Intrusion Sets,
and the Campaigns they run across the strategic, operational, and tactical intelligence levels for use by public and private sector entities defending networks and endpoints. The TC will establish an Open Repository under the OASIS rules and each OASIS Member
and non-Member will be eligible only after signing either an Entity a Contributor License Agreement (CLA) or an Individual CLA per OASIS rules at
Organizations that currently share cyber threat intelligence (CTI) are confronted with multiple schema and share through multiple tools. This limits an organization's ability to strategically correlate and analyze attack data, leading to a better understanding
of their adversary's goals, capabilities, and trends in targeting and techniques.
This TAC TC would seek to harmonize all of the sharing schema within a single data store using the STIX 2.1 data model and a TAXII 2.1 transport mechanism thereby allowing for an aggregate data source for the CTI community. Contributors would be able to shape
the content descriptions and assertions regarding specific threat actors, campaigns and intrusion sets. User would gain access to a high-quality, harmonized data set that enables organizations to conduct a "competitive analysis" of their adversaries in order
to react more quickly to and possibly anticipate changes in the adversary activities. This would benefit decision-making for risk management as well as resource allocation.
The TAC Open Repository TC would allow for both OASIS Members and non-Members to contribute subject to the CLA terms and conditions.
The purpose of this TC is to create a knowledge framework that enables semantic interoperability of threat actor contextual information. In other words, the purpose of the TAC TC is to help the community have coherent conversations in the STIX language.
The scope of this TCâs efforts will include:
1. Hosting one or multiple repositories of Threat Actor information in STIX 2.1 format.
2. Defining and documenting concepts that remove ambiguity between STIX documents produced by different authors (e.g. Intrusion Set naming conventions)
3. Identify appropriate extensions that are need to operationalize STIX 2.1 threat information including but not limited to:
a. Strategic Context
b. Operational Context
c. Tactical Context
d. Motivational Context
The base data model for the TAC data store would stem from the STIX 2.1 Threat Actor STIX Domain Object (SDO), the Campaign SDO, the Intrusion Set SDO and the Indicator SDO (including patterning) at a minimum. This will provide a uniform interface for automated
integration of schema and content from multiple credible sources.
1. Committee Note on data store Design Specifications
2. Instructions for Participation in TAC Open Repositories
a. As Contributors
b. As Consumers
(1)(e) IPR Mode
The TC will operate under the Non-Assertion IPR mode as defined in the OASIS Intellectual Property Rights (IPR) Policy.
The OASIS Members of the TAC TC will be:
- Existing OASIS Members that seek to shape the dialogue on the schemas to be used for the content to be contributed to the Open Repository or Repositories;
- New OASIS Members that seek to shape the dialogue on Threat Actor context.
The Contributors and Consumers of the TAC Open Repository will be:
- Government agencies protecting their information assets
- Not-for-Profit and Non-Governmental Organizations (NGOs) protecting their information assets
- Companies protecting their information assets
- Academic institutions and think tanks conducting research on threat actors, campaigns and intrusion sets
- Students conducting research on patterns of behavior of threat actors
The primary language of the TAC TC will be English.
STIX 2.1 CSPRD01 (WD05) @
Section 2: Additional Information
(2)(a) Identification of Similar Work
The TAC TC builds upon the groundwork laid by the OASIS Cyber Threat Intelligence Technical Committee, the OpenC2 TC, and Collaborative Automated Course of Action Operations (CACAO) for Cyber Security Technical Committee.
(2)(b) First TC Meeting
The meeting time for the first meeting will be held in accordance with OASIS rules subject to our Call for Participation. We are planning for a virtual meeting date of Friday, November 22, 2019 at 1:00 pm (ET).
(2)(c) Ongoing Meeting Schedule
Meetings will be held monthly at a date and time which will work for the greatest number of members. It will be hosted by the primary convener or his designee. These monthly meetings will be subject to Voting Rights designation. Additional working sessions
NOT subject to Voting Rights designation will be considered based on participant interest.
(2)(d) TC Proposers
Ryan Hohimer, Darklight
Jane Ginn, Cyber Threat Intelligence Network (CTIN)
Joerg Eschweiler, Individual
Javier Garcia Robles, LookingGlass
Bret Jordan, Symantec
Anuj Goel, Cyware
Avkash Kathiriya, Cyware
Shawn Riley, Darklight
Robert Keith, Symantec
Alexander Applegate, LookingGlass
Ben Ottoman, CTIN
David Powell, CTIN
Rob Arnold, CTIN
Andreas Sfakianakis, CTIN
(2)(e) Primary Representatives' Support
Ryan Hohimer, Darklight,
âI, Ryan Hohimer, firstname.lastname@example.org, as OASIS primary representative for DarkLight, Inc., confirm our support for the proposed TAC TC charter and endorse our participants listed above.â
Jane Ginn, Cyber Threat Intelligence Network, Inc.,
âI, Jane Ginn, email@example.com as OASIS primary representative for Cyber Threat Intelligence Network, Inc., confirm our support for the proposed TAC TC charter and endorse our participants listed above.â
Allan Thomson, LookingGlass, firstname.lastname@example.org
âI, Allan Thomson, email@example.com, as OASIS primary representative for LookingGlass Cyber Solutions Inc., confirm our support for the proposed TAC TC charter and endorse our participants
Bret Jordan, Symantec, firstname.lastname@example.org
âI, Bret Jordan, email@example.com, as OASIS primary representative for Symantec Corp., confirm our support for the proposed TAC TC charter and endorse our participants listed above.â
Anuj Goel, Cyware Labs,
âI, Anuj Goel, firstname.lastname@example.org as OASIS primary representative for Cyware Labs, Inc., confirm our support for the proposed TAC TC charter and endorse our participants listed above.â
(2)(f) TC Convener
Ryan Hohimer, Darklight, email@example.com
(2)(g) OASIS Member Section
(2)(h) Anticipated Contributions
Casey, Timothy & Koeberl, Patrick & Vishik, Claire. (2011). Defining Threat Agents: Towards a More Complete Threat Analysis. 10.1007/978-3-8348-9788-6_21.
Casey, Timothy & Koeberl, Patrick & Vishik, Claire. (2010). Threat agents: A necessary component of threat analysis. ACM International Conference Proceeding Series. 10.1145/1852666.1852728.
(2)(i) FAQ Document
In our FAQ we will answer questions regarding the scope differentiators between this effort and other CTI community resources as well as details on the operations of the TAC TC. Our FAQ will also include details as given in the Open Repository FAQ as per:
(2)(j) Work Product Titles and Acronyms
1. TAC Open Repositories as per:
2. TAC TC Member Participation Guidelines
3. TAC Non-Member Participation Guidelines
In addition, there are three potential subcommittees for the TAC TC including: Strategic (S-TAC), Operational (O-TAC), and Tactical (T-TAC). There may be Work Products generated by these subcommittees.