openc2-imple message

Subject: Request for Impl Committee to consider meeting more often


I would like to request the Implementation SC consider meeting more often than monthly. Or set up ad hoc meetings on the various topics before the SC. I believe use of OpenC2 for STIX COA is within the scope of the Implementation SC and it appears the CTI STIX SC is considering options other than OpenC2 if we don't get our act together (see attached email - I interpret "using OpenC2 if the timelines align" as "or not if they don't"). I think we need to understand what they need and work it as well as all the other issues before us (e.g. implementation of actuator APIs over HTTPS, the recent pub/sub discussions, the open source repos, etc). I think monthly is too slow a pace to accomplish all that needs doing.

I'm sending this as email to reach the entire SC but I assume much of the discussion can occur on slack/googledocs/wiki/etc. If you are interested in this topic and can't be on slack and/or googledocs and/or wiki, then please use email to let us know your thoughts. Otherwise please use slack/googledocs/wiki so we don't spam the people who are less interested.

Based on the discussions at yesterday's OpenC2 TC in the morning, the chatter on slack throughout the day, and the discussions at the evening OpenC2 TC, I did bring this topic up in the evening TC. I say this in case anyone thinks the meeting schedule is a TC-level discussion. I believe it's up to the SC but the TC is 'officially' aware of the discussion (i.e. it should be in the notes of the meeting). And I believe our process is to work most issues at the SC level so I only sent to SC, not TC.

Duncan Sparrell
sFractal Consulting LLC
iPhone, iTypo, iApologize


-------- Original Message --------
Subject: FYI on STIX COA Roadmap and relation to Lang Spec Roadmap
From: <duncan@sfractal.com>
Date: Thu, September 21, 2017 9:46 am
To: "openc2-lang" <openc2-lang@lists.oasis-open.org>

Attached is an email about the STIX Course of Action and how they may use OpenC2. Since the sentence "For automated COAs, the group discussed using OpenC2 if the timelines align" could also be interpreted as "or not if they don't", I thought I would forward to LSC to help in our establishing a timeline ourselves.

I think we may want to send an official liaison from LSC to CTI STIX TC encouraging we work together and that they do use OpenC2 and ask what it is they need from us by when.

Duncan Sparrell
sFractal Consulting LLC
iPhone, iTypo, iApologize


-------- Original Message --------
Subject: [cti-stix] STIX COA Roadmap
From: "Jyoti Verma (jyoverma)" <jyoverma@cisco.com>
Date: Thu, September 21, 2017 2:16 am
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>

CTI TC,
 
The COA mini group has been meeting on a weekly basis for a couple of weeks and we've put together a roadmap for the goals/features that we would like to address across 3 STIX releases. The mini group gave a readout on the Sept 19th working call and the slides we presented are here – https://docs.google.com/presentation/d/1be_i8zcIlsmo_sStB8jeAp33sah-z7SgVGw_eRm1omc/edit?usp=sharing
 
In the first release, we would be solving the following 5 features for manual/automated COAs. For automated COAs, the group discussed using OpenC2 if the timelines align. More details on the complete roadmap and use cases can be found in the working draft here - https://docs.google.com/document/d/1zXV5WEmyLUbKiSpuHgywu5-LLrJVd91d7OP3nQBB7qM/edit#.
 

Feature                              | Description                                                                                          | Example
-------------------------------------|------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------
Preventative Static COAs             | Literal COAs tied to indicator or other objects. No need to wait for anything to fire.               | SANS Top 20 controls or blacklist domains
Mitigative or Remediative Static COAs| All information to take the action is statically configured and known a-priori.                      | Deny traffic to and from 10.0.0.1; Delete Registry key
Accommodating multiple actions       | Single COA representing multiple steps                                                               | Cleaning up malware from Windows Desktop - safe mode, kill process, delete key, delete file, etc.
Basic Sequencing                     | The order in which COAs should be executed                                                           | 1->2->3->4
Allow parallel processing            | Allow the actions to define if they can be done in parallel or if they need to be done one at a time | 1->2 and 3->4 (the two chains run in parallel)

If there are objections to this list, please let us know within 14 days. You can send your comments by replying to this email or in the COA channel on Slack.
 
Thanks,
STIX COA mini group