OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

openc2-lang message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: FYI on STIX COA Roadmap and relation to Lang Spec Roadmap

Attached is an email abourt the STIX Course of Action and how they may use OpenC2. Since the sentence "For automated COAs, the group discussed using OpenC2 if the timelines align" could be also be interpreted as "or not if they don't", I thought I would forward to LSC to help in our establishing a timeline ourselves.

I think we may want to send an official liaison from LSC to CTI STIX TC encouraging we work together and that they do use OpenC2 and ask what it is they need from us by when.

Duncan Sparrell
sFractal Consulting LLC
iPhone, iTypo, iApologize

-------- Original Message --------
Subject: [cti-stix] STIX COA Roadmap
From: "Jyoti Verma (jyoverma)" <jyoverma@cisco.com>
Date: Thu, September 21, 2017 2:16 am
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>

The COA mini group has been meeting on a weekly basis since a couple of weeks and we’ve put together a roadmap for the goals/features that we would like to address across 3 STIX releases. The mini group gave a readout on the Sept 19th working call and the slides we presented are here – https://docs.google.com/presentation/d/1be_i8zcIlsmo_sStB8jeAp33sah-z7SgVGw_eRm1omc/edit?usp=sharing
In the first release, we would be solving the following 5 features for manual/automated COAs. For automated COAs, the group discussed using OpenC2 if the timelines align. More details on the complete roadmap and use cases can be found in the working draft here - https://docs.google.com/document/d/1zXV5WEmyLUbKiSpuHgywu5-LLrJVd91d7OP3nQBB7qM/edit#.
Preventative Static COAs
Literal COAs tied to indicator or other objects. No need to wait for anything to fire.
SANS Top 20 controls or blacklist domains
Mitigative or Remediative Static COAs
All information to take the action is statically configured and known a-priori.
Deny traffic to and from
Delete Registry key
Accommodating multiple actions
Single COA representing multiple steps
Cleaning up malware from Windows Desktop - safe mode, kill process, delete key, delete file, etc.
Basic Sequencing
The order in which COAs should be executed
Allow parallel processing
Allow the actions to define if they can be done in parallel or if they need to be done one at a time
If there are objections to this list, please let us know within 14 days. You can send your comments by replying to this email or in the COA channel on Slack.
STIX COA mini group

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]