OASIS Cyber Threat Intelligence (CTI) TC

  • 1.  STIX WG

    Posted 07-25-2023 15:40
    STIX WG members:

    Now that the Incident extension is stable, we will turn our attention back to other topics. Please let us know if there is a topic or extension that you would like to lead.

    We met last Friday to discuss priorities. We will take a bit of a break in August due to vacations. There will be no meetings on Aug. 4 and Aug. 11.

    This Friday we will pick up where we left off with the updates to the Extension Policy that Rich was spearheading.

    Topics for future meetings include:

    COA Playbook Extension
    JSON Signing – we need someone to lead a minigroup on this topic
    Container extension
    Asset extension – we need someone to lead a minigroup on this
    Location extension – covid previously proposed extending the Location object with GeoJSON, we need someone to lead a minigroup on this topic
    There have been some requests to extend the Infrastructure object into the SCADA space. We need an expert to participate, if we are going to consider this.
    Best practices for modelling x509 certificates – we need someone to lead this topic
    Updates to the STIX Patterning Language to address the deprecation of embedded relationships

    If you are interested in leading any of these topics, please reach out to the WG. We can use the Friday timeslot or schedule separate mini-group discussions.

    Thanks,

    Emily


  • 2.  Re: [cti] STIX WG

    Posted 07-27-2023 15:54



    Hi all,


    I'll be happy to lead the COA Playbook Extension. If more are interested in co-leading the effort with me and doing some preparatory work together, it would be great. We already have a lot of material with three different proposed approaches that I can present in the first meeting. Then we can take it from there.


    Best,


    Vasileios Mavroeidis
    Professor for Cybersecurity @ University of Oslo
    Standards Architect @ sekoia.io


    On 25 Jul 2023, at 17:33, Emily Ratliff <Emily.Ratliff@ibm.com> wrote:



    STIX WG members:
     
    Now that the Incident extension is stable, we will turn our attention back to other topics. Please let us know if there is a topic or extension that you would like to lead.
     
    We met last Friday to discuss priorities.  We will take a bit of a break in August due to vacations. There will be no meetings on Aug. 4 and Aug. 11.
     
    This Friday we will pick up where we left off with the updates to the Extension Policy that Rich was spearheading.
     
    Topics for future meetings include:


    COA Playbook Extension
    JSON Signing – we need someone to lead a minigroup on this topic
    Container extension
    Asset extension – we need someone to lead a minigroup on this
    Location extension – covid previously proposed extending the Location object with GeoJSON, we need someone to lead a minigroup on this topic
    There have been some requests to extend the Infrastructure object into the SCADA space. We need an expert to participate, if we are going to consider this.
    Best practices for modelling x509 certificates – we need someone to lead this topic
    Updates to the STIX Patterning Language to address the deprecation of embedded relationships
     
    If you are interested in leading any of these topics, please reach out to the WG. We can use the Friday timeslot or schedule separate mini-group discussions.
     
    Thanks,
     
    Emily











  • 3.  Re: [cti] STIX WG

    Posted 07-27-2023 15:55
    Hi Vasileios! This is great to hear! Thanks for volunteering.

    Emily


  • 4.  Re: [cti] STIX WG

    Posted 07-27-2023 18:41
    At some level I can help with the COA extension and the relationships that are needed to point to a CACAO Playbook. CACAO was designed to natively plug into the STIX graph. You can think of a CACAO playbook as an SDO that was defined by a different group. The only thing needed is a set of relationships that can point to it. But I agree that we may want additional functionality in COA as well.

    In regards to signing STIX and/or TAXII JSON payloads, there is a spec going through ITU-T SG17 Q11 for this and one that already went through the IETF and has an RFC number. The signature stuff is called X.JSS and uses RFC 8785. X.JSS may go to determination at the next meeting in September. This is the method that CACAO is using.

    I would strongly suggest that we here in the CTI TC do not reinvent the wheel but use the upcoming proposed X.number from the ITU. Remember X.500, X.509 and all other X.numbers come from the ITU.

    Using something in STIX and TAXII from CACAO also has precedent since the whole extension mechanism that we now use in STIX comes from the work Allan and I did in CACAO. So using the same sort of digital signing solution makes a lot of sense. The solution defined in CACAO that uses X.JSS has already fleshed out all of the issues and includes things like counter-signing and multiple signatures.

    Bret
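
Message 4 names RFC 8785 as the canonicalization underneath X.JSS. The sketch below is an added example, not part of the thread and not the X.JSS or CACAO signature format: it shows only the RFC 8785 step with a detached Ed25519 signature, so that a re-serialized STIX-style object still verifies while a modified one does not. The function names, the sample object and its id are constructed for illustration.

```javascript
// Added example, not the X.JSS or CACAO envelope; all names and data are constructed.
const crypto = require('node:crypto');
// JCS output: members sorted by UTF-16 code units, no whitespace, and primitives
// serialized the way ECMAScript's JSON.stringify does. Input is parsed JSON data.
function canonicalize(value) {
  if (value === null || typeof value !== 'object') {
    if (typeof value === 'number' && !Number.isFinite(value)) {
      throw new TypeError('NaN and Infinity are not JSON numbers');
    }
    const out = JSON.stringify(value);
    if (out === undefined) throw new TypeError('value is not JSON data');
    return out;
  }
  if (Array.isArray(value)) return '[' + value.map(canonicalize).join(',') + ']';
  return '{' + Object.keys(value)
    .sort() // default sort compares UTF-16 code units, as RFC 8785 requires
    .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k]))
    .join(',') + '}';
}

function signObject(obj, privateKey) {
  const bytes = Buffer.from(canonicalize(obj), 'utf8');
  return crypto.sign(null, bytes, privateKey).toString('base64');
}
function verifyObject(obj, signature, publicKey) {
  const bytes = Buffer.from(canonicalize(obj), 'utf8');
  return crypto.verify(null, bytes, publicKey, Buffer.from(signature, 'base64'));
}

// Constructed sample: one STIX-style object as the producer serialized it (SENT) and
// as an intermediary re-serialized it (RELAYED): same data, different bytes.
const SENT = '{"type":"course-of-action","spec_version":"2.1",' +
  '"id":"course-of-action--00000000-0000-4000-8000-000000000001",' +
  '"name":"Block outbound traffic to 198.51.100.7","x_priority":1.0}';
const RELAYED = '{ "x_priority": 1, "name": "Block outbound traffic to 198.51.100.7",\n' +
  '  "id": "course-of-action--00000000-0000-4000-8000-000000000001",\n' +
  '  "spec_version": "2.1", "type": "course-of-action" }';

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const signature = signObject(JSON.parse(SENT), privateKey);
  const relayed = JSON.parse(RELAYED);
  const tampered = { ...relayed, name: 'Block outbound traffic to 198.51.100.8' };
  return {
    sameBytes: SENT === RELAYED,
    relayedVerifies: verifyObject(relayed, signature, publicKey),
    tamperedVerifies: verifyObject(tampered, signature, publicKey)
  };
}
```

Signing the raw bytes instead of the canonical form would make the relayed copy fail verification even though no value changed.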