OASIS Cyber Threat Intelligence (CTI) TC

CTI TC - Please find attached an updated STIX extension proposal that the mini-group worked with IBM (Jason/Emily) to incorporate an acceptable compromise to their concerns. In summary: 1) Previously presented extension proposal is maintained and has been named sub-component extension to clarify the distinction between when it would/should be used vs the additional mechanism added for top-level extension. 2) Added the concept of Top-Level object extension to allow extension properties directly with existing STIX standard objects. 3) Clarified language/definitions around use for both aspects. The google doc containing the specification changes are here:  https://docs.google.com/document/d/1TkXv1btieo33BAEcVsprgbVob5qeHOHVAQU0bg9AK-c/edit#heading=h.y2hw6f789m5b This proposal represents the agreement by all mini-group participants. We would like to encourage the TC to consider this proposal and incorporate the changes to the STIX standard. Allan Thomson Attachment: stix-enhancement-proposal-07-2020.pptx Description: application/vnd.openxmlformats-officedocument.presentationml.presentation

While I m a fan of the approach, I d like to make a few suggestions:
 

Why not make STIX Extension a Metaobject, like Language Content, rather than an SDO.  The STIX Extension object actually contains metadata about extensions to a SO.  In addition,
it shares a lot of the same behaviors as the other Metaobjects:

not being able to be the source or target of a Relationship restricted set of common properties; but unlike the Language Content and Marking Definition objects, a STIX Extension object is prohibited from having an extensions property to avoid the nesting of
extensions. 
 
This would make the table of common properties reflect the following :
 




 


STIX Core Objects


STIX Helper Object




Property Name


SDOs


SROs


SCO


Extension


Language


Markings


Bundle




type


Required


Required


Required


Required


Required


Required


Required




spec_version


Required


Required


Optional


Required


Required


Required


N/A




id


Required


Required


Required


Required


Required


Required


Required




created_by_ref


Optional


Optional


N/A


Optional


Optional


Optional


N/A




created


Required


Required


N/A


Required


Required


Required


N/A




modified


Required


Required


N/A


Required


Required


N/A


N/A




revoked


Optional


Optional


N/A


N/A


Optional


N/A


N/A




labels


Optional


Optional


N/A


N/A


Optional


N/A


N/A




confidence


Optional


Optional


N/A


N/A


Optional


N/A


N/A




lang


Optional


Optional


N/A


N/A


N/A


N/A


N/A




external_references


Optional


Optional


N/A


N/A


Optional


Optional


N/A




object_marking_refs


Optional


Optional


Optional


N/A


Optional


Optional


N/A




granular_markings


Optional


Optional


Optional


N/A


Optional


Optional


N/A




defanged


N/A


N/A


Optional


N/A


N/A


N/A


N/A




extensions


Optional


Optional


Optional


N/A


Optional


Optional


N/A




 

In the Google doc sections on Modification #1 and Modification #2, remove the last paragraph which discuss use of Extensions with playbooks as playbooks are NOT part of STIX at this
time. The schema property of the STIX Extension has duel semantics: it could be human-readable document, or it could be a reference to a JSON schema. Recommend splitting these into two
separate properties so that the semantics are clear, using schema property to reference a JSON schema.  This would allow a tool to programmatically know where it could get a JSON schema that actually describes the datatype and restrictions of the property,
such as cardinality and range limits.  Consider using external_references for documentation/human-readable descriptions The description of extends_so_defintion needs to state that when the property is set to true, the extensions properties MUST, not should, include one or more property names. SUGGESTION: For custom object support, why not add the is_extension_object property to the STIX Extension object, to promote a common processing pattern: for each STIX Extension
in extensions property, locate the STIX Extension object and determine if it s a custom object by the value of the is_extension_object property, and if not, then look at the extends_so_definition to understand how the properties are applied.  If is_extension_object
is true, then all properties are custom and MUST be treated the same as if the extends_so_definition were set to true.  This way if a custom object has been extended by another extension, one would know which properties come from which extension. Since this is breaking the rule of provide one and only one way of doing things , there needs to be a description section in Customizing STIX that explains both approaches, when
to use which approach, and what are the pros and cons.
 
 
Paul Patrick
DarkLight, Inc.
 

From:
<cti@lists.oasis-open.org> on behalf of aa tt <atcyber1000@gmail.com>
Date: Wednesday, August 5, 2020 at 11:28 AM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] Updated Extension Proposal


 


CTI TC -

 


Please find attached an updated STIX extension proposal that the mini-group worked with IBM (Jason/Emily) to incorporate an acceptable compromise to their concerns.


 


In summary:


 


1) Previously presented extension proposal is maintained and has been named sub-component extension to clarify the distinction between when it would/should be used vs the additional mechanism added for top-level
extension.


2) Added the concept of Top-Level object extension to allow extension properties directly with existing STIX standard objects.


3) Clarified language/definitions around use for both aspects.


 


The google doc containing the specification changes are here: 


https://docs.google.com/document/d/1TkXv1btieo33BAEcVsprgbVob5qeHOHVAQU0bg9AK-c/edit#heading=h.y2hw6f789m5b


 


This proposal represents the agreement by all mini-group participants. We would like to encourage the TC to consider this proposal and incorporate the changes to the STIX standard.


 


Allan Thomson


 




 

Paul - thanks for the thoughtful response and feedback. Here s my input. 1) Extension as a meta-object vs SDO. AT: I could support it being classified as a meta-object provided we allow the following fields  a) revoked  - used for revoking extension use b) labels  - useful for categorization of extension purposes and helps describe them/differentiate them c) external_referneces - useful for additional background on spec of extension d) object_marking_refs - useful for copyright and other markings associated with extensions (not just data treatment) By the time you include the options of these 4 properties then it starts to look more like a SDO again than a meta-object. So I lean towards keeping as SDO but the TC should debate. 2) Google doc. AT: Agreed. 3) Splitting schema property into 2 (human readable & machine-readable). AT: Could support if others do. 4) extends_so_definition description fix. AT: An extension may introduce only new objects not new properties and therefore this can *not* mandate that you provide a list of properties as the extension may encompass more than a single list of properties to a single object. 5) custom object extension. AT: Agreed. That was the intention to make sure that this was clear in the spec once incorporated. 6) Two ways of doing things. AT: I disagree with this assessment but agree that the language and guidance should be clear on when to use top-level vs sub-component. The paragraph early in the google document attempted to make this clear. We would refine once incorporated into the STIX spec. regards allan On Aug 5, 2020, at 3:49 PM, Paul Patrick < ppatrick@darklight.ai > wrote: While I m a fan of the approach, I d like to make a few suggestions:   Why not make STIX Extension a Metaobject, like Language Content, rather than an SDO.  The STIX Extension object actually contains metadata about extensions to a SO.  In addition, it shares a lot of the same behaviors as the other Metaobjects: not being able to be the source or target of a Relationship restricted set of common properties; but unlike the Language Content and Marking Definition objects, a STIX Extension object is prohibited from having an extensions property to avoid the nesting of extensions.      This would make the table of common properties reflect the following :     STIX Core Objects STIX Helper Object Property Name SDOs SROs SCO Extension Language Markings Bundle type Required Required Required Required Required Required Required spec_version Required Required Optional Required Required Required N/A id Required Required Required Required Required Required Required created_by_ref Optional Optional N/A Optional Optional Optional N/A created Required Required N/A Required Required Required N/A modified Required Required N/A Required Required N/A N/A revoked Optional Optional N/A N/A Optional N/A N/A labels Optional Optional N/A N/A Optional N/A N/A confidence Optional Optional N/A N/A Optional N/A N/A lang Optional Optional N/A N/A N/A N/A N/A external_references Optional Optional N/A N/A Optional Optional N/A object_marking_refs Optional Optional Optional N/A Optional Optional N/A granular_markings Optional Optional Optional N/A Optional Optional N/A defanged N/A N/A Optional N/A N/A N/A N/A extensions Optional Optional Optional N/A Optional Optional N/A   In the Google doc sections on Modification #1 and Modification #2, remove the last paragraph which discuss use of Extensions with playbooks as playbooks are NOT part of STIX at this time. The schema property of the STIX Extension has duel semantics: it could be human-readable document, or it could be a reference to a JSON schema. Recommend splitting these into two separate properties so that the semantics are clear, using schema property to reference a JSON schema.  This would allow a tool to programmatically know where it could get a JSON schema that actually describes the datatype and restrictions of the property, such as cardinality and range limits.  Consider using external_references for documentation/human-readable descriptions The description of extends_so_defintion needs to state that when the property is set to true, the extensions properties MUST, not should, include one or more property names. SUGGESTION: For custom object support, why not add the is_extension_object property to the STIX Extension object, to promote a common processing pattern: for each STIX Extension in extensions property, locate the STIX Extension object and determine if it s a custom object by the value of the is_extension_object property, and if not, then look at the extends_so_definition to understand how the properties are applied.  If is_extension_object is true, then all properties are custom and MUST be treated the same as if the extends_so_definition were set to true.  This way if a custom object has been extended by another extension, one would know which properties come from which extension. Since this is breaking the rule of provide one and only one way of doing things , there needs to be a description section in Customizing STIX that explains both approaches, when to use which approach, and what are the pros and cons.     Paul Patrick DarkLight, Inc.   From:   < cti@lists.oasis-open.org > on behalf of aa tt < atcyber1000@gmail.com > Date:   Wednesday, August 5, 2020 at 11:28 AM To:   cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject:   [cti] Updated Extension Proposal   CTI TC -     Please find attached an updated STIX extension proposal that the mini-group worked with IBM (Jason/Emily) to incorporate an acceptable compromise to their concerns.   In summary:   1) Previously presented extension proposal is maintained and has been named sub-component extension to clarify the distinction between when it would/should be used vs the additional mechanism added for top-level extension. 2) Added the concept of Top-Level object extension to allow extension properties directly with existing STIX standard objects. 3) Clarified language/definitions around use for both aspects.   The google doc containing the specification changes are here:  https://docs.google.com/document/d/1TkXv1btieo33BAEcVsprgbVob5qeHOHVAQU0bg9AK-c/edit#heading=h.y2hw6f789m5b   This proposal represents the agreement by all mini-group participants. We would like to encourage the TC to consider this proposal and incorporate the changes to the STIX standard.   Allan Thomson

I would agree with including revoked, labels, and suggested using external_references as the means to point to human-readable content thus reserving the schema property to be used for exactly that: a URL to a JSON schema.
 
I didn t include object_marking_refs as it made more sense to mark the added property in the object itself than in the stix-extension object, since it s more likely the it s the value not the property that needs different markings.  This
keeps the marking process consistent with what is there today.  But I could go either way on this.
 
I get and can see value in the two different models: top-level vs sub-component.  So, I can go along with reasons for supporting both.
 
Paul Patrick
 
 

From:
<cti@lists.oasis-open.org> on behalf of aa tt <atcyber1000@gmail.com>
Date: Thursday, August 6, 2020 at 11:41 AM
To: Paul Patrick <ppatrick@darklight.ai>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Updated Extension Proposal


 

Paul - thanks for the thoughtful response and feedback.

 


Here s my input.


 


1) Extension as a meta-object vs SDO.


 


AT: I could support it being classified as a meta-object provided we allow the following fields 


 


a) revoked 


- used for revoking extension use


 


b) labels 


- useful for categorization of extension purposes and helps describe them/differentiate them


 


c) external_referneces


- useful for additional background on spec of extension


 


d) object_marking_refs


- useful for copyright and other markings associated with extensions (not just data treatment)


 


By the time you include the options of these 4 properties then it starts to look more like a SDO again than a meta-object. So I lean towards keeping as SDO but the TC should debate.


 


2) Google doc.


 


AT: Agreed.


 


3) Splitting schema property into 2 (human readable & machine-readable).


 


AT: Could support if others do.


 


4) extends_so_definition description fix.


 


AT: An extension may introduce only new objects not new properties and therefore this can *not* mandate that you provide a list of properties as the extension may encompass more than a single list of properties
to a single object.


 


5) custom object extension.


 


AT: Agreed. That was the intention to make sure that this was clear in the spec once incorporated.


 


6) Two ways of doing things.


 


AT: I disagree with this assessment but agree that the language and guidance should be clear on when to use top-level vs sub-component. The paragraph early in the google document attempted to make this clear. We
would refine once incorporated into the STIX spec.


 


regards


 


allan


 








On Aug 5, 2020, at 3:49 PM, Paul Patrick < ppatrick@darklight.ai > wrote:

 


While I m a fan of the approach, I d like to make a few suggestions:


 


1.       
Why not make STIX Extension a Metaobject, like Language Content, rather than an SDO.  The STIX Extension object actually contains metadata about extensions to a SO.  In addition, it shares a lot of the same behaviors as the other Metaobjects:

        
not being able to be the source or target of a Relationship

        
restricted set of common properties; but unlike the Language Content and Marking Definition objects, a STIX Extension object is prohibited from having an extensions property to avoid the nesting of extensions.   

 


This would make the table of common properties reflect the following :


 






 




STIX Core Objects



STIX Helper Object





Property Name




SDOs




SROs




SCO




Extension




Language




Markings




Bundle






type




Required




Required




Required




Required




Required




Required




Required






spec_version




Required




Required




Optional




Required




Required




Required




N/A






id




Required




Required




Required




Required




Required




Required




Required






created_by_ref




Optional




Optional




N/A




Optional




Optional




Optional




N/A






created




Required




Required




N/A




Required




Required




Required




N/A






modified




Required




Required




N/A




Required




Required




N/A




N/A






revoked




Optional




Optional




N/A




N/A




Optional




N/A




N/A






labels




Optional




Optional




N/A




N/A




Optional




N/A




N/A






confidence




Optional




Optional




N/A




N/A




Optional




N/A




N/A






lang




Optional




Optional




N/A




N/A




N/A




N/A




N/A






external_references




Optional




Optional




N/A




N/A




Optional




Optional




N/A






object_marking_refs




Optional




Optional




Optional




N/A




Optional




Optional




N/A






granular_markings




Optional




Optional




Optional




N/A




Optional




Optional




N/A






defanged




N/A




N/A




Optional




N/A




N/A




N/A




N/A






extensions




Optional




Optional




Optional




N/A




Optional




Optional




N/A






 


2.       
In the Google doc sections on Modification #1 and Modification #2, remove the last paragraph which discuss use of Extensions with playbooks as playbooks are NOT part of STIX at this time.

3.       
The schema property of the STIX Extension has duel semantics: it could be human-readable document, or it could be a reference to a JSON schema. Recommend splitting these into two separate properties so that the semantics are clear, using
schema property to reference a JSON schema.  This would allow a tool to programmatically know where it could get a JSON schema that actually describes the datatype and restrictions of the property, such as cardinality and range limits.  Consider using external_references
for documentation/human-readable descriptions

4.       
The description of extends_so_defintion needs to state that when the property is set to true, the extensions properties MUST, not should, include one or more property names.

5.       
SUGGESTION: For custom object support, why not add the is_extension_object property to the STIX Extension object, to promote a common processing pattern: for each STIX Extension in extensions property, locate the STIX Extension object
and determine if it s a custom object by the value of the is_extension_object property, and if not, then look at the extends_so_definition to understand how the properties are applied.  If is_extension_object is true, then all properties are custom and MUST
be treated the same as if the extends_so_definition were set to true.  This way if a custom object has been extended by another extension, one would know which properties come from which extension.

6.       
Since this is breaking the rule of provide one and only one way of doing things , there needs to be a description section in Customizing STIX that explains both approaches, when to use which approach, and what are the pros and cons.

 


 


Paul Patrick


DarkLight, Inc.


 



From:   < cti@lists.oasis-open.org > on behalf of
aa tt < atcyber1000@gmail.com >
Date:   Wednesday, August 5, 2020 at 11:28 AM
To:   " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
Subject:   [cti] Updated Extension Proposal




 




CTI TC -  



 




Please find attached an updated STIX extension proposal that the mini-group worked with IBM (Jason/Emily) to incorporate an acceptable compromise to their concerns.




 




In summary:




 




1) Previously presented extension proposal is maintained and has been named sub-component extension to clarify the distinction between when it would/should be used vs the additional mechanism added for top-level
extension.




2) Added the concept of Top-Level object extension to allow extension properties directly with existing STIX standard objects.




3) Clarified language/definitions around use for both aspects.




 




The google doc containing the specification changes are here: 




https://docs.google.com/document/d/1TkXv1btieo33BAEcVsprgbVob5qeHOHVAQU0bg9AK-c/edit#heading=h.y2hw6f789m5b




 




This proposal represents the agreement by all mini-group participants. We would like to encourage the TC to consider this proposal and incorporate the changes to the STIX standard.




 




Allan Thomson






 

To reflect recent conversations, I ve attempted to update the table of common properties :
 




 


STIX Core Objects


STIX Helper Object




Property Name


SDOs


SROs


SCO


Extension


Language


Markings


Bundle




type


Required


Required


Required


Required


Required


Required


Required




spec_version


Required


Required


Optional


Required


Required


Required


N/A




id


Required


Required


Required


Required


Required


Required


Required




created_by_ref


Optional


Optional


N/A


Optional


Optional


Optional


N/A




created


Required


Required


N/A


Required


Required


Required


N/A




modified


Required


Required


N/A


Required


Required


N/A


N/A




revoked


Optional


Optional


N/A


Optional


Optional


N/A


N/A




labels


Optional


Optional


N/A


Optional


Optional


N/A


N/A




confidence


Optional


Optional


N/A


N/A


Optional


N/A


N/A




lang


Optional


Optional


N/A


N/A


N/A


N/A


N/A




external_references


Optional


Optional


N/A


Optional


Optional


Optional


N/A




object_marking_refs


Optional


Optional


Optional


N/A


Optional


Optional


N/A




granular_markings


Optional


Optional


Optional


N/A


Optional


Optional


N/A




defanged


N/A


N/A


Optional


N/A


N/A


N/A


N/A




extensions


Optional


Optional


Optional


N/A


Optional


Optional


N/A




 
In addition, while attempting to utilize the existing proposal in an effort to transform the existing STIX mapping for MITRE s ATT&CK I came up with a recommendation that I d like to present for consideration.  I d like to suggest for consideration
the following modifications to the STIX Extension object as defined in the proposal:

Adding is_extension_object as an OPTIONAL property to indicate whether the STIX Extension is for a custom object or just custom properties.  If true, indicates the extension is for a custom
object; if false, the extension is for custom properties Restrict the schema property to be used only to provide a URL to the JSON schema for the extension; as suggested earlier, utilize the
external_references common property to specify a reference the location of human-readable documentation for the STIX Extension Remove the extension_properties from the STIX Extension object and instead have it become a REQUIRED property of the extension specified for the STIX object when the
extends_so_definition property is set as true.
To aid in visualizing this suggestion, I ve provided an update STIX Extension object description and a sample:
 




Required Comm on Properties




type, spec_version, id, created_modified




Optional Common Properties




created_by_ref, revoked, labels, external_references




Not Applicable Common Properties




confidence, object_marking_refs, granular_markings, lang, defanged, extensions




STIX Extension Specific Properties




name, description, schema, version, is_extension_object, extension_so_definition




Property Name


Required


Type


Details




type


Y


string


The type property identifies the type of object.  The value of this property
MUST be stix-extension .




name


Y


string


The name property specifies a name used for display purposes during execution, development or troubleshooting




description


N


string


The description property specified a description that provides more details and context about the STIX Extension, potentially containing an explanation about what this extension does and accomplishes.




schema


Y


string


The schema property specifies a URL reference to the JSON schema for this extension.




version


N


string


The version property specifies the version of this extension.  Producers of STIX extensions are encouraged to follow standard semantic versioning procedures where the version number follows the pattern MAJOR.MINOR.PATCH.  This will
allow consumers to distinguish between the three different levels of compatibility typically identified by such versioning string




is_extension_object


N


boolean


The is_extension_object property indicates whether the STIX Extension is for a custom object (true) or custom properties on an existing STIX object (false).




extends_so_definition


N


boolean


The extends_so_definition property indicates whether the extension properties are defined at the same level as other STIX object properties (true) or as sub-components (false).
 
When set to true, the extension specified for the object
MUST contain the extension_properties property which contains the list of custom property names that are usable at the same level as the other STIX object properties.
 
When set to false, the extension specified for the object
MUST only contain the custom property names and corresponding values.




 
        {
           
"type" :
"stix-extension" ,
           
"spec_version" :
"2.1.1" ,
           
"id" :
"stix-extension--0b5be446-2c34-4c4a-b564-2edbf919a2d5" ,
           
"created_by_ref" :
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" ,
           
"created" :
"2020-08-08T19:04:585Z" ,
           
"modified" :
"2020-08-08T19:04:585Z" ,
           
"revoked" :
false ,
           
"labels" : [ "mitre-attack" ],
           
"external_references" : [
                {
                   
"source_name" :
"mitre-attack" ,
                   
"description" :
"Extensions of the STIX spec" ,
                   
"url" :
"https://github.com/mitre/cti/blob/master/USAGE.md#extensions-of-the-stix-spec" ,
                     "hashes" :
{
                       
"MD5" :
"f41fb12dd57a931339be614c08224f45" ,
                       
"SHA-1" :
"7eefefd325230072fc941b848efa4384f8ad0453" ,
                       
"SHA-256" :
"0db74c60d4ed4d02f4e67cede0341932f31c4b2ac1e99e6a857c2b987c1bf7e3"
                    }
                }
            ],
           
"name" :
"MITRE ATT&CK Pattern extensions as Top-Level Properties" ,
           
"description" :
"This extension adds MITRE ATT&CK pattern extensions to adding the Tactic, and Matrix objects" ,
           
"schema" :
"https://github.com/mitre/cti/blob/master/schemas/stix-attack-extensions.json" ,
           
"version" :
"1.0" ,
           
"is_extension_object" :
true ,   
// OPTIONAL: indicates if the extension is for a custom object; default: false
           
"extends_so_definitions" :
true  
// OPTIONAL: indicates if properties are top-level; default: false
        },
        {
           
"type" :
"x-mitre-matrix" ,
           
"spec_version" :
"2.1.1" ,
           
"id" :
"x-mitre-matrix--eafc1b4c-5e56-4965-bd4e-66a6a89c88cc" ,
           
"created_by_ref" :
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" ,
           
"created" :
"2018-10-17T00:14:20.652Z" ,
           
"modified" :
"2020-07-02T14:18:03.651Z" ,
           
"extensions" : {
               
"stix-extension--0b5be446-2c34-4c4a-b564-2edbf919a2d5" : {
                   
"extension_properties" : [      
// REQUIRED because extends_so_definitions is true; no other properties permitted
                       
"name" ,
                       
"description" ,
                       
"tactic_refs"
                    ]       

                }
            },
           
"external_references" : [
                {
                   
"external_id" :
"enterprise-attack" ,
                   
"source_name" :
"mitre-attack" ,
                   
"url" :
"https://attack.mitre.org/matrices/enterprise"
                }
            ],
           
"object_marking_refs" : [
               
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
           
"name" :
"Enterprise ATT&CK" ,
           
"description" :
"Below are the tactics and technique representing the MITRE ATT&CK Matrix for Enterprise. The Matrix contains information for the following platforms: Windows, macOS, Linux, AWS, GCP, Azure,
Azure AD, Office 365, SaaS." ,
           
"tactic_refs" : [
               
"x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca" ,
               
"x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5" ,
               
"x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92" ,
               
"x-mitre-tactic--5e29b093-294e-49e9-a803-dab3d73b77dd" ,
               
"x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a" ,
               
"x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263" ,
               
"x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9" ,
               
"x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e" ,
               
"x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d6c6cfe" ,
               
"x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813" ,
               
"x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462" ,
               
"x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8"
            ],
        }
 
 

From:
<cti@lists.oasis-open.org> on behalf of aa tt <atcyber1000@gmail.com>
Date: Thursday, August 6, 2020 at 11:41 AM
To: Paul Patrick <ppatrick@darklight.ai>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Updated Extension Proposal


 

Paul - thanks for the thoughtful response and feedback.

 


Here s my input.


 


1) Extension as a meta-object vs SDO.


 


AT: I could support it being classified as a meta-object provided we allow the following fields 


 


a) revoked 


- used for revoking extension use


 


b) labels 


- useful for categorization of extension purposes and helps describe them/differentiate them


 


c) external_referneces


- useful for additional background on spec of extension


 


d) object_marking_refs


- useful for copyright and other markings associated with extensions (not just data treatment)


 


By the time you include the options of these 4 properties then it starts to look more like a SDO again than a meta-object. So I lean towards keeping as SDO but the TC should debate.


 


2) Google doc.


 


AT: Agreed.


 


3) Splitting schema property into 2 (human readable & machine-readable).


 


AT: Could support if others do.


 


4) extends_so_definition description fix.


 


AT: An extension may introduce only new objects not new properties and therefore this can *not* mandate that you provide a list of properties as the extension may encompass more than a single list of properties
to a single object.


 


5) custom object extension.


 


AT: Agreed. That was the intention to make sure that this was clear in the spec once incorporated.


 


6) Two ways of doing things.


 


AT: I disagree with this assessment but agree that the language and guidance should be clear on when to use top-level vs sub-component. The paragraph early in the google document attempted to make this clear. We
would refine once incorporated into the STIX spec.


 


regards


 


allan


 








On Aug 5, 2020, at 3:49 PM, Paul Patrick < ppatrick@darklight.ai > wrote:

 


While I m a fan of the approach, I d like to make a few suggestions:


 


1.       
Why not make STIX Extension a Metaobject, like Language Content, rather than an SDO.  The STIX Extension object actually contains metadata about extensions to a SO.  In addition, it shares a lot of the same behaviors as the other Metaobjects:

        
not being able to be the source or target of a Relationship

        
restricted set of common properties; but unlike the Language Content and Marking Definition objects, a STIX Extension object is prohibited from having an extensions property to avoid the nesting of extensions.   

 


This would make the table of common properties reflect the following :


 






 




STIX Core Objects



STIX Helper Object





Property Name




SDOs




SROs




SCO




Extension




Language




Markings




Bundle






type




Required




Required




Required




Required




Required




Required




Required






spec_version




Required




Required




Optional




Required




Required




Required




N/A






id




Required




Required




Required




Required




Required




Required




Required






created_by_ref




Optional




Optional




N/A




Optional




Optional




Optional




N/A






created




Required




Required




N/A




Required




Required




Required




N/A






modified




Required




Required




N/A




Required




Required




N/A




N/A






revoked




Optional




Optional




N/A




N/A




Optional




N/A




N/A






labels




Optional




Optional




N/A




N/A




Optional




N/A




N/A






confidence




Optional




Optional




N/A




N/A




Optional




N/A




N/A






lang




Optional




Optional




N/A




N/A




N/A




N/A




N/A






external_references




Optional




Optional




N/A




N/A




Optional




Optional




N/A






object_marking_refs




Optional




Optional




Optional




N/A




Optional




Optional




N/A






granular_markings




Optional




Optional




Optional




N/A




Optional




Optional




N/A






defanged




N/A




N/A




Optional




N/A




N/A




N/A




N/A






extensions




Optional




Optional




Optional




N/A




Optional




Optional




N/A






 


2.       
In the Google doc sections on Modification #1 and Modification #2, remove the last paragraph which discuss use of Extensions with playbooks as playbooks are NOT part of STIX at this time.

3.       
The schema property of the STIX Extension has duel semantics: it could be human-readable document, or it could be a reference to a JSON schema. Recommend splitting these into two separate properties so that the semantics are clear, using
schema property to reference a JSON schema.  This would allow a tool to programmatically know where it could get a JSON schema that actually describes the datatype and restrictions of the property, such as cardinality and range limits.  Consider using external_references
for documentation/human-readable descriptions

4.       
The description of extends_so_defintion needs to state that when the property is set to true, the extensions properties MUST, not should, include one or more property names.

5.       
SUGGESTION: For custom object support, why not add the is_extension_object property to the STIX Extension object, to promote a common processing pattern: for each STIX Extension in extensions property, locate the STIX Extension object
and determine if it s a custom object by the value of the is_extension_object property, and if not, then look at the extends_so_definition to understand how the properties are applied.  If is_extension_object is true, then all properties are custom and MUST
be treated the same as if the extends_so_definition were set to true.  This way if a custom object has been extended by another extension, one would know which properties come from which extension.

6.       
Since this is breaking the rule of provide one and only one way of doing things , there needs to be a description section in Customizing STIX that explains both approaches, when to use which approach, and what are the pros and cons.

 


 


Paul Patrick


DarkLight, Inc.


 



From:   < cti@lists.oasis-open.org >
on behalf of aa tt < atcyber1000@gmail.com >
Date:   Wednesday, August 5, 2020 at 11:28 AM
To:   " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
Subject:   [cti] Updated Extension Proposal




 




CTI TC -  



 




Please find attached an updated STIX extension proposal that the mini-group worked with IBM (Jason/Emily) to incorporate an acceptable compromise to their concerns.




 




In summary:




 




1) Previously presented extension proposal is maintained and has been named sub-component extension to clarify the distinction between when it would/should be used vs the additional mechanism added for top-level
extension.




2) Added the concept of Top-Level object extension to allow extension properties directly with existing STIX standard objects.




3) Clarified language/definitions around use for both aspects.




 




The google doc containing the specification changes are here: 




https://docs.google.com/document/d/1TkXv1btieo33BAEcVsprgbVob5qeHOHVAQU0bg9AK-c/edit#heading=h.y2hw6f789m5b




 




This proposal represents the agreement by all mini-group participants. We would like to encourage the TC to consider this proposal and incorporate the changes to the STIX standard.




 




Allan Thomson






 

Paul - Thanks for the updates. I think we need to talk about your changes related to extension_properties. It has issues from my perspective and suggest we discuss on a conference call/working call. CTI co-chairs - please advise next steps on this. Allan On Aug 8, 2020, at 8:07 PM, Paul Patrick < ppatrick@darklight.ai > wrote: To reflect recent conversations, I ve attempted to update the table of common properties :     STIX Core Objects STIX Helper Object Property Name SDOs SROs SCO Extension Language Markings Bundle type Required Required Required Required Required Required Required spec_version Required Required Optional Required Required Required N/A id Required Required Required Required Required Required Required created_by_ref Optional Optional N/A Optional Optional Optional N/A created Required Required N/A Required Required Required N/A modified Required Required N/A Required Required N/A N/A revoked Optional Optional N/A Optional Optional N/A N/A labels Optional Optional N/A Optional Optional N/A N/A confidence Optional Optional N/A N/A Optional N/A N/A lang Optional Optional N/A N/A N/A N/A N/A external_references Optional Optional N/A Optional Optional Optional N/A object_marking_refs Optional Optional Optional N/A Optional Optional N/A granular_markings Optional Optional Optional N/A Optional Optional N/A defanged N/A N/A Optional N/A N/A N/A N/A extensions Optional Optional Optional N/A Optional Optional N/A   In addition, while attempting to utilize the existing proposal in an effort to transform the existing STIX mapping for MITRE s ATT&CK I came up with a recommendation that I d like to present for consideration.  I d like to suggest for consideration the following modifications to the STIX Extension object as defined in the proposal: Adding   is_extension_object   as an OPTIONAL property to indicate whether the STIX Extension is for a custom object or just custom properties.  If true, indicates the extension is for a custom object; if false, the extension is for custom properties Restrict the schema property to be used only to provide a URL to the JSON schema for the extension; as suggested earlier, utilize the   external_references   common property to specify a reference the location of human-readable documentation for the STIX Extension Remove the   extension_properties   from the STIX Extension object and instead have it become a REQUIRED property of the extension specified for the STIX object when the   extends_so_definition   property is set as true. To aid in visualizing this suggestion, I ve provided an update STIX Extension object description and a sample:   Required Comm on Properties type, spec_version, id, created_modified Optional Common Properties created_by_ref, revoked, labels, external_references Not Applicable Common Properties confidence, object_marking_refs, granular_markings, lang, defanged, extensions STIX Extension Specific Properties name, description, schema, version, is_extension_object, extension_so_definition Property Name Required Type Details type Y string The   type   property identifies the type of object.  The value of this property   MUST   be   stix-extension . name Y string The   name   property specifies a name used for display purposes during execution, development or troubleshooting description N string The   description   property specified a description that provides more details and context about the STIX Extension, potentially containing an explanation about what this extension does and accomplishes. schema Y string The   schema   property specifies a URL reference to the JSON schema for this extension. version N string The   version   property specifies the version of this extension.  Producers of STIX extensions are encouraged to follow standard semantic versioning procedures where the version number follows the pattern MAJOR.MINOR.PATCH.  This will allow consumers to distinguish between the three different levels of compatibility typically identified by such versioning string is_extension_object N boolean The   is_extension_object   property indicates whether the STIX Extension is for a custom object (true) or custom properties on an existing STIX object (false). extends_so_definition N boolean The   extends_so_definition   property indicates whether the extension properties are defined at the same level as other STIX object properties (true) or as sub-components (false).   When set to true, the extension specified for the object   MUST   contain the   extension_properties property which contains the list of custom property names that are usable at the same level as the other STIX object properties.   When set to false, the extension specified for the object   MUST   only contain the custom property names and corresponding values.             {               type :   stix-extension ,               spec_version :   2.1.1 ,               id :   stix-extension--0b5be446-2c34-4c4a-b564-2edbf919a2d5 ,               created_by_ref :   identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 ,               created :   2020-08-08T19:04:585Z ,               modified :   2020-08-08T19:04:585Z ,               revoked :   false ,               labels : [ mitre-attack ],               external_references : [                 {                       source_name :   mitre-attack ,                       description :   Extensions of the STIX spec ,                       url :   https://github.com/mitre/cti/blob/master/USAGE.md#extensions-of-the-stix-spec ,                      hashes : {                           MD5 :   f41fb12dd57a931339be614c08224f45 ,                           SHA-1 :   7eefefd325230072fc941b848efa4384f8ad0453 ,                           SHA-256 :   0db74c60d4ed4d02f4e67cede0341932f31c4b2ac1e99e6a857c2b987c1bf7e3                     }                 }             ],               name :   MITRE ATT&CK Pattern extensions as Top-Level Properties ,               description :   This extension adds MITRE ATT&CK pattern extensions to adding the Tactic, and Matrix objects ,               schema :   https://github.com/mitre/cti/blob/master/schemas/stix-attack-extensions.json ,               version :   1.0 ,               is_extension_object :   true ,      // OPTIONAL: indicates if the extension is for a custom object; default: false               extends_so_definitions :   true     // OPTIONAL: indicates if properties are top-level; default: false         },         {               type :   x-mitre-matrix ,               spec_version :   2.1.1 ,               id :   x-mitre-matrix--eafc1b4c-5e56-4965-bd4e-66a6a89c88cc ,               created_by_ref :   identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 ,               created :   2018-10-17T00:14:20.652Z ,               modified :   2020-07-02T14:18:03.651Z ,               extensions : {                   stix-extension--0b5be446-2c34-4c4a-b564-2edbf919a2d5 : {                       extension_properties : [         // REQUIRED because extends_so_definitions is true; no other properties permitted                           name ,                           description ,                           tactic_refs                     ]                        }             },               external_references : [                 {                       external_id :   enterprise-attack ,                       source_name :   mitre-attack ,                       url :   https://attack.mitre.org/matrices/enterprise                 }             ],               object_marking_refs : [                   marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168             ],               name :   Enterprise ATT&CK ,               description :   Below are the tactics and technique representing the MITRE ATT&CK Matrix for Enterprise. The Matrix contains information for the following platforms: Windows, macOS, Linux, AWS, GCP, Azure, Azure AD, Office 365, SaaS. ,               tactic_refs : [                   x-mitre-tactic--ffd5bcee-6e16-4dd2-8eca-7b3beedf33ca ,                   x-mitre-tactic--4ca45d45-df4d-4613-8980-bac22d278fa5 ,                   x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92 ,                   x-mitre-tactic--5e29b093-294e-49e9-a803-dab3d73b77dd ,                   x-mitre-tactic--78b23412-0651-46d7-a540-170a1ce8bd5a ,                   x-mitre-tactic--2558fd61-8c75-4730-94c4-11926db2a263 ,                   x-mitre-tactic--c17c5845-175e-4421-9713-829d0573dbc9 ,                   x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e ,                   x-mitre-tactic--d108ce10-2419-4cf9-a774-46161d6c6cfe ,                   x-mitre-tactic--f72804c5-f15a-449e-a5da-2eecd181f813 ,                   x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462 ,                   x-mitre-tactic--5569339b-94c2-49ee-afb3-2222936582c8             ],         }     From:   < cti@lists.oasis-open.org > on behalf of aa tt < atcyber1000@gmail.com > Date:   Thursday, August 6, 2020 at 11:41 AM To:   Paul Patrick < ppatrick@darklight.ai > Cc:   cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject:   Re: [cti] Updated Extension Proposal   Paul - thanks for the thoughtful response and feedback.   Here s my input.   1) Extension as a meta-object vs SDO.   AT: I could support it being classified as a meta-object provided we allow the following fields    a) revoked  - used for revoking extension use   b) labels  - useful for categorization of extension purposes and helps describe them/differentiate them   c) external_referneces - useful for additional background on spec of extension   d) object_marking_refs - useful for copyright and other markings associated with extensions (not just data treatment)   By the time you include the options of these 4 properties then it starts to look more like a SDO again than a meta-object. So I lean towards keeping as SDO but the TC should debate.   2) Google doc.   AT: Agreed.   3) Splitting schema property into 2 (human readable & machine-readable).   AT: Could support if others do.   4) extends_so_definition description fix.   AT: An extension may introduce only new objects not new properties and therefore this can *not* mandate that you provide a list of properties as the extension may encompass more than a single list of properties to a single object.   5) custom object extension.   AT: Agreed. That was the intention to make sure that this was clear in the spec once incorporated.   6) Two ways of doing things.   AT: I disagree with this assessment but agree that the language and guidance should be clear on when to use top-level vs sub-component. The paragraph early in the google document attempted to make this clear. We would refine once incorporated into the STIX spec.   regards   allan   On Aug 5, 2020, at 3:49 PM, Paul Patrick < ppatrick@darklight.ai > wrote:   While I m a fan of the approach, I d like to make a few suggestions:   1.          Why not make STIX Extension a Metaobject, like Language Content, rather than an SDO.  The STIX Extension object actually contains metadata about extensions to a SO.  In addition, it shares a lot of the same behaviors as the other Metaobjects:            not being able to be the source or target of a Relationship            restricted set of common properties; but unlike the Language Content and Marking Definition objects, a STIX Extension object is prohibited from having an extensions property to avoid the nesting of extensions.      This would make the table of common properties reflect the following :     STIX Core Objects STIX Helper Object Property Name SDOs SROs SCO Extension Language Markings Bundle type Required Required Required Required Required Required Required spec_version Required Required Optional Required Required Required N/A id Required Required Required Required Required Required Required created_by_ref Optional Optional N/A Optional Optional Optional N/A created Required Required N/A Required Required Required N/A modified Required Required N/A Required Required N/A N/A revoked Optional Optional N/A N/A Optional N/A N/A labels Optional Optional N/A N/A Optional N/A N/A confidence Optional Optional N/A N/A Optional N/A N/A lang Optional Optional N/A N/A N/A N/A N/A external_references Optional Optional N/A N/A Optional Optional N/A object_marking_refs Optional Optional Optional N/A Optional Optional N/A granular_markings Optional Optional Optional N/A Optional Optional N/A defanged N/A N/A Optional N/A N/A N/A N/A extensions Optional Optional Optional N/A Optional Optional N/A   2.          In the Google doc sections on Modification #1 and Modification #2, remove the last paragraph which discuss use of Extensions with playbooks as playbooks are NOT part of STIX at this time. 3.          The schema property of the STIX Extension has duel semantics: it could be human-readable document, or it could be a reference to a JSON schema. Recommend splitting these into two separate properties so that the semantics are clear, using schema property to reference a JSON schema.  This would allow a tool to programmatically know where it could get a JSON schema that actually describes the datatype and restrictions of the property, such as cardinality and range limits.  Consider using external_references for documentation/human-readable descriptions 4.          The description of extends_so_defintion needs to state that when the property is set to true, the extensions properties MUST, not should, include one or more property names. 5.          SUGGESTION: For custom object support, why not add the is_extension_object property to the STIX Extension object, to promote a common processing pattern: for each STIX Extension in extensions property, locate the STIX Extension object and determine if it s a custom object by the value of the is_extension_object property, and if not, then look at the extends_so_definition to understand how the properties are applied.  If is_extension_object is true, then all properties are custom and MUST be treated the same as if the extends_so_definition were set to true.  This way if a custom object has been extended by another extension, one would know which properties come from which extension. 6.          Since this is breaking the rule of provide one and only one way of doing things , there needs to be a description section in Customizing STIX that explains both approaches, when to use which approach, and what are the pros and cons.     Paul Patrick DarkLight, Inc.   From:   < cti@lists.oasis-open.org > on behalf of aa tt < atcyber1000@gmail.com > Date:   Wednesday, August 5, 2020 at 11:28 AM To:   cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject:   [cti] Updated Extension Proposal   CTI TC -     Please find attached an updated STIX extension proposal that the mini-group worked with IBM (Jason/Emily) to incorporate an acceptable compromise to their concerns.   In summary:   1) Previously presented extension proposal is maintained and has been named sub-component extension to clarify the distinction between when it would/should be used vs the additional mechanism added for top-level extension. 2) Added the concept of Top-Level object extension to allow extension properties directly with existing STIX standard objects. 3) Clarified language/definitions around use for both aspects.   The google doc containing the specification changes are here:  https://docs.google.com/document/d/1TkXv1btieo33BAEcVsprgbVob5qeHOHVAQU0bg9AK-c/edit#heading=h.y2hw6f789m5b   This proposal represents the agreement by all mini-group participants. We would like to encourage the TC to consider this proposal and incorporate the changes to the STIX standard.   Allan Thomson

Hi Allan,
 
I might have missed some discussions, but

what are the relationships between

"11 Customizing STIX" of STIX 2.1 (custom properties,

custom objects, and custom extensions) and

this SEP proposal?

 
Regards,
 
Ryu
 


From: cti@lists.oasis-open.org <cti@lists.oasis-open.org>
On Behalf Of aa tt
Sent: Thursday, August 6, 2020 12:28 AM
To: cti@lists.oasis-open.org
Subject: [cti] Updated Extension Proposal


 

CTI TC -

 


Please find attached an updated STIX extension proposal that the mini-group worked with IBM (Jason/Emily) to incorporate an acceptable compromise to their concerns.


 


In summary:


 


1) Previously presented extension proposal is maintained and has been named sub-component extension to clarify the distinction between when it would/should be used vs the additional mechanism added for top-level extension.


2) Added the concept of Top-Level object extension to allow extension properties directly with existing STIX standard objects.


3) Clarified language/definitions around use for both aspects.


 


The google doc containing the specification changes are here: 


https://docs.google.com/document/d/1TkXv1btieo33BAEcVsprgbVob5qeHOHVAQU0bg9AK-c/edit#heading=h.y2hw6f789m5b


 


This proposal represents the agreement by all mini-group participants. We would like to encourage the TC to consider this proposal and incorporate the changes to the STIX standard.


 


Allan Thomson


 




 

Hi Ryu - My personal feeling is that customization of STIX will remain in the standard as-is but industry best-practices will steer orgs towards using the extension proposal as the primary mechanism to change STIX. The rationale: JSON content can always be modified regardless of what the CTI TC decides and the customization language in the current specification can just remain as most people already have done customization in products. However, if the TC felt that it was better to remove the customization language and replace with this extension proposal then I would be supportive of that also. Other proponents of the extension proposal, as well as other TC members should speak up on this topic. regards allan On Aug 5, 2020, at 11:35 PM, masuoka.ryusuke@fujitsu.com wrote: Hi Allan,   I might have missed some discussions, but what are the relationships between 11 Customizing STIX of STIX 2.1 (custom properties, custom objects, and custom extensions) and this SEP proposal?   Regards,   Ryu   From: cti@lists.oasis-open.org < cti@lists.oasis-open.org > On Behalf Of aa tt Sent: Thursday, August 6, 2020 12:28 AM To: cti@lists.oasis-open.org Subject: [cti] Updated Extension Proposal   CTI TC -   Please find attached an updated STIX extension proposal that the mini-group worked with IBM (Jason/Emily) to incorporate an acceptable compromise to their concerns.   In summary:   1) Previously presented extension proposal is maintained and has been named sub-component extension to clarify the distinction between when it would/should be used vs the additional mechanism added for top-level extension. 2) Added the concept of Top-Level object extension to allow extension properties directly with existing STIX standard objects. 3) Clarified language/definitions around use for both aspects.   The google doc containing the specification changes are here:  https://docs.google.com/document/d/1TkXv1btieo33BAEcVsprgbVob5qeHOHVAQU0bg9AK-c/edit#heading=h.y2hw6f789m5b   This proposal represents the agreement by all mini-group participants. We would like to encourage the TC to consider this proposal and incorporate the changes to the STIX standard.   Allan Thomson    

Ryu,
 
I generally agree with Allan in that I see the STIX Extension proposal as a candidate to replace the way customization of STIX 2.1 is done today.  Like Allan, I too would be
supportive of replacing the existing customization mechanism with this proposal but would recommend that the TC deprecate, not remove, the current approach until a future release.
 
To that end, I believe the section in the spec on Customizing STIX be updated to not only provide guidance on how to use the STIX Extension approach but provide guidance how
to use it IN PLACE OF the existing schema.  I can also imagine what an update to STIX Elevator could be to aid in stepping-up from STIX 2.1 to STIX 2.1.1 to make that transition easier for people to move to the new scheme.
 
Paul Patrick
DarkLight, Inc.
 
 

From:
<cti@lists.oasis-open.org> on behalf of aa tt <atcyber1000@gmail.com>
Date: Thursday, August 6, 2020 at 11:33 AM
To: "masuoka.ryusuke@fujitsu.com" <masuoka.ryusuke@fujitsu.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Updated Extension Proposal


 

Hi Ryu -

 


My personal feeling is that customization of STIX will remain in the standard as-is but industry best-practices will steer orgs towards using the extension proposal as the primary mechanism to change STIX.


 


The rationale: JSON content can always be modified regardless of what the CTI TC decides and the customization language in the current specification can just remain as most people already have done customization
in products.


 


However, if the TC felt that it was better to remove the customization language and replace with this extension proposal then I would be supportive of that also.


 


Other proponents of the extension proposal, as well as other TC members should speak up on this topic.


 


regards


 


allan








On Aug 5, 2020, at 11:35 PM,
masuoka.ryusuke@fujitsu.com wrote:

 


Hi Allan,
 
I might have missed some discussions, but

what are the relationships between

"11 Customizing STIX" of STIX 2.1 (custom properties,

custom objects, and custom extensions) and

this SEP proposal?

 
Regards,
 
Ryu
 


From:
cti@lists.oasis-open.org < cti@lists.oasis-open.org >
On Behalf Of aa tt
Sent: Thursday, August 6, 2020 12:28 AM
To: cti@lists.oasis-open.org
Subject: [cti] Updated Extension Proposal


 

CTI TC -


 


Please find attached an updated STIX extension proposal that the mini-group worked with IBM (Jason/Emily) to incorporate an acceptable compromise to their concerns.


 


In summary:


 


1) Previously presented extension proposal is maintained and has been named
sub-component extension to clarify the distinction between when it would/should be used vs the additional mechanism added for top-level extension.


2) Added the concept of Top-Level object extension to allow extension properties directly with existing STIX standard objects.


3) Clarified language/definitions around use for both aspects.


 


The google doc containing the specification changes are here: 


https://docs.google.com/document/d/1TkXv1btieo33BAEcVsprgbVob5qeHOHVAQU0bg9AK-c/edit#heading=h.y2hw6f789m5b


 


This proposal represents the agreement by all mini-group participants. We would like to encourage the TC to consider this proposal and incorporate the changes to the STIX standard.


 


Allan Thomson


 




 






 

The reality is that people will always tack their own properties onto the JSON regardless of if it is an official customization mechanism of STIX or not. After all in some environments, simply the process of serializing and deserializing JSON can add fields.   All the fact that we have it in the STIX specification means, is that we are making a clear statement that adding new fields should not cause validation to fail (in JSON-schema parlance, that additionalProperties should be left alone at it's default in the schema, which is true ), and that fields should be preserved during the serialization/deserialization process.      Therefore I do not think we should remove it, although I would say we should definitely water down the language around it , and remove references to custom properties , instead pointing them at this new mechanism to encourage it.   - Jason Keirstead Chief Architect - IBM Security Threat Management www.ibm.com/security Co-Chair - Open Cybersecurity Alliance, Project Governing Board www.opencybersecurityalliance.org       ----- Original message ----- From: Paul Patrick <ppatrick@darklight.ai> Sent by: <cti@lists.oasis-open.org> To: aa tt <atcyber1000@gmail.com>, masuoka.ryusuke@fujitsu.com <masuoka.ryusuke@fujitsu.com> Cc: cti@lists.oasis-open.org <cti@lists.oasis-open.org> Subject: [EXTERNAL] Re: [cti] Updated Extension Proposal Date: Thu, Aug 6, 2020 12:47 PM   Ryu,   I generally agree with Allan in that I see the STIX Extension proposal as a candidate to replace the way customization of STIX 2.1 is done today.  Like Allan, I too would be supportive of replacing the existing customization mechanism with this proposal but would recommend that the TC deprecate, not remove, the current approach until a future release.   To that end, I believe the section in the spec on Customizing STIX be updated to not only provide guidance on how to use the STIX Extension approach but provide guidance how to use it IN PLACE OF the existing schema.  I can also imagine what an update to STIX Elevator could be to aid in stepping-up from STIX 2.1 to STIX 2.1.1 to make that transition easier for people to move to the new scheme.   Paul Patrick DarkLight, Inc.     From: <cti@lists.oasis-open.org> on behalf of aa tt <atcyber1000@gmail.com> Date: Thursday, August 6, 2020 at 11:33 AM To: masuoka.ryusuke@fujitsu.com <masuoka.ryusuke@fujitsu.com> Cc: cti@lists.oasis-open.org <cti@lists.oasis-open.org> Subject: Re: [cti] Updated Extension Proposal   Hi Ryu -   My personal feeling is that customization of STIX will remain in the standard as-is but industry best-practices will steer orgs towards using the extension proposal as the primary mechanism to change STIX.   The rationale: JSON content can always be modified regardless of what the CTI TC decides and the customization language in the current specification can just remain as most people already have done customization in products.   However, if the TC felt that it was better to remove the customization language and replace with this extension proposal then I would be supportive of that also.   Other proponents of the extension proposal, as well as other TC members should speak up on this topic.   regards   allan On Aug 5, 2020, at 11:35 PM, masuoka.ryusuke@fujitsu.com wrote:   Hi Allan,   I might have missed some discussions, but what are the relationships between 11 Customizing STIX of STIX 2.1 (custom properties, custom objects, and custom extensions) and this SEP proposal?   Regards,   Ryu   From: cti@lists.oasis-open.org < cti@lists.oasis-open.org > On Behalf Of aa tt Sent: Thursday, August 6, 2020 12:28 AM To: cti@lists.oasis-open.org Subject: [cti] Updated Extension Proposal   CTI TC -   Please find attached an updated STIX extension proposal that the mini-group worked with IBM (Jason/Emily) to incorporate an acceptable compromise to their concerns.   In summary:   1) Previously presented extension proposal is maintained and has been named sub-component extension to clarify the distinction between when it would/should be used vs the additional mechanism added for top-level extension. 2) Added the concept of Top-Level object extension to allow extension properties directly with existing STIX standard objects. 3) Clarified language/definitions around use for both aspects.   The google doc containing the specification changes are here:  https://docs.google.com/document/d/1TkXv1btieo33BAEcVsprgbVob5qeHOHVAQU0bg9AK-c/edit#heading=h.y2hw6f789m5b   This proposal represents the agreement by all mini-group participants. We would like to encourage the TC to consider this proposal and incorporate the changes to the STIX standard.   Allan Thomson        

Agreed. Can we get the TC to agree that the latest extension proposal should be incorporated into the spec?  Do we need a vote? Or ask for any objections is sufficient. STIX chairs -> Please advise on next steps. allan On Aug 7, 2020, at 5:12 AM, Jason Keirstead < Jason.Keirstead@ca.ibm.com > wrote: The reality is that people will always tack their own properties onto the JSON regardless of if it is an official customization mechanism of STIX or not. After all in some environments, simply the process of serializing and deserializing JSON can add fields.   All the fact that we have it in the STIX specification means, is that we are making a clear statement that adding new fields should not cause validation to fail (in JSON-schema parlance, that additionalProperties should be left alone at it's default in the schema, which is true ), and that fields should be preserved during the serialization/deserialization process.      Therefore I do not think we should remove it, although I would say we should definitely water down the language around it , and remove references to custom properties , instead pointing them at this new mechanism to encourage it.   - Jason Keirstead Chief Architect - IBM Security Threat Management www.ibm.com/security Co-Chair - Open Cybersecurity Alliance, Project Governing Board www.opencybersecurityalliance.org       ----- Original message ----- From: Paul Patrick < ppatrick@darklight.ai > Sent by: < cti@lists.oasis-open.org > To: aa tt < atcyber1000@gmail.com >, masuoka.ryusuke@fujitsu.com < masuoka.ryusuke@fujitsu.com > Cc: cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject: [EXTERNAL] Re: [cti] Updated Extension Proposal Date: Thu, Aug 6, 2020 12:47 PM   Ryu,   I generally agree with Allan in that I see the STIX Extension proposal as a candidate to replace the way customization of STIX 2.1 is done today.  Like Allan, I too would be supportive of replacing the existing customization mechanism with this proposal but would recommend that the TC deprecate, not remove, the current approach until a future release.   To that end, I believe the section in the spec on Customizing STIX be updated to not only provide guidance on how to use the STIX Extension approach but provide guidance how to use it IN PLACE OF the existing schema.  I can also imagine what an update to STIX Elevator could be to aid in stepping-up from STIX 2.1 to STIX 2.1.1 to make that transition easier for people to move to the new scheme.   Paul Patrick DarkLight, Inc.     From: < cti@lists.oasis-open.org > on behalf of aa tt < atcyber1000@gmail.com > Date: Thursday, August 6, 2020 at 11:33 AM To: masuoka.ryusuke@fujitsu.com < masuoka.ryusuke@fujitsu.com > Cc: cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject: Re: [cti] Updated Extension Proposal   Hi Ryu -   My personal feeling is that customization of STIX will remain in the standard as-is but industry best-practices will steer orgs towards using the extension proposal as the primary mechanism to change STIX.   The rationale: JSON content can always be modified regardless of what the CTI TC decides and the customization language in the current specification can just remain as most people already have done customization in products.   However, if the TC felt that it was better to remove the customization language and replace with this extension proposal then I would be supportive of that also.   Other proponents of the extension proposal, as well as other TC members should speak up on this topic.   regards   allan On Aug 5, 2020, at 11:35 PM, masuoka.ryusuke@fujitsu.com wrote:   Hi Allan,   I might have missed some discussions, but what are the relationships between 11 Customizing STIX of STIX 2.1 (custom properties, custom objects, and custom extensions) and this SEP proposal?   Regards,   Ryu   From: cti@lists.oasis-open.org < cti@lists.oasis-open.org > On Behalf Of aa tt Sent: Thursday, August 6, 2020 12:28 AM To: cti@lists.oasis-open.org Subject: [cti] Updated Extension Proposal   CTI TC -   Please find attached an updated STIX extension proposal that the mini-group worked with IBM (Jason/Emily) to incorporate an acceptable compromise to their concerns.   In summary:   1) Previously presented extension proposal is maintained and has been named sub-component extension to clarify the distinction between when it would/should be used vs the additional mechanism added for top-level extension. 2) Added the concept of Top-Level object extension to allow extension properties directly with existing STIX standard objects. 3) Clarified language/definitions around use for both aspects.   The google doc containing the specification changes are here:  https://docs.google.com/document/d/1TkXv1btieo33BAEcVsprgbVob5qeHOHVAQU0bg9AK-c/edit#heading=h.y2hw6f789m5b   This proposal represents the agreement by all mini-group participants. We would like to encourage the TC to consider this proposal and incorporate the changes to the STIX standard.   Allan Thomson        

Hi Allan, Patrick,
 
Thank you for your input and sorry for my late response.
(I am back from my long summer (Obon) break.)
 
I too am supportive of replacing the existing customization mechanism with this proposal

and deprecating the current approach until a future release based on the following reasons.
 
- There should be only one way to do a certain thing.

  I understand this is one of the lessons the TC learned from STIX 1.x experiences.
 
- The current approach ("11 Customizing STIX" of STIX 2.1) says

  
  A consumer that receives STIX content containing Custom Properties, Objects or Extensions

  it does not understand
MAY refuse to process the content or MAY ignore those properties

  or objects and continue processing the content.
 
 and some STIX 2.x implementation actually raises errors when they see
 Custom Properties/Objects that it does not understand.
 When this happens, it is really difficult to use Custom Properties/Objects and
 it limits their utility/practicality. They can ignore what they do not understand, but

  I would like the implementations to process the STIX as long as it is conformant.

 
 I hope that SEP is going to be like "A consumer MAY ignore

  the STIX it does not understand, but MUST process the STIX as long as

  it is conformant (to SEP)." Am I right to expect that?
 
Regards,
 
Ryu
 


From: Paul Patrick <ppatrick@darklight.ai>

Sent: Friday, August 7, 2020 12:48 AM
To: aa tt <atcyber1000@gmail.com>; Masuoka, Ryusuke/ çå
çä <masuoka.ryusuke@fujitsu.com>
Cc: cti@lists.oasis-open.org
Subject: Re: [cti] Updated Extension Proposal


 
Ryu,
 
I generally agree with Allan in that I see the STIX Extension proposal as a candidate to replace the way customization of STIX 2.1 is done today.  Like Allan,
I too would be supportive of replacing the existing customization mechanism with this proposal but would recommend that the TC deprecate, not remove, the current approach until a future release.
 
To that end, I believe the section in the spec on Customizing STIX be updated to not only provide guidance on how to use the STIX Extension approach but provide
guidance how to use it IN PLACE OF the existing schema.  I can also imagine what an update to STIX Elevator could be to aid in stepping-up from STIX 2.1 to STIX 2.1.1 to make that transition easier for people to move to the new scheme.
 
Paul Patrick
DarkLight, Inc.
 
 

From:
<cti@lists.oasis-open.org> on behalf of aa tt <atcyber1000@gmail.com>
Date: Thursday, August 6, 2020 at 11:33 AM
To: "masuoka.ryusuke@fujitsu.com" <masuoka.ryusuke@fujitsu.com>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Updated Extension Proposal


 

Hi Ryu -

 


My personal feeling is that customization of STIX will remain in the standard as-is but industry best-practices will steer orgs towards using the extension proposal as the primary mechanism
to change STIX.


 


The rationale: JSON content can always be modified regardless of what the CTI TC decides and the customization language in the current specification can just remain as most people already have
done customization in products.


 


However, if the TC felt that it was better to remove the customization language and replace with this extension proposal then I would be supportive of that also.


 


Other proponents of the extension proposal, as well as other TC members should speak up on this topic.


 


regards


 


allan




 


On Aug 5, 2020, at 11:35 PM,
masuoka.ryusuke@fujitsu.com wrote:

 


Hi Allan,
 
I might have missed some discussions, but

what are the relationships between

"11 Customizing STIX" of STIX 2.1 (custom properties,

custom objects, and custom extensions) and

this SEP proposal?

 
Regards,
 
Ryu
 


From:
cti@lists.oasis-open.org < cti@lists.oasis-open.org >
On Behalf Of aa tt
Sent: Thursday, August 6, 2020 12:28 AM
To: cti@lists.oasis-open.org
Subject: [cti] Updated Extension Proposal


 

CTI TC -


 


Please find attached an updated STIX extension proposal that the mini-group worked with IBM (Jason/Emily) to incorporate an acceptable compromise to their concerns.


 


In summary:


 


1) Previously presented extension proposal is maintained and has been named
sub-component extension to clarify the distinction between when it would/should be used vs the additional mechanism added for top-level extension.


2) Added the concept of Top-Level object extension to allow extension properties directly with existing STIX standard objects.


3) Clarified language/definitions around use for both aspects.


 


The google doc containing the specification changes are here: 


https://docs.google.com/document/d/1TkXv1btieo33BAEcVsprgbVob5qeHOHVAQU0bg9AK-c/edit#heading=h.y2hw6f789m5b


 


This proposal represents the agreement by all mini-group participants. We would like to encourage the TC to consider this proposal and incorporate the changes to the STIX standard.


 


Allan Thomson


 




 






 

Hi Ryu - We re still waiting on the chairs/co-chairs to convene a specific TC working call to discuss the proposal. As soon as that call is scheduled we should include your points in that discussion.  However, I suggest that any language in the spec on things a consumer of STIX does not understand should not state MUST process . The definition of process' is ambiguous and therefore not testable without clarification. I would suggest we consider carefully the language used for compliance very carefully so that test specification may be written and easily checked against. This will become especially important for STIXPreferred if/when that gets updated for STIX2.1. If you take a look at how STIXPreferred currently expresses the interoperability of solutions handling custom properties/objects that might help guide any future changes to the spec when we are talking about handling content defined as an extension. regards Allan On Aug 21, 2020, at 1:09 AM, masuoka.ryusuke@fujitsu.com wrote: Hi Allan, Patrick,   Thank you for your input and sorry for my late response. (I am back from my long summer (Obon) break.)   I too am supportive of replacing the existing customization mechanism with this proposal and deprecating the current approach until a future release based on the following reasons.   - There should be only one way to do a certain thing.   I understand this is one of the lessons the TC learned from STIX 1.x experiences.   - The current approach ( 11 Customizing STIX of STIX 2.1) says      A consumer that receives STIX content containing Custom Properties, Objects or Extensions   it does not understand   MAY   refuse to process the content or MAY ignore those properties     or objects and continue processing the content.    and some STIX 2.x implementation actually raises errors when they see  Custom Properties/Objects that it does not understand.  When this happens, it is really difficult to use Custom Properties/Objects and  it limits their utility/practicality. They can ignore what they do not understand, but   I would like the implementations to process the STIX as long as it is conformant.    I hope that SEP is going to be like A consumer MAY ignore   the STIX it does not understand, but MUST process the STIX as long as   it is conformant (to SEP). Am I right to expect that?   Regards,   Ryu   From:   Paul Patrick < ppatrick@darklight.ai >   Sent:   Friday, August 7, 2020 12:48 AM To:   aa tt < atcyber1000@gmail.com >; Masuoka, Ryusuke/ çå   çä   < masuoka.ryusuke@fujitsu.com > Cc:   cti@lists.oasis-open.org Subject:   Re: [cti] Updated Extension Proposal   Ryu,   I generally agree with Allan in that I see the STIX Extension proposal as a candidate to replace the way customization of STIX 2.1 is done today.  Like Allan, I too would be supportive of replacing the existing customization mechanism with this proposal but would recommend that the TC deprecate, not remove, the current approach until a future release.   To that end, I believe the section in the spec on Customizing STIX be updated to not only provide guidance on how to use the STIX Extension approach but provide guidance how to use it IN PLACE OF the existing schema.  I can also imagine what an update to STIX Elevator could be to aid in stepping-up from STIX 2.1 to STIX 2.1.1 to make that transition easier for people to move to the new scheme.   Paul Patrick DarkLight, Inc.     From:   < cti@lists.oasis-open.org > on behalf of aa tt < atcyber1000@gmail.com > Date:   Thursday, August 6, 2020 at 11:33 AM To:   masuoka.ryusuke@fujitsu.com < masuoka.ryusuke@fujitsu.com > Cc:   cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject:   Re: [cti] Updated Extension Proposal   Hi Ryu -   My personal feeling is that customization of STIX will remain in the standard as-is but industry best-practices will steer orgs towards using the extension proposal as the primary mechanism to change STIX.   The rationale: JSON content can always be modified regardless of what the CTI TC decides and the customization language in the current specification can just remain as most people already have done customization in products.   However, if the TC felt that it was better to remove the customization language and replace with this extension proposal then I would be supportive of that also.   Other proponents of the extension proposal, as well as other TC members should speak up on this topic.   regards   allan   On Aug 5, 2020, at 11:35 PM,   masuoka.ryusuke@fujitsu.com   wrote:   Hi Allan,   I might have missed some discussions, but what are the relationships between 11 Customizing STIX of STIX 2.1 (custom properties, custom objects, and custom extensions) and this SEP proposal?   Regards,   Ryu   From:   cti@lists.oasis-open.org   < cti@lists.oasis-open.org >   On Behalf Of   aa tt Sent:   Thursday, August 6, 2020 12:28 AM To:   cti@lists.oasis-open.org Subject:   [cti] Updated Extension Proposal   CTI TC -     Please find attached an updated STIX extension proposal that the mini-group worked with IBM (Jason/Emily) to incorporate an acceptable compromise to their concerns.   In summary:   1) Previously presented extension proposal is maintained and has been named   sub-component extension   to clarify the distinction between when it would/should be used vs the additional mechanism added for top-level extension. 2) Added the concept of Top-Level object extension to allow extension properties directly with existing STIX standard objects. 3) Clarified language/definitions around use for both aspects.   The google doc containing the specification changes are here:  https://docs.google.com/document/d/1TkXv1btieo33BAEcVsprgbVob5qeHOHVAQU0bg9AK-c/edit#heading=h.y2hw6f789m5b   This proposal represents the agreement by all mini-group participants. We would like to encourage the TC to consider this proposal and incorporate the changes to the STIX standard.   Allan Thomson

Hi Allan,
 
I will wait for the conversation to begin before diving into the deep discussions.
 
Just quickly ...

I am open to the language as long as STIX 2.x implementations do not raise
errors when they encounter SEP contents that they do not understand.
We have given up on using Custom Objects and Properties due to this very concern.
I am afraid that this concern may hamper SEP's idea of the process of gradually

moving custom objects/properties into the standard.
STIXPreferred is for an org that produces or consumes custom objects/properties and

it does not cover other orgs that happen to receive custom objects/properties.
 
Regards,
 
Ryu
 
 


From: cti@lists.oasis-open.org <cti@lists.oasis-open.org>
On Behalf Of aa tt
Sent: Saturday, August 22, 2020 6:00 AM
To: Masuoka, Ryusuke/ çå
çä <masuoka.ryusuke@fujitsu.com>
Cc: Paul Patrick <ppatrick@darklight.ai>; cti@lists.oasis-open.org
Subject: Re: [cti] Updated Extension Proposal


 
Hi Ryu - We re still waiting on the chairs/co-chairs to convene a specific TC working call to discuss the proposal.

 


As soon as that call is scheduled we should include your points in that discussion. 


 


However, I suggest that any language in the spec on things a consumer of STIX does not understand should not state MUST process . The definition of process' is ambiguous and therefore not testable without clarification.
I would suggest we consider carefully the language used for compliance very carefully so that test specification may be written and easily checked against. This will become especially important for STIXPreferred if/when that gets updated for STIX2.1.


 


If you take a look at how STIXPreferred currently expresses the interoperability of solutions handling custom properties/objects that might help guide any future changes to the spec when we are talking about handling
content defined as an extension.


 


regards


 




Allan








On Aug 21, 2020, at 1:09 AM,
masuoka.ryusuke@fujitsu.com wrote:

 


Hi Allan, Patrick,


 


Thank you for your input and sorry for my late response.


(I am back from my long summer (Obon) break.)


 


I too am supportive of replacing the existing customization mechanism with this proposal


and deprecating the current approach until a future release based on the following reasons.


 


- There should be only one way to do a certain thing.


  I understand this is one of the lessons the TC learned from STIX 1.x experiences.


 


- The current approach ("11 Customizing STIX" of STIX 2.1) says


  


  A consumer that receives STIX content containing Custom Properties, Objects or Extensions


  it does not understand   MAY   refuse to process the
content or MAY ignore those properties  


  or objects and continue processing the content.


 


 and some STIX 2.x implementation actually raises errors when they see


 Custom Properties/Objects that it does not understand.


 When this happens, it is really difficult to use Custom Properties/Objects and


 it limits their utility/practicality. They can ignore what they do not understand, but


  I would like the implementations to process the STIX as long as it is conformant.


 


 I hope that SEP is going to be like "A consumer MAY ignore


  the STIX it does not understand, but MUST process the STIX as long as


  it is conformant (to SEP)." Am I right to expect that?


 


Regards,


 


Ryu


 




From:   Paul
Patrick < ppatrick@darklight.ai >  
Sent:   Friday, August 7, 2020 12:48 AM
To:   aa tt < atcyber1000@gmail.com >; Masuoka, Ryusuke/ çå   çä   < masuoka.ryusuke@fujitsu.com >
Cc:   cti@lists.oasis-open.org
Subject:   Re: [cti] Updated Extension Proposal




 


Ryu,


 


I generally agree with Allan in that I see the STIX Extension proposal as a candidate to replace the way customization of STIX 2.1 is done today.  Like Allan,
I too would be supportive of replacing the existing customization mechanism with this proposal but would recommend that the TC deprecate, not remove, the current approach until a future release.


 


To that end, I believe the section in the spec on Customizing STIX be updated to not only provide guidance on how to use the STIX Extension approach but provide
guidance how to use it IN PLACE OF the existing schema.  I can also imagine what an update to STIX Elevator could be to aid in stepping-up from STIX 2.1 to STIX 2.1.1 to make that transition easier for people to move to the new scheme.


 


Paul Patrick


DarkLight, Inc.


 


 



From:   < cti@lists.oasis-open.org > on behalf of aa tt < atcyber1000@gmail.com >
Date:   Thursday, August 6, 2020 at 11:33 AM
To:   " masuoka.ryusuke@fujitsu.com " < masuoka.ryusuke@fujitsu.com >
Cc:   " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
Subject:   Re: [cti] Updated Extension Proposal




 



Hi Ryu -



 




My personal feeling is that customization of STIX will remain in the standard as-is but industry best-practices will steer orgs towards using the extension proposal as the primary mechanism to change STIX.




 




The rationale: JSON content can always be modified regardless of what the CTI TC decides and the customization language in the current specification can just remain as most people already have done customization in products.




 




However, if the TC felt that it was better to remove the customization language and replace with this extension proposal then I would be supportive of that also.




 




Other proponents of the extension proposal, as well as other TC members should speak up on this topic.




 




regards




 




allan





 



On Aug 5, 2020, at 11:35 PM,   masuoka.ryusuke@fujitsu.com   wrote:



 




Hi Allan,


 


I might have missed some discussions, but


what are the relationships between


"11 Customizing STIX" of STIX 2.1 (custom properties,


custom objects, and custom extensions) and


this SEP proposal?


 


Regards,


 


Ryu


 




From:   cti@lists.oasis-open.org   < cti@lists.oasis-open.org >   On
Behalf Of   aa tt
Sent:   Thursday, August 6, 2020 12:28 AM
To:   cti@lists.oasis-open.org
Subject:   [cti] Updated Extension Proposal




 



CTI TC -  



 




Please find attached an updated STIX extension proposal that the mini-group worked with IBM (Jason/Emily) to incorporate an acceptable compromise to their concerns.




 




In summary:




 




1) Previously presented extension proposal is maintained and has been named   sub-component extension   to
clarify the distinction between when it would/should be used vs the additional mechanism added for top-level extension.




2) Added the concept of Top-Level object extension to allow extension properties directly with existing STIX standard objects.




3) Clarified language/definitions around use for both aspects.




 




The google doc containing the specification changes are here: 




https://docs.google.com/document/d/1TkXv1btieo33BAEcVsprgbVob5qeHOHVAQU0bg9AK-c/edit#heading=h.y2hw6f789m5b




 




This proposal represents the agreement by all mini-group participants. We would like to encourage the TC to consider this proposal and incorporate the changes to the STIX standard.




 




Allan Thomson











 

Hi Ryu - I don t believe its practical nor possible to mandate what products do when they encounter custom content from an intel provider. In many cases, there are legitimate reasons why a particular product would *want* to display some warning or error when it fails to understand or import all of an intel provider s content. Whether those warnings or errors are shown in a log file or directly to the user is again a product choice. Not OASIS/standards choice. So I know the approach taken with STIXPreferred was to test that the software being verified for certification would not terminate or fail completely and the verification was done on ensuring non-fatal processing. But mandating that the product does not generate an error or warning is not possible. In some cases, a product may prompt the user for guidance on what to do with the intelligence given that in some cases its not possible to automate a decision at all. Allan On Aug 24, 2020, at 12:05 AM, masuoka.ryusuke@fujitsu.com wrote: Hi Allan,   I will wait for the conversation to begin before diving into the deep discussions.   Just quickly ... I am open to the language as long as STIX 2.x implementations do not raise errors when they encounter SEP contents that they do not understand. We have given up on using Custom Objects and Properties due to this very concern. I am afraid that this concern may hamper SEP's idea of the process of gradually moving custom objects/properties into the standard. STIXPreferred is for an org that produces or consumes custom objects/properties and it does not cover other orgs that happen to receive custom objects/properties.   Regards,   Ryu     From:   cti@lists.oasis-open.org   < cti@lists.oasis-open.org >   On Behalf Of   aa tt Sent:   Saturday, August 22, 2020 6:00 AM To:   Masuoka, Ryusuke/ çå   çä   < masuoka.ryusuke@fujitsu.com > Cc:   Paul Patrick < ppatrick@darklight.ai >;   cti@lists.oasis-open.org Subject:   Re: [cti] Updated Extension Proposal   Hi Ryu - We re still waiting on the chairs/co-chairs to convene a specific TC working call to discuss the proposal.   As soon as that call is scheduled we should include your points in that discussion.    However, I suggest that any language in the spec on things a consumer of STIX does not understand should not state MUST process . The definition of process' is ambiguous and therefore not testable without clarification. I would suggest we consider carefully the language used for compliance very carefully so that test specification may be written and easily checked against. This will become especially important for STIXPreferred if/when that gets updated for STIX2.1.   If you take a look at how STIXPreferred currently expresses the interoperability of solutions handling custom properties/objects that might help guide any future changes to the spec when we are talking about handling content defined as an extension.   regards   Allan On Aug 21, 2020, at 1:09 AM,   masuoka.ryusuke@fujitsu.com   wrote:   Hi Allan, Patrick,   Thank you for your input and sorry for my late response. (I am back from my long summer (Obon) break.)   I too am supportive of replacing the existing customization mechanism with this proposal and deprecating the current approach until a future release based on the following reasons.   - There should be only one way to do a certain thing.   I understand this is one of the lessons the TC learned from STIX 1.x experiences.   - The current approach ( 11 Customizing STIX of STIX 2.1) says      A consumer that receives STIX content containing Custom Properties, Objects or Extensions   it does not understand   MAY   refuse to process the content or MAY ignore those properties     or objects and continue processing the content.    and some STIX 2.x implementation actually raises errors when they see  Custom Properties/Objects that it does not understand.  When this happens, it is really difficult to use Custom Properties/Objects and  it limits their utility/practicality. They can ignore what they do not understand, but   I would like the implementations to process the STIX as long as it is conformant.    I hope that SEP is going to be like A consumer MAY ignore   the STIX it does not understand, but MUST process the STIX as long as   it is conformant (to SEP). Am I right to expect that?   Regards,   Ryu   From:   Paul Patrick < ppatrick@darklight.ai >   Sent:   Friday, August 7, 2020 12:48 AM To:   aa tt < atcyber1000@gmail.com >; Masuoka, Ryusuke/ çå   çä   < masuoka.ryusuke@fujitsu.com > Cc:   cti@lists.oasis-open.org Subject:   Re: [cti] Updated Extension Proposal   Ryu,   I generally agree with Allan in that I see the STIX Extension proposal as a candidate to replace the way customization of STIX 2.1 is done today.  Like Allan, I too would be supportive of replacing the existing customization mechanism with this proposal but would recommend that the TC deprecate, not remove, the current approach until a future release.   To that end, I believe the section in the spec on Customizing STIX be updated to not only provide guidance on how to use the STIX Extension approach but provide guidance how to use it IN PLACE OF the existing schema.  I can also imagine what an update to STIX Elevator could be to aid in stepping-up from STIX 2.1 to STIX 2.1.1 to make that transition easier for people to move to the new scheme.   Paul Patrick DarkLight, Inc.     From:   < cti@lists.oasis-open.org > on behalf of aa tt < atcyber1000@gmail.com > Date:   Thursday, August 6, 2020 at 11:33 AM To:   masuoka.ryusuke@fujitsu.com < masuoka.ryusuke@fujitsu.com > Cc:   cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject:   Re: [cti] Updated Extension Proposal   Hi Ryu -   My personal feeling is that customization of STIX will remain in the standard as-is but industry best-practices will steer orgs towards using the extension proposal as the primary mechanism to change STIX.   The rationale: JSON content can always be modified regardless of what the CTI TC decides and the customization language in the current specification can just remain as most people already have done customization in products.   However, if the TC felt that it was better to remove the customization language and replace with this extension proposal then I would be supportive of that also.   Other proponents of the extension proposal, as well as other TC members should speak up on this topic.   regards   allan   On Aug 5, 2020, at 11:35 PM,   masuoka.ryusuke@fujitsu.com   wrote:   Hi Allan,   I might have missed some discussions, but what are the relationships between 11 Customizing STIX of STIX 2.1 (custom properties, custom objects, and custom extensions) and this SEP proposal?   Regards,   Ryu   From:   cti@lists.oasis-open.org   < cti@lists.oasis-open.org >   On Behalf Of   aa tt Sent:   Thursday, August 6, 2020 12:28 AM To:   cti@lists.oasis-open.org Subject:   [cti] Updated Extension Proposal   CTI TC -     Please find attached an updated STIX extension proposal that the mini-group worked with IBM (Jason/Emily) to incorporate an acceptable compromise to their concerns.   In summary:   1) Previously presented extension proposal is maintained and has been named   sub-component extension   to clarify the distinction between when it would/should be used vs the additional mechanism added for top-level extension. 2) Added the concept of Top-Level object extension to allow extension properties directly with existing STIX standard objects. 3) Clarified language/definitions around use for both aspects.   The google doc containing the specification changes are here:  https://docs.google.com/document/d/1TkXv1btieo33BAEcVsprgbVob5qeHOHVAQU0bg9AK-c/edit#heading=h.y2hw6f789m5b   This proposal represents the agreement by all mini-group participants. We would like to encourage the TC to consider this proposal and incorporate the changes to the STIX standard.   Allan Thomson

One other thing to add. If the TC adopts the SEP proposal then STIXPreferred (or some other mechanism) can start to have defined tests for what it means to support a particular extension. That way, a vendor/org can submit their products for extension verification also as part of a certification process.  If an extension is created solely as part of an industry consortium, then that consortium can also define what tests are required to ensure interoperability of that extension. One requirement could be that  a) Software must first be certified STIXPreferred for personas X, Y, Z b) Software must first be certified STIXPreferred for optional categories for WW, TT optional tests. c) Software must test and prove they support SEP-EXT-ID-XXXX and associated interoperability tests. Or something similar. Allan On Aug 24, 2020, at 12:38 PM, aa tt < atcyber1000@gmail.com > wrote: Hi Ryu - I don t believe its practical nor possible to mandate what products do when they encounter custom content from an intel provider. In many cases, there are legitimate reasons why a particular product would *want* to display some warning or error when it fails to understand or import all of an intel provider s content. Whether those warnings or errors are shown in a log file or directly to the user is again a product choice. Not OASIS/standards choice. So I know the approach taken with STIXPreferred was to test that the software being verified for certification would not terminate or fail completely and the verification was done on ensuring non-fatal processing. But mandating that the product does not generate an error or warning is not possible. In some cases, a product may prompt the user for guidance on what to do with the intelligence given that in some cases its not possible to automate a decision at all. Allan On Aug 24, 2020, at 12:05 AM, masuoka.ryusuke@fujitsu.com wrote: Hi Allan,   I will wait for the conversation to begin before diving into the deep discussions.   Just quickly ... I am open to the language as long as STIX 2.x implementations do not raise errors when they encounter SEP contents that they do not understand. We have given up on using Custom Objects and Properties due to this very concern. I am afraid that this concern may hamper SEP's idea of the process of gradually moving custom objects/properties into the standard. STIXPreferred is for an org that produces or consumes custom objects/properties and it does not cover other orgs that happen to receive custom objects/properties.   Regards,   Ryu     From:   cti@lists.oasis-open.org   < cti@lists.oasis-open.org >   On Behalf Of   aa tt Sent:   Saturday, August 22, 2020 6:00 AM To:   Masuoka, Ryusuke/ çå   çä   < masuoka.ryusuke@fujitsu.com > Cc:   Paul Patrick < ppatrick@darklight.ai >;   cti@lists.oasis-open.org Subject:   Re: [cti] Updated Extension Proposal   Hi Ryu - We re still waiting on the chairs/co-chairs to convene a specific TC working call to discuss the proposal.   As soon as that call is scheduled we should include your points in that discussion.    However, I suggest that any language in the spec on things a consumer of STIX does not understand should not state MUST process . The definition of process' is ambiguous and therefore not testable without clarification. I would suggest we consider carefully the language used for compliance very carefully so that test specification may be written and easily checked against. This will become especially important for STIXPreferred if/when that gets updated for STIX2.1.   If you take a look at how STIXPreferred currently expresses the interoperability of solutions handling custom properties/objects that might help guide any future changes to the spec when we are talking about handling content defined as an extension.   regards   Allan On Aug 21, 2020, at 1:09 AM,   masuoka.ryusuke@fujitsu.com   wrote:   Hi Allan, Patrick,   Thank you for your input and sorry for my late response. (I am back from my long summer (Obon) break.)   I too am supportive of replacing the existing customization mechanism with this proposal and deprecating the current approach until a future release based on the following reasons.   - There should be only one way to do a certain thing.   I understand this is one of the lessons the TC learned from STIX 1.x experiences.   - The current approach ( 11 Customizing STIX of STIX 2.1) says      A consumer that receives STIX content containing Custom Properties, Objects or Extensions   it does not understand   MAY   refuse to process the content or MAY ignore those properties     or objects and continue processing the content.    and some STIX 2.x implementation actually raises errors when they see  Custom Properties/Objects that it does not understand.  When this happens, it is really difficult to use Custom Properties/Objects and  it limits their utility/practicality. They can ignore what they do not understand, but   I would like the implementations to process the STIX as long as it is conformant.    I hope that SEP is going to be like A consumer MAY ignore   the STIX it does not understand, but MUST process the STIX as long as   it is conformant (to SEP). Am I right to expect that?   Regards,   Ryu   From:   Paul Patrick < ppatrick@darklight.ai >   Sent:   Friday, August 7, 2020 12:48 AM To:   aa tt < atcyber1000@gmail.com >; Masuoka, Ryusuke/ çå   çä   < masuoka.ryusuke@fujitsu.com > Cc:   cti@lists.oasis-open.org Subject:   Re: [cti] Updated Extension Proposal   Ryu,   I generally agree with Allan in that I see the STIX Extension proposal as a candidate to replace the way customization of STIX 2.1 is done today.  Like Allan, I too would be supportive of replacing the existing customization mechanism with this proposal but would recommend that the TC deprecate, not remove, the current approach until a future release.   To that end, I believe the section in the spec on Customizing STIX be updated to not only provide guidance on how to use the STIX Extension approach but provide guidance how to use it IN PLACE OF the existing schema.  I can also imagine what an update to STIX Elevator could be to aid in stepping-up from STIX 2.1 to STIX 2.1.1 to make that transition easier for people to move to the new scheme.   Paul Patrick DarkLight, Inc.     From:   < cti@lists.oasis-open.org > on behalf of aa tt < atcyber1000@gmail.com > Date:   Thursday, August 6, 2020 at 11:33 AM To:   masuoka.ryusuke@fujitsu.com < masuoka.ryusuke@fujitsu.com > Cc:   cti@lists.oasis-open.org < cti@lists.oasis-open.org > Subject:   Re: [cti] Updated Extension Proposal   Hi Ryu -   My personal feeling is that customization of STIX will remain in the standard as-is but industry best-practices will steer orgs towards using the extension proposal as the primary mechanism to change STIX.   The rationale: JSON content can always be modified regardless of what the CTI TC decides and the customization language in the current specification can just remain as most people already have done customization in products.   However, if the TC felt that it was better to remove the customization language and replace with this extension proposal then I would be supportive of that also.   Other proponents of the extension proposal, as well as other TC members should speak up on this topic.   regards   allan   On Aug 5, 2020, at 11:35 PM,   masuoka.ryusuke@fujitsu.com   wrote:   Hi Allan,   I might have missed some discussions, but what are the relationships between 11 Customizing STIX of STIX 2.1 (custom properties, custom objects, and custom extensions) and this SEP proposal?   Regards,   Ryu   From:   cti@lists.oasis-open.org   < cti@lists.oasis-open.org >   On Behalf Of   aa tt Sent:   Thursday, August 6, 2020 12:28 AM To:   cti@lists.oasis-open.org Subject:   [cti] Updated Extension Proposal   CTI TC -     Please find attached an updated STIX extension proposal that the mini-group worked with IBM (Jason/Emily) to incorporate an acceptable compromise to their concerns.   In summary:   1) Previously presented extension proposal is maintained and has been named   sub-component extension   to clarify the distinction between when it would/should be used vs the additional mechanism added for top-level extension. 2) Added the concept of Top-Level object extension to allow extension properties directly with existing STIX standard objects. 3) Clarified language/definitions around use for both aspects.   The google doc containing the specification changes are here:  https://docs.google.com/document/d/1TkXv1btieo33BAEcVsprgbVob5qeHOHVAQU0bg9AK-c/edit#heading=h.y2hw6f789m5b   This proposal represents the agreement by all mini-group participants. We would like to encourage the TC to consider this proposal and incorporate the changes to the STIX standard.   Allan Thomson

Hi Allan,
 
I think it would be better/quicker to delay further discussions
until online occasions. I just list two clarifications.

 
- I got your point on what products display for contents they do not understand.
 I am afraid, though, that I have misled you with "raise errors" phrase.
  The case I am talking about is where an implementation dismisses/drops the whole
  STIX file (as an error) when they see custom objects/properties they do not understand.

  I would like to see the valid part (that is what they understand) of the STIX

  gets through to the consumer even if the whole STIX has some unknown (to the consumer)
  custom objects/properties.
 
- The cases, where I thought Custom Objects/Properties or SEP will be used,

  includes communities like ISAC/ISAO other than Intel providers.

  The community members might be using different products.

  It would be difficult for the community to introduce

  community-specific custom contents if some of the products used in the community

  drop the whole STIX with some unknown custom contents.

 
Regards,
 
Ryu
 


From: aa tt <atcyber1000@gmail.com>

Sent: Tuesday, August 25, 2020 4:38 AM
To: Masuoka, Ryusuke/ çå
çä <masuoka.ryusuke@fujitsu.com>
Cc: Paul Patrick <ppatrick@darklight.ai>; cti@lists.oasis-open.org
Subject: Re: [cti] Updated Extension Proposal


 
Hi Ryu - I don t believe its practical nor possible to mandate what products do when they encounter custom content from an intel provider.

 


In many cases, there are legitimate reasons why a particular product would *want* to display some warning or error when it fails to understand or import all of an intel provider s content. Whether those warnings or errors
are shown in a log file or directly to the user is again a product choice. Not OASIS/standards choice.


 


So I know the approach taken with STIXPreferred was to test that the software being verified for certification would not terminate or fail completely and the verification was done on ensuring non-fatal processing. But
mandating that the product does not generate an error or warning is not possible. In some cases, a product may prompt the user for guidance on what to do with the intelligence given that in some cases its not possible to automate a decision at all.


 


Allan








On Aug 24, 2020, at 12:05 AM,
masuoka.ryusuke@fujitsu.com wrote:

 


Hi Allan,


 


I will wait for the conversation to begin before diving into the deep discussions.


 


Just quickly ...


I am open to the language as long as STIX 2.x implementations do not raise


errors when they encounter SEP contents that they do not understand.


We have given up on using Custom Objects and Properties due to this very concern.


I am afraid that this concern may hamper SEP's idea of the process of gradually


moving custom objects/properties into the standard.


STIXPreferred is for an org that produces or consumes custom objects/properties and


it does not cover other orgs that happen to receive custom objects/properties.


 


Regards,


 


Ryu


 


 




From:   cti@lists.oasis-open.org   < cti@lists.oasis-open.org >   On
Behalf Of   aa tt
Sent:   Saturday, August 22, 2020 6:00 AM
To:   Masuoka, Ryusuke/ çå   çä   < masuoka.ryusuke@fujitsu.com >
Cc:   Paul Patrick < ppatrick@darklight.ai >;   cti@lists.oasis-open.org
Subject:   Re: [cti] Updated Extension Proposal




 


Hi Ryu - We re still waiting on the chairs/co-chairs to convene a specific TC working call to discuss the proposal.



 




As soon as that call is scheduled we should include your points in that discussion. 




 




However, I suggest that any language in the spec on things a consumer of STIX does not understand should not state
MUST process . The definition of
process' is ambiguous and therefore not testable without clarification. I would suggest we consider carefully the language used for compliance very carefully so that test specification may be written and easily checked against. This
will become especially important for STIXPreferred if/when that gets updated for STIX2.1.




 




If you take a look at how STIXPreferred currently expresses the interoperability of solutions handling custom properties/objects that might help guide any future changes to the spec when we are talking about handling
content defined as an extension.




 




regards




 






Allan













On Aug 21, 2020, at 1:09 AM,   masuoka.ryusuke@fujitsu.com   wrote:



 




Hi Allan, Patrick,




 




Thank you for your input and sorry for my late response.




(I am back from my long summer (Obon) break.)




 




I too am supportive of replacing the existing customization mechanism with this proposal




and deprecating the current approach until a future release based on the following reasons.




 




- There should be only one way to do a certain thing.




  I understand this is one of the lessons the TC learned from STIX 1.x experiences.




 




- The current approach ("11 Customizing STIX" of STIX 2.1) says




  




  A consumer that receives STIX content containing Custom Properties, Objects or Extensions




  it does not understand   MAY   refuse to process the
content or MAY ignore those properties  




  or objects and continue processing the content.




 




 and some STIX 2.x implementation actually raises errors when they see




 Custom Properties/Objects that it does not understand.




 When this happens, it is really difficult to use Custom Properties/Objects and




 it limits their utility/practicality. They can ignore what they do not understand, but




  I would like the implementations to process the STIX as long as it is conformant.




 




 I hope that SEP is going to be like "A consumer MAY ignore




  the STIX it does not understand, but MUST process the STIX as long as




  it is conformant (to SEP)." Am I right to expect that?




 




Regards,




 




Ryu




 






From:   Paul
Patrick < ppatrick@darklight.ai >  
Sent:   Friday, August 7, 2020 12:48 AM
To:   aa tt < atcyber1000@gmail.com >; Masuoka, Ryusuke/ çå   çä   < masuoka.ryusuke@fujitsu.com >
Cc:   cti@lists.oasis-open.org
Subject:   Re: [cti] Updated Extension Proposal






 




Ryu,




 




I generally agree with Allan in that I see the STIX Extension proposal as a candidate to replace the way customization of STIX 2.1 is done today.  Like Allan,
I too would be supportive of replacing the existing customization mechanism with this proposal but would recommend that the TC deprecate, not remove, the current approach until a future release.




 




To that end, I believe the section in the spec on Customizing STIX be updated to not only provide guidance on how to use the STIX Extension approach but provide
guidance how to use it IN PLACE OF the existing schema.  I can also imagine what an update to STIX Elevator could be to aid in stepping-up from STIX 2.1 to STIX 2.1.1 to make that transition easier for people to move to the new scheme.




 




Paul Patrick




DarkLight, Inc.




 




 





From:   < cti@lists.oasis-open.org > on behalf of aa tt < atcyber1000@gmail.com >
Date:   Thursday, August 6, 2020 at 11:33 AM
To:   " masuoka.ryusuke@fujitsu.com " < masuoka.ryusuke@fujitsu.com >
Cc:   " cti@lists.oasis-open.org " < cti@lists.oasis-open.org >
Subject:   Re: [cti] Updated Extension Proposal






 





Hi Ryu -





 






My personal feeling is that customization of STIX will remain in the standard as-is but industry best-practices will steer orgs towards using the extension proposal as the primary mechanism to change STIX.






 






The rationale: JSON content can always be modified regardless of what the CTI TC decides and the customization language in the current specification can just remain as most people already have done customization in products.






 






However, if the TC felt that it was better to remove the customization language and replace with this extension proposal then I would be supportive of that also.






 






Other proponents of the extension proposal, as well as other TC members should speak up on this topic.






 






regards






 






allan






 




On Aug 5, 2020, at 11:35 PM,   masuoka.ryusuke@fujitsu.com   wrote:





 






Hi Allan,




 




I might have missed some discussions, but




what are the relationships between




"11 Customizing STIX" of STIX 2.1 (custom properties,




custom objects, and custom extensions) and




this SEP proposal?




 




Regards,




 




Ryu




 






From:   cti@lists.oasis-open.org   < cti@lists.oasis-open.org >   On
Behalf Of   aa tt
Sent:   Thursday, August 6, 2020 12:28 AM
To:   cti@lists.oasis-open.org
Subject:   [cti] Updated Extension Proposal






 





CTI TC -  





 






Please find attached an updated STIX extension proposal that the mini-group worked with IBM (Jason/Emily) to incorporate an acceptable compromise to their concerns.






 






In summary:






 






1) Previously presented extension proposal is maintained and has been named   sub-component extension   to
clarify the distinction between when it would/should be used vs the additional mechanism added for top-level extension.






2) Added the concept of Top-Level object extension to allow extension properties directly with existing STIX standard objects.






3) Clarified language/definitions around use for both aspects.






 






The google doc containing the specification changes are here: 






https://docs.google.com/document/d/1TkXv1btieo33BAEcVsprgbVob5qeHOHVAQU0bg9AK-c/edit#heading=h.y2hw6f789m5b






 






This proposal represents the agreement by all mini-group participants. We would like to encourage the TC to consider this proposal and incorporate the changes to the STIX standard.






 






Allan Thomson