CTI STIX Subcommittee

  • 1.  Threat Actor and Identity

    Posted 07-01-2016 12:22




    Hey all,
     
    In an effort to kick-start the identity and threat actor discussion, a few of us got together yesterday and spent some time fleshing out a first shot at them. Please take a look in the document and see if
    what we have will work for MVP:
     
    Identity:
    https://docs.google.com/document/d/1F1c05GgYaJFV1Z04B8c_T3vEE-LRQTPExF24LvOQAsk/edit#heading=h.ja9ea729i9rh

    Threat Actor:
    https://docs.google.com/document/d/1F1c05GgYaJFV1Z04B8c_T3vEE-LRQTPExF24LvOQAsk/edit#heading=h.m7vja8o49dq0
     
    I know that Identity in particular probably doesn’t have all of the fields we eventually want to add. We included fields for usernames, addresses, and phone numbers as RESERVED so we can talk through them
    for 2.1. Our worry was that if we tried to completely flesh out indicator for 2.0 we would either get it wrong or run out of time, so the set we have included now is intended to cover just the primary use cases.
     
    John






  • 2.  Re: [cti-stix] Threat Actor and Identity

    Posted 07-01-2016 13:18
    Regarding Identity:

    While I could see an improvement (or good direction taken) in the information model through the relationships like "created_by_ref"...

    The properties, and the properties' names, seem to be coming from a design from scratch. (Or is this the real intent of (over) simplification, making it look 'childish'?)

    I can't see any design built on previous standards or specifications such as the previous version of CTI/STIX, OASIS CIQ, IODEF:contact (RID or CDXI, etc.). (Is that voluntary? Or is it purely not envisioned any reuse or effort for interoperability?)

    Nor any foundations on classifications (not even US-centric like NAICS for sectors). (Is it just open for -some folks- to complete the [ISO Ref]...?)

    Best regards

    2016-07-01 15:21 GMT+03:00 Wunder, John A. <jwunder@mitre.org>:
    > Hey all,
    >
    > In an effort to kick-start the identity and threat actor discussion, a few
    > of us got together yesterday and spent some time fleshing out a first shot
    > at them. Please take a look in the document and see if what we have will
    > work for MVP:
    >
    > Identity:
    > https://docs.google.com/document/d/1F1c05GgYaJFV1Z04B8c_T3vEE-LRQTPExF24LvOQAsk/edit#heading=h.ja9ea729i9rh
    >
    > Threat Actor:
    > https://docs.google.com/document/d/1F1c05GgYaJFV1Z04B8c_T3vEE-LRQTPExF24LvOQAsk/edit#heading=h.m7vja8o49dq0
    >
    > I know that Identity in particular probably doesn’t have all of the fields
    > we eventually want to add. We included fields for usernames, addresses, and
    > phone numbers as RESERVED so we can talk through them for 2.1. Our worry was
    > that if we tried to completely flesh out indicator for 2.0 we would either
    > get it wrong or run out of time, so the set we have included now is intended
    > to cover just the primary use cases.
    >
    > John


  • 3.  RE: [Non-DoD Source] Re: [cti-stix] Threat Actor and Identity

    Posted 07-01-2016 15:43
    For Identity relationships it may be valuable to have relationships between Identities, i.e. Identity to Identity, such as 'owns' or 'works for'. Not sure how in-depth we want to get in these types of relationships, but would value a discussion.


  • 4.  Re: [Non-DoD Source] Re: [cti-stix] Threat Actor and Identity

    Posted 07-01-2016 19:50
    That’s a good point. Maybe we can do some brainstorming during the call next Tuesday…in particular if people come prepared with some ideas.

    On 7/1/16, 11:42 AM, "Katz, Gary CTR DC3/DCCI" <Gary.Katz.ctr@dc3.mil> wrote:
    > For Identity relationships it may be valuable to have relationships between Identities, i.e. Identity to Identity, such as 'owns' or 'works for'. Not sure how in-depth we want to get in these types of relationships, but would value a discussion.