CTI STIX Subcommittee

Re: [openc2-imple] RE: [Non-DoD Source] [openc2-imple] STIX COA Roadmap

  • 1.  Re: [openc2-imple] RE: [Non-DoD Source] [openc2-imple] STIX COA Roadmap

    Posted 09-22-2017 19:58

    I think I should clarify my statement “For automated COAs, the group discussed using OpenC2 if the timelines align.”

    I meant that if STIX COA is being targeted for 2.1, which is being wrapped up soon, that timeline doesn’t align with OpenC2’s formal release. Having said that, as per the design being worked out in the Google doc, the COA will still have an optional property for openc2 as a placeholder. Hope that clarifies.
     
    Thanks,
    Jyoti

    Technical Leader,
    CTO office Security Business Group,
    Cisco Systems Inc.

    From: <openc2-imple@lists.oasis-open.org> on behalf of "Kemp, David P" <dpkemp@radium.ncsc.mil>
    Date: Friday, September 22, 2017 at 7:26 AM
    To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "openc2-imple@lists.oasis-open.org" <openc2-imple@lists.oasis-open.org>
    Subject: [openc2-imple] RE: [Non-DoD Source] [openc2-imple] STIX COA Roadmap

    I have no objections to the list of 5 features to pursue. It looks like a great list.

    Re Jyoti’s “For automated COAs, the group discussed using OpenC2 if the timelines align.”:
    I’d like to reiterate the discussion on OpenC2 IC SC Slack – there is no inconsistency or mismatch between the capabilities of the current OpenC2 and the ability to support those 5 features, or any future set of COA features. Those features can be supported whenever the evolving COA language (bash/python/etc. near-term, potentially a to-be-developed COA-specific DSL longer term) can do so. OpenC2 is used for the atomic M2M actions specified in the COA. With a suitable “notification” actuator profile OpenC2 might also be used to support some non-automated actions, but that is not its primary focus.

    Dave

    From: openc2-imple@lists.oasis-open.org [mailto:openc2-imple@lists.oasis-open.org] On Behalf Of Duncan
    Sent: Friday, September 22, 2017 8:05 AM
    To: Bret Jordan <bret_jordan@symantec.com>; Jyoti Verma (jyoverma) <jyoverma@cisco.com>; cti-stix@lists.oasis-open.org
    Cc: openc2-imple@lists.oasis-open.org; openc2-committee-chairs@lists.oasis-open.org
    Subject: [Non-DoD Source] [openc2-imple] STIX COA Roadmap

    Bret, Jyoti,

    Re: "If no negative feedback is given we will take that as unanimous consent"

    I would like to give some negative feedback. Sorry to break your unanimity, but I have a concern.

    Bret said "OpenC2 might be an option. However, to date, the OpenC2 work has had a very narrow focus."

    Bret, you are co-chair of the OpenC2 SC that owns solving OpenC2 for STIX COA. Jyoti is co-chair of the OpenC2 SC that owns defining what OpenC2 consumers do with OpenC2. For you to imply on a CTI mailing list that OpenC2 won't meet CTI needs seems odd to me. I am very concerned miscommunication is occurring. Shouldn't you as co-chair of the OpenC2 SC be answering that OpenC2 will at least try to meet CTI needs? Of course we need to walk before we fly, but if there are schedule concerns, please voice them. I have been trying to speed up the process, e.g. my request that your OpenC2 SC meet more often than monthly. If we are going too slow, the answer is not to duplicate effort in CTI or form a new SC or TC to do what we are already doing. Put those resources into OpenC2.

    iPhone, iTypo, iApologize

    Duncan Sparrell
    sFractal Consulting, LLC
    The closer you look, the more you see

    On Thu, Sep 21, 2017 at 12:27 PM -0400, "Bret Jordan" <Bret_Jordan@symantec.com> wrote:

    SC,
     
    I would like to reiterate Jyoti's call for feedback over the next 14 days. If no negative feedback is given we will take that as unanimous consent that the direction the COA mini group is going and the elements we are going to tackle for the first release are approved by this SC.

    Bret

    From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Jyoti Verma (jyoverma) <jyoverma@cisco.com>
    Sent: Thursday, September 21, 2017 12:16:58 AM
    To: cti-stix@lists.oasis-open.org
    Subject: [EXT] [cti-stix] STIX COA Roadmap

    CTI TC,
     
    The COA mini group has been meeting on a weekly basis for a couple of weeks and we’ve put together a roadmap for the goals/features that we would like to address across 3 STIX releases. The mini group gave a readout on the Sept 19th working call and the slides we presented are here –
    https://docs.google.com/presentation/d/1be_i8zcIlsmo_sStB8jeAp33sah-z7SgVGw_eRm1omc/edit?usp=sharing

    In the first release, we would be solving the following 5 features for manual/automated COAs. For automated COAs, the group discussed using OpenC2 if the timelines align. More details on the complete roadmap and use cases can be found in the working draft here -
    https://docs.google.com/document/d/1zXV5WEmyLUbKiSpuHgywu5-LLrJVd91d7OP3nQBB7qM/edit#

    | Feature | Description | Example |
    |---|---|---|
    | Preventative Static COAs | Literal COAs tied to indicator or other objects. No need to wait for anything to fire. | SANS Top 20 controls or blacklist domains |
    | Mitigative or Remediative Static COAs | All information to take the action is statically configured and known a priori. | Block evildomain.com; Deny traffic to and from 10.0.0.1; Delete Registry key |
    | Accommodating multiple actions | Single COA representing multiple steps | Cleaning up malware from Windows Desktop - safe mode, kill process, delete key, delete file, etc. |
    | Basic Sequencing | The order in which COAs should be executed | 1->2->3->4 |
    | Allow parallel processing | Allow the actions to define if they can be done in parallel or if they need to be done one at a time | 1->2 ; 3->4 |

    If there are objections to this list, please let us know within 14 days. You can send your comments by replying to this email or in the COA channel on Slack.
     
    Thanks,
    STIX COA mini group