I think I should clarify my statement
“ For automated COAs, the group discussed using OpenC2 if the timelines align.“
I meant that if STIX COA is being targeted for 2.1 which is being wrapped up soon, that timeline doesn’t align with OpenC2’s formal release. Having said that, as per the design being worked out in the google
doc, the COA will still have an optional property for openc2 as a placeholder. Hope that clarifies.
Thanks,
Jyoti
Technical Leader,
CTO office Security Business Group,
Cisco Systems Inc.
From: <
openc2-imple@lists.oasis-open.org> on behalf of "Kemp, David P" <
dpkemp@radium.ncsc.mil>
Date: Friday, September 22, 2017 at 7:26 AM
To: "cti-stix@lists.oasis-open.org" <
cti-stix@lists.oasis-open.org>, "openc2-imple@lists.oasis-open.org" <
openc2-imple@lists.oasis-open.org>
Subject: [openc2-imple] RE: [Non-DoD Source] [openc2-imple] STIX COA Roadmap
I have no objections to the list of 5 features to pursue. It looks like a great list.
Re Jyoti’s “ For automated COAs, the group discussed using OpenC2 if the timelines align.“:
I’d like to reiterate the discussion on OpenC2 IC SC slack – there is no inconsistency or mismatch between the capabilities of the current OpenC2 and the ability to support those 5 features, or any future set of COA features. Those
features can be supported whenever the evolving COA language (bash/python/etc near-term, potentially a to-be-developed COA-specific DSL longer term) can do so. OpenC2 is used for the atomic M2M actions specified in the COA. With a suitable “notification”
actuator profile OpenC2 might also be used to support some non-automated actions, but that is not it’s primary focus.
Dave
From:
openc2-imple@lists.oasis-open.org [mailto:
openc2-imple@lists.oasis-open.org]
On Behalf Of Duncan
Sent: Friday, September 22, 2017 8:05 AM
To: Bret Jordan <
bret_jordan@symantec.com>; Jyoti Verma (jyoverma) <
jyoverma@cisco.com>;
cti-stix@lists.oasis-open.org Cc:
openc2-imple@lists.oasis-open.org;
openc2-committee-chairs@lists.oasis-open.org Subject: [Non-DoD Source] [openc2-imple] STIX COA Roadmap
Bret, Jyoti,
Re: "If no negative feedback is given we will take that as unanimous consent"
I would like to give some negative feedback. Sorry to break your unanimity but I have a concern.
Bret said "OpenC2 might be an option. However, to date, the OpenC2 work has had a very narrow focus."
Bret, you are co-chair of the OpenC2 SC that owns solving OpenC2 for Stix COA. Joyti is co-chair of the OpenC2 SC that owns defining what OpenC2 consumers do with OpenC2. For you to imply on a CTI mailing list that OpenC2 won't meet CTI
needs seems odd to me. I am very concerned miscommunication is occurring. Shouldn't you as co-chair of the OpenC2 SC be answering that OpenC2 will at least try to meet CTI needs? Of course we need to walk before we fly but if there are schedule concerns, please
voice them. I have been trying to speed up the process eg my request your OpenC2 SC meet more often than monthly. If we are going too slow, the answer is not to duplicate effort in CTI or form a new SC or TC to do what we already doing. Put those resources
into OpenC2.
iPhone, iTypo, iApologize
Duncan Sparrell
sFractal Consulting, LLC
The closer you look, the more you see
On Thu, Sep 21, 2017 at 12:27 PM -0400, "Bret Jordan" <
Bret_Jordan@symantec.com > wrote:
SC,
I would like to reiterate Jyoti's call for feedback over the next 14 days. If no negative feedback is given we will take that as unanimous consent that the direction the COA mini group is going and the elements
we are going to tackle for the first release are approved by this SC.
Bret
From:
cti-stix@lists.oasis-open.org <
cti-stix@lists.oasis-open.org> on behalf of Jyoti Verma (jyoverma) <
jyoverma@cisco.com>
Sent: Thursday, September 21, 2017 12:16:58 AM
To:
cti-stix@lists.oasis-open.org Subject: [EXT] [cti-stix] STIX COA Roadmap
CTI TC,
The COA mini group has been meeting on a weekly basis since a couple of weeks and we’ve put together a roadmap for the goals/features that we would like to address across 3 STIX releases. The mini group gave
a readout on the Sept 19 th working call and the slides we presented are here –
https://docs.google.com/presentation/d/1be_i8zcIlsmo_sStB8jeAp33sah-z7SgVGw_eRm1omc/edit?usp=sharing In the first release, we would be solving the following 5 features for manual/automated COAs. For automated COAs, the group discussed using OpenC2 if the timelines align. More details on the complete roadmap
and use cases can be found in the working draft here -
https://docs.google.com/document/d/1zXV5WEmyLUbKiSpuHgywu5-LLrJVd91d7OP3nQBB7qM/edit# .
Feature
Description
Example
Preventative Static COAs
Literal COAs tied to indicator or other objects. No need to wait for anything to fire.
SANS Top 20 controls or blacklist domains
Mitigative or Remediative Static COAs
All information to take the action is statically configured and known a-priori.
Block evildomain.com
Deny traffic to and from 10.0.0.1
Delete Registry key
Accommodating multiple actions
Single COA representing multiple steps
Cleaning up malware from Windows Desktop - safe mode, kill process, delete key, delete file, etc.
Basic Sequencing
The order in which COAs should be executed
1->2->3->4
Allow parallel processing
Allow the actions to define if they can be done in parallel or if they need to be done one at a time
1->2
3->4
If there are objections to this list, please let us know within 14 days. You can send your comments by replying to this email or in the COA channel on Slack.
Thanks,
STIX COA mini group