OASIS Cyber Threat Intelligence (CTI) TC

  • 1.  Re: [cti] Are we following the F2F process?

    Posted 02-12-2016 20:03





    **BLUF: I think we are making good progress, have positively evolved our thinking due to recent conversations and are following the process we said we were going to follow.**




    My understanding is that at the f2f we agreed that we would use the TWIGS content as a starting point (rather than starting from scratch) for discussing the various issues that are in scope for STIX 2.0 and to some degree CybOX 3.0. These issues are the issues that have been identified in the tracker and have always been the basis of our scoping the work that needs to be done in a deliberative and tracked fashion. The current tranche-based (product management style) plan we are following has broken down these in-scope issues into monthly tranches focused on particular areas of capability within STIX/CybOX/TAXII. From what I saw, this plan and the current more detailed Indicator tranche plan covering its indicator-relevant issues seemed to get unanimous approval and support. Now the challenge is to actually progress through this very aggressive plan. ;-)

    I think we have been doing what we said we were going to do: identifying each issue to be tackled at the current time (which week of which tranche), looking to see if/how TWIGS approached it, discussing it on the list and Slack bringing up other ideas and revisions, iterating and discussing until we agree we have consensus, capturing it in normative text in the pre-draft spec docs (which mostly follow TWIGS style but also are adapting to what they need to be for TC), reviewing/commenting/revising until we have consensus, marking the issue as settled in the issue tracker and relevant wiki proposal pages and moving on to other issues. I believe that John, Bret and Mark have been actively carrying the TWIGS flag in this process. Some of the issue discussions and evolutions to consensus have been minor/localized, like adding, deleting or renaming a property on a type, while other issues (especially cross-cutting CTI Common ones) have evolved our picture of "how it all fits together". This will continue to evolve as the pre-draft specs evolve.


    If you feel that the capture of consensus in proposed draft normative text is missing something key from TWIGS, please call it out during discussions or during review of the draft normative text. We can then do our best to ensure it is addressed.

    I would really like to avoid framing our discourse in divisive terms, labeling particular perspectives or inputs with names other than STIX/CybOX/TAXII. I believe it will be more productive to treat the TWIGS document as one set of collaboratively developed, well thought-out existing input (with support from part of the community) into our discussions and deliberations on issues that is evolving into STIX 2.0, CybOX 3.0 and TAXII 2.0. I think the same can be said of other such collaboratively developed, well thought-out inputs with support from parts of the community. Let’s not start from scratch, but let’s also not presume that any of our holistic input is magically correct in its entirety. That goes for the “straw man” I worked with people to create as much as TWIGS, so please don’t think I am throwing stones. I think to get the right answers we need to deliberatively think about each issue with input from as many thought-out perspectives as possible.


    Are you okay with this?

    sean

    From: <cti@lists.oasis-open.org> on behalf of Terry MacDonald <terry@soltra.com>
    Date: Friday, February 12, 2016 at 1:42 AM
    To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
    Subject: [cti] Are we following the F2F process?

    I have a question. I was thinking about this earlier today. I understood that the agreement at the last face-2-face meeting was that TWIGS was going to be used as the general basis for STIX v2.0, and that we would then go through the sections one by one to determine if there were improvements that could be made, and that we could reach consensus. I cannot comment as I was unable to attend the F2F. Can anyone confirm my understanding is correct?

    If so, then this doesn’t appear to have been reflected in the proposed normative texts that I’ve seen. Don’t get me wrong – I believe that the recent progress has been excellent, but I am worried that the process to create the initial content of the current proposals we are seeing isn’t following this agreement.

    If TWIGS were going to be the base, wouldn’t we point to the section within the TWIGS document (so people can see how it all fits together in the whole context of TWIGS), move the TWIGS section over to the CTI/STIX document, convert it to normative statements, and then whomever wishes can propose whatever changes they would like to see to that normative text?

    If my understanding as to the agreement formed at the F2F is incorrect, please correct me and I’ll get back in my box :)

    Note: This is not directed at anyone in particular. This is directed at all of us in the community that produce proposals. I am only enquiring if as a group we are correctly following the process agreed at the F2F.

    Anyone have answers?

    Cheers

    Terry MacDonald
    Senior STIX Subject Matter Expert
    SOLTRA   An FS-ISAC and DTCC Company
    +61 (407) 203 206
    terry@soltra.com



    From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of Barnum, Sean D.
    Sent: Friday, 12 February 2016 2:18 AM
    To: cti@lists.oasis-open.org
    Subject: [cti] Proposed normative text available for Report object refactoring - (Goal: Reach official consensus by Monday)


     

    Refactoring of the Report object based on our breaking out of relationships is one of the issues that we seem to have general consensus on but have not yet agreed to normative text.

    Proposed normative text is now available for your review in the STIX 2.0 Specification Pre-draft document.

    It is fairly straightforward and should not take long to consider.

    Please review the normative text and add comments to the document for any concerns, questions or ideas you may have.

    If we do not see any significant concerns/objections to the normative text by Monday we will consider this issue to have officially achieved consensus and move on to others.

    For the quick convenience of anyone having difficulty accessing the live specification pre-draft document, the relevant text is included below.

    Report Object

    The Report Object is a mechanism for relating a collection of STIX TLOs together according to some shared context.

    Inherited Fields

    The Indicator object would inherit the CTI Core Properties and the CTI Descriptive Properties.

    Proposed Fields

    Property Name            Type                               Description
    intents (required)       array of type report-intent-type   Specifies the intended purposes or uses of this Report.
    intents_ext (optional)   array of type vocab-ext            Specifies alternate intended purposes or uses of this Report.

    Example (using only created_by_ref for brevity)

    {
      "type": "package",
      "id": "package--44af6c39-c09b-49c5-9de2-394224b04982",
      "sources": [
        {
          "type": "identity",
          "id": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283",
          "name": "Symantec"
        }
      ],
      "reports": [
        {
          "type": "report",
          "id": "report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcbd",
          "created_at": "2015-12-21T19:59:11.000000+00:00",
          "title": "The Black Vine Cyberespionage Group",
          "description": "A simple report with an indicator, campaign and a relationship between them",
          "intents": ["Threat Report"],
          "created_by_ref": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283"
        }
      ],
      "indicators": [
        {
          "type": "indicator",
          "id": "indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2",
          "created_at": "2015-12-21T19:59:17.000000+00:00",
          "title": "Some indicator",
          "indicator_types": ["IP Watchlist"],
          "created_by_ref": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283"
        }
      ],
      "campaigns": [
        {
          "type": "campaign",
          "id": "campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
          "created_at": "2015-12-21T19:59:17.000000+00:00",
          "title": "Some Campaign",
          "created_by_ref": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283"
        }
      ],
      "relationships": [
        {
          "type": "relationship",
          "id": "relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a",
          "created_at": "2015-12-21T19:59:17.000000+00:00",
          "from": "report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcbd",
          "to": "indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2",
          "relationship_nature": "Report Contains",
          "created_by_ref": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283"
        },
        {
          "type": "relationship",
          "id": "relationship--72f666b6-f1db-4b2c-82e3-71ab49a84be1",
          "created_at": "2015-12-21T19:59:17.000000+00:00",
          "from": "report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcbd",
          "to": "campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
          "relationship_nature": "Report Contains",
          "created_by_ref": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283"
        },
        {
          "type": "relationship",
          "id": "relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a",
          "created_at": "2015-12-21T19:59:17.000000+00:00",
          "from": "indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2",
          "to": "campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c",
          "relationship_nature": "Related Campaign",
          "created_by_ref": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283"
        },
        {
          "type": "relationship",
          "id": "relationship--a05d8c6a-ccea-4a0a-a8e0-68dfe85fbfa9",
          "created_at": "2015-12-21T19:59:17.000000+00:00",
          "from": "report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcbd",
          "to": "relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a",
          "relationship_nature": "Report Contains",
          "created_by_ref": "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283"
        }
      ]
    }
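Added example (not code from the thread or from the TC): Python checks for a package in the proposed layout, where what a Report contains is expressed as "Report Contains" relationships rather than embedded references. The sample package is constructed from the ids used in the example above; one relationship is deliberately given a reused id and a campaign id that exists nowhere in the package, so the checks show what a dangling or ambiguous "Report Contains" reference looks like to a consumer.

```python
# Added example, not code from the thread: checks for a package in the proposed
# layout, where a Report's contents are "Report Contains" relationships. The
# sample package is CONSTRUCTED from the ids in the thread's example; one
# relationship deliberately reuses an id and points at a missing campaign.
IDENTITY = "identity--a463ffb3-1bd9-4d94-b02d-74e4f1658283"
REPORT = "report--84e4d88f-44ea-4bcd-bbf3-b2c1c320bcbd"
INDICATOR = "indicator--26ffb872-1dd9-446e-b6f5-d58527e5b5d2"
CAMPAIGN = "campaign--83422c77-904c-4dc1-aff5-5c38f3a2c55c"
REL_A = "relationship--f82356ae-fe6c-437c-9c24-6b64314ae68a"
REL_B = "relationship--72f666b6-f1db-4b2c-82e3-71ab49a84be1"
REL_D = "relationship--a05d8c6a-ccea-4a0a-a8e0-68dfe85fbfa9"
BOGUS_CAMPAIGN = "campaign--26ffb872-1dd9-446e-b6f5-d58527e5b5d2"  # no such object
TLO_LISTS = ("sources", "reports", "indicators", "campaigns", "relationships")

def rel(rid, src, dst, nature):
    """Build a relationship TLO in the shape used by the proposal."""
    return {"type": "relationship", "id": rid, "from": src, "to": dst,
            "relationship_nature": nature, "created_by_ref": IDENTITY}

PACKAGE = {
    "type": "package",
    "sources": [{"type": "identity", "id": IDENTITY, "name": "Symantec"}],
    "reports": [{"type": "report", "id": REPORT, "intents": ["Threat Report"],
                 "created_by_ref": IDENTITY}],
    "indicators": [{"type": "indicator", "id": INDICATOR, "created_by_ref": IDENTITY}],
    "campaigns": [{"type": "campaign", "id": CAMPAIGN, "created_by_ref": IDENTITY}],
    "relationships": [
        rel(REL_A, REPORT, INDICATOR, "Report Contains"),
        rel(REL_B, REPORT, CAMPAIGN, "Report Contains"),
        rel(REL_A, INDICATOR, BOGUS_CAMPAIGN, "Related Campaign"),  # reused id, bad target
        rel(REL_D, REPORT, REL_A, "Report Contains"),  # the report contains a relationship
    ],
}

def index_objects(package):
    """Map id -> TLO across all lists; return (index, ids seen more than once)."""
    objs, dupes = {}, []
    for key in TLO_LISTS:
        for obj in package.get(key, []):
            if obj["id"] in objs:
                dupes.append(obj["id"])
            objs[obj["id"]] = obj  # last definition wins; the duplicate is reported
    return objs, dupes

def dangling_refs(package, objs):
    """Return (object id, field, target) for every reference that resolves to nothing."""
    missing = []
    for key in TLO_LISTS:
        for obj in package.get(key, []):
            for field in ("from", "to", "created_by_ref"):
                target = obj.get(field)
                if target is not None and target not in objs:
                    missing.append((obj["id"], field, target))
    return missing

def report_contents(package, report_id):
    """Resolve a Report's contents via its 'Report Contains' edges; a contained
    relationship also pulls in its two endpoints when they exist in the package."""
    objs, _ = index_objects(package)
    contained = set()
    for r in package.get("relationships", []):
        if r["from"] == report_id and r["relationship_nature"] == "Report Contains":
            contained.add(r["to"])
            target = objs.get(r["to"])
            if target is not None and target["type"] == "relationship":
                contained.update(e for e in (target["from"], target["to"]) if e in objs)
    return sorted(contained)
```

Run the three functions against PACKAGE to see the reused id, the unresolvable campaign reference, and the resolved report contents.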















  • 2.  Re: [cti] Are we following the F2F process?

    Posted 02-15-2016 16:01




    I think we are close to alignment, however there are a few subtle differences between our current direction and the approach we agreed upon during the F2F. During the F2F we agreed to use TWIGs as the base for STIX 2.0. There are many positives to this approach:

    • For new objects, and new concepts, we are not coming to the table with a blank slate. People can look at the TWIGs approach, comment on it, and move us forward. If there are no comments, we can simply move forward with what we have.
    • For existing objects, and concepts, we would not be using STIX 1.x as a base. This would allow us to make changes without concern for the confines of STIX 1.x.
    • By using a TWIGs base we have a JSON representation of the possible end state, regardless of where we are in the tranche plan. Since most of us seem to think in JSON, and not normative text or models, this will allow people to quickly get up to speed with STIX 2.0 and increase participation in the tranche plan. We can update the JSON representation with community feedback as we go.

    A plan forward that incorporates Sean’s approach and the F2F approach:

    • Merge the TWIGs document into the draft STIX 2.0 normative text, using care not to overwrite areas where there is already community consensus.
    • Continue with the existing tranche plan as laid out by Sean.
    • Continue to receive community feedback and update the draft normative text.

    Worst case scenario, the community ends up disagreeing with the approach taken in the merged TWIGs content and replaces it during the tranche plan phases. Best case, we get decreased time to market and increased community participation.


    If the community is OK/NOT-OK with this approach, can you please respond to let us know?


    Aharon








    From: <cti@lists.oasis-open.org> on behalf of "Barnum, Sean D." <sbarnum@mitre.org>
    Date: Friday, February 12, 2016 at 3:02 PM
    To: Terry MacDonald <terry@soltra.com>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
    Subject: Re: [cti] Are we following the F2F process?






