This is a good question. A few general guidelines might be:
If you make a PDF or blog post out of it, it’s a Report If your Marketing/PR/management approves it, it’s a Report If it changes on a regular basis, it’s a Grouping.
I don’t think we should put that in the spec, but they seem like some general guidelines we could put in an FAQ or on the docs site.
John
From: <
cti-stix@lists.oasis-open.org> on behalf of "Ted Bedwell (tebedwel)" <
tebedwel@cisco.com>
Date: Wednesday, September 20, 2017 at 7:48 PM
To: John Wunder <
jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <
cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Re: [EXT] Re: [cti-stix] Updated report proposal
Lots of good viewpoints in this thread. I agree with the proposed solution. That said, as John mentioned, they are very similar. What guidance should we provide to implementers with respect to when to use
Report vs Grouping?
Thanks,
~ted
From: <
cti-stix@lists.oasis-open.org> on behalf of "Wunder, John A." <
jwunder@mitre.org>
Date: Wednesday, September 20, 2017 at 3:26 PM
To: "cti-stix@lists.oasis-open.org" <
cti-stix@lists.oasis-open.org>
Subject: [cti-stix] Re: [EXT] Re: [cti-stix] Updated report proposal
I agree with this.
All, to sum up a long conversation we (myself, Bret, Andras, Alexandre, Sean, Jason) had on Slack…it seems like people are converging around the following option:
Add a new SDO called “Grouping” (two object approach) Grouping will not have a separate status or published field. Instead, we’ll have a label with the name “unverified”, and in the specification it will be explicitly
defined as unverified information that the producer considers too preliminary to automate on. No changes to Report
Thanks,
John
From: "Bret Jordan (CS)" <
Bret_Jordan@symantec.com>
Date: Wednesday, September 20, 2017 at 3:00 PM
To: Sean Barnum <
sean.barnum@FireEye.com>, Allan Thomson <
athomson@lookingglasscyber.com>, John Wunder <
jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <
cti-stix@lists.oasis-open.org>
Subject: Re: [EXT] Re: [cti-stix] Updated report proposal
I think we need to stay more close to what the content creator is trying to say. I believe what the MISP people are saying is if the content is verified or unverified. is_automation_ready is trying to tell people
what to do or not do with the content, and that is data markings. Saying that content is not finished or not verified to be true, is different than trying to say you can or should not automate on it.
You may have groups that live at the edge and are willing to break things in every effort to block anything remotely bad, even if it has not yet been verified. But doing so, means you might break things. This
is why a verified and unverified seems to make more sense.
Bret
From:
cti-stix@lists.oasis-open.org <
cti-stix@lists.oasis-open.org> on behalf of Sean Barnum <
sean.barnum@FireEye.com>
Sent: Wednesday, September 20, 2017 9:09:07 AM
To: Allan Thomson; Wunder, John A.;
cti-stix@lists.oasis-open.org Subject: [EXT] Re: [cti-stix] Updated report proposal
I would agree with Allan that any STIX content is "automatable".
That is why I suggested "is_automation_ready" in an attempt to convey an assertion by the producer that it is ready. Maybe this still has the same issue though.
Get
Outlook for iOS
From:
cti-stix@lists.oasis-open.org <
cti-stix@lists.oasis-open.org> on behalf of Allan Thomson <
athomson@lookingglasscyber.com>
Sent: Wednesday, September 20, 2017 11:05:53 AM
To: Wunder, John A.;
cti-stix@lists.oasis-open.org Subject: Re: [cti-stix] Updated report proposal
Hi John – All CTI whether it’s this object or not is automatable (and often is).
I suggest we use a different term than that.
Will provide suggestions in the google doc.
Allan Thomson,
CTO,
Lookingglass Cyber Solutions
This electronic message transmission contains information from LookingGlass Cyber Solutions, Inc. which may be attorney-client privileged, proprietary and/or confidential. The information
in this message is intended only for use by the individual(s) to whom it is addressed. If you believe that you have received this message in error, please contact the sender, delete this message, and be aware that any review, use, disclosure, copying or distribution
of the contents contained within is strictly prohibited
From: "cti-stix@lists.oasis-open.org" <
cti-stix@lists.oasis-open.org> on behalf of "Wunder, John" <
jwunder@mitre.org>
Date: Wednesday, September 20, 2017 at 8:01 AM
To: "cti-stix@lists.oasis-open.org" <
cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Updated report proposal
Hey everybody…a slight update to the proposal below. After talking to Andras and Sean, I updated the “Grouping” proposal to remove the published field and add an “automatable” property. When “automatable”
is true, consumers should assume that the content is finished enough to automate. When “automatable” is false, they should assume it’s preliminary and not take action.
John
From: <
cti-stix@lists.oasis-open.org> on behalf of John Wunder <
jwunder@mitre.org>
Date: Wednesday, September 20, 2017 at 9:57 AM
To: "cti-stix@lists.oasis-open.org" <
cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Updated report proposal
Hey everybody,
Thanks for weighing in. Given that we’re seeing some people changing their opinions here, I’d ask that if you have an opinion on this topic and haven’t yet weighed in over e-mail that you please do so. If
you think they should be two objects and haven’t yet responded here, please let us know. If you think it should be a single object, please let us know. If we get enough consensus over e-mail we can avoid a ballot, but having gone back and forth a few times
on this (I think I’ve developed 5-6 proposals for this topic) I’d like to have responses in e-mail rather than just on the working call.
Also, if we do end up going with two objects, I’d like to have a proposal prepared for the Grouping object. Rich and I had previously developed a “Collection” object to capture this data, I just renamed it
to Grouping and added it to the working concepts document. It has almost the same fields as Report, but the “published” property is optional (allowing the MISP team to indicate whether the report is published by either omitting or including that property)
and the description is different to allow for the different semantics. Please review it here:
https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.t56pn7elv6u7 (it’s right under Report). I believe that if we go with that approach we can dispense with the “status” vocabulary and other changes to the Report
object that have been discussed, given we’ll have the optional published property on Grouping and there hasn’t been a strong need identified for “status” on report other than to support this use case.
John
From: Allan Thomson <
athomson@lookingglasscyber.com>
Date: Wednesday, September 20, 2017 at 9:11 AM
To: John Wunder <
jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <
cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Updated report proposal
Originally, I had no strong opinion on single or separate objects. However, given the discussion/debate on the meaning of these objects on this thread alone
suggests to me that separate might be more easily understood once it goes beyond the TC to the broader community of orgs implementing this standard.
Prefer making sure the status-ov includes the additional status being called for by folks like MISP….etc and avoid having a published property timestamp at
all. As per 2) just update to include additional status.
Allan Thomson,
CTO,
Lookingglass Cyber Solutions
This electronic message transmission contains information from LookingGlass Cyber Solutions, Inc. which may be attorney-client privileged, proprietary and/or confidential. The information
in this message is intended only for use by the individual(s) to whom it is addressed. If you believe that you have received this message in error, please contact the sender, delete this message, and be aware that any review, use, disclosure, copying or distribution
of the contents contained within is strictly prohibited
From: "cti-stix@lists.oasis-open.org" <
cti-stix@lists.oasis-open.org> on behalf of "Wunder, John" <
jwunder@mitre.org>
Date: Tuesday, September 19, 2017 at 1:14 PM
To: "cti-stix@lists.oasis-open.org" <
cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Updated report proposal
All, I wanted to re-up this since we just discussed it on the working call. The proposal is here:
https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.y3otj21tnvuj As a reminder, this topic is meant to address a need MISP brought up to share collections of threat intelligence (they call them “Events”) that are not at the level of a published report but need to be shared
as a cohesive set with some shared context (title, description, labels, etc.)
We still have three open questions:
Is doing this in the Report object the right approach, or do we need to add a new Grouping object? Consensus has been that we should do this in the Report object,
though Sean in particular has pointed out that FireEye believes it should be separate (as he said below). Given previous consensus across two working calls here I think we can assume that we’ll do it in Report unless we get a lot of feedback saying otherwise. Should we add a separate
status property to capture the status of the report (as in the proposal now), or should we just use the
labels property with pre-defined labels to enable automation. Consensus is mixed here, so please weigh in with your reasoning. MISP felt like to enable automation we needed a separate property, JMG and Bret pointed out that we’ve previously put values
meant to enable automation in labels . What values should go in that
status vocabulary, regardless of which property we end up putting it in? Right now we have a proposal from Allan Thomson for “initial-analysis”, “updated-analysis”, “final”, and “finished-product”. Are these correct? What new/changed values should there
be?
I think we’re VERY close to finally figuring this one out, so please let us know what you think. My opinions are:
Do it in Report. Honestly either way seems doable to me, but I lean towards a separate status field so you can easily separate out the status values from other stuff you might
put into report labels. I would keep “initial-analysis”, “final”, “finished-product”. I would remove “updated-analysis” because I think you can capture that semantic with the modified
property and a value of “initial-analysis” (maybe call them “working-analysis”, “final-analysis”, “finished-product”).
Thanks!
John
From: <
cti-stix@lists.oasis-open.org> on behalf of John Wunder <
jwunder@mitre.org>
Date: Monday, September 18, 2017 at 4:59 PM
To: Sean Barnum <
sean.barnum@FireEye.com>, "cti-stix@lists.oasis-open.org" <
cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Updated report proposal
Sorry about that…somewhat ironically, after there were problems with finding all of the stuff we were working on, I moved it over to the Working Concepts doc later last week:
https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit#heading=h.y3otj21tnvuj John
From: Sean Barnum <
sean.barnum@FireEye.com>
Date: Monday, September 18, 2017 at 4:56 PM
To: John Wunder <
jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <
cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Updated report proposal
I don’t see any proposal in the linked doc.
I would object to attempts to conflate these two objects together. I believe I have given clear reasoning for this position in the past.
Sean Barnum
Principal Architect
FireEye
M: 703.473.8262
E:
sean.barnum@fireeye.com From: <
cti-stix@lists.oasis-open.org> on behalf of "Wunder, John A." <
jwunder@mitre.org>
Date: Tuesday, September 12, 2017 at 8:36 AM
To: "cti-stix@lists.oasis-open.org" <
cti-stix@lists.oasis-open.org>
Subject: [cti-stix] Updated report proposal
All,
As I mentioned in an e-mail yesterday, based on the straw poll that we had on the August 29 working call (notes here:
https://www.oasis-open.org/committees/download.php/61462/OASIS-CTI-TC_WorkingSession_August29_2017.pdf) I put together a proposal to modify the report object to cover the concept of an evolving collection of content (i.e., the MISP use case).
Proposal is here:
https://docs.google.com/document/d/1wiG6RoNEFaE2lrblfgjpu3RTAJZOK2q0b5OxXCaCV14/edit#heading=h.n8bjzg1ysgdq The changes are:
The description of the Report object was modified slightly to remove the reference to it being “published”. There were also some additional examples added. The
published property was made optional, to allow for cases where the report is not yet published. A new
status property was added, based on a suggestion from Allan that what we were describing as “published” or “not published” was not really a binary flag. The vocabulary is still somewhat TBD, right now I just put “ongoing-analysis” and “final” in as placeholders.
On the call most folks seemed to think that the best option was to modify the Report object, but we did have a couple open questions:
Now that you’ve seen the proposal, does this general approach seem acceptable? What are the possible values in the “status” vocabulary? The thought on the call was that there were more than two, but I couldn’t think of anything and I asked
on Slack and didn’t get anything either.
Thanks,
John
This email and any attachments thereto may contain private, confidential, and/or privileged material for the sole use of the intended recipient. Any review, copying, or distribution of this email (or any attachments
thereto) by others is strictly prohibited. If you are not the intended recipient, please contact the sender immediately and permanently delete the original and any copies of this email and any attachments thereto.
This email and any attachments thereto may contain private, confidential, and/or privileged material for the sole use of the intended recipient. Any review, copying, or distribution of this email (or any attachments
thereto) by others is strictly prohibited. If you are not the intended recipient, please contact the sender immediately and permanently delete the original and any copies of this email and any attachments thereto.