Sharing to the broader group that I’m supportive that this is the right direction for COA within STIX.
One aspect that I don’t explicitly called out that we have talked in the COA mini-group is being able to convey COA based on a reference to other intel via a reference/variable instead of having to copy the
literal COA details.
Please confirm that this aspect is covered in one or more of the feature categories.
Allan Thomson,
CTO,
Lookingglass Cyber Solutions
This electronic message transmission contains information from LookingGlass Cyber Solutions, Inc. which may be attorney-client privileged, proprietary and/or confidential.
The information in this message is intended only for use by the individual(s) to whom it is addressed. If you believe that you have received this message in error, please contact the sender, delete this message, and be aware that any review, use, disclosure,
copying or distribution of the contents contained within is strictly prohibited
From: "cti-stix@lists.oasis-open.org" <
cti-stix@lists.oasis-open.org> on behalf of Bret Jordan <
Bret_Jordan@symantec.com>
Date: Thursday, September 21, 2017 at 9:27 AM
To: "Jyoti Verma (jyoverma)" <
jyoverma@cisco.com>, "cti-stix@lists.oasis-open.org" <
cti-stix@lists.oasis-open.org>
Subject: [cti-stix] Re: [EXT] [cti-stix] STIX COA Roadmap
SC,
I would like to reiterate Jyoti's call for feedback over the next 14 days. If no negative feedback is given we will take that as unanimous consent that the direction the COA mini group is going and the elements
we are going to tackle for the first release are approved by this SC.
Bret
From:
cti-stix@lists.oasis-open.org <
cti-stix@lists.oasis-open.org> on behalf of Jyoti Verma (jyoverma) <
jyoverma@cisco.com>
Sent: Thursday, September 21, 2017 12:16:58 AM
To:
cti-stix@lists.oasis-open.org Subject: [EXT] [cti-stix] STIX COA Roadmap
CTI TC,
The COA mini group has been meeting on a weekly basis since a couple of weeks and we’ve put together a roadmap for the goals/features that we would like to address across 3 STIX releases. The mini group gave
a readout on the Sept 19 th working call and the slides we presented are here –
https://docs.google.com/presentation/d/1be_i8zcIlsmo_sStB8jeAp33sah-z7SgVGw_eRm1omc/edit?usp=sharing In the first release, we would be solving the following 5 features for manual/automated COAs. For automated COAs, the group discussed using OpenC2 if the timelines align. More details on the complete roadmap
and use cases can be found in the working draft here -
https://docs.google.com/document/d/1zXV5WEmyLUbKiSpuHgywu5-LLrJVd91d7OP3nQBB7qM/edit# .
Feature
Description
Example
Preventative Static COAs
Literal COAs tied to indicator or other objects. No need to wait for anything to fire.
SANS Top 20 controls or blacklist domains
Mitigative or Remediative Static COAs
All information to take the action is statically configured and known a-priori.
Block evildomain.com
Deny traffic to and from 10.0.0.1
Delete Registry key
Accommodating multiple actions
Single COA representing multiple steps
Cleaning up malware from Windows Desktop - safe mode, kill process, delete key, delete file, etc.
Basic Sequencing
The order in which COAs should be executed
1->2->3->4
Allow parallel processing
Allow the actions to define if they can be done in parallel or if they need to be done one at a time
1->2
3->4
If there are objections to this list, please let us know within 14 days. You can send your comments by replying to this email or in the COA channel on Slack.
Thanks,
STIX COA mini group