OASIS Cyber Threat Intelligence (CTI) TC

  • 1.  Request for Public Comments on STIX 2.0

    Posted 03-16-2017 15:35
    Dear CTI TC member –

    As I mentioned during the Monthly TC meeting this morning, we are in the midst of the public review and comment period on the STIX 2.0 CSD. As CTI TC members, we’ve had the opportunity to develop and refine these specifications over the past eighteen months – now it is time for those outside of the CTI TC to have a chance to review and comment. In order to maximize the usefulness of the comments we receive, we think it is essential that any and all reviewers understand the design and implementation decisions that we’ve adopted as a TC. Most importantly, it is critical that reviewers understand that STIX 2.0 is intended to serve as a foundation for additional releases and therefore there are certain objects and features that have been intentionally deferred until a later release (e.g. STIX 2.1). Therefore, the call for public comments below attempts to convey this information in as clear and consistent a manner as possible.

    I encourage all TC members to forward the message below to individuals, organizations and/or communities that are not part of the CTI TC. To avoid duplicate outreach, here are the organizations/communities that we’ve already reached out to: IETF MILE WG, IETF SACM WG, Forum of Incident Response and Security Teams (FIRST), National Council of ISACs (NCI), Defense Security Information Exchange (DSIE), Cyber Threat Alliance (CTA), Malware Information Sharing Platform (MISP) community, OpenC2 community.

    I would greatly appreciate it if you could let me know if/when you reach out to an organization/community so that we can keep track of exactly who we’ve asked to comment. Please let me know if you have any questions and thanks in advance!

    Regards,
    Rich


    Dear Cybersecurity Community Member,

    The OASIS Cyber Threat Intelligence Technical Committee (CTI TC) members have recently approved STIX 2.0 as a Committee Specification Draft (CSD) and submitted it for 30-day public review. The public review started 08 March 2017 at 00:00 UTC and ends 06 April 2017 at 23:59 UTC.

    This is an open invitation to comment. OASIS solicits feedback from potential users, developers and others, whether OASIS members or not, for the sake of improving the interoperability and quality of its technical work.

    What is STIX?
    Structured Threat Information Expression (STIX) is a language and serialization format used to exchange cyber threat intelligence (CTI). STIX enables organizations to share CTI with one another in a consistent and machine readable manner, allowing security communities to better understand what computer-based attacks they are most likely to see and to anticipate and/or respond to those attacks faster and more effectively. STIX is designed to improve many different capabilities, such as collaborative threat analysis, automated threat exchange, automated detection and response, and more. More information can be found here.

    What’s New in STIX 2.0?
    STIX 2.0 represents a significant evolution in the design and implementation of STIX. To date, STIX has been very successful in demonstrating that machine-readable cyber threat intelligence can be widely shared and used operationally. Both commercial and government threat intelligence feeds provide it and many threat intelligence tools produce and/or consume it. As with anything, however, in developing and implementing STIX 1.x the community (both vendors and consumers) have found that it also had some shortcomings. These included excessive complexity and excessive flexibility. In addition, STIX 1.x used XML, which has fallen out of favor with much of the developer community.

    STIX 2 is a redesign of STIX that has the same goals and builds on the same foundational concepts but in a way that addresses those shortcomings. It is not backwards-compatible but is intended to be a replacement for STIX 1.x.

    STIX 2.0 is the first release of STIX 2 and is intended to be a framework on which future capabilities can be built. In fact, while STIX 2.0 is currently under review, the community is already working on additional capabilities to add in STIX 2.1. All of the releases in the STIX 2 series will build on each other such that upgrading from one version to the next should be easy (unlike the change from STIX 1 to STIX 2). For more information, consult the FAQ.

    STIX 2.0 Documents
    STIX Version 2.0 is a five-part specification. The prose documents and related files are available here:

    Part  Title                           Links
    1     STIX Core Concepts              Editable Authoritative Source (DOCX), HTML, PDF
    2     STIX Objects                    Editable Authoritative Source (DOCX), HTML, PDF
    3     Cyber Observable Core Concepts  Editable Authoritative Source (DOCX), HTML, PDF
    4     Cyber Observable Objects        Editable Authoritative Source (DOCX), HTML, PDF
    5     STIX Patterning                 Editable Authoritative Source (DOCX), HTML, PDF

    For your convenience, OASIS also provides a complete package of the prose documents and related files in a ZIP distribution file. You can download the ZIP file here.

    How To Comment on STIX 2.0
    Comments on STIX 2.0 may be submitted to the TC by any person through the use of the OASIS TC Comment Facility. Comments submitted by TC non-members for this work and for other work of this TC are publicly archived and can be viewed here. Please submit any comments before the public comment period ends on April 6, 2017.

    By submitting comments you implicitly agree to the terms of the OASIS Feedback License, which ensures that any alterations made to the specifications based upon your feedback are covered by the same IPR protections under which TC members operate. In addition, in connection with this public review of STIX 2.0, we call your attention to the OASIS IPR Policy applicable to the work of this technical committee. While all members of the TC should already be familiar with this document (which may create obligations regarding the disclosure and availability of a member's patent, copyright, trademark and license rights that read on an approved OASIS specification), public reviewers who are not TC members are encouraged to review the OASIS IPR Policy. OASIS invites any persons who know of any such claims to disclose these if they may be essential to the implementation of the above specification, so that notice of them may be posted to the notice page for this TC's work.

    Invitation to Forward This Call for Comments
    OASIS and the CTI TC encourage widespread public review of the STIX 2.0 specifications. Therefore, please feel free to forward this call for comments onto any and all interested parties. Thank you.

    Regards,

    Richard J. Struse
    Chair, OASIS Cyber Threat Intelligence (CTI) Technical Committee
    Chief Advanced Technology Officer
    National Cybersecurity and Communications Integration Center (NCCIC)
    Cyber Security & Communications
    U.S. Department of Homeland Security
    e-mail: Richard.Struse@dhs.gov
    Phone: 202-527-2361


  • 2.  work on Rec. ITU-T X.ucstix et al.

    Posted 04-07-2017 15:48
    Hi Rich,

    Now that this work is approved and underway, it should be a regular part of somebody's agenda and remit in CTI. Indeed, CTI should have an effective, structured and strategic roadmap for proactive outreach and continuing liaison with the multiple other community standards bodies that will be essential to adapting and scaling the CTI platforms. Even within the U.S., adapting the platforms to significant industry sector threat environments like robo/spoofed calls is important. See, e.g., http://www.circleid.com/posts/20170324_use_stix_to_block_robocalls/

    Interested parties here - including OASIS - should file in the FCC proceeding, GC Docket 17-59: http://transition.fcc.gov/Daily_Releases/Daily_Business/2017/db0323/FCC-17-24A1.pdf Note the comment and reply comment dates. It has not yet been published in the Federal Register.

    The ITU-T action is in one of several important community standards bodies that includes ETSI, 3GPP, and GSMA in the telecom/ICT universe. The formal liaison material will course its way from the ITU's Telecommunications Standardization Bureau (TSB) support engineer, Ms. Xiaoya Yang, to the OASIS secretariat and into CTI. In the meantime it is useful to understand a little about the process and materials. The ITU-T project document site is at http://www.itu.int/itu-t/workprog/wp_item.aspx?isn=14109

    I have attached both the current base text and what is known as the A.5 justification submitted to initiate the work. It is also worth noting that in addition to the Korean editors responsible for the work, Takeshi Takahashi was added as an editor. Takeshi is a well known cyber security information exchange community leader from Japan who also co-chairs the IETF MILE working group and has authored multiple useful structured information exchange specifications.

    To explain some of the institutional jargon here, the TAP designation means it will go out eventually for Traditional Approval Process balloting among ITU-T nation state members. That is presently planned for Sept. 2019. During the work item drafting period it will be designated X.ucstix and given a X.1500-series number as it moves to approval. The work also resides in what's known as Rapporteur Group Q4/17 (cybersecurity) within Study Group 17 (Security). The Q4/17 rapporteur is one of Japan's respected leaders in this field, Dr. Youki Kadobayashi. The ITU-T is the telecom standardisation body - one of several bodies within the only global intergovernmental organization in this field that has existed since 1850.

    OASIS needs to be continuously working with the editors here to help ensure that the ICT sector use cases mesh with the work. Getting this material published as an X-series Recommendation will get the CTI platforms evangelized among 193 Member nations and officially translated into four other major languages and made freely available for downloading. The official translations alone are worth the effort!

    best,
    tony (ETSI-OASIS liaison)

    Attachments: T17-SG17-170322-TD-PLEN-0266!R1!MSW-E.doc (MS-Word document); X.ucstix_A.5_justification.pdf (Adobe PDF document)
