[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti] Re: [EXT] Re: [cti] Summary of the working call
Hi Sarah, Is there any way to get any insight on the progress / working documents for these? Either I am missing something very obvious or there's a painful lack of transparency going on in here. Best regards, Andras On 25. aug. 2017 13:59, Sarah Kelley wrote: > All, > > > > Just to clarify my original email. > > > > The conversation on the working call was to scope down what we were > currently working on for the particular event object we /already/ had a > proposal for in the working documents. This object was designed with the > IR type of object in mind, so for our current understanding, and to make > some forward progress on this object, we were suggesting to scope back > the use cases for /that particular SDO/ to what it made sense for. We > were NOT in any way suggesting that other use cases weren’t valid or > that we wouldn’t fulfil them. In fact, there have been several > discussions recently about how exactly how we can meet the needs of the > use cases you’ve suggested. If this particular SDO isn’t going to work, > we are currently in the process of creating alternatives that could > fulfil these use case. > > > > I hope this helps clarify what the intentions were in my original email > regarding our discussions. > > > > *Sarah Kelley* > > *Senior Cyber Threat Analyst* > > *Multi-State Information Sharing and Analysis Center > (MS-ISAC) * > > *31 Tech Valley Drive* > > *East Greenbush, NY 12061* > > * * > > *sarah.kelley@cisecurity.org <mailto:sarah.kelley@cisecurity.org>* > > *518-266-3493* > > *24x7 Security Operations Center* > > *SOC@cisecurity.org <mailto:SOC@cisecurity.org> - 1-866-787-4722* > > * * > > ** <https://msisac.cisecurity.org/>** > > * *** <https://www.facebook.com/CenterforIntSec>* *** > <https://twitter.com/CISecurity>* *** > <https://www.youtube.com/user/TheCISecurity>* *** > <https://www.linkedin.com/company/the-center-for-internet-security> > > > > *From: *"cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf > of Allan Thomson <athomson@lookingglasscyber.com> > *Date: *Friday, August 25, 2017 at 6:26 AM > *To: *Andras Iklody <andras.iklody@circl.lu>, "cti@lists.oasis-open.org" > <cti@lists.oasis-open.org> > *Subject: *Re: [cti] Re: [EXT] Re: [cti] Summary of the working call > > > > > > > Bret/Andras – I wasn’t able to attend the working call but I would like > to point out that the definition of the Event object in the “current” > proposal has a relationship to Observed-Data object(s) as well as other > new STIX 2.1 objects Intel-Note. > > Therefore an event can describe a generic event that points to OSINT > data (e.g. observed-data), CERT notification (e.g. intel-note), > black-list (could be represented as a list of IPs as Observed-Data object). > > Andras is asking for reasonable (we agree with them) use cases that the > Event object should support. > > So I would suggest that the current proposal on the table is closer to > what is needed to support the MISP event use cases that is being suggested. > > Certainly we agree that Event should *not* just be about an > investigation and *should* represent various event use cases including > the ones that Andras has suggested. > > Allan Thomson > CTO > +1-408-331-6646 > LookingGlass Cyber Solutions <http://www.lookingglasscyber.com/> > > On 8/25/17, 12:41 AM, "cti@lists.oasis-open.org on behalf of Andras > Iklody" <cti@lists.oasis-open.org on behalf of andras.iklody@circl.lu> > wrote: > > Hello Bret, > > We've just had a look at the event object > (https://docs.google.com/document/d/15qD9KBQcVcY4FlG9n_VGhqacaeiLlNcQ7zVEjc8I3b4/edit# > - section 2.6 / 2.1.x???) and it is pretty far from our idea of a > generic event, as it basically describes an incident/investigation/case > instead of a generic event (which could be a collection of OSINT data > even, CERT notifications, or even a shared black list). Most of its > attributes don't align with what we're after > (so basically we'd have to leave them unset) and it lacks some > attributes that are blockers for us. > > Our main goal with threat intel sharing is to give analysts a tool that > allows them to exchange information that they find could be useful for > their partners, based on a variety of sources (an actual incident, a > collection of OSINT data, financial fraud details, the results of the > analysis of a reverse engineer, notifications shared by law enforcement > etc). > > The event proposal that you suggested deals more with a collection of > facts after an incident/investigation/case, which has different > objectives and assumptions. It is great for a ticketing system used > internally for example, but less so for threat intel sharing. I > personally don't see how this is more relevant than what we're after > when we consider that STIX is a standard built to exchange threat > information, but we can't all have our ponies, I realise that. > > However, this makes the proposed construct unusable for our use-case. > > I hope this has managed to clear up some of the confusion and we can > come to an agreement on how to proceed (hopefully using the proposed > generic-event structure). > > Best regards, > Andras > > On 23. aug. 2017 18:39, Bret Jordan wrote: >> Alexandre, >> >> >> If we added a "supporting_data" property to Event that contained a list >> of IDs to other STIX objects, would that enable your use-case? >> >> >> Bret >> >> ------------------------------------------------------------------------ >> *From:* cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of >> Alexandre Dulaunoy <Alexandre.Dulaunoy@circl.lu> >> *Sent:* Wednesday, August 23, 2017 2:42:46 AM >> *To:* cti@lists.oasis-open.org >> *Subject:* [EXT] Re: [cti] Summary of the working call >> >> On 22/08/17 22:12, Sarah Kelley wrote: >>> On today’s working call, we discussed the event object. We didn’t > have someone taking full notes, but I’ll try to summarize what was > discussed below. >>> >>> >>> 1. The event object should be scoped down to just an IR type of > event/incident. This would need to be clarified in the text, but that > would then scope out some of our other use cases such as: >>> * An ‘alert’ coming into your system >>> * An ‘event’ such as a threat actor registering a domain >>> * The MISP version of ‘event’ >> >> As our past proposals (event and updated report) were rejected and >> seeing how despite expectations the new event SDO won't accommodate the >> requirements of many CERTs and considering that we need to >> move on regarding this, we propose a new SDO called generic event to be >> able to map MISP events to STIX. >> >> > https://clicktime.symantec.com/a/1/KXXOt30L0Phy4XSBJfMef58Wt7mbKP8hq6iPJVbggCA=?d=aZFWp64AB6xw0IMyCZXL0Penlb_6iU6OgveRz1MnP5rZ9wxB3EfnQTTfyleQA_85xnxQ4G0tW-3mzxOSKk1ZRAeSkGz5Uk_0aPQYycvNcyEd8ji_tyMaKiVRV9LZPX9QWMpByAtKN1160Dz8pzikmWvm0SFVLHVA309anASuRu6zZIWfoBIdLmRQw-WVQy010_LhdsXjYEM-UscjJdtGhpFaPSlyn8sajyVZvtRf2DKg9jyYepCu2Rt7DmyHYx5Z5jlm5eo60yXUU7QuYoszYy6gKXOlHo9JUCI9Euvaux0dldytYQNnqpjF1iIAR6BljwZgq0OTmjNjS72rdbMO-Ki2Sdu1EX1s_yvIWbUoNls35fV1yGdy7YLa8z1z7nM_1VZZ8C-43itV5JB6WqnJUQBohXsItCeM8aFDSIxBoJTjjTC8&u=https%3A%2F%2Fwww.misp-project.org%2Fgeneric-event-proposal-STIX-2.1.pdf >> >> Thank you very much >> >> -- >> Alexandre Dulaunoy >> CIRCL - Computer Incident Response Center Luxembourg >> 41, avenue de la gare L-1611 Luxembourg >> info@circl.lu - www.circl.lu <http://www.circl.lu> > <http://www.circl.lu> - (+352) 247 88444 >> >> --------------------------------------------------------------------- >> To unsubscribe from this mail list, you must leave the OASIS TC that >> generates this mail. Follow this link to all your TCs in OASIS at: >> > https://clicktime.symantec.com/a/1/TPo_dTV-pVxJ8S7TeISQ6XYZjfPzx28einI7H3nz6M0=?d=aZFWp64AB6xw0IMyCZXL0Penlb_6iU6OgveRz1MnP5rZ9wxB3EfnQTTfyleQA_85xnxQ4G0tW-3mzxOSKk1ZRAeSkGz5Uk_0aPQYycvNcyEd8ji_tyMaKiVRV9LZPX9QWMpByAtKN1160Dz8pzikmWvm0SFVLHVA309anASuRu6zZIWfoBIdLmRQw-WVQy010_LhdsXjYEM-UscjJdtGhpFaPSlyn8sajyVZvtRf2DKg9jyYepCu2Rt7DmyHYx5Z5jlm5eo60yXUU7QuYoszYy6gKXOlHo9JUCI9Euvaux0dldytYQNnqpjF1iIAR6BljwZgq0OTmjNjS72rdbMO-Ki2Sdu1EX1s_yvIWbUoNls35fV1yGdy7YLa8z1z7nM_1VZZ8C-43itV5JB6WqnJUQBohXsItCeM8aFDSIxBoJTjjTC8&u=https%3A%2F%2Fwww.oasis-open.org%2Fapps%2Forg%2Fworkgroup%2Fportal%2Fmy_workgroups.php >> >> > > --------------------------------------------------------------------- > To unsubscribe from this mail list, you must leave the OASIS TC that > generates this mail. Follow this link to all your TCs in OASIS at: > https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php > > > > > ..... > > This message and attachments may contain confidential information. If it > appears that this message was sent to you by mistake, any retention, > dissemination, distribution or copying of this message and attachments > is strictly prohibited. Please notify the sender immediately and > permanently delete the message and any attachments. > > . . . . .
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]