OASIS Cyber Threat Intelligence (CTI) Technical Committee

The original Call For Participation for this TC may be found at https://lists.oasis-open.org/archives/cti/201505/msg00000.html

  1. Name of the TC

    OASIS Cyber Threat Intelligence (CTI) Technical Committee

  2. Statement of Purpose

    Traditional approaches for cyber security that focus inward on understanding and addressing vulnerabilities, weaknesses, and configurations are necessary but insufficient in today's dynamic cyber landscape. Effective defense against current and future threats also requires the addition of an outward focus on understanding the adversary's behavior, capability, and intent. Only through a balanced understanding of both the adversary and ourselves can we understand enough about the true nature of the threats we face to make intelligent defensive decisions. The development of this understanding is known as cyber threat intelligence (CTI).

    Cyber threat intelligence itself poses a challenge in that no single organization can have enough information to create and maintain accurate situational awareness of the threat landscape. This limitation is overcome by sharing of relevant cyber threat information among trusted partners and communities. Through information sharing, each sharing partner can achieve a more complete understanding of the threats they face and how to defeat them.

    The purpose of the Cyber Threat Intelligence (CTI) Technical Committee is to define a set of information representations and protocols to address the need to model, analyze, and share cyber threat intelligence. A composable set of information sharing services will be defined to enable peer-to-peer, hub and spoke, and source subscriber threat intelligence sharing models. These services will not dictate one architecture, but strive to allow for organizations to develop standards-based sharing architectures that meet their needs. Standardized representations will be developed for campaigns, threat actors, incidents, tactics techniques and procedures (TTPs), indicators, exploit targets, observables, and courses of action. These core components and their inter-relationships together will enable robust cyber threat analysis and intelligence sharing.

    The TC will base its efforts on the Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator Information (TAXII) specifications developed and contributed to the TC by U.S. Department of Homeland Security (DHS). Prior to creation of the CTI TC, the STIX and TAXII initiatives have been led by DHS through development based on open community collaboration. STIX and TAXII, as well as STIX's dependent specification of Cyber Observable Expression (CybOX), have already achieved significant international adoption among threat intelligence vendors, end-user organizations, and cyber threat information sharing communities. By building upon the success of these existing specifications, the CTI TC can offer immediate value as well as provide a solid foundation on which to base future development.

  3. Scope of Work

    In order to leverage existing value of STIX/TAXII/CybOX in the CTI community while working towards future capabilities and advancements, the OASIS CTI TC work will be divided into two phases: in phase one, existing input specifications contributed by the United States Department of Homeland Security (DHS) will be formally codified as OASIS specifications. In the second phase, continued development of STIX, TAXII, and CybOX will begin based on the needs identified by the CTI TC Members.

    Phase One Scope:

    • Specifications identified in Section (2)(h) (STIX 1.2, TAXII 1.1, and CybOX 2.1) will be contributed to the OASIS CTI TC by DHS
    • The TC will use these contributions as the basis for corresponding OASIS Standards Track Work Products. A key objective of the TC will be to limit changes to the input specifications in order to minimize impacts on existing implementations
    • The OASIS CTI TC will develop the specifications under the OASIS TC Process with the goal of submitting them at the appropriate time to the membership of the organization for consideration as OASIS Standards

    Other contributions will be accepted for consideration without any prejudice or restrictions and evaluated based on technical merit insofar as they conform to this charter.

    Phase Two Scope:

    Phase two will take the specifications defined in phase one and evolve them under the direction of the OASIS CTI TC. Further work related to information representations for codifying, analyzing, or sharing of cyber threat intelligence that was not included in the input specifications is also in scope.

    In addition to Standards Track Work Products, the OASIS CTI TC work products in both phase one and phase two may include supporting documentation, open source tooling, and any other materials deemed necessary to encourage the adoption of the TC's specifications.

  4. Deliverables

    The OASIS CTI TC will establish three Subcommittees to develop and refine the specifications and supporting materials of the TC:

    • The STIX Subcommittee
    • The TAXII Subcommittee
    • The CybOX Subcommittee

    In phase one, each Subcommittee will submit initial draft deliverables to the OASIS CTI TC for approval based on making minimal changes to the input specification as necessary conform to OASIS publication formats and support OASIS CTI TC design requirements:

    • The STIX Subcommittee will submit STIX 1.2.1
    • The TAXII Subcommittee will submit TAXII 1.1.1
    • The CybOX Subcommittee will submit CybOX 2.1.1

    In phase two, the OASIS CTI TC will make substantive additions and other changes to the specifications to correct errors and evolve capabilities based on requirements and capabilities identified by OASIS TC members. Deliverables will include updated versions of the specifications (STIX, TAXII, CybOX, and possibly others) as deemed appropriate by the Subcommittees and by the OASIS CTI TC as a whole.

    In addition to the specification deliverables, the OASIS CTI TC may deliver supporting documentation and open source tooling on an ongoing basis in support of the CTI TC's published standards.

  5. IPR Mode

    This TC will operate under the Non-Assertion IPR mode as defined in Section 10.3 of the OASIS IPR Policy document.

  6. Audience

    The anticipated audience for this work includes:

    • Vendors of products and services that produce, consume, or process cyber threat intelligence, in particular that which is expressed via STIX/CybOX and shared via TAXII
    • Organizations that produce or consume cyber threat intelligence, in particular that which is expressed via STIX or CybOX and shared via TAXII
    • Organizations that purchase or may purchase products that support STIX, TAXII, or CybOX
    • Information Sharing and Analysis Organizations (ISAOs), including Information Sharing and Analysis Centers (ISACs)
  7. Language

    TC business will be conducted in English. The output documents will be written in (US) English. Translations to other languages may be made based on interest and ability.