CTI-TC NCCoE F2F Meeting Notes

Meeting Date: May 24, 2017 – Day 2

Time: 9:00 a.m. to 5:15 p.m.

Purpose: F2F @NCCoE – Rockville, MD

Attendees:

Same as Day 1 – With the following additional people:

Emmanuelle Vargas-Gonzalez Mitre

Chris Lenk Mitre

Ron Williams IBM

Paul McKitrick FIRST-SIG (Presenter)

Agenda:

Meeting Notes

Richard: Welcome to all. Let’s prioritize 2.1 objects. Thanks to Daniel and NewContext for sponsoring our lunches and coffee breaks. Let’s go on with Lightning Talks.


OASIS CTI-TC Working Session

Page 2

***Digital Signatures***

John-Mark: Went over the key Use Cases – Described the need for ensuring authenticity.

Gary: Are we signing the objects or the Relationships?

John-Mark: The objects.

Gary: Described how difficult it was to implement digital signatures with STIX 1.x.

John-Mark: That is a problem in other implementations, too. Gave an example of JSON signing issues. As with all cryptographic implementations – we need a crypto review.

Richard: Outlined another issue with implementation.

Allan: Gave an example of another implementation – Suggested a problem with MiTM attacks. I understand that some people need a feature – as long as it is optional, not mandatory. As long as I don’t have to care about it – I don’t care. I don’t understand why we need it right now – there is a long review process for being in a sharing community.

Bret: Gave example of when his company was setting up a feed with Sophos and Cisco for MRTI – When you integrate the COA – you want to integrate across 1,000,000 employees – you need some way to know if someone pollutes the feed. We have to have Digital Signatures – Going forward, we really need it.

Daniel: I’m going to build on what Bret has said – Hopefully the standards body will be successful – I want to see COA in an automated fashion.

Trey: I want to make clear that the reason this is a lightning talk – it is early in the process. Some people care, and others don’t – Gave example of using PGP signatures.

Gary: Gave example of signing a Bundle.

John-Mark: From my POV, you really need to be signing the individual Objects.

Gary: That is where I would disagree.

John-Mark: The bundle may contain Objects authored by different people. It is easy to sign a stream of bytes, then white space gets messed up with another round.

Gary: Made argument that it would be easier to implement if you sign only at the Bundle level.


John-Mark: I see the difficulty.

Nathan: Asked about Group signing.

John-Mark: Explained how we might be able to implement that Use Case.

Bret: Outlined some of the implementation problems for wrapping signed objects in a Bundle.

Rich: +1 for what Bret said. Where we truly add value is with MRTI – Digital.

Mark: A great thing – but high risk – We tried with XML signatures and ran into problems. I think you have a working version.

John-Mark: I have a working version.

Nathan: Are we going to be doing any threat modeling? It would be great to address the types of attacks that are possible and what we are trying to mitigate.

John-Mark: It follows push end-to-end encryption – TLS does that for standard web browser to web. But in a CTI sharing community – Need assurances about COA in this context.

Allan: If I was a bad actor I would steal the guy’s credentials – You wouldn’t be able to tell if I was doing it.

John-Mark: That is a higher bar than no DS.

Bret: John-Mark has done a great job – I’d like to propose that this become its own subcommittee – We as a TC should take that decision.

John-Mark: That makes sense – as with all DSs, they are bolted on.

Chris: Asked for clarification of the implementation scenario.

John-Mark: Talked about verification of Public Key – DNSSEC – Proposals for C.A. or manual verification WOT – with fingerprint.

Daniel: I want to accent the point that Allan said – we want to use the digital fingerprint to track down the threat actor.

John-Mark: Described how that could happen – How to track the compromised TAXII server.

Allan: Took issue, then acquiesced.

John-Mark: Pointed out some of the issues with DSs for TLP.


Ron: This is crossing the line into using TLP as an access control mechanism, which strictly, it is not. At least today.

Gary: I don’t disagree that this is needed – I just wonder if it is technically feasible. Talked about problem with TLP-Red. This is a larger problem – Need wider community.

Greg: Greenfield development – Should it have a Derived_by relationship?

Gary: Answered question.

Rich: We might even want to capture these things – We have 15 minutes left. We should be thinking about how to take this – Have a straw poll – 2.2 vs 2.1?

John-Mark: OLEP and IETF both tried to use SD with JSON – Described how they ran into problems.

Rich: We can check with OASIS to see if there are any other TCs.

Bret: Options moving forward:
1) Side project within STIX
2) Propose another Subcommittee
3) Propose another TC within OASIS
4) Take to IETF or other technical committee
This is one thing we cannot afford to get wrong – We need to bubble up and get more crypto folks. I’ll support going in any other direction.

Gary: I agree with Bret – but it will take some time – so in the short term, is there a value in being able to sign it at the Bundle level?

John-Mark: I can see some people being satisfied with that.

Nathan: If the threat model does not satisfy larger – then signing a Bundle would satisfy my need.

Ron: I would also add that it would fulfil an immediate need.

Marlon: Signing at the Object, or more granular level, it would be better – Outlined some of the longer-term objectives. More trust at granular level – We need to look at that.

Ron: Two different things – Signing at TAXII level and at STIX – If you look at the protocol stack, different things.

Gary: Outlined a scenario of how someone would go back and look at a Bundle historically.


John-Mark: We still need a Straw Poll – Went quickly through Signature Canonicalization. Gave example of how to do it in JSON. Do people want to complete this work?

Nathan: This needs to be coordinated with Backwards Compatibility – If in 2.1, and we get it wrong, this would be a problem.

John-Mark: I don’t think that will be a problem.

Rich: There is a clear consensus in the room that 2.1 is too early. Let’s move onto next item.

***Internationalization***

John: Reviewed the approach after breakthrough at Google meeting. One question that was not answered – optional or required for TLOs?
1) We will strongly encourage using the ‘lang’ field
2) If we don’t strongly encourage – We run the risk that people will do it wrong
3) Make it suggested

Trey: We should make it a “should” and rely on Interop – That is the obvious solution. End discussion right there.

Bret: I think we need to consider the issues that Ryue has outlined – He co-chaired the mini-group – There was a compromise at last F2F – He compromised on so many points to get us to this point. Making it optional and shifting burden to Interop. Ryue outlined all of the ways this will break.

Greg: Can we get that list – hard for us to judge unless we see the list.

Allan: I don’t get the logic of how it would break – If you have ‘lang’ it could break parsers. It is better to use carrots, not sticks.

Rich: I am always leery about trying to make people DO things – If required, who knows what they will do.

Trey: I was at Google – I spent 2 hours talking through some of the issues – Not a valid argument to advance an argument when they are not here. If we make it required, we may delay 2.0. Still not done… they are “this close” - If we have a solution, like Allan has suggested – we should do it – We are a community.

Greg: It is better to have no data, than wrong data – Default position.


Ron: We’re good with ‘Should,’ but internal standards will result in a virtual ‘must’.

Gary: I’ve mostly stayed out of this conversation – We don’t interact with this much. That being said – I grew up in America, I speak English. If I tell my programmers – one more field is not a big deal.

Stephan: We care about the people that can’t be here – An explicit goal of this meeting is to discuss, NOT make decisions. This is something that we take to the list. It should be a remote list discussion.

John: We can’t make this decision here.

***Malware***

Ivan: The current stub is not that useful – We need to go over some of the things to add for 2.1. We need to see if people have a direct need right now. Indicator SDO is probably not too controversial.

Rich: Is this Malware a nuisance-thing? Is it going to brick my machine? We need to categorize – Use some Destructive vs. non-Destructive.

Ivan: There are a couple of ways to do that – I will draw a lot of analogies to MAEC. How do you characterize at a high-level and still have some categories? Outlined a starting point.

Marlon: When using Malware for defense, that is when we use Patterning, right? I want to make sure that everybody keeps that in mind. That is when we go back to the actual Malware Object.

Ivan: Right, that is the goal – There might be some overlap – Don’t use the Malware Object in place of the Indicator w/ Patterning.

Bret: My hope is to get to an 80/20% - We don’t know where Malware came from. We as a company cannot implement STIX because it does not have what we need. From what I hear from our customers - They want us to tell them, is it me or others, general or just me – They are asking to give that to them via STIX. We need some way of documenting relationship.

Gary: We need Infrastructure and a Tool object.

Jane: Reaffirm what Gary said – Certain exploit kits leave a fingerprint – WannaCry is a good example.


Ivan: What is this 80/20 line for the types of analysis we want to capture? We need to have Actions.

Trey: Explained the Wireshark example.

Ivan: When people do abstraction for Malware analysis – Behavioral – Host data, Sandbox artifacts.

Jason: I’m trying to figure out how this meshes with Indicator SDO – What are the consumers supposed to do? Are they looking for? I’m trying to see how to do this in an automated way. I still get very confused when we say we want to put the output of a malware sandbox on the malware object. Remember Indicator patterns operate on observations, not on malware objects.

Bret: It is to provide the specific extra context.

Ivan: It is sort of like…

Jason: But how do I get from malware to pattern without a human… or do I not? It sounds like this is more of a documentation issue? Not for automation.

Trey: Joking – We will print out on a dot matrix on paper.

Allan: I have some pigeons.

Trey: Lots of people jumped up – I want to make sure your question is answered.

Ron: Action could be ‘Take these Host IOC’s and investigate endpoint’ - which can be automated.

Gary: Gave an example of why it should be in a standard format. Different type of observed_data.

Allan: Being able to take a specific type of observed_data. You can take some and automate – for humans to interpret. Having a structured format that can be easily automated is really important.

Rich: I want to make sure we are not talking at cross purposes. We have some malware – we want to collect in some form – Now a reference. Some organizations stop there. Some will take it and use it and send it around. So, what we need in STIX is to be able to document it in a standard format.

Trey: So, what we have in observed_data is a way to characterize it – People use it.


Bret: Noted that Rich’s characterization was right – Added how the Malware Object is used for – That is something that we have. Assessment of propagation. Gave example: If some organization allows me to have access to their data – Then, we might be able to build Indicators. Let’s not artificially limit this ecosystem.

Sarah: I want to bring up an additional Use Case – a SOC. SOC needs the context – How do I know if legitimately bad, they need the context.

Ron: If we think of the IR Analyst, his job is to determine, for example, whether to send a malware report containing Host Indicators to his Ops team. Imagine we’ve identified the transfer of a High Threat file to an endpoint in our organization. - We can capture that, send it to BigFix, and launch a process on the endpoint to see if the malware has launched by whether those indicators exist. Next step would be automated remediation after the detection. Completely automated, completely skip the IR analyst. – From an actionability standpoint we need to do that – If context is captured.

Ivan: Described how most people process info if they see Malware. Static files and Behavioral files.

Trey: I want to make sure we take care of some of the goals for 2.1. Can we punt on some of the behavioral issues later?

Ron: Having a canonical framework is really critical.

Bret: I don’t know why we care – Let’s document it – then let the Market decide.

Ron: +1 to Bret.

Ivan: People are not going to be embedding a lot of information.

John: +1 to Ivan. I think our “stub” capability now actually fills a lot of CTI use cases (specifically, correlation across sets of reporting). (I’m not standing up to say that.)

Gary: I think we need analysis – More finished analysis – rather than raw. We don’t want to encourage that. So we want MAEC to do what it does.

Rich: Think about if you submit a Hash to VirusTotal – You get back a STIX-formatted Malware example. I’d like to see a more concrete example of that. I’d like us to understand what our To Do list is – I don’t think we are close yet.


Bret: Explained how he would have to take the material to his Product Managers and programmers.

Gary: Outlined why the companies will need the more detailed Malware Object for their analysis.

Trey: We have 3 questions – then we will go through what we have. Then, let’s look at the level of maturity needed to address this…

Jyoti: Question about Malware SDO and the Relationships. Will producers need to create the Malware Objects and links to the Indicator?

Trey: We can’t answer that question today. But we know we have to.

Ivan: Indicators have Patterns. Malware does not.

Jason: We have to figure out how we are going to get there.

Gary: I’m going to try to provide a quick answer – Out of scope – It is covered in Implementation. [Gave example] So depending upon how good your tools are… is how that would work.

Nathan: +1 to Gary’s comments.

Ivan: Gave example of how Cuckoo handles this.

Allan: Gave example of how the data from the Malware object could be used. Made a distinction between static and behavioral data and how an automated Indicator could be created.

Jason: But these are multiple different organizations. The organization producing the malware object is not the one searching for it, they’re different…. This speaks to interoperability. Allan’s approach makes sense. But it really throws a wrench in automation.

Rich: I’d like to get this to a concrete discussion on how the current properties in the Spec. Let’s see what we have, and what are missing.

Ivan: I’m not going to go through all of the properties.

Rich: In terms of context – help me prioritize – Targeting fields.

Ivan: That is tied to Infrastructure – We’ll cover later.

Rich: Gave concise summary of the Malware SDO.


Ivan: There is nothing that talks about files that are dropped.

Rich: There is no temporal dimension in there.

Trey: The reason we went through this – was to establish what fields are in scope.

Rich: Are we missing anything?

Gary: The reason I got up is to ask a question – what is classification?

Ivan: The fields and names came from VirusTotal – we need to change some names.

Gary: Embedded and dropped files are especially useful. Hashes, registry keys…

Ivan: We don’t have registry keys… that is part of behavioral analysis. Maybe we should look at Actions.

Bret: Ivan and I went through VirusTotal – Everything is there – I want to know if we need other things.

Ivan: Gave example of output from Cuckoo sandbox.

Rich: I want to push back on something – We need Actions to understand temporal aspect. We could have a property that represents that? Could we release this… without Actions as part of 2.1?

Ivan: We’ll need to deprecate some of the fields.

Rich: I’m trying to get people to think concretely about what question we are trying to answer.

Allan: When I looked at this I thought, OMG, it is way too verbose. It seems like we are deconstructing how to represent this. Why don’t we use Pattern?

Trey: We have a decision that lies before us – This is not mature – verbose. If we want to mature this to describe Malware behavior – it adds a couple of months.

Allan: Described the problems with having both Actions and Patterns in Spec. Similar grammar, then it makes it easier for everyone.

Rich: I was going to say the same thing, but better – I think this idea that the pattern grammar works against observed_data is something we need to think long and hard about. It is about Metadata that is useful.


Rich: We need to be able to match against this vs. representing the underlying data.

John-Mark: We had Pattern in 1.x that did not work well. It is the ability to create certain fields that give it this power. If we had back-references… we could do it.

Gary: The complexity of trying to develop Patterning is beyond what we can do. If you say Patterning is the same – it is too complex.

John-Mark: He said it better.

Nathan: I’m concerned about readability and searchability – Some things to consider. Process created this – as an Analyst – I’d like to be able to see.

Ivan: Some of this you could address in a GUI.

Jason: Another thing I think we should be thinking about here is the COA sequencing and/or playbook sequencing. This is another place we are trying to encode sequences of events. We should make sure that these two things align so we don’t do sequences of events in two totally different ways.

Trey: It would make sense to use the same grammar for COA Playbooks for Actions.

Bret: OpenC2 has begun to address that – We’ll talk about later with COA. To Gary’s point – Volume of data too much. Are we trying to re-invent the wheel – Let’s find out what others do, then mimic it.

Rich: Is there anyone here that believes that we MUST have Actions?

Gary: Need to, at least, have Embedded.

Rich: We think about how we would talk about it in the Spec – so in the future we can add. I still have not heard anyone in the room or online that states that we HAVE to have Actions for 2.1. We may have a candidate for inclusion – some of these types of things. Rich suggested that we use some of the summaries of the Behavioral Analysis as properties from Cuckoo.

Nathan: What about having a files property and then there are Actions underneath for things like create, read, delete, etc. Then under each category for create, read, etc. we list the files. I’m not sure that I need to know the sequence of events.

Trey: Can you join the working calls so we can flesh this out?

Rich: You already have this property called additional_analysis – Keep that. Use that.


Ivan: Ok… we’ll need more.

Bret: There are some of the companies in the TC that do this every day.

Trey: There is an MOU that has been signed between FIRST and OASIS. They are starting up a new Malware technical committee.

Bret: We need to get more SMEs involved.

Trey: It sounds like we are close – we could probably tie a bow on this in a couple of weeks.

Jyoti: Seems like the Actions in the malware could translate to investigative COA Actions.

Shawn: I’m not up to speed on STIX format – I’ll take back to the team and provide some inputs.

Trey: We need some specific examples.

Ivan: Let’s make it a goal to take to the FIRST Conference.

Trey: So, we stop working on Actions for now.

Lunch Break

***Information Exchange Project***

Paul McKitrick – Icebrg: Will introduce IEP as a sharing framework.

- Discussed the legal implications of sharing
- Noted that TLP framework is not right for threat info sharing
- Introduced FIRST Framework – IEP-SIG
  o Handling
  o Action
  o Sharing
  o Licensing
- Have a Definitions and JSON version

Discussion on IEP

Allan: Their framework is developed – we can’t mandate what the market will do.

John: We need to determine if we have overlap with our TLP – How handle in STIX.

Allan: We should add to the STIX version.

Bret: IEP supports 2 different ways of doing this. How are we going to handle in Conformance? We need to know how the full TC wants to handle IEP.


Marlon: Different sharing communities can use it – With STIX you must support TLP. If we add a reference to IEP – Optional.

Rich: Clarified that conforming STIX products must use TLP.

John: Concerned about an explosion of markings – Since FIRST has decided on the IEP we should adopt it. If we can decide what to do here – we could fix up the reference in 2.1.

Gary: We don’t want some communities to share out information that don’t know IEP. We need to have some text on how to integrate it.

Allan: It is an info sharing standard – not a policy – I don’t think it is our place to do that. We should not do it – Make a general statement – Different markings.

Rich: Should we have a straw poll? As a global standard, should we include some language about this?

Marlon: Noted also AIS.

Chris: It is most likely to become widely implemented.

Rich: To the extent that this is about Automation – this gets us closer.

Sarah: What are the workload implications?

John: Small amount of work.

Bret: About 4 hours working.

Some set-up for getting the camera to show the White Board.

***Infrastructure***

Trey: Let’s just go through the Infrastructure and brainstorm – start with a black board.

Rich: Let’s frame this.

Trey: We are just going to cover malicious Infrastructure.

Rich: When do I use an Indicator? When an Infrastructure object? Used the discussion from morning about Malware to answer that question.

Ivan: Getting to the distinction between Indicator and Infrastructure.

Sarah: I’m one of the ones that thinks there is a lot of overlap.


Bret: You need a way to categorize it – It is a degree of fidelity that we need for the Analysts. Change control that Threat Actors set up and tear down.

Ivan: Your point raises the question: What is the granularity?

Bret: If we have to use a Description field.

Ivan: What is the range of granularity?

Chris: I’ve got two Use Cases that could be used.

Rich: Who will be using the Infrastructure Object? Humans? Or Machines? How are consumers going to use it? My smart analysts in my SOC are going to click on that.

Trey: This gets back to the Location object.

Ivan: This provides that context – it goes on top of the cyber observables.

John: We have a good suggestion from VirusTotal.

Sarah: If my Indicator is a domain – What makes it unique from an Indicator? I don’t see there is a lot of extra context on top of what this is already provided.

Rich: In a string with a Pattern.

Sarah: Overlaps.

Greg: This is a valid POV – From a grammar language standpoint – Here is how we did it. You ask what it is. But, there may be a case where they are using AWS. Then, you capture that.

John-Mark: An Indicator can be more than one.

Ivan: The value of Infrastructure to me is correlation.

Bret: What does an Indicator indicate without an Infrastructure Object?

Sarah: I would just point right to a Malware object or another SDO.

Trey: What about when you work with the data – find false positives. Then gave a scenario – started with a primitive of the Indicator. Then you enrich it and correlate the data and throw it into an Infrastructure set.


Bret: Drew an image to illustrate how a Threat Actor uses Infrastructure.

Trey: This is a classic case where we need something to show how things are done today.

Bret: Is this how Analysts are thinking – or is it the limitation of the tools?

Gary: It is up to the specific analysts.

Bret: Gave an example – Put on the white board.

Sarah: Made point that parts of the diagram could be like Indicator.

Bret: It is a User Interface issue.

Jane: Made point that the grouping of the Infrastructure objects.

Allan: This conversation the last 20 minutes – 3 years ago on STIX. Gave overview of the Microsoft meeting – Every group had a different way of modelling. I would suggest that we try to keep things simple.

Trey: Why don’t we define in Relationships?

Allan: To me, simple is better right now. You’ll run into problems with people modelling things a different way. Simpler is better from my perspective.

Ivan: I think we need some place to put this.

John: I don’t think it is a good time to do this – when people model differently.

Bret: I think that we can solve some of that problem by having a Spec that developers work with.

Jason: The challenge I have with using an Indication object to model this – Longest thing.

Trey: You weren’t on the Patterning discussions. External.

Jason: I would be in favor of having a separate Infrastructure SDO. That is exactly why we need this SDO.

Sarah: Each thing is an Indicator.

Gary: Right now – there are ways to do that. What we are doing is CTI and we are trying to add context – that is why we need this.


Gary: We have temporal information in our work flow. All of that is useful.

Sarah: I’m not opposed to it – I just want to make sure that it makes sense. Don’t just make an object to make an object.

Trey: Gave example of a C2 malicious infrastructure with a take-down.

Rich: What I am hearing from people – you can go to IdaPro and have Indicators. I don’t hear anyone saying – One right and one wrong. I’m the last one that have too many objects.

Gary: That is different than what we did in 1.x. Here, you can directly tie. It is possible that you can avoid using if you don’t need it.

Rich: Could provide some Use Cases about when you use Indicators vs. when you use Infrastructure.

Bret: There are two sets of users: network defenders and the Threat Intel analysts.

Rich: Argued that there should be both SDOs.

Sarah: Asked a question.

Gary: Is it possible to use Indicator without Patterning?

Trey: No.

Rich: If you want to generally process a Patterning string. If you want to harvest IP addresses – Use the Patterning language.

Trey: Now we are making gross generalizations about the Patterning Spec.

Rich: If you don’t expect that the Indicator is in the Pattern.

Allan: Pattern grammars that can be handled by firewalls… depending upon the capability of the tool. I want to respond to Sarah’s point… that she would deprecate an Indicator. Revocation is that it is a bad Indicator. It will break things.

John-Mark: I agree with Allan – There is a first_seen and a last_seen.

Jane: Tried to get clarification on two points that Allan made.

Sarah: Discussed why she would revoke an Object – constrained by the tool.


Allan: Two different things.

Rich: Indicator is something used for detection – Infrastructure would create context. Gave example of a business case where Infrastructure is semantically connected. These are two different ways of using information that answers different questions.

Trey: We had the Arglebargle discussion – this is similar. When we had the last working call – we did the Tee Shirt discussion. How long we have been having this heated discussion.

Rich: Used an example of indicators that are part of a malicious Infrastructure. Want to make it concrete.

Gary: We don’t want to confuse the Analysts – We could use Infrastructure Set. Then showed how we could link Indicators or Infrastructure to an Intrusion Set.

Trey: Gave example of how to do this with an SRO.

Bret: Pointed to the example – I like this example – You might also have properties that further define. A great example of using an observed_data container.

Ivan: We might replace that with a Relationship to an observed data blob.

John-Mark: We had this before and it is why we created the Patterning language.

Jason: I worry about putting all of this in as observed_data.

Ivan: So, you think that people will just put it in as observed_data without an Infrastructure?

Rich: With text and examples, we could help people understand when to use the Infrastructure Object – I’ll work with some people to put together some text and examples.

John: I think we need to use some real examples.

Nathan: I would like to see the sequence of events to when you create the infrastructure after you see the Malware.

Allan: Outlined an approach to capturing this information – how to model. You need metadata and instantiation data.

Bret: +1 – I like that idea… I think that is a potential path forward – we have Relationships between these things – can have Sighting. It did this funky thing for operational efficiency. Further elaborated on Allan’s suggestion.

Page 18

Trey: It sounds like for the next step we should create an SRO, not an SDO
Bret: You’d have an SDO for the Metadata
    Then an SRO for the Instances
    We might create a special Relationship
    Indicator is a way to indicate – not to document
Trey: Couldn’t that be an Indicator?
Bret: Described how an Infrastructure SRO and SDO together would document
John: Gave example of how he would see it working
    Referred to a diagram that Trey
    [More debate on how this would work]
Bret: Also developed an idea that Infrastructure as SRO + observed_data that would
    Transform after law enforcement is involved
Jason: I hear what Bret and John are saying – Gave example of a guy sitting in a SOC
    Observed_data is how you find things
Bret: No difference from any of the other SDOs
    [Outlined a series of steps]
Jason: That is a lot of manual steps
Bret: It does not have to be manual
John: From a Use Case perspective, what do I share?
    Observed_data is important to model, because it may not end up in STIX
Bret: We have ways of doing this now – Boots on the ground
Trey: We have set a precedent that two objects can look alike but are different
John: Not all the Use Cases will use all of these elements
Ivan: Maybe we need to have a specific subset

***COA***

Jyoti: Went through the Requirements and Open Question
Chris: If you want to programmatically act on it, then OpenC2
    A lot of what we would like to use COA for would be to capture Yara
    Very few of the audience would be able to handle OpenC2 in the near future

Page 19

John: I get the difference between a single action in COA and a Playbook
Bret: COA is not going to be atomic
    Went through an example – asked Jyoti if she had any comments
Jyoti: This is a way that we represented some basic logic – then some preconditions
Bret: We don’t have some time valid fields – Jason has brought it up
Greg: I’m looking at this compared to A) SDOs and B) Bundled Relationships
    Question about Playbook
Bret: That won’t be a 2.1 or 2.2 timeframe
Rich: I am concerned… that we have just put Actions off to the future
    Is there an approach that would allow us to do this today? Without the temporal element
    If people say there is no value in having this without that logic
Trey: Gave a scenario of some firewall event – Is there a way to have control
    About what happens
Bret: Yes, there is a mediator
Jyoti: There is a controller
Trey: You did a meeting – it was a bad time for me – I’d like to see it in the future
Bret: After it officially kicks off on the 7th
Daniel: I want to make sure we don’t get ahead of our skis… I am so happy to see this
Bret: I just want to make sure there are no breaking changes
Nathan: My comment is about the concept of the COA vs. the Playbook
    [Discussion about implementation issues]
John-Mark: We need to be able to take preventive action on these COA events
Jyoti: The Analyst who would issue the COA event
John-Mark: Gave example of what they are doing – reduce human in the loop
Stephen: We’d like to see OpenC2 integrated
John: STIX is a higher-level sharing – Would it be better to incorporate OpenC2

Page 20

Jyoti: We have had this conversation – We decided to let STIX do it – Have done it well
Ivan: I’m not familiar with orchestrators – gave an example and asked how
    Remediation is done
Bret: We wrote an OpenC2 proxy to integrate with our orchestrator
    Translate into what our developers have developed with our API
    It is part of OpenC2 – I just focused on STIX
Rich: Like IEP – Important to work with
    What can we do today?
    We need a Patterning Roadmap and a COA Roadmap
Trey: Asked questions about which companies are involved with OpenC2
Allan: People should join OpenC2 and provide comments there
Gary: Do we have the right people in the room –
Bret: I represent a company that is implementing this, and Sophos and Cisco
Marlon: It seems valuable to have a description along with the other properties
Bret: I need to add to the examples
    I have a question
    If we are going to do this sequencing? Primitive Actions?
Jyoti: Also ask the room – do we need basic versioning for first version?

VOTE: Yes => 9  No => 7  Abstain => 4

Bret: Went over some of the properties in the Options in the read ahead
    Names – there are 4 options
Stephen: You have 7 days to join OpenC2 if you want voting rights
Allan: We want to go back to Compatibility issues
    3 Options

1) Keep Stub Objects
   Cover in Interop

2) Remove stub objects – new versions in 2.1

VOTE: 1 => 18  2 => 5
Then 1a => 19  1b => 2

Page 21

    It could be a useful tool in the future
    By voting for 1a, with future changes – breaking
Rich: We need to do this at the TC level
Allan: That means a breaking change – What you have agreed
Trey: Pointed out that we have Design Principles – we should be guarded about
    Making backward-breaking change – to solve a problem
    We don’t want to make this decision lightly
Bret: I am ok with a certain amount of minor breaking changes
Stephen: I agree with this –
Mark: I think that Stub Objects are a different class of Objects
    There is a bar across the entire Spec
    Stubs are different
Rich: We are not done
    Our goal is to give people a Roadmap for the next few F2Fs
    We will have a Winter one in a ski location
    Thanks to Trey for bringing the camera and making the Remote possible
    I’m going to make a bunch of assertions

ROADMAP
    TAXII – Not do Channels in 2.1
    Internationalization – We have way forward
    Malware – Way forward
    Event & Incident 2.1
    Infrastructure – I’ll take lead – need to get done in 2 weeks
    COA & OpenC2 – Not a clear way forward
    IEP – Figure out - Embedded vs. Reference
    PassiveDNS – cover with existing framework
    Actions 2.2+
    Location 2.1
    Patterning 2.2+
    Network Share 2.2+
    TAXII 2.0 Action on Digital Signatures

    I think we were able to cover a lot of items for 2.1 – that we wanted to cover
    This was a huge accomplishment
    We are going to have to turn this into things for the full TC to look at
    I think we have some of the key influencers
Rich: When you say “release” – What do you mean by that?

Page 22

Bret: CSD
Rich: We should take some scenarios and model them – Nodes and Edges
    Then share this around – that way people can comment
    Maybe we should come up with a Template
Marlon: That is something I’ve already started working on
John: We had talked about making the 2.1 very stable – Some of the conversations
    Today seemed pretty early – We’d like to have something stable
Bret: I think 2.2 may be where we stabilize
Trey: If we were going to write an O’Reilly book, we have to stop long enough to do it
Bret: So much in the backlog – we are not ready for a stable release
Jon: There were a lot of things that we didn’t understand in the Infrastructure Object
Gary: We have that now – we can collapse – Infrastructure Object container for observed_data
Rich: Other objects for 2.1
John: I’m not sure Confidence and Intel Note are useful
Bret: You are right Rich, we need to do our due diligence
John: If things need to slip, then they slip
Bret: I’d like to flag things that are function – rather than data model
Rich: Zoom works better than anything else
    [More discussion on communications platform]
    Let’s try to consolidate on one Platform
    We are thinking notionally late-September – maybe Texas
    Then, Bret and Symantec will host a meeting in Utah in late January
Bret: Symantec will host – Wednesday Jan. 31 and Feb. 1
    RSA will be in April this year - Hotels fill up fast
    Make reservations early - 2 to 3 feet of fresh snow in winter – common
    Rental cars get reserved well in advance – you have to have 4-wheel
    You can rent skis – no snowboarding
    Symantec will offer the facility and the catering
    Notice will go out from Rich soon

Meeting Terminated

*****************************************************************