CTI-TC. Monthly Meeting UPDATE ON MVP RELEASE FOR DRAFT SPECIFICATIONS. Session #1: 15:00:00 UTC July 21, 2016*

Transcription

1 Session #1: 15:00:00 UTC July 21, 2016* CTI-TC Monthly Meeting Session #2: 01:00:00 UTC July 22, 2016* UPDATE ON MVP RELEASE FOR DRAFT SPECIFICATIONS * Attendance at either Session #1 or Session #2 Counts Towards Voter Eligibility

2 CTI-TC July Meeting: Agenda Kick-off Session Richard Struse, Chair - Status on CybOX OASIS STIX Update John Wunder & Aharon Chernin Editor Notes Bret Jordan CybOX Update Ivan Kirillov & Trey Darley TAXII Update Bret Jordan & Mark Davidson Borderless Cyber Training Trey Darley Other Items?

3 STIX Update SCHEDULE FOR REVIEW OF PDF VERSION TRANSITION TO OASIS

4 Top Level Objects STIX 2.0

5 STIX Data Object (SDO) Summary (1 of 4)

6 SDO Summary (2 of 4)

7 SDO Summary (3 of 4)

8 SDO Summary (4 of 4)

9 Action Item: Review the Draft! If at all possible, review the drafts now! Review Guidelines: 1. Is it easy to understand how STIX works? 2. Could you create a STIX document after reading the specification? 3. Is the set of objects we included correct? 4. For each object, is the set of properties correct? 5. Is the set of relationships correct? 6. Could you implement a tool to produce and consume STIX? Get the drafts: Google Docs Word documents attached to PDFs attached to and uploaded to documents archive Talk to a co-chair or editor if you re having problems

10 STIX 2.0 Roadmap 18 July: STIX 2.0 Draft 1 Released (2 Week TC Comment Period) 25 July: (if necessary) STIX 2.0 Draft 2 Released (Continue Comment Period) 29 July: STIX 2.0 Documents Frozen; End of Comment Period 1-5 August: Documents moved to OASIS Templates Early August: Open ballot to approve STIX 2.0 as Draft Committee Specification 30 Day TC Comment Period Early September: Address comments and open ballot to approve STIX 2.0 as Committee Specification 30 Day Public Comment Period Oct-Nov: Approve STIX 2.0 as Committee Specification STIX 2.1+ August: Begin work on STIX 2.1

11 CybOX Update SCHEDULE FOR REVIEW OF PDF VERSION TRANSITION TO OASIS

12 CybOX Core Update Ready for review! Major recent changes IDs now defined in the CybOX Container Actions postponed to winter release Minor recent changes Lots of polishing and tweaking of text to be more normative Added section headings and numbering a la STIX Moved in Objects extension section from Objects spec { "type":"cybox-container", "spec_version":"3.0", "objects":{ "0":{ "type":"ipv4addr-object", "value":" " }, "1":{ "type":"network-connection-object", "dst_ref":"0" } } }

13 CybOX Objects Update Message Object moved out to post-mvp Message Object defined for July release Needs review! Network Objects review/refactoring Certain relationships moved to post-mvp redirects_to, resolves_to on URL and Domain Name Objects Ready for review! { "type":" -message-object", "header":{ "from_ref": "0", "subject" : "Open me!!!" } } Host-based Objects review/refactoring On-going, ETA July 22nd

14 CybOX Patterning Update Ready for review! Recent changes LOTS of cleaning up of text to make it more normative Addition of Implementation section Helps clarify that not ALL of the language has to be implemented by consumers Updated ANTLR grammar Now coincides with defined operator set Added more examples Slated to be a separate work product, versioned at 1.0, under the CybOX SC for the July MVP release artifact-object:mime-type = 'application/vnd.tcpdump.pcap' AND artifact-object:payload MATCHES /Zm9vYmFy/ POC pattern parsing and matching tool forthcoming

15 Post MVP-Release Activities Planned Winter release feature planning Which features that didn't make the cut for July should make it into the winter release? Objects? Actions? JSON schema development To be published on GitHub Future point release planning Focused on new CybOX Objects Mobile Objects Digital Forensics Objects SCADA Objects Etc.

16 TAXII Update SCHEDULE FOR REVIEW OF PDF VERSION TRANSITION TO OASIS

17 TAXII Protocol Status Key Features HTTP RESTful Design Optional DNS SRV Record Discovery Authentication Build In Support for Trust Groups Defined server Discovery URL

18 TAXII Protocol Status TAXII 2.0 support the TAXII 1.1 concepts of Data Collections and Data Feeds through: Request / Response Repository Publish / Subscribe Channels

19 Interoperability RSA2017 DEMO UPDATE & OASIS PLANS FOR INTEROP APPROACH

20 OASIS Plan for System-Wide Interop Self-Certification Program Plan Align with OASIS Uncontrolled Self-Certification Approach Minimal TC Test Material Set of Guidelines Candidates Post Results CTI TC Specific Guidelines OASIS TC Member References Defined Basic STIX & TAXII Capabilities High Level STIX Profile Support

21 OASIS CTI Training la limited number of places are still available for the OASIS Introduction to Cyber Threat Intel Sharing with STIX, TAXII, and CybOX one-day training course scheduled 06 September in Brussels. Terrific opportunity to get up and running with STIX 2.0, CybOX 3.0, and TAXII 2.0! Details available here: