CTI STIX SC Monthly Meeting www.oasis-open.org CTI STIX SC Monthly Meeting September 30, 2015

Agenda STIX 1.2.1 specs STIX 2.0 Open discussion if time allows Status www.oasis-open.org Agenda STIX 1.2.1 specs Status Next Steps STIX 2.0 Use Cases Issue Trackers Open discussion if time allows

STIX 1.2.1 specification status Full multipart specification drafts completed and submitted for SC review – 9/24/15 SC review goals focused on SC member awareness of specification form and content SC member familiarity with OASIS format Identify editorial issues NOT focus on substantive issues STIX SC review period ends 10/2/15 STIX Version 1.2.1 Part 1: Overview. STIX Version 1.2.1 Part 2: Common. STIX Version 1.2.1 Part 3: Core. STIX Version 1.2.1 Part 4: Indicator. STIX Version 1.2.1 Part 5: TTP. STIX Version 1.2.1 Part 6: Incident. STIX Version 1.2.1 Part 7: Threat Actor. STIX Version 1.2.1 Part 8: Campaign. STIX Version 1.2.1 Part 9: Course of Action. STIX Version 1.2.1 Part 10: Exploit Target. STIX Version 1.2.1 Part 11: Report. STIX Version 1.2.1 Part 12: Extensions. STIX Version 1.2.1 Part 13: Data Marking. STIX Version 1.2.1 Part 14: Vocabularies. STIX Version 1.2.1 Part 15: UML Model. Uml Model Serialization XMI files Diagrams

STIX 1.2.1 specification next steps Review any SC review comments and make appropriate modifications Call a vote for SC approval of specification drafts Repackage and upload content to TC internal site Notify TC chair that specification drafts have been approved by SC TC chair calls a TC meeting so a vote can be held to approve them as a Committee Specification Public Review Draft TC will follow process for issuing as a Committee Specification Public Review Draft including 30 day public review period After 30 day public review period TC will dispose of any comments then call for a TC Special Majority Vote to approve the documents as a Committee Specification. At this point STIX 1.2.1 will be official TC will likely continue further progression as an OASIS Standard

STIX 2.0 Will officially kickoff once 1.2.1 specs handed off to TC (hopefully next week) We will need to select editors Deliberative process will begin Use Cases Issue Trackers

Use Cases Need for high-level use cases to understand and scope the domain we are looking to serve Need for more detailed use cases to understand specific information needs to drive to structural decisions Reality Check: the infosec domain relying on CTI is non-trivial and WILL involve a substantial number of use cases

Use Cases We will need everyone to be involved in identifying, fleshing out, discussing and deciding on use cases This will be done using the STIXProject/use-cases wiki on github Separate wiki page for each use case using simple template similar to one used across SCs

Use Case Template Use case title (replace with your title) Abstraction Level (High, Medium or Low): High (replace with your value) Related Use Cases: Related use case (replace with your content) Description: Use case objective and flow description (replace with your content) Stakeholders/Goals: Stakeholder: Stakeholder description (replace with your content) Goal: Goal description (replace with your content) Preconditions: Precondition description (replace with your content) Dependencies: Dependency description (replace with your content) Main Success Scenario: Scenario description (replace with your content)

Use Cases Wiki home page contains template as well as initial taxonomy of high-level use cases and more fleshed out taxonomy of more detailed use cases Current taxonomies are a starting point based on community identified use cases that have resulted in the current expressivity and capability that is in STIX today Caveat: the taxonomies are NOT complete. Please add as appropriate Caveat: the large majority of use cases in the taxonomy are currently only titles and need iteratively fleshed out When editing existing use cases please try to add your thoughts with attribution rather than just changing others content

Use Case Scoping Considerations Scoping decisions will likely be part of use case analysis Proposed additions Proposed removals We will need to agree on criteria for these decisions Proposal: Bias towards status quo Clear justification and rough consensus needed to add new considerations (work) Clear justification and strong consensus needed to remove existing capability (break things for people depending on these capabilities)

Issue Trackers Immediate need for SC members to conduct their own triage of current issue trackers Add new entries for desired issues not covered Add comments to existing issues Identify issues you think should be in scope for 2.0 Assert your prioritization of issues by importance After 2.0 kickoff we can analyze/normalize issues identify initial consensus scoping map to use cases prioritize based on importance and dependence focus on 1-3 issues at a time

Reminder of STIX SC work processes Under formal governance our work will need to be open, deliberative, ordered and tracked. Encourage ideas and discussion but caution that consensus and decisions will need to follow process. Please keep talking. :-) Encourage contributions beyond just thoughts As work product efforts are stood up, editors will be needed Contributions of use cases, conceptual models, schema structures, normative or informative language suggestions, test data, etc. will be invaluable to collaborative progression MITRE folks will continue to be involved but we will need a broader base of active contributors going forward

Next meeting Wednesday, October 21st @ 2:00pm EDT