finos / common-cloud-controls

FINOS Common Cloud Controls
https://www.finos.org/common-cloud-controls-project

August 17th 2023 Common Cloud Controls - Engage with MITRE Threat Catalogue #5

Closed mcleo-d closed 10 months ago

mcleo-d commented 1 year ago

Common Cloud Controls - Engage with MITRE Threat Catalogue

Date

August 17th 2023 - 10am ET / 3pm BST

Untracked attendees

Meeting notices

Agenda

Decisions Made

Action Items

Zoom info

Join Zoom Meeting https://zoom.us/j/98254617376?pwd=aGV6VzZQOTg3MHptY0tkZHRVSUsxUT09

Meeting ID: 982 5461 7376 Passcode: 305874



Find your local number: https://zoom.us/u/acPjHdY2IO

mcleo-d commented 1 year ago

@git-hub-forwork1 👋🏻

Can the following question be added to the session AOB from #2 ...

Many thanks.

James.

mcleo-d commented 1 year ago

James McLeod / FINOS

AdrianHammond commented 1 year ago

Hi All 😄 Adrian Hammond / Red Hat

rowan-baker commented 1 year ago

Rowan Baker / ControlPlane

git-hub-forwork1 commented 1 year ago

Jason Nelson - Citi

kennydunn72 commented 1 year ago

Hey. Kenny Dunn / NatWest

aric-rosenbaum commented 1 year ago

Aric Rosenbaum / Red Hat

valmihai commented 1 year ago

Valentin Mihai / Google

abdullahsaf commented 1 year ago

Abdullah Ali / Citi

mark-rushing commented 1 year ago

Mark Rushing/Citi

eddie-knight commented 1 year ago

👋 :shipit: Eddie Knight / Sonatype

eddie-knight commented 1 year ago

The project goal for the next couple calls is to determine what the group wants to contribute on and who would like to lead each effort. This will include a walkthrough from project leadership to get everyone up to speed on how the current proofs of concept have been designed and created.

In 30-60 days the goal is to have some kind of demo output, with the ability to demo after 60 days and begin iterative development based on feedback in the weeks after.

mcleo-d commented 1 year ago

William Cheung via Zoom Chat - How is MITRE compared with other Threat Catalogues such as CISA’s Known Exploited Vulnerabilities Catalog, ENISA’s Threat Taxonomy or OSA’s Threat Catalog? Or in other words, why MITRE?

git-hub-forwork1 commented 1 year ago

William Cheung via Zoom Chat - How is MITRE compared with other Threat Catalogues such as CISA’s Known Exploited Vulnerabilities Catalog, ENISA’s Threat Taxonomy or OSA’s Threat Catalog? Or in other words, why MITRE?

Known Exploited Vulnerabilities Catalog is interchangeable with the NIST NVD and does not provide the same context as MITRE does towards attack path. Also, this is just a bug report and not procedures based on verifiable actions.

OSA’s Threat Catalog is a mapping exercise with pictures back to a NIST Special Publication document. MITRE is an action-based description. It is up to the user to put into the context for their specific use case what the impact is and what actions to take. The challenge with this one is that it is just referential to an existing document that does not have specific guidance on how to assess the technology and validate if it is protected outside of a configuration check or a people process that is not defined in the NIST document.

ENISA’s Threat Taxonomy is more COBIT like and very vague. It does not address what (technique) or specific how (procedure) like MITRE does.

Overall, this project wants to make use of something (MITRE ATT&CK) that is maintained and curated independent of our project (CCC) and modify an existing bit of work from NIST (OSCAL) so that we can create new content that describes how to perform the assessment/validation of the known threat (defined by MITRE).

My assessment of the project above is not stating an opinion of usefulness or quality; it is just giving justification towards why I think MITRE is most appropriate for this project.

dduet66 commented 1 year ago

Don Duet / Concourse Labs