STIX2 / TAXII2 In Practice- 2.5 hours of content

[treyka]

• Leveraging STIX2 for Modelling TI
  • Key things to consider when your modelling (~30 min)
  • Specific examples of:
  • intel report to stix model (~10 min)
  • indicators vs sightings and why (~10 min)
  • how to model common uses for mitigation leveraging pattern grammar (~20 min)
• Using python-stix2 tutorial/implementation guidance (~30 min)
  • Programming using the OASIS Open libraries

[ikiril01]

I believe we already have some slides we can use for (at least as a starting point):

• Intel report to STIX model
• Indicators vs sightings and why

Also, we can probably create some slides based on the examples in https://oasis-open.github.io/cti-documentation/stix/examples

[ikiril01]

For the python-stix2 stuff, we can probably reuse much of the content on RTD: https://stix2.readthedocs.io/en/latest/

[ikiril01]

We should also try to break down each topic by time, to give us a rough idea of how much content we'll need - I took a stab at doing so in the top comment

[treyka]

I'm working on updating the Jupyter notebook...

[ikiril01]

Slide deck here: https://docs.google.com/presentation/d/1Op4921a15aFzOeIaE-nYKdHR0LszQlQqiGOJ5BFy2g0/edit?usp=sharing

[ikiril01]

As a secondary modeling exercise/presentation, we may want to think about incorporating the work done by Palo Alto on Oilrig: https://researchcenter.paloaltonetworks.com/2017/12/unit42-introducing-the-adversary-playbook-first-up-oilrig/

[johnwunder]

Trey and I talked through an agenda for a 1hr developer session (to follow the modeling stuff).

• TAXII 2.0 (20 minutes)

  • Discovery
  • API Root
  • Queries for data
  • Adding data

• STIX 2.0 (20 minutes)

  • Indicators/patterning, translator
  • Sightings of indicators
  • Intrusion sets / attack patterns
  • Relationships

• STIX 2.1 (20 minutes)

  • Opinions from Perch
  • i18n exercise
  • Issuing an opinion against a relationship between campaign and intrusion set