oasis-tcs / cti-stix2

OASIS CTI TC: Provides issue tracking and wiki pages for the STIX 2.x Work Products
https://github.com/oasis-tcs/cti-stix2

Recommended Change to Section 4.3.1, Course of Action - Properties #257

Open jordan2175 opened 3 years ago

jordan2175 commented 3 years ago

This came in via email during public review: https://lists.oasis-open.org/archives/cti-comment/202101/msg00003.html

----- Original message -----
From: Christopher Carlson chris@ctcarlson.com
To: Emily Ratliff Emily.Ratliff@ibm.com
Cc:
Subject: [EXTERNAL] Re: [cti-comment] Comment Resolution Log for STIX 2.1 CSD 05 Public Review
Date: Fri, Jan 15, 2021 12:58 PM

Here is the content that I provided:

Recommended Change to Section 4.3.1, Course of Action - Properties

Add one more Property:

Property Name: function (optional)
Type: list of type open-vocab
Description: The values for this property SHOULD come from the course-of-action-ov open vocabulary.

Add one more STIX Vocabulary to support this change: Cybersecurity Framework Function Vocabulary.
Vocabulary Name: course-of-action-ov

The course of action type vocabulary is currently used in the following SDO(s): Course of Action

The course of action type is an open vocabulary that provides a high-level characterization of the function to be provided by a Course of Action. For example, a recovery course of action improves the ability to facilitate recovery from an incident. A course of action may improve more than one course of action type, such as detecting and responding to an incident.

Values should be drawn from the NIST Cybersecurity Framework, Table 1 "Function" column shown below (document available at https://www.nist.gov/cyberframework).

[image: NIST Cybersecurity Framework Table 1, "Function" column]

The benefit of this additional information is that it can assist organizing security control improvement projects to reduce the probability of loss events.

Thanks,

Christopher Carlson C T Carlson LLC www.ctcarlson.com

jordan2175 commented 3 years ago

We talked about this and should do this via labels, extensions, or in a future version of STIX.
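As an added illustration (not code from this thread, the TC, or any OASIS tooling) of the two routes named above, the snippet below builds a STIX 2.1 course-of-action that carries the proposed function values either as prefixed labels or under a property extension, and checks them against the proposed open vocabulary. It assumes the five Function names from NIST CSF 1.1 Table 1 (the image is not reproduced on the page) and uses a hypothetical, non-OASIS extension-definition id.

```python
import uuid

# Proposed course-of-action-ov values; assumed from NIST CSF 1.1 Table 1
# "Function" column, since the issue's image is not available here.
COURSE_OF_ACTION_OV = {"identify", "protect", "detect", "respond", "recover"}

# Hypothetical extension-definition id (derived from a made-up URL), used to
# carry "function" as a property extension instead of changing the core spec.
EXT_ID = "extension-definition--" + str(
    uuid.uuid5(uuid.NAMESPACE_URL, "example.org/csf-function-extension"))


def invalid_functions(values):
    """Return the values that fall outside the open vocabulary. The vocab is
    a SHOULD, so a consumer may warn rather than reject; here we reject."""
    return [v for v in values if v not in COURSE_OF_ACTION_OV]


def course_of_action(name, functions, how="extension"):
    """Build a STIX 2.1 course-of-action carrying CSF functions either as
    labels ("csf-function:<value>") or under a property extension."""
    bad = invalid_functions(functions)
    if bad:
        raise ValueError(f"not in course-of-action-ov: {bad}")
    funcs = list(dict.fromkeys(functions))  # drop duplicates, keep order
    obj = {
        "type": "course-of-action",
        "spec_version": "2.1",
        "id": "course-of-action--" + str(uuid.uuid4()),
        "created": "2021-01-15T12:58:00.000Z",  # constructed timestamp
        "modified": "2021-01-15T12:58:00.000Z",
        "name": name,
    }
    if how == "labels":
        obj["labels"] = ["csf-function:" + f for f in funcs]
    else:
        obj["extensions"] = {
            EXT_ID: {"extension_type": "property-extension", "function": funcs}}
    return obj


def csf_functions(obj):
    """Read the function values back from either representation."""
    ext = obj.get("extensions", {}).get(EXT_ID)
    if ext:
        return list(ext["function"])
    return [l.split(":", 1)[1] for l in obj.get("labels", [])
            if l.startswith("csf-function:")]
```

Either representation round-trips through an unmodified STIX 2.1 consumer, which is the point of deferring the core-spec change.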

allant0 commented 3 years ago

We already had a COA set of changes that were removed because the TC didn't have sufficient support in implementation for that change. So if we actually agreed to this change then not only is it a material change but the rules on test/implementation would apply and it would take 120 days (or whatever the timer was) for validation that this change works sufficiently to keep it in the spec. This is exactly why the previous changes were removed and I see no reason to do this change either given the criteria for inclusion. In fact, if we add anything then I would argue to add what we did previously back in. But I'm not arguing for that either.

Future release please.