CTI-TC Weekly Working Sessions


Meeting Date: December 6, 2016
Time: 15:00:00 UTC
Purpose: Weekly CTI TC Joint Working Session

Attendees: Jordan Darley Thomson Burger Taylor Jon Baker Laura [Last name not given] Davidson Kirillov Wunder - Moderator Greg Back Stephen Banghart Sanjiv Kalkar Keirstead Piazza Masato Terada - Gurney Jane Ginn - Recorder Other unidentified guests

Agenda:
1. Status update on bundle, versioning, and timestamp
2. Timestamp precision discussion
3. Patterning OTHERWISE operator
4. Topics / volunteers for STIX 2.1 and F2F
   a. Malware
   b. Infrastructure
   c. Confidence
   d. Location
   e. Incident
   f. COA
   g. Internationalization
   h. Others?

Meeting Notes

- F2F Session coming up in January. Please complete the EventBrite invite if you are going. I'll send out the invite again.
- Reviewed the status of Bundle, Versioning, Timestamps.
  - Provided an alternative approach to Timestamp.
- What would the default be?
  - Explained how it would work.
- Asked how Leap-second would work with the proposal.
  - Explained how it would work.
- I don't see how this is relevant from operational point of view.
- Discussed how Observed Data on a pattern it might be relevant.
  - Discussed why it would be important.
- Low on the list of race conditions.
- Is there anyone we have not heard from yet?
- What was the key point that made?
- I'm in car. Part of issue. We are trying to have 1 way of representing time.
- Two distinct pattern: One in Pattern and one in Observation. Explained how it would work with Pattern. Other side, is I've Observed These Events. With these, we are in the realm of nanosecond. Then may well care about this level of precision.
- When you talk about STIX Observables, people conflate the data model with SDO. Some syslog or Netflow data that the pattern will be applied against.
- I will leave that in my non-academic colleague's laps.
- We may be artificially creating a problem where one does not exist.
- If you care about a sequence of events, it is possible that this level of granularity may be required, hopefully small.
- The order of events is important; the exact Timestamp does not matter.
- I survived the first debate on Timestamp. How bad would it be to leave things as they are?
- I thought we did this in January of last year, not this year.
- I would be fine with leaving it the way it is. It will make all parties equally unhappy.
- Let's let people think about that.
- Now let's talk about Timestamp Precision. Do we need that field? Where do we need it? Right now it is on all Objects except first_seen and last_seen.
- The only thing I understand from the original debate... BTW, I hate the way we do that now. I don't understand operationally how it will work. It seems like this stems from a single Use Case. It surprises me that this is not a solved problem.
- From that perspective, does this belong on the Report object?
- Two Use Cases Delivered: Obfuscation & Uncertainty in Granularity.
- To rephrase what asked - Do we need it?
- It is easier to add than remove a field.
- I don't personally have an opinion. I believe it is optional; a compromise might be to reserve the term.
- What is the scope? Part of the Core or part of all of the Objects?
- Cyber Observable layer does not use this level of precision.
- Maybe what is proposing is the way to go.
- I don't understand from a product: does any TIP use this now? What are people doing now? How is this done, how is this used?
- I know this data is only accurate to the hour so I'll tag it.
- What does the Consumer do with this?
- I can come up with some Use Cases, but it should be promoted by those that need it.
- I think it is important when you write the report.
- I would say that people do care about that.
- I can see this as a justification: Created and modified, set by a machine. In old version, we saw this as being crafted by hand. In new version, we know when this is created. Only Use Case for obfuscation. These have to have analytical value. No disrespect to any machines on the phone.
- We have to consider these Use Cases.
- Good point. Precision stuff is human oriented.
- Why not leave those fields blank and put it in the description?
- By not putting it in a field that is meant to be parsed you are making explicit to put that in a description.
- Explained how it would work.
- When you talk about a machine parsing it, you can only know if machine is accurate. What choice do you have to bubble up to a human? There might be some other stuff but all zeroed out, then retain what is in the precision field.
- I think that feels there might be some value to this field. Only on certain Objects.
- Ok, I'll make a list where we have it now.
- Proposed another alternative: use as is today; 2nd option to use a range; 3rd option would be to break out the fields.
- I don't really like those two solutions.
- I'm not saying I like them, I'm trying to be complete.
- I'll turn over to and Issue we found on STIX Patterning. Called: along_with. Gave example of file and registry key. Separate observations. With some cases you might need to look for a process. We didn't have that ability to express these kinds of patterns. So we added a new field called otherwise in section 4.1.2.
- Can you explain the difference between or and otherwise?
- Explained how that would work. The main reason we could have kept and and or. That is the rationale we used to specify these operators. We thought it would be easier to explain in the Spec. Gave an example.
- Asked a question.
- Clarified how the example would work. We need to be able to and and or single objects. Example 6-22 is a notional example of how this would work. You need to use along with and.
- Asked for clarification.
- The granularity of and and or is single properties. The granularity of otherwise is on an expression level.
- Are we able to group?
- You can see that on the example. Wrapped with (). You could have represented this in two patterns before. This gives you the ability to do that. If we didn't have this it would limit authors. You could create as two, or one. As an author is that you should have that ability.
  - I just wanted to clarify about how it would work.
- Why are we using different terms? You also have followed_by.
  - You have to have something to order against.
- Do we really need different names? Or do we just need () and brackets? It feels like the key differentiator is level of scope, or level of abstraction. In implementation, it might be confusing. In other patterning grammar does it; it might be easier to get it wrong.
  - If you leave them the same, there is a problem. Gave example of Validator.
- Is the MITRE tool wrong? Or does the tool need to be updated?
- If I was developing a product -- used Splunk scripts as an example. If I was a Product Manager I would follow a similar modality.
- I see this as I don't care.
- As an implementer, I can see confusion. If it is a User Interface, more difficult. Other CLI-type behavior: will people be able to understand? Gave example of Firewall Rules. If someone has a particular Use Case. It seems like it is begging for confusion.
- So you would prefer just and and or?
- Explained why I could go other way. With along_with there is some ordering. I think that is why it was added. We could use and_then for ordering. A User Interface could help the User decide.
- I kind of like and_then.
  - I don't like it; too similar and lead to confusion.
- I am still at a loss why we can't just use and and or. You only have 3 operators.
  - If so many people are opposed to it, why was it not raised earlier?
- Only a few people on the calls. We are always going to get more comments on these working calls. We need to be open to taking feedback. This happens; it did happen with TAXII and now other. Hey, why wasn't that brought up sooner? We are rehashing the Timestamp debate of 2015; we all suffered through this. We can't use that argument: where were you then?
- Is the concern the terminology or the functionality? Is the main concern followed_by --- Otherwise?
- Followed_by is not the same. That was more of a secondary discussion.
- I'm getting a sense that the consensus is to go with and and or.
- I believe that was the never-mind operator.
- I had one more topic: there is a bunch of topics we need to tackle. It works better if a small group puts together a proposal. Maybe we can talk about it next week. We'll be looking for volunteers to do these topics. We are in the home stretch; let's put together some ideas for 2.1.
- I'll volunteer for Location and Intel Notes & Confidence and COA.
- If anyone has any other comments, let's discuss on the list or Slack.

Meeting Terminated
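The two points argued in the notes above, that comparison-level and/or is tested against single properties of one observation while the expression-level operator combines whole observation expressions, and that an ordering operator only has meaning when the timestamps are precise enough to order, can be made concrete with a small evaluator. The code below is an added example written for these notes; it is not text from the CTI-TC, the STIX specification, or any MITRE tool. The operator names AND, OR and FOLLOWEDBY, the precision values "hour", "minute" and "full", the observation dictionary layout and the three observations are all my assumptions, constructed for the example.

```python
"""Toy evaluator for STIX-style observation expressions (added example).

Assumptions (not taken from the meeting notes or the STIX spec text):
- A Within node applies comparison-level AND/OR to the SAME observation.
- An Across node applies AND / OR / FOLLOWEDBY to whole observation expressions.
- Each observation carries a declared timestamp precision; FOLLOWEDBY refuses to
  order two observations that are indistinguishable at the coarser precision.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Dict, List, Tuple, Union

PRECISION_RANK = {"hour": 0, "minute": 1, "full": 2}  # assumption: coarse -> fine


@dataclass(frozen=True)
class Cmp:
    """One property comparison, e.g. file.name = '...', tested on one object."""
    obj_type: str
    prop: str
    value: Any


@dataclass(frozen=True)
class Within:
    """Comparison-level AND/OR: every term must hold on the same observation."""
    op: str                      # "AND" | "OR"
    terms: Tuple[Cmp, ...]


@dataclass(frozen=True)
class Across:
    """Observation-level operator combining two observation expressions."""
    op: str                      # "AND" | "OR" | "FOLLOWEDBY"
    left: "Expr"
    right: "Expr"


Expr = Union[Within, Across]
Observation = Dict[str, Any]     # {"first_observed": datetime, "precision": str, "objects": [...]}
Match = Tuple[int, ...]          # indices of the observations that satisfy an expression


def truncate(ts: datetime, precision: str) -> datetime:
    """Drop the clock digits that the declared precision says are not trustworthy."""
    if precision == "hour":
        return ts.replace(minute=0, second=0, microsecond=0)
    if precision == "minute":
        return ts.replace(second=0, microsecond=0)
    return ts


def precedes(a: Observation, b: Observation) -> bool:
    """True only if a is strictly earlier than b at the COARSER of the two precisions."""
    coarse = min(a["precision"], b["precision"], key=PRECISION_RANK.__getitem__)
    return truncate(a["first_observed"], coarse) < truncate(b["first_observed"], coarse)


def cmp_holds(c: Cmp, obs: Observation) -> bool:
    """A comparison holds if any object in the observation has that type and property value."""
    return any(o.get("type") == c.obj_type and o.get(c.prop) == c.value
               for o in obs["objects"])


def evaluate(expr: Expr, observations: List[Observation]) -> List[Match]:
    """Return every tuple of observation indices that satisfies expr (empty list = no match)."""
    if isinstance(expr, Within):
        combine = all if expr.op == "AND" else any
        return [(i,) for i, obs in enumerate(observations)
                if combine(cmp_holds(c, obs) for c in expr.terms)]
    left = evaluate(expr.left, observations)
    right = evaluate(expr.right, observations)
    if expr.op == "OR":
        return left + right
    if expr.op == "AND":                       # both sides match, possibly different observations
        return [l + r for l in left for r in right]
    if expr.op == "FOLLOWEDBY":                # left's last observation must precede right's first
        return [l + r for l in left for r in right
                if precedes(observations[l[-1]], observations[r[0]])]
    raise ValueError(f"unknown operator {expr.op}")


def matches(expr: Expr, observations: List[Observation]) -> bool:
    return bool(evaluate(expr, observations))


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed observations for the example (not real telemetry). The third one is
# only known to the hour, as in the "accurate to the hour so I'll tag it" remark.
OBSERVATIONS: List[Observation] = [
    {"first_observed": _ts("2016-12-06T15:02:10"), "precision": "full",
     "objects": [{"type": "file", "name": "example-dropper.exe"}]},
    {"first_observed": _ts("2016-12-06T15:05:00"), "precision": "full",
     "objects": [{"type": "windows-registry-key", "key": "HKLM\\EXAMPLE\\Run"}]},
    {"first_observed": _ts("2016-12-06T15:30:00"), "precision": "hour",
     "objects": [{"type": "process", "name": "example.exe"}]},
]

FILE = Within("AND", (Cmp("file", "name", "example-dropper.exe"),))
KEY = Within("AND", (Cmp("windows-registry-key", "key", "HKLM\\EXAMPLE\\Run"),))
PROC = Within("AND", (Cmp("process", "name", "example.exe"),))


def demo() -> Dict[str, bool]:
    """Comparison-level AND fails across observations; expression-level AND succeeds;
    FOLLOWEDBY needs timestamps precise enough to order."""
    return {
        "file_and_key_same_observation": matches(Within("AND", FILE.terms + KEY.terms), OBSERVATIONS),
        "file_and_key_across":           matches(Across("AND", FILE, KEY), OBSERVATIONS),
        "file_followedby_key":           matches(Across("FOLLOWEDBY", FILE, KEY), OBSERVATIONS),
        "key_followedby_process":        matches(Across("FOLLOWEDBY", KEY, PROC), OBSERVATIONS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The last entry of `demo()` is the interesting one: the registry key was seen at 15:05 and the process at 15:30, but because the process observation is only trustworthy to the hour, both collapse to 15:00 at the coarser precision and the evaluator refuses to claim an order. Setting that observation's precision to "full" makes the same FOLLOWEDBY pattern match, which is the "order of events is important, the exact timestamp does not matter" position with the precision caveat built in.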