cti-stix message



Subject: FW: [cti-users] STIX/TAXII: created_by property?


Posting to Eric directly and member list as it appears my post to the cti-users list was denied.

 

Allan Thomson

CTO

+1-408-331-6646

LookingGlass Cyber Solutions

 

From: Allan Thomson <athomson@lookingglasscyber.com>
Date: Wednesday, July 26, 2017 at 8:10 AM
To: Eric Spiegelberg <eric@graphaware.com>, "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: Re: [cti-users] STIX/TAXII: created_by property?

 

Eric – created_by is an optional field in the standard as there may be certain use cases that do not require it.

 

However, the Interoperability subcommittee have defined many use cases for sharing intelligence where the created_by field is defined by the creator of the intelligence that is ‘providing’ the intelligence and therefore the field is filled in with the organization sourcing the content.

 

I encourage you to check out the interoperability documents that describe how this content (and other STIX fields) is intended to be used and validated by interoperable products.

 

If you have any additional questions please let us know.

 

 

Allan Thomson

CTO

+1-408-331-6646

LookingGlass Cyber Solutions

 

From: "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org> on behalf of Eric Spiegelberg <eric@graphaware.com>
Date: Wednesday, July 26, 2017 at 8:05 AM
To: "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: [cti-users] STIX/TAXII: created_by property?

 

Hello.

 

My company, Graphaware, has become interested in cybersecurity and has been following STIX and TAXII for some time. While our core expertise lies in graph databases, such as Neo4j, as professional software developers we are exploring the implementation of the STIX and TAXII specs.

 

I have a few questions on the created_by_ref property of STIX objects and am hoping this group can provide some insight.

 

1) When a STIX object is created, is the created_by property typically sent by the client (the creating entity), or is it typically omitted by the client and instead assigned by the TAXII server as part of the STIX object creation?

 

If the created_by property is typically sent by the creating client, how does the TAXII server know it can trust the client to provide a valid value? Does the fact that the client must be authenticated and authorized to the TAXII server establish the trust that the client will not submit invalid/misleading/malicious STIX data?

 

If the created_by property is not typically sent by the creating client, is it recommended that the TAXII server make use of the currently authenticated user to populate this information on the STIX object? For example, if client A publishes the creation of a new STIX object and omits the created_by property the TAXII server will modify the incoming STIX object and assign a created_by property that points to client A.

 

2) Do the STIX/TAXII specs provide any guidance on created_by_ref value validation? For example, let's say that a client A, a successfully authenticated and authorized client, creates a STIX object with a created_by property with a value of “client_B_id”. Yet, let’s say that this STIX/TAXII implementation does not have any data about client B. Would the creation of this STIX object, whose created_by_ref is essentially unknown to the system, be allowed? While I can see the creation needing to be allowed, particularly in the case where STIX data is “merely” being republished by a peer TAXII server, this scenario would create dangling data that references entities that are unknown within the system. From the view of data integrity, this would be bad, but from the view of flexibility and exchange of free form information, this would be good. Do the STIX/TAXII specs or this group have any opinion as to which way a compliant STIX/TAXII implementation should go?

 

Thanks,

Eric



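As an added example (not code from this thread, from OASIS, or from any TAXII product), here is one way a TAXII server could apply the created_by_ref handling Eric asks about: populate a missing reference from the authenticated client, accept references to known identities, and either reject or flag references to identities the server has never seen. The policy choices, the function names, the `strict` switch and the sample identifiers are all assumptions constructed for illustration.

```python
import re

# STIX 2.0 identifiers are "<type>--<UUIDv4>"; this pattern checks the
# identity form so a malformed reference is rejected before any lookup.
IDENTITY_REF = re.compile(
    r"^identity--[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$"
)


def check_created_by_ref(obj, client_identity_id, known_identities, strict=True):
    """Decide how a TAXII server treats created_by_ref on an incoming object.

    Returns (accepted, reason, normalized_object). Policy (an assumed one,
    not text from the STIX/TAXII specs):
      * omitted ref           -> fill in from the authenticated client
      * ref == client identity -> accept
      * ref in known identities -> accept (covers republished peer content)
      * ref to unknown identity -> reject when strict, else accept and flag
    """
    out = dict(obj)  # never mutate the caller's object
    ref = out.get("created_by_ref")
    if ref is None:
        out["created_by_ref"] = client_identity_id
        return True, "populated-from-auth", out
    if not IDENTITY_REF.match(ref):
        return False, "malformed-identity-ref", out
    if ref == client_identity_id or ref in known_identities:
        return True, "known-identity", out
    if strict:
        return False, "unknown-identity", out
    out["x_dangling_created_by_ref"] = True  # assumed custom marker for review
    return True, "dangling-ref-flagged", out


# Constructed sample identities and object (not real identifiers).
CLIENT_A = "identity--2d1c6ab3-5e4f-4a1b-9c3d-7e8f90a1b2c3"
CLIENT_B = "identity--0f1e2d3c-4b5a-4968-8776-655443322110"
KNOWN = {CLIENT_A}
INDICATOR = {"type": "indicator", "id": "indicator--PLACEHOLDER", "name": "demo"}


def demo():
    """Run the four cases from the question and return their decision reasons."""
    cases = [
        check_created_by_ref(INDICATOR, CLIENT_A, KNOWN),
        check_created_by_ref({**INDICATOR, "created_by_ref": CLIENT_B}, CLIENT_A, KNOWN),
        check_created_by_ref({**INDICATOR, "created_by_ref": CLIENT_B}, CLIENT_A, KNOWN, strict=False),
        check_created_by_ref({**INDICATOR, "created_by_ref": "identity--not-a-uuid"}, CLIENT_A, KNOWN),
    ]
    return [reason for _, reason, _ in cases]
```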