OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cti-stix message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [cti-stix] Object Level Markings


Dave,


Great comments and questions.....   Let me try and fill in some of the gaps....  Yes, in STIX 2.0 we will have two types of relationships....  And as a general rule most everything will use a relationship in STIX 2.0.  Nested content in STIX 1.x proved to be a bad design in the wild.  


1) Embedded references (like created_by_ref and object_markings_ref).  These references are "facts" that will be known to the TLO.  However, like you said, a consumer may not have the reference yet, or may not have access to the referenced object.  For data markings we say, that if you do not have the object_markings_ref object, and you can not get it via another TAXII call, than you MUST stop processing the TLO.  In the real-world, you will have out-of-band gates that prevent you from ever sharing threat intelligence with someone that does not have access to the same the data-markings that you have access to.  


2) Relationship Objects.  These relationships are used for assertions or opinions about things.  So if you link an Observation to a Campaign, or an Incident to an IntrusionSet, you would use one of these external relationships to link it together.  This will allow you, in the future, to place a confidence score on your assertion that these two things are related.  It will also allow in the future for others to potentially down-vote your assertions.  


Bret  




From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Dave Cridland <dave.cridland@surevine.com>
Sent: Sunday, June 12, 2016 7:09 AM
To: cti-stix@lists.oasis-open.org
Subject: [cti-stix] Object Level Markings
 

Hi folks,

I'm a newcomer to this TC (and indeed OASIS), so you'll have to forgive me if I'm missing something, or retracing your steps, or going about things to wrong way.

The current section 6.5 appears to discuss aspects of object level markings, and suggests these might cover both legal permissioning (such as Copyright), and MAC systems (such as security labelling). Mixing the two is interesting - I hadn't considered this but it makes sense.

Also, the system operates by reference. This is going to be very difficult to manage, and is traditionally avoided in most cases. This is especially true if the referenced label data for the marking is not present within the same transmission, since automated tooling for MAC will become extremely complex (and complexity begets unhappy accreditors).

Has the group considered prior art in this space? I'm thinking particularly of XMPP's XEP-0258, but others may also apply. I'm particularly keen to ensure that multipolicy systems will work effectively, since I see that as being very likely in the CTI world shortly.

As for multiple orthogonal rules - I don't understand where precedence comes into this. Taking Copyright as an example, if one derives a work from an existing work, the copyright changes, and the license may also change - I don't see the benefit in including a list of previous copyright notices, and then having the systems decide which one applies.

I would expect that every marking present would need to be adhered to (some might not be practical to adhere to programmatically, of course). But you can't share something, say, UK SECRET, no matter what the copyright notice says - and vice-versa, an unclassified document cannot be shared if the copyright license is not available.

Happy to discuss this further, or or out of any particuar call.

Dave.



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]