OASIS Mailing List Archives

cti-stix message


Subject: Re: [cti-stix] Information Exchange Policy (IEP) Framework


+1

On Thursday, 28 July 2016, Terry MacDonald <terry.macdonald@cosive.com> wrote:
Hi All,

The FIRST Information Exchange Policy (IEP) Special Interest Group has recently completed version 1.0 of the IEP Framework. The IEP was developed with STIX compatibility in mind, and is a JSON-based Framework allowing content producers to specify restrictions for threat intelligence Handling, Action, Sharing, and Licensing (HASL).

I believe that the IEP should be added to the list of Data Marking Examples in STIX 2.0, to enable content producers to better define how their threat intelligence can be used. IEP support has already been added to MISP, and we believe that adding an example to STIX 2.0 documentation will help vendors understand how to use IEP most effectively.

The section that I have supplied for inclusion is below. Can you please indicate if you do or do not support the addition of this example in the STIX document? I firmly believe that this is crucial to supporting effective automated threat intelligence exchange.

----------------------
Suggested STIX document content

9.1.6. Information Exchange Policy Marking Object Type

The information exchange policy marking type sub-object defines how you would represent an Information Exchange Policy (IEP) using the FIRST Information Exchange Policy Framework. Information Exchange policy marking types do not override each other.


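| Property Name         | Type   | Description                                                                        |
|-----------------------|--------|------------------------------------------------------------------------------------|
| type (required)       | string | The value of this field MUST be iep-marking.                                       |
| iep-policy (required) | string | An IEP policy statement applied to the content marked by this marking definition. |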

9.1.7. Examples

{
 "type": "marking-definition",
 "id": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
 "created": "2016-08-01T00:00:00Z",
 "modified": "2016-08-01T00:00:00Z",
 "version": 1,
 "definition": {
   "type": "iep-marking",
   "iep-policy": {
     "id": "01bc4353-4829-4d55-8d52-0ab7e0790df9",
     "must-encrypt-transit": true,
     "must-encrypt-rest": true,
     "actions": "no action",
     "redistribution": "external trusted partners",
     "redistribution_ext": {
       "vocab_id": "http://us-cert.org/tlp-vocab",
       "value": "red"
     },
     "attribution": "must not attribute",
     "obfuscation": "must obfuscate source",
     "commercial-use": "allowed",
     "terms-of-use": "TOU text",
     "start-date": "2016-01-31 10:09:00",
     "end-date": "2017-01-31 10:09:00",
     "reference": "https://www.mycompany.com/myieppolicy",
     "version": 1
   }
 }
}



---------
Further details:

FIRST realized that the Traffic Light Protocol only allowed producers to communicate basic sharing restrictions to the recipients of data. It covered the basic Sharing policy, but didn't address the Action, Handling, or Licensing restrictions at all.

The timely distribution of sensitive information will only thrive in an environment where both producers and consumers have a clear understanding of how shared information can and cannot be used, with very few variations of interpretation.

FIRST members realized that the industry needed an Information Exchange Policy that would provide organizations who create threat intelligence content with a richer ability to inform their recipients of how they may use the intel they receive.

Thus the FIRST Information Exchange Policy Framework was born.

The IEP framework is structured as 4 Policy Groups that act as high-level categories which are intended to encapsulate the majority of individual policy statements one would require. Four policy types are supported: Handling, Action, Sharing, and Licensing (HASL).
  • HANDLING policy statements define any obligations or controls on information received, to ensure the confidentiality of information that is shared.
  • ACTION policy statements define the permitted actions or uses of the information received that can be carried out by a recipient.
  • SHARING policy statements define any permitted redistribution of information that is received.
  • LICENSING policy statements define any applicable agreements, licenses, or terms of use that govern the information being shared.
-----

Cheers

Terry MacDonald | Chief Product Officer
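
A consumer-side check for the marking object proposed in the message above, as an added example that is not part of the original email or of the STIX or FIRST IEP specifications. It assumes `iep-policy` is a JSON object as in the message's example, that the timestamps are UTC, and that a missing flag or a date outside the window means refusal; `evaluate` and its parameters are hypothetical names, and the sample is constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample, modelled on the field names used in the proposal.
SAMPLE = json.loads("""
{
  "type": "marking-definition",
  "definition": {
    "type": "iep-marking",
    "iep-policy": {
      "must-encrypt-transit": true,
      "must-encrypt-rest": true,
      "start-date": "2016-01-31 10:09:00",
      "end-date": "2017-01-31 10:09:00"
    }
  }
}
""")

def _parse(ts):
    # Assumption: the timestamps carry no zone, so they are read as UTC.
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def evaluate(marking, now, encrypted_transit, encrypted_rest):
    """Return the reasons handling is refused; an empty list means permitted."""
    problems = []
    definition = marking.get("definition")
    if marking.get("type") != "marking-definition" or not isinstance(definition, dict):
        return ["not a marking-definition object"]
    if definition.get("type") != "iep-marking":
        problems.append("definition.type must be iep-marking")
    policy = definition.get("iep-policy")
    if not isinstance(policy, dict):
        return problems + ["iep-policy missing or not an object"]
    # Fail closed: an absent or non-boolean flag is treated as "must encrypt".
    if policy.get("must-encrypt-transit") is not False and not encrypted_transit:
        problems.append("transit encryption required")
    if policy.get("must-encrypt-rest") is not False and not encrypted_rest:
        problems.append("encryption at rest required")
    try:
        start, end = _parse(policy["start-date"]), _parse(policy["end-date"])
        # Assumption: outside start-date..end-date the policy grants nothing.
        if not start <= now <= end:
            problems.append("outside policy validity window")
    except (KeyError, TypeError, ValueError):
        problems.append("validity window missing or unparseable")
    return problems
```
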







