
cti-stix message



Subject: Re: [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]


Re: "I very much like the idea of adding support for the MISP taxonomies..." KEWL!


"...but I still think that confidence should be a numerical value.

I would like to see a way that the admiralty scale taxonomy can be mapped to a numerical equivalent. That way if someone wants to use a different taxonomy because the admiralty scale is either too broad or too narrow, they are free to do so, because we are not directly mandating it be used."

[Musings: ]

One approach would be to simply define and publish a MISP taxonomy with whatever numeric scale(s) you wish (presumably consensus driven).  I've seen good arguments for 1-5, 1-100, and even "0.000" to "1.0" for probability based metrics.  Same sort of arguments for "H", "M", "L"  Confidence vs. Numeric.  

Note that I'm not arguing for one or the other, I'm arguing for flexibility if we can manage same with a very well defined, non-subjective, set of conventions/rules.


[Thinking outside the litter box:]

Transformations of data from one representation to another are going to be required in many common scenarios. For example, if someone has an internal COTS Trouble Ticketing System X that uses "H", "M", "L" and the data for that parameter comes in a numeric 1-100 form, you're going to have to map/transform the data sooner or later. If we instead accept this as a fact of life and frame out a central transformation architecture, we can provide a consistent framework and repeatable processes all can leverage.

I have some concepts I want to propose (when they're fleshed out and documented). The basic concept is to add a series of Transformation, Tokenization, Redaction, Testing, etc. services to the TAXII Architecture Specification. These functions could be applied to data transiting a TAXII "Transport Only" Gateway, or run as REST Services on a TAXII Repo/TAXII EndPoint.

I'll use the multi-ISAC collaboration through a third party like the National Council of ISACs (NCI) as an example. Each ISAC has its own variants on rules regarding TLP, data handling/marking. ISAC A requires that data it sends to other ISACs via NCI is marked one TLP Level higher once it leaves ISAC A's COT (Community of Trust). This transformation rule would be applied at ISAC A's Central COT TAXII Gateway that inter-exchanges data with NCI and other external parties.

For example, if there was a convention that all individual ISAC TLP markings get a "bump" when transiting the NCI central TAXII Services, that would be applied centrally. Similarly, NCI acting as a central trusted third party may need to arbitrate variants between ISACs on rules regarding TLP, data handling/marking. By providing a modular TAXII Services architecture for integrating a series of Transformation, Tokenization, Redaction, Testing, etc. services into the TAXII Transit Gateways, TAXII Repositories, and TAXII End-Points we can do some very powerful things, including addressing many of the concerns/requirements we've been discussing.

By integrating these functions into the fabric of "Our Thing" (in the TAXII Services Framework) we can crowd source the development of shared solutions to common problems and apply them consistently across the ecosystem.

I've been playing around with this to test/validate the Tokenization Concepts proposed to the Community (https://www.linkedin.com/pulse/case-automated-cyber-threat-intelligence-tokenization-patrick-maroney).

It probably sounds more complex than it is.

However, I won't be ready to formally "pitch" this concept until we can test against reference implementations once we get the Next Generation RESTful TAXII servers up and running.


Patrick Maroney
President
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org
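The two transformation rules discussed in this thread, mapping an admiralty-scale credibility value onto a numeric confidence (with H/M/L and probability renderings of the same number) and "bumping" a TLP marking one level when data leaves a Community of Trust, are small enough to show in code. The following is an added illustration written for this archive page; it is not code from the thread, from MISP, or from any TAXII implementation. It assumes MISP's machinetag syntax (`namespace:predicate="value"`), the four TLP 1.0 levels in WHITE < GREEN < AMBER < RED order, and a constructed, purely illustrative mapping of information-credibility values 1-6 onto a 0-100 scale; the H/M/L band thresholds are likewise constructed, not a published convention.

```python
"""Gateway-side confidence and TLP transformation rules (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# TLP 1.0 levels, least restrictive first. A "bump" moves one step to the right.
TLP_ORDER = ["WHITE", "GREEN", "AMBER", "RED"]

# CONSTRUCTED mapping of admiralty-scale information-credibility values
# (1 = confirmed ... 6 = cannot be judged) onto a 0-100 confidence. The
# numbers are illustrative only; a real deployment would publish its own
# taxonomy for this, as the thread suggests. "6" carries no confidence.
CREDIBILITY_TO_NUMERIC: Dict[str, Optional[int]] = {
    "1": 95, "2": 75, "3": 50, "4": 25, "5": 5, "6": None,
}

# CONSTRUCTED H/M/L bands over the same 0-100 scale (label, lower bound).
HML_BANDS = [("H", 67), ("M", 34), ("L", 0)]

# MISP machinetag: namespace:predicate or namespace:predicate="value"
MACHINETAG = re.compile(r'^([^:]+):([^=]+?)(?:="([^"]*)")?$')


def parse_machinetag(tag: str) -> Tuple[str, str, Optional[str]]:
    """Split a machinetag into (namespace, predicate, value-or-None)."""
    match = MACHINETAG.match(tag.strip())
    if not match:
        raise ValueError(f"not a machinetag: {tag!r}")
    namespace, predicate, value = match.groups()
    return namespace.lower(), predicate.lower(), value


def credibility_to_numeric(value: str) -> Optional[int]:
    """Map an information-credibility value to the constructed 0-100 scale."""
    if value not in CREDIBILITY_TO_NUMERIC:
        raise ValueError(f"unknown information-credibility value {value!r}")
    return CREDIBILITY_TO_NUMERIC[value]


def numeric_to_hml(score: int) -> str:
    """Render a 0-100 confidence as H/M/L using the constructed bands."""
    if not 0 <= score <= 100:
        raise ValueError("confidence must be within 0-100")
    for label, floor in HML_BANDS:
        if score >= floor:
            return label
    return "L"  # not reached: the last band has floor 0


def numeric_to_probability(score: int) -> float:
    """Render a 0-100 confidence on the 0.0-1.0 probability-style scale."""
    return round(score / 100.0, 3)


def bump_tlp(level: str, steps: int = 1) -> str:
    """Raise a TLP marking by `steps` levels, saturating at RED."""
    idx = TLP_ORDER.index(level.upper())  # ValueError on an unknown level
    return TLP_ORDER[min(idx + steps, len(TLP_ORDER) - 1)]


def transform_tags(tags: List[str], leaving_cot: bool) -> Dict[str, object]:
    """Apply the gateway rules to a list of machinetags.

    The TLP marking is bumped one level only when the data is leaving the
    Community of Trust; the admiralty information-credibility value is
    mapped to a numeric confidence plus its H/M/L and probability forms.
    Source-reliability and any other tags pass through untouched here.
    """
    result: Dict[str, object] = {
        "tlp": None, "confidence": None,
        "confidence_hml": None, "confidence_prob": None,
    }
    for tag in tags:
        ns, pred, val = parse_machinetag(tag)
        if ns == "tlp":
            result["tlp"] = bump_tlp(pred) if leaving_cot else pred.upper()
        elif ns == "admiralty-scale" and pred == "information-credibility" and val:
            score = credibility_to_numeric(val)
            result["confidence"] = score
            if score is not None:
                result["confidence_hml"] = numeric_to_hml(score)
                result["confidence_prob"] = numeric_to_probability(score)
    return result


# Constructed sample tags as an ISAC might attach them to an indicator.
SAMPLE_TAGS = [
    "tlp:amber",
    'admiralty-scale:source-reliability="b"',
    'admiralty-scale:information-credibility="2"',
]

if __name__ == "__main__":
    print("inside COT :", transform_tags(SAMPLE_TAGS, leaving_cot=False))
    print("leaving COT:", transform_tags(SAMPLE_TAGS, leaving_cot=True))
```

The point of keeping each rendering as a separate pure function is that the numeric value is the single source of truth and the letter scales are derived views, which is what makes the mapping non-subjective and repeatable across gateways; the saturating bump also shows the edge case a central rule has to decide on (RED cannot be raised further).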

_____________________________
From: Jason Keirstead <jason.keirstead@ca.ibm.com>
Sent: Thursday, September 8, 2016 3:39 PM
Subject: Re: [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]
To: Patrick Maroney <pmaroney@specere.org>
Cc: <cti@lists.oasis-open.org>, <cti-stix@lists.oasis-open.org>, Dave Cridland <dave.cridland@surevine.com>, JE <je@cybersecurityscout.eu>, Terry MacDonald <terry.macdonald@cosive.com>


I very much like the idea of adding support for the MISP taxonomies, but I still think that confidence should be a numerical value.

I would like to see a way that the admiralty scale taxonomy can be mapped to a numerical equivalent. That way if someone wants to use a different taxonomy because the admiralty scale is either too broad or too narrow, they are free to do so, because we are not directly mandating it be used.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: Patrick Maroney <Pmaroney@Specere.org>
To: Dave Cridland <dave.cridland@surevine.com>, JE <je@cybersecurityscout.eu>
Cc: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "Terry MacDonald" <terry.macdonald@cosive.com>
Date: 09/08/2016 01:29 PM
Subject: [cti-stix] MISP Taxonomies [Was: CTI Brussels F2F Meeting...RSVP deadline 5 September]
Sent by: <cti-stix@lists.oasis-open.org>

Good discussion folks. In support of the concepts expressed here, I'd like to raise the topic of supporting the MISP Taxonomy format and the public repository of Taxonomies and format for consideration.

https://github.com/MISP/misp-taxonomies

Alexandre Dulaunoy has cleared up concerns raised regarding licensing, so we can assess on the technical merits.



Patrick Maroney
President
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org



From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Dave Cridland <dave.cridland@surevine.com>
Sent: Thursday, September 8, 2016 4:13:31 AM
To: JE
Cc: cti-stix@lists.oasis-open.org; cti@lists.oasis-open.org; Terry MacDonald
Subject: RE: [cti] CTI Brussels F2F Meeting...RSVP deadline 5 September

There are two approaches, both already existing, which can help with this. Firstly, a common, shared policy (and just as important, commonly understood semantics). The FIRST IEP work is along these lines.

Secondly, real security label/classification/policy systems allow one policy to be translated to another, as long as the semantics can be mapped. These systems exist already, and are specified in a slew of documents including SDN.801(c), X.841, and so on.

Obviously these two are complementary - if there are lots of common semantics in organisations' policies, it makes it easy to express handling requirements, and the existing label specs allow each organisation to have their own policy which they can develop independently.

But all this is already handled by STIX - it's just payload data to STIX and TAXII.

Dave.


On 8 Sep 2016 09:29, "JE" <je@cybersecurityscout.eu> wrote:


Bret Jordan
Alexandre Dulaunoy
Raymon van der Velde
Ryusuke Masuoka
Kazuo Noguchi
Jason Keirstead
Jerome Athias
Allan Thomson
Daniel Riedel
John-Mark Gurney
Carol Geyer
Richard Struse
Joerg Eschweiler
Trey Darley
Marko Dragoljevic
Sergey Polzunov
Aukjan van Belkum
Wouter Bolsterlee
Andras Iklody
Mark Davidson
Masato Terada


