
Subject: Re: [cti-users] Re: [cti-stix] STIX 2.1 Proposal - STIX Question and STIX Answer


Hi Brian, and welcome to the CTI!

A lot of this has to do with some architectural decisions made for TAXII2. There was a long discussion about a year and a half ago about making TAXII a distributed messaging bus type model, rather than a point-to-point model as it was. Various different technologies were discussed, including binary protocols such as protobuf2, and other specific messaging queue/bus protocols such as AMQP. The community agreed at that time that an HTTPS-based system was easier for people to comprehend and would be more likely to traverse web proxy servers.

TAXII 2 will be able to 'broadcast' threat intel messages out to recipients in a community. At present this is done from within one single server, but with some enhancements we could make this community broadcast be shared across multiple TAXII servers.

This then opens up asking broadcast questions of the community and getting broadcast answers in return. 

If we wish to restrict these answers and add the ability for private responses then there are two ways I can see this working: 

1. When STIX objects support being encrypted, and Identity objects contain public keys, we could encrypt the answers so that when they are distributed to the community only the recipients with the right private keys can open them (but everyone still gets an encrypted copy)

2. We leverage the TAXII DNS service record and allow the answering TAXII server to directly contact the TAXII server that asked the STIX question. Or we add a field into the STIX question that points to the TAXII server address that asked the STIX question. In either case the answering TAXII server needs the ability to locate the TAXII server that asked the question and be able to provide it with an answer.

Cheers 
Terry MacDonald 
Cosive
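The two routing choices Terry lays out (community-wide broadcast versus a directed answer keyed on the asking TAXII server) together with Jason's fan-out concern further down the thread, as an added Python model that is not part of the thread or of any STIX/TAXII implementation; the object types x-question/x-answer and the fields asking_server/asking_client are assumptions for the illustration, not STIX 2.1 definitions:

```python
# Added model of the two answer-routing choices discussed in the thread:
# community-wide broadcast versus a directed answer that uses a field on the
# question pointing back at the asking TAXII server. The object types
# 'x-question'/'x-answer' and the fields 'asking_server'/'asking_client' are
# assumed for this illustration and are not defined by STIX 2.1.

class TaxiiServer:
    """One TAXII server; clients subscribe to object types, deliveries are counted."""
    def __init__(self, url):
        self.url = url
        self.subs = {}   # client_id -> set of object types the client wants

    def add_client(self, client_id, types):
        self.subs[client_id] = set(types)

    def broadcast(self, obj):
        """Community push: one copy to every client subscribed to obj['type']."""
        return sum(1 for types in self.subs.values() if obj["type"] in types)

    def deliver_to(self, client_id, obj):
        if client_id not in self.subs:   # answer addressed to a client this server does not host
            raise KeyError("unknown asking client %s on %s" % (client_id, self.url))
        return 1

def make_question(qid, asker, server):
    return {"type": "x-question", "id": qid, "asking_client": asker,
            "asking_server": server.url}

def make_answer(aid, question, responder):
    # The answer carries the return address so any server can route it back.
    return {"type": "x-answer", "id": aid, "in_response_to": question["id"],
            "asking_server": question["asking_server"],
            "asking_client": question["asking_client"], "responder": responder}

def route_answer(answer, servers):
    """Directed reply: look up the asking server (the dict stands in for the
    TAXII DNS service record) and deliver to the asking client only."""
    return servers[answer["asking_server"]].deliver_to(answer["asking_client"], answer)

def simulate(n_clients=1000, n_rfi=100, n_responders=20):
    """Return (question copies, broadcast answer copies, directed answer copies)."""
    srv = TaxiiServer("https://taxii.example.test")   # constructed URL
    for i in range(n_clients):   # only the first n_rfi clients opt in to RFIs
        extra = ["x-question", "x-answer"] if i < n_rfi else []
        srv.add_client("c%d" % i, ["indicator"] + extra)
    q = make_question("q-1", "c0", srv)
    answers = [make_answer("a-%d" % i, q, "c%d" % i) for i in range(1, n_responders + 1)]
    broadcast_copies = sum(srv.broadcast(a) for a in answers)
    directed_copies = sum(route_answer(a, {srv.url: srv}) for a in answers)
    return srv.broadcast(q), broadcast_copies, directed_copies
```

With the defaults, subscriptions cut the question to 100 copies, broadcast answers still cost 20 x 100 copies, and the directed route costs 20.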

On 10 Jan. 2017 07:54, "Bryan McCaffrey" <bryan@ambientdata.com> wrote:
I'm just getting up to speed here. I'd like to contribute more going forward. 

Could we look to the existing routing protocols out there for a question-answer model? I'm going to do some more thinking on this but a BGP-like routing protocol model could be used? Does that even make sense? If not, feel free to call me out.

Bryan McCaffrey

On Mon, Jan 9, 2017 at 1:36 PM, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:
I am "intrigued in a good way" as well - but there is a lot of stuff to figure out here.

One thing I think is missing is the ability to subscribe to or unsubscribe from these queries. A TAXII server may host 1M clients. So client X issues an RFI request and 100K other clients see it - many of whom do not want to respond to RFI requests. But of those, 20 do - and those 20 responses again go to 1M clients, instead of just the one who asked the question.



-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown




From:        Terry MacDonald <terry.macdonald@cosive.com>
To:        Paul Patrick <Paul.Patrick@fireeye.com>
Cc:        cti-users@lists.oasis-open.org, cti-stix@lists.oasis-open.org
Date:        12/30/2016 12:20 AM
Subject:        [cti-users] Re: [cti-stix] STIX 2.1 Proposal - STIX Question and STIX Answer
Sent by:        <cti-users@lists.oasis-open.org>




Intrigued in a good way? :)

On 30 Dec. 2016 2:53 am, "Paul Patrick" <Paul.Patrick@fireeye.com> wrote:
Terry,

I’m intrigued as it seems we’re back to looking at how to provide query capabilities in STIX/TAXII instead of just “what someone has shared”. This is something a lot of our customers are demanding and having to fill with our own solutions.

Paul Patrick


From: <cti-stix@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@cosive.com>
Date: Thursday, December 22, 2016 at 9:01 PM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: [cti-stix] STIX 2.1 Proposal - STIX Question and STIX Answer


Hi All,

In my discussion with colleagues, community groups and customers, one of the questions I keep getting asked about STIX is "Can I ask the community I'm in if anyone has information about a particular IP address?". At present my answer is ... "Well, actually no. Not at present. You can only see what others have sent out."

This proposal outlines a way that we could implement this functionality, allowing STIX/TAXII to support requests for information, and responses to those requests.

Note: This initial proposal is for community-wide requests and community-wide responses. Future enhancements in later versions of STIX could allow for responses back to a single user if there was enough demand for this functionality.

Cheers

Terry MacDonald | Chief Product Officer

M: +64 211 918 814
E: terry.macdonald@cosive.com
W: www.cosive.com






--
Bryan McCaffrey
Digital Forensic Investigator
Security Researcher



