
Subject: Re: [cti-users] Re: [cti-stix] STIX 2.1 Proposal - STIX Question and STIX Answer

Hi Jason, 

I think in the scheme of things, the scale of STIX questions and answers will be orders of magnitude lower than the actual threat intel being sent around.

The design of the question and answer was specifically to enable recipients to 'listen in' to the answers, so as to provide them with extra intel that they may not have. Being able to see the responses other organisations give will in turn allow them to chip in with extra bits that they have found themselves. This is exactly how the current threat intel sharing groups operate now - shared encrypted mailing lists that all recipients see.

Rather than providing new point-to-point question and answer functionality, we already have the ability to create a different community group for the discussions to use. Many communities have separate mailing lists for different topics, and we have the ability to do the same with TAXII community channels.

As you know an organisation can belong to many different TAXII communities at the same time, and all TAXII 2 implementations *should* be able to handle that. This in turn would make it possible for a community to add a specific question and answer community channel to their community, and allow for delineation between those who want to see the STIX questions and STIX answers and those who don't. 

That said I firmly believe that the most power is in the widest number of people seeing the question, and being able to provide a STIX answer. There have been times when someone providing a seemingly useless bit of threat intel has unlocked an investigation, and has ultimately brought miscreants to justice. STIX question/answer will hopefully extract partial bits of threat intel out of organisations that they may not otherwise publish as a full assertion, and that can only be a positive thing in my book. 

Terry MacDonald 
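The channel-based opt-in described above (a community adds a dedicated question-and-answer channel, members choose whether to subscribe, and answers are seen by everyone on that channel rather than only the asker), together with the subscribe/unsubscribe scale concern Jason raises in the quoted message below, modelled as an added Python illustration. This is not code from the thread and not a STIX or TAXII implementation; the channel names "intel" and "qa", the member ids, the object fields and the 203.0.113.5 address (a TEST-NET-3 documentation address) are all constructed for the example.

```python
from collections import defaultdict


class Community:
    """A sharing community with named, opt-in channels (constructed model,
    standing in for the TAXII community channels discussed in the thread)."""

    def __init__(self, name):
        self.name = name
        self.subscribers = defaultdict(set)   # channel -> set of member ids
        self.inbox = defaultdict(list)        # member id -> [(channel, obj), ...]

    def subscribe(self, member, channel):
        self.subscribers[channel].add(member)

    def unsubscribe(self, member, channel):
        self.subscribers[channel].discard(member)

    def publish(self, sender, channel, obj):
        """Deliver obj to every current subscriber of channel except the sender.
        Returns the sorted list of recipient ids so callers can check fan-out."""
        recipients = sorted(self.subscribers[channel] - {sender})
        for member in recipients:
            self.inbox[member].append((channel, obj))
        return recipients

    def received(self, member, channel=None, kind=None):
        """Count objects delivered to member, optionally filtered by channel / kind."""
        return sum(
            1 for ch, obj in self.inbox[member]
            if (channel is None or ch == channel) and (kind is None or obj.get("kind") == kind)
        )


def simulate(member_count=1000, qa_optin=20):
    """Run the scenario: everyone is on the intel channel, a minority opts in
    to the Q&A channel, one member asks a question, two members answer, and one
    member unsubscribes from Q&A between the question and the answers."""
    community = Community("example-sharing-group")        # constructed name
    members = [f"org-{i:03d}" for i in range(member_count)]
    for member in members:
        community.subscribe(member, "intel")
    for member in members[:qa_optin]:                      # only these opt in to Q&A
        community.subscribe(member, "qa")

    # Ordinary shared intel still reaches the whole community.
    indicator = {"kind": "indicator", "value": "203.0.113.5"}   # constructed
    intel_recipients = community.publish("org-000", "intel", indicator)

    # A question goes only to the Q&A channel, so non-subscribers never see it.
    question = {"kind": "question", "id": "q-1", "about": "203.0.113.5"}
    question_recipients = community.publish("org-000", "qa", question)

    # A member who saw the question but does not want the follow-up opts out.
    community.unsubscribe("org-019", "qa")

    # Answers go back to the same channel, so every remaining Q&A subscriber
    # (not just the asker) can listen in and chip in.
    answer_recipients = {}
    for responder in ("org-003", "org-007"):
        answer = {"kind": "answer", "in_reply_to": "q-1", "from": responder,
                  "note": "seen in our logs"}                # constructed
        answer_recipients[responder] = len(community.publish(responder, "qa", answer))

    return {
        "intel_recipients": len(intel_recipients),
        "question_recipients": len(question_recipients),
        "answer_recipients": answer_recipients,
        "asker_saw_answers": community.received("org-000", kind="answer"),
        "listener_saw_answers": community.received("org-005", kind="answer"),
        "opted_out_saw_qa": community.received("org-500", channel="qa"),
        "late_unsubscriber_saw_question": community.received("org-019", kind="question"),
        "late_unsubscriber_saw_answers": community.received("org-019", kind="answer"),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

With 1000 members and 20 opted in, the indicator fans out to 999 recipients while the question reaches 19 and each answer 18; members that never subscribed to the Q&A channel receive nothing from it, and a member who unsubscribes after the question sees no answers. The fan-out numbers returned by `publish` are the figures to watch when sizing a channel like this for a large server.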

On 10 Jan. 2017 07:39, "Jason Keirstead" <Jason.Keirstead@ca.ibm.com> wrote:
I am "intrigued in a good way" as well - but there is a lot of stuff to figure out here.

One thing I think is missing is the ability to subscribe or unsubscribe from these queries. A TAXII server may host 1M clients. So client X issues an RFI request and 100K other clients see it - many of whom do not want to respond to RFI requests. But of those, 20 do - and those 20 responses again go to 1M clients, instead of just the one who asked the question.

Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown

From: Terry MacDonald <terry.macdonald@cosive.com>
To: Paul Patrick <Paul.Patrick@fireeye.com>
Cc: cti-users@lists.oasis-open.org, cti-stix@lists.oasis-open.org
Date: 12/30/2016 12:20 AM
Subject: [cti-users] Re: [cti-stix] STIX 2.1 Proposal - STIX Question and STIX Answer
Sent by: <cti-users@lists.oasis-open.org>

Intrigued in a good way? :)

On 30 Dec. 2016 2:53 am, "Paul Patrick" <Paul.Patrick@fireeye.com> wrote:

I’m intrigued as it seems we’re back to looking at how to provide query capabilities in STIX/TAXII instead of just “what someone has shared”. This is something a lot of our customers are demanding and having to fill with our own solutions.

Paul Patrick

From: <cti-stix@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@cosive.com>
Date: Thursday, December 22, 2016 at 9:01 PM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: [cti-stix] STIX 2.1 Proposal - STIX Question and STIX Answer

Hi All,

In my discussions with colleagues, community groups and customers, one of the questions I keep getting asked about STIX is "Can I ask the community I'm in if anyone has information about a particular IP address?". At present my answer is "Well, actually no. Not at present. You can only see what others have sent out."

This proposal outlines a way that we could implement this functionality, allowing STIX/TAXII to support requests for information, and responses to those requests.

Note: This initial proposal is for community-wide requests and community-wide responses. Future enhancements in later versions of STIX could allow for responses back to a single user if there was enough demand for this functionality.

Terry MacDonald | Chief Product Officer
M: +64 211 918 814
E: terry.macdonald@cosive.com
W: www.cosive.com