

Subject: Re: [cti-cybox] Re: [cti-stix] Re: [cti-cybox] Re: [EXT] [cti-cybox] Agenda for August 8 Working Call


Mark,

 

Excellent point.  Just to clarify, when you speak of “consumers”, do you mean software/systems that a recipient of threat intelligence is using?  That is, if Bank A uses Product X and their ISAC sends them IEP-marked STIX, if Product X does not have the capability to interpret IEP markings (and present them to the user, for example), that Product X should reject that content?  There is a separate question as to whether or not Bank A has agreed to be bound by IEP in its agreement with the ISAC but that’s out of scope for us.

 

Am I getting this right?

 

Thanks,

Rich

 

From: <cti-cybox@lists.oasis-open.org> on behalf of Mark Davidson <Mark.Davidson@nc4.com>
Date: Wednesday, August 9, 2017 at 8:19 AM
To: Bret Jordan <Bret_Jordan@symantec.com>, "Back, Greg" <gback@mitre.org>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] Re: [cti-stix] Re: [cti-cybox] Re: [EXT] [cti-cybox] Agenda for August 8 Working Call

 

I realize I’m a late entrant to this discussion, but –

 

IEP support must be a requirement in STIX. Otherwise, a producer can place IEP markings that the consumer happily ignores, creating an information leakage guarantee risk.

 

That said, I do not think that consumers need to have IEP capability. Rather, they must be able to detect whether IEP markings exist and, if a consumer does not support IEP, refuse to process the document further. If we do not specify this minimum level of requirement, the IEP object will essentially be inert unless every single consuming implementation chooses to support it.

 

As one method for achieving this, SOAP Headers (yes, the early 2000’s rear their ugly head) have a general “must understand” concept. Producers can specify arbitrary headers; and within those headers, policies. If the “mustUnderstand” header is set to true, the recipient must produce a fault if they cannot process the header. If the “mustUnderstand” header is set to false, processing the header is optional.

I would liken IEP support to a “mustUnderstand=true”. You are not required to support it, but if you do not support it you are required to reject documents that have it.

 

As a producer, I’d like confidence that the markings I place will be respected, and I would like that confidence to be placed in something other than convention.

 

Thank you.

-Mark

 

From: <cti-cybox@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com>
Date: Monday, August 7, 2017 at 10:58 PM
To: "Back, Greg" <gback@mitre.org>
Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: Re: [cti-cybox] Re: [cti-stix] Re: [cti-cybox] Re: [EXT] [cti-cybox] Agenda for August 8 Working Call

 

Those are good questions.  The specification will not mandate, or I hope will not mandate, the use of IEP, but is the interop SC going to mandate it in their profiles?

 

Bret 

Sent from my iPhone


On Aug 7, 2017, at 7:46 PM, Back, Greg <gback@mitre.org> wrote:

As long as we aren’t mandating all consumers (and producers, though I’m more worried about consumers) to implement IEP, I’m fine with this. I’m also fine with using interoperability to promote the use of IEP, and (hopefully) letting market forces make IEP used universally.

 

On 2017-08-07, 19:01 UTC, "cti-stix@lists.oasis-open.org on behalf of Struse, Richard J." <cti-stix@lists.oasis-open.org on behalf of rjs@mitre.org> wrote:

 

Meant to say: “…that we are NOT requiring IEP nor…”

 

From: <cti-stix@lists.oasis-open.org> on behalf of Richard Struse <rjs@mitre.org>
Date: Monday, August 7, 2017 at 2:59 PM
To: Bret Jordan <Bret_Jordan@symantec.com>, "Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: [cti-stix] Re: [cti-cybox] Re: [EXT] [cti-cybox] Agenda for August 8 Working Call

 

Since we began this work there has been a clear recognition that TLP, while useful, isn’t sufficient to represent the sorts of policy expressions that are required to truly enable CTI sharing ecosystems. The FIRST community is exactly the sort of hands-on community best suited to develop such policy frameworks and it doesn’t seem like there are any competing policy frameworks under consideration.  Given that, and the fact that we are requiring IEP nor are we “tying” STIX to IEP (or vice-versa), it seems worthwhile to do the work necessary to figure out how to best support those communities that wish to use IEP.

 

Is there anyone actively opposed to the TC figuring out how we might support IEP?

 

From: <cti-cybox@lists.oasis-open.org> on behalf of Bret Jordan <Bret_Jordan@symantec.com>
Date: Monday, August 7, 2017 at 2:45 PM
To: "Wunder, John A." <jwunder@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "cti-cybox@lists.oasis-open.org" <cti-cybox@lists.oasis-open.org>
Subject: [cti-cybox] Re: [EXT] [cti-cybox] Agenda for August 8 Working Call

 

On the IEP front, we need to make sure the TC wants to do it before we figure out how we should do it.  I would love to see some discussion over email first, before we tackle it on a working call that only has a subset of the membership.  In other words, a working call is not a good place to decide "if" we should do something.  It is a great place to figure out "how" we should do it, once the TC has sufficiently debated and decided to do it.

 

 

Bret

 


From: cti-cybox@lists.oasis-open.org <cti-cybox@lists.oasis-open.org> on behalf of Wunder, John A. <jwunder@mitre.org>
Sent: Monday, August 7, 2017 9:11 AM
To: cti-stix@lists.oasis-open.org; cti-cybox@lists.oasis-open.org
Subject: [EXT] [cti-cybox] Agenda for August 8 Working Call

 

All,

 

We have three topics for the working call this week:

 

1.       Continue work on DNS Request/Response

2.       Continue work on Location, in particular discuss ISO 3166

3.       Discuss inclusion of IEP (how we should do it)

 

John
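Added example, not part of the archived thread and not taken from any STIX or IEP specification: a minimal consumer-side gate that applies the "must understand" behaviour Mark Davidson's message describes, rejecting a STIX 2 bundle before processing when it carries a marking type the consumer cannot enforce. It assumes IEP arrives as a `marking-definition` object with `definition_type` set to `"iep"`; that value, the function names and the sample bundles are constructed for illustration.

```python
# Added example: "must understand" gate for data markings in a STIX 2 bundle.
# Assumption: IEP arrives as a marking-definition with definition_type "iep".

SUPPORTED = {"tlp", "statement"}  # marking types this consumer can enforce

class UnsupportedMarking(Exception):
    """The bundle carries a marking this consumer cannot enforce."""

def marking_refs(obj):
    """Collect object-level and granular marking references on one object."""
    refs = set(obj.get("object_marking_refs", []))
    refs.update(g["marking_ref"] for g in obj.get("granular_markings", [])
                if "marking_ref" in g)
    return refs

def gate_bundle(bundle, supported=SUPPORTED):
    """Return the content objects, or raise before any of them is processed."""
    objects = bundle.get("objects", [])
    defs = {o["id"]: o.get("definition_type")
            for o in objects if o.get("type") == "marking-definition"}
    # Existence alone is enough to reject: an unsupported definition in the bundle.
    for def_id, def_type in defs.items():
        if def_type not in supported:
            raise UnsupportedMarking(f"{def_id}: type {def_type!r} not supported")
    # Fail closed on references that cannot be resolved inside the bundle.
    for obj in objects:
        for ref in marking_refs(obj):
            if ref not in defs:
                raise UnsupportedMarking(f"{obj['id']}: unresolved marking {ref}")
    return [o for o in objects if o.get("type") != "marking-definition"]

# Constructed sample data (IDs and the IEP definition body are made up).
TLP_ID = "marking-definition--00000000-0000-4000-8000-000000000001"
IEP_ID = "marking-definition--00000000-0000-4000-8000-000000000002"
INDICATOR = {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-00000000000a"}
TLP_DEF = {"type": "marking-definition", "id": TLP_ID,
           "definition_type": "tlp", "definition": {"tlp": "green"}}
IEP_DEF = {"type": "marking-definition", "id": IEP_ID,
           "definition_type": "iep", "definition": {"name": "constructed policy"}}

def make_bundle(definition):
    marked = dict(INDICATOR, object_marking_refs=[definition["id"]])
    return {"type": "bundle", "objects": [definition, marked]}

if __name__ == "__main__":
    print(len(gate_bundle(make_bundle(TLP_DEF))), "object(s) accepted")
    try:
        gate_bundle(make_bundle(IEP_DEF))
    except UnsupportedMarking as err:
        print("rejected:", err)
```

A consumer that relies on well-known marking definitions not shipped inside the bundle would preload them into `defs` rather than treat those references as unresolved.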
