Subject: RE: [cti-taxii] Query Use Cases Needed! - Privacy Preserving Data Sharing
I spent a little bit of time reading the paper, and it's clear to me that I need to spend more time reading the paper =)

Chris,

For the TAXII SC right now, I think the most useful thing would be a well-defined use case and possibly some requirements around it. Namely:

* What are the roles/goals of participants in the (we need a shorter name.. how about) Anonymous Sharing use case?
* What is the high level (5-7 or so steps) workflow (aka main success scenario) for this use case?

Essentially, our use cases right now range from "only a description" (which is most of them) to "mostly fleshed out" (which is one of them). It would be great to move toward "mostly fleshed out" for more use cases. Anything you can contribute would be a great help.

As you experiment with this feature, I would be happy to hear lessons learned, things that worked or did not work, and the like. And if there's the possibility that we can help in some way (e.g., "How would you do that with TAXII?"), we'd be happy to help.

Thank you.
-Mark

From: cti-taxii@lists.oasis-open.org [mailto:cti-taxii@lists.oasis-open.org] On Behalf Of Patrick Maroney

Chris,

Great set of topics/ideas. Need to fully digest same and review related papers. However, in terms of engagement, wanted to share some initial musings.

(1) The algorithmic costs need to be considered. In other words, generation of the Ciphers and calculations on the back end (at scale) would need to be addressed.

(2) Connecting dots would be harder as "I" have to know what compound questions to ask ahead of time (especially as it pertains to relationships and ). In other words, what happens if I don't ask the exact compound question? In a simple "T/F" model I could test 100 assertions, get 99/100 "right", but still get a "F" return. As one continues the thought experiment, adding relationships and their attributes, temporal context, subjective measures/values, etc., some interesting things emerge. In other, other words some iteration through probabilistic outcomes should be envisioned (i.e., "You're getting Warmer...").

(3) I still see Source and Source Path Determinism (obfuscated where/as required) as key elements to success in any model where one is (1) trying to measure things like value, relevance, effectiveness, etc., (2) provide for RFIs, (3) provide a pathway for sharing of sightings/observations/analysis/assertions/...
Patrick Maroney

_____________________________

Hi all,

Sorry for the thread roll back - I've been thinking about the True/False use case, and I think there's an interesting avenue to explore here... Combined with this use case:

https://github.com/TAXIIProject/TAXII-Specifications/wiki/TAXII-2.0-Use-Cases#government-wants-to-share-intel-but-no-one-to-know-it-was-them

...which is obviously close to my heart : ) the True/False use case not only allows organisations to protect the 'who' but also potentially the 'what'.

There's some great work going on in academia (eg: http://arxiv.org/pdf/1502.05337.pdf) that investigates the concept of privacy preserving data sharing, allowing organisations to share potentially sensitive data with others without actually revealing what that data is (eg: storing an indicator in encrypted form, encrypting incoming indicators and comparing the cipher text to the stored indicator). The effect is similar to the True/False use case, but allows for a more peer-distributed setup. The advantage being that, when it's identified, the indicator is already shared. Those who work in a classified environment may appreciate the elegance of, what is effectively, automated parallel evidence procedures - it's almost like a massive game of CTF (which would, similarly, need to be really well locked down)!

Governments (and other organisations with sensitive / classified data sources) are getting better at data sharing, but can always do more (us included). This might help remove some of the barriers.

There's a nice by-product of this use case too (as described in the UCL paper linked above) that organisations can mathematically estimate the value of data sharing. Apart from just proving that sharing data is a good thing (some people still need to be reminded of that) it allows users to assess the 'value' of feeds based on how much they can tell the recipient that they don't already know / create links between objects / <insert your calculation of 'value' here>. With the anticipation of having more feeds than a user has processing power, this could allow them to prioritise feeds based on empirical evidence rather than reputation.

Thoughts? This is something we're hoping to experiment with in CERT-UK against our Edge setup. If we can make that help the community then let me know!

Cheers,
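The comparison Chris describes (keep indicators only in a blinded form, blind each incoming indicator the same way, and compare) together with the "how much of this feed is new to the recipient" value estimate, as an added Python example. It is not code from the thread, from CERT-UK's Edge setup or from the arXiv paper; it uses an HMAC under a key shared by the peers as a simple stand-in for the private set intersection protocols the paper works with, and the key, the indicators and the function names are all constructed.

```python
"""Keyed-tag indicator matching plus a crude feed-value estimate.
Added example with constructed data; HMAC under a shared key stands in for
the private set intersection protocols used in the arXiv paper."""
import hashlib
import hmac
from typing import Dict, Iterable, Set

# Constructed demo key. In practice the key is agreed between the sharing
# peers and must not reach anyone who is not allowed to test indicators.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"

# Constructed sample data (RFC 5737 documentation addresses, a reserved name).
STORED_INDICATORS = ["198.51.100.23", "203.0.113.7", "evil.example"]   # the store
INCOMING_INDICATORS = ["203.0.113.7", "192.0.2.10", "EVIL.example"]    # a peer's feed


def normalise(indicator: str) -> bytes:
    """Canonical form so 'EVIL.example ' and 'evil.example' give the same tag."""
    return indicator.strip().lower().encode("utf-8")


def blind(indicator: str, key: bytes) -> str:
    """Deterministic keyed tag (HMAC-SHA256): equal indicators give equal tags,
    and only a holder of `key` can compute or test a tag."""
    return hmac.new(key, normalise(indicator), hashlib.sha256).hexdigest()


def blind_set(indicators: Iterable[str], key: bytes) -> Set[str]:
    """Tags for a whole set: this is what is stored or sent, never the indicators."""
    return {blind(i, key) for i in indicators}


def match_incoming(stored_tags: Set[str], incoming: Iterable[str], key: bytes) -> Dict[str, bool]:
    """True/False per incoming indicator: has the store already seen it?
    The store reveals nothing about the indicators that were not asked about."""
    return {i: blind(i, key) in stored_tags for i in incoming}


def feed_value(recipient_tags: Set[str], feed_tags: Set[str]) -> Dict[str, float]:
    """How much of a feed is new to the recipient, computed on tags alone.
    'novelty' is the fraction of the feed the recipient did not already hold."""
    new = feed_tags - recipient_tags
    known = feed_tags & recipient_tags
    novelty = len(new) / len(feed_tags) if feed_tags else 0.0
    return {"new": len(new), "already_known": len(known), "novelty": novelty}


if __name__ == "__main__":
    stored_tags = blind_set(STORED_INDICATORS, SHARED_KEY)
    print(match_incoming(stored_tags, INCOMING_INDICATORS, SHARED_KEY))
    print(feed_value(stored_tags, blind_set(INCOMING_INDICATORS, SHARED_KEY)))
```

Two properties of this simplification matter when weighing it against the paper's protocols. A deterministic tag lets any key holder test guesses, so for low-entropy indicators such as IPv4 addresses a peer with the key could enumerate a store by trial; private set intersection is what removes that. And matching is exact, so the normalisation step decides what "the same indicator" means. On Patrick's cost point, the per-indicator work here is one HMAC, which is the cheap end of the spectrum; the cryptographic protocols in the paper cost considerably more per comparison.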
-----Original Message-----

All,

Posting on behalf of Dean Thompson (Dean.Thompson@anz.com)

Hi,

Does anyone see benefit in these two use cases as well:

* Query for all known indicators given an observable
* True/False return or return ID ref of a STIX report/package which contains whether an observable has been seen
  o Potentially very useful for tool integration

And I know that this is a use case discussion, but with regards to channels:

* Subscribe to a channel for the detection of a certain observable/indicator/incident and send me the package/report if you see it

(long time lurker / one time sender)

Regards,
Dean

-Mark

P.S. Friendly reminder that you cannot post to the subcommittee list as an observer, only as a member. You can update your status by requesting a change directly to Bret or me (we have an admin panel that we can make these changes in), or you can unsubscribe / resubscribe as a member.

From: cti-taxii@lists.oasis-open.org [mailto:cti-taxii@lists.oasis-open.org] On Behalf Of Jordan, Bret
Sent: Thursday, August 13, 2015 12:12 AM
To: Wunder, John A. <jwunder@mitre.org>; cti-taxii@lists.oasis-open.org
Subject: Re: [cti-taxii] Query Use Cases Needed!

All these are really good use cases. Thanks for taking the time to write them down. As these are all falling into a general theme I think we can now begin to look at the ideas that we need to support them....

So what I get from this discussion is:

1) We need a way for a client to present some sort of key/value pair where the key is the object identifier and the type of dataset that the value exists in and then the value is what it contains.
2) We need the ability to say, if that value in the object equals something, does not equal something, contains, etc.
3) We need the ability to say this object AND this other object or this OR that.

Some examples...

1) Give me all indicators that contain a name of XYZ, that were seen between 2015-07-01T00:00:00 AND 2015-07-01T00:01:00 but not indicators with a TTP of FOO
2) Give me all TTPs with a name that contains ABC, and have observables in the following net block 4.0.0.0/8 and happened during January or February of 2015

The trick is going to be making this easy to do... As with all discussions on TAXII, we can easily and rapidly go from high level use-cases to putting rubber to the road.

Simple Example Structures of a Query (to get the discussion going)

Query:
  Key: stix-indicator-name
  Value: RedHat
  Operator: contains

Query:
  Key: stix-indicator-id
  Value: 1111-1234-1234-54321
  Operator: equals

This is pretty easy to wrap our brains around.... What gets more tricky is how to do an AND or an OR operator. Any thoughts?

Thanks,
Bret

Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
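One way to give Bret's Key/Value/Operator sketch the AND and OR composition he asks about (and a NOT, which his first example also needs): nest the triples inside `and`/`or`/`not` nodes and evaluate the tree against each object. This is an added Python example, not code from the thread or from any TAXII specification; the field names (`stix-indicator-name`, `stix-ttp-name`, `observed`, `ttp`, `observable-ip`), the operator names and the sample objects are constructed. It runs both of Bret's example queries.

```python
"""Toy evaluator for key/value/operator queries with and/or/not composition.
Added example; field names, operator names and sample objects are constructed."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Any, Callable, Dict, List

# Leaf operators: `actual` comes from the object, `expected` from the query.
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "equals": lambda actual, expected: actual == expected,
    "not-equals": lambda actual, expected: actual != expected,
    "contains": lambda actual, expected: str(expected) in str(actual),
    "between": lambda actual, expected: expected[0] <= actual <= expected[1],
    "in-netblock": lambda actual, expected: ip_address(actual) in ip_network(expected),
}


@dataclass
class Term:
    """One Key/Value/Operator triple, as in Bret's sketch."""
    key: str
    operator: str
    value: Any

    def matches(self, obj: Dict[str, Any]) -> bool:
        if self.key not in obj:      # an absent field never matches, even for not-equals
            return False
        return OPERATORS[self.operator](obj[self.key], self.value)


@dataclass
class And:
    clauses: List[Any]
    def matches(self, obj): return all(c.matches(obj) for c in self.clauses)


@dataclass
class Or:
    clauses: List[Any]
    def matches(self, obj): return any(c.matches(obj) for c in self.clauses)


@dataclass
class Not:
    clause: Any
    def matches(self, obj): return not self.clause.matches(obj)


def parse(spec: Dict[str, Any]):
    """Build a query tree from a nested dict: {"and": [...]}, {"or": [...]},
    {"not": {...}} or a leaf {"key": ..., "operator": ..., "value": ...}."""
    if "and" in spec:
        return And([parse(s) for s in spec["and"]])
    if "or" in spec:
        return Or([parse(s) for s in spec["or"]])
    if "not" in spec:
        return Not(parse(spec["not"]))
    if spec["operator"] not in OPERATORS:
        raise ValueError(f"unknown operator {spec['operator']!r}")
    return Term(spec["key"], spec["operator"], spec["value"])


def run_query(spec: Dict[str, Any], objects: List[Dict[str, Any]]) -> List[str]:
    """Return the ids of the objects the query selects, in store order."""
    query = parse(spec)
    return [o["id"] for o in objects if query.matches(o)]


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample store: three indicators and three TTPs.
OBJECTS = [
    {"id": "ind-1", "type": "indicator", "stix-indicator-name": "XYZ dropper",
     "observed": ts("2015-07-01T00:00:30"), "ttp": "BAR"},
    {"id": "ind-2", "type": "indicator", "stix-indicator-name": "XYZ beacon",
     "observed": ts("2015-07-01T00:00:45"), "ttp": "FOO"},
    {"id": "ind-3", "type": "indicator", "stix-indicator-name": "XYZ loader",
     "observed": ts("2015-07-02T09:00:00"), "ttp": "BAR"},
    {"id": "ttp-1", "type": "ttp", "stix-ttp-name": "ABC exfil",
     "observable-ip": "4.2.2.2", "observed": ts("2015-02-14T12:00:00")},
    {"id": "ttp-2", "type": "ttp", "stix-ttp-name": "ABC exfil",
     "observable-ip": "4.3.3.3", "observed": ts("2015-03-01T00:00:00")},
    {"id": "ttp-3", "type": "ttp", "stix-ttp-name": "ABC scan",
     "observable-ip": "8.8.4.4", "observed": ts("2015-01-20T00:00:00")},
]

# Bret's example 1: name contains XYZ, seen in a one-minute window, TTP is not FOO.
QUERY_1 = {"and": [
    {"key": "type", "operator": "equals", "value": "indicator"},
    {"key": "stix-indicator-name", "operator": "contains", "value": "XYZ"},
    {"key": "observed", "operator": "between",
     "value": (ts("2015-07-01T00:00:00"), ts("2015-07-01T00:01:00"))},
    {"not": {"key": "ttp", "operator": "equals", "value": "FOO"}},
]}

# Bret's example 2: name contains ABC, observable in 4.0.0.0/8, January OR February 2015.
QUERY_2 = {"and": [
    {"key": "stix-ttp-name", "operator": "contains", "value": "ABC"},
    {"key": "observable-ip", "operator": "in-netblock", "value": "4.0.0.0/8"},
    {"or": [
        {"key": "observed", "operator": "between",
         "value": (ts("2015-01-01T00:00:00"), ts("2015-01-31T23:59:59"))},
        {"key": "observed", "operator": "between",
         "value": (ts("2015-02-01T00:00:00"), ts("2015-02-28T23:59:59"))},
    ]},
]}

if __name__ == "__main__":
    print(run_query(QUERY_1, OBJECTS), run_query(QUERY_2, OBJECTS))
```

The serialised form (`and`/`or`/`not` nodes wrapping leaf triples) is the answer to the "how do we do AND or OR" question: the leaf stays exactly Bret's three fields, and composition is a property of the document that carries them rather than of the leaf. Whatever wire format ends up being used, rejecting unknown operators at parse time (as `parse` does) and treating a missing field as a non-match keeps the evaluator from silently returning everything when a query names a key the object type does not have.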
On Aug 12, 2015, at 13:47, Wunder, John A. <jwunder@mitre.org> wrote:

So here's a few I've needed personally (project only partially uses STIX/TAXII now, but the concepts translate):

* Return all courses of action related to a given set of TTPs (granted this relationship does not exist in STIX now)
* Return all TTPs for a given set of indicators
* Return all incidents for a given set of indicators
* Query by construct type + title (i.e. Give me all campaigns where the name matches Deep Panda)
* The most advanced one I can think of: return incidents with specific affected asset (identified by IP or ID)

John

From: <cti-taxii@lists.oasis-open.org> on behalf of Jason Keirstead
Date: Wednesday, August 12, 2015 at 3:36 PM
To: Mark Davidson
Cc: "cti-taxii@lists.oasis-open.org"
Subject: Re: [cti-taxii] Query Use Cases Needed!

Query by threat actor (with expected string search options) I would think to be important.

-
Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown
From: "Davidson II, Mark S" <mdavidson@mitre.org>
To: "cti-taxii@lists.oasis-open.org" <cti-taxii@lists.oasis-open.org>
Date: 2015/08/12 03:22 PM
Subject: [cti-taxii] Query Use Cases Needed!
Sent by: <cti-taxii@lists.oasis-open.org>

________________________________

All,

Since query was called out yesterday as a potential challenge for the Channel model that's been proposed for TAXII, I'd like for us to try and validate the Channel model against query use cases.

I'd like for us to start by identifying query use cases that we think we care about. For now, a one-liner of the use case is probably the right level of abstraction (we can add more detail later). To get the conversation started, here are some things I've heard on the list:

* Query by ID
* Query by "observable" (e.g., IP / Hash)

Once we've collected the use cases, we can analyze their impact on the channel model. Please offer up your one-liner query use cases!

Thank you.
-Mark

P.S. We have not forgotten the query discussions of old; this is partly to generate discussion and partly to see what's still on the forefront.