Subject: Re: [cti-taxii] Question about multiple trust group support
In regards to this question and a few tangential elements of TAXII, I would like this group to walk through and flesh out the following scenario, run it to the ground. Specifically, I would like to capture information on how one might solve this problem.
Here is a picture to help frame the discussion.
Analyst 1 and 2 have access to some yet-to-be-created workbench tool and they use this tool to investigate the latest APT attack against their network. Analyst 1 documents some IOCs in the BBZ on one of the Windows machines and notifies Analyst 2 that the machine he is looking at is also talking to the Oracle SAP application and it should not. Analyst 2 arrives at the server hosting the Oracle SAP application and starts her investigation. Now both Analyst 1 and Analyst 2 are using the same super-neat-super-cool workbench tool that uses TAXII 2.0 to communicate. So as each of them starts documenting the things they are finding, in the form of Incidents, Indicators, Observables, etc., they get each other's updates and it all goes into some sort of shared report. This workbench tool is using STIX 2.0 and TAXII 2.0 behind the scenes and has a very pretty, Minority Report-style, UI. You can think of it as these tools talking to each other over the Indicator channel or a custom "workbench" channel. The point is it works and I think the design we have for TAXII 2.0 can do this very easily, or everything to make this happen is a known element.
Where things get confusing and a bit murky leads to my specific question. Suppose Analyst 2 also has a friend outside of this network that is part of some super-advanced APT research group and she wants to share some of her findings with this External Analyst. How does she do that? What needs to happen on both ends to make this work? Historically, and most easily, she would just use Email or IM. But for the sake of trying to make TAXII be the de facto solution for sharing CTI, I would like to run this exercise to the ground to make sure everything holds water.
Some of the details will be specification level, some implementation level, some deployment level, and some will be process level. However, I would like to figure out how this could work end to end.
The way I see it, please correct me where I am wrong, push back where needed, add context / color where needed:
1) Analyst 2 and the External Analyst will need access to some public TAXII server. Probably in the cloud. An organizationally owned solution should also work if it was public facing but poses some interesting challenges for notification.
2) If this is a cloud or remote solution Analyst 2 will need some way of either auto-discovering this solution, or some way for her application to know about it. Maybe it is a feature of this super-cool workbench tool. Maybe the company that writes the tool will offer access to a TAXII cloud instance for some minimal fee per year. Or maybe there are a series of public free services people can use.
3) Analyst 2 will need to create or provision some sort of temporary, on-the-fly TrustGroup and/or Channel to facilitate this communication. Basically she will need to create a channel and then determine which users can access it.
4) Analyst 2 will then need to somehow contact the external analyst and let them know that this Trust Group and/or Channel is there. Once again, this might be part of the product tooling. Maybe it is like a Facebook or Instagram app where you can add "friends" and "followers".
5) Once both parties are connected to the same trust group and channel, meaning they have both authenticated and passed all kinds of multi-factor blood and urine tests, they can share data. Analyst 2 can send the data to the External Analyst and the External Analyst can send stuff back to Analyst 2.
6) Now if both Analyst 2 and the External Analyst are using the same super-cool workbench tool, then you could easily argue that everything is product and implementation/deployment specific. But if Analyst 2 uses some sort of super-cool workbench and say the External Analyst is using a Soltra Edge solution, how does this work? Do both the workbench and the Soltra Edge solution need to know about each other's APIs for this to work? Does each of them need to build support to talk to each other?
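As an added illustration of steps 3 through 5 above (not code from the original post and not TAXII 2.0 API code), the following toy in-memory model shows the access-control shape the scenario implies: a channel provisioned on the fly by Analyst 2, membership controlled only by the channel owner, and sharing in both directions gated on authentication plus membership. The class name, channel name and analyst identifiers are assumptions.

```python
# Added toy model of steps 3-5 (not TAXII 2.0 code; all names are assumptions):
# a channel inside an on-the-fly trust group, owner-controlled membership,
# and sharing gated on authentication plus membership in both directions.
class TrustGroupServer:
    def __init__(self):
        self.authenticated = set()  # users who passed login/MFA (step 5)
        self.channels = {}          # name -> {"owner", "members", "messages"}

    def authenticate(self, user):
        self.authenticated.add(user)

    def create_channel(self, owner, name):  # step 3: provision a channel
        if owner not in self.authenticated:
            raise PermissionError(f"{owner} is not authenticated")
        self.channels[name] = {"owner": owner, "members": {owner}, "messages": []}

    def add_member(self, actor, name, user):  # step 4: owner invites a peer
        ch = self.channels[name]
        if actor != ch["owner"]:
            raise PermissionError("only the channel owner can add members")
        ch["members"].add(user)

    def _member(self, user, name):
        ch = self.channels[name]
        if user not in self.authenticated or user not in ch["members"]:
            raise PermissionError(f"{user} may not use channel {name}")
        return ch

    def publish(self, user, name, stix_object):  # step 5: share a STIX object
        self._member(user, name)["messages"].append(stix_object)

    def poll(self, user, name):
        return list(self._member(user, name)["messages"])

def run_scenario():
    """Constructed walk-through: Analyst 2 shares an indicator with the
    External Analyst, who answers; an authenticated non-member is refused."""
    srv = TrustGroupServer()
    for u in ("analyst2", "external", "outsider"):
        srv.authenticate(u)
    srv.create_channel("analyst2", "apt-case")
    srv.add_member("analyst2", "apt-case", "external")
    srv.publish("analyst2", "apt-case", {"type": "indicator", "name": "C2 beacon"})
    srv.publish("external", "apt-case", {"type": "report", "name": "research notes"})
    try:
        srv.poll("outsider", "apt-case")
        denied = False
    except PermissionError:
        denied = True
    return srv.poll("analyst2", "apt-case"), denied
```

The part step 6 asks about, two different products interoperating, is exactly what this model leaves out: both clients here talk to one server interface rather than to each other's APIs.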