cti-taxii message



Subject: RE: [cti-stix] Top-level Sighting Object from last meeting


Adding cti-taxii (it involves taxii talk)

I'm still of the opinion that this falls under the realm of STIX. Joep's comment that the question/answer functionality needs to work across non-TAXII communication methods made the decision for me. 

If we add that functionality to TAXII and not STIX then we lose the ability to request and respond if TAXII isn't used. 

I'm now wondering if we should have some kind of combination of TAXII and STIX query functionality....

What if TAXII handled the TAXII-to-TAXII content distribution (delivery of CTI content), and the querying of a local TAXII repository (local TAXII client to local TAXII Server lookup, if it has a data repo)?

And what if STIX handled any threat intel questions asked of the sharing community via STIX request and STIX response? 

This separation would allow STIX requests/responses to still be asked even if communication was via email (imagine attaching that to a post to an email community), allowing people who do have a STIX implementation but no TAXII implementation to participate in Threat Intel sharing. It may even help drive STIX/TAXII adoption by prompting more people to start using STIX...

Cheers

Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA | An FS-ISAC and DTCC Company
+61 (407) 203 206 | terry@soltra.com 
 

-----Original Message-----
From: Trey Darley 
Sent: Friday, 30 October 2015 8:22 PM
To: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Cc: Jerome Athias <athiasjerome@gmail.com>; Joep Gommers <joep@eclecticiq.com>; Jordan, Bret <bret.jordan@bluecoat.com>; Sean D. Barnum <sbarnum@mitre.org>; Cory Casanave <cory-c@modeldriven.com>; Thompson, Dean <Dean.Thompson@anz.com>; Terry MacDonald <terry@soltra.com>; cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Top-level Sighting Object from last meeting

On 29.10.2015 12:04:18, Jason Keirstead wrote:
> 
> The use case for negative assertions is anything but clear to me - 
> Like Aharon said, under what situation do I send the negative 
> assertion that I did not see it, and how often do I send it - hourly? 
> Daily? Weekly?
> 

One of the core use cases the notional TAXII 2.0 REST Query API addresses is answering the question, "Have you seen this thing?"
Rather than making negative assertions a producer-side object (and getting into the rat's nest Jason outlined above), put it on the consumer side.

Combining this approach with the notional query broadcast capability I outlined earlier today in [0] & [1], you can use the REST Query API to inquire of the entire world (where $world == the part of the CTI community you're privy to.)

[0]: https://lists.oasis-open.org/archives/cti-stix/201510/msg00300.html
[1]: https://taxiiproject.github.io/taxii2/notional-query-api/#query-scoping

--
Cheers,
Trey
--
Trey Darley
Senior Security Engineer
4DAA 0A88 34BC 27C9 FD2B  A97E D3C6 5C74 0FB7 E430
Soltra | An FS-ISAC & DTCC Company
www.soltra.com
--
"For all resources, whatever it is, you need more." --RFC 1925
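The transport-agnostic request/response that Terry sketches above, and the consumer-side "Have you seen this thing?" question (plus its broadcast to the part of the community you are privy to) in Trey's quoted message, as an added example that is not part of either message and is not STIX or TAXII specification code. The envelope types (sighting-request, sighting-response), the field names, the MAX_OBSERVABLES cap, the repository layout and the sample observables are all assumptions for illustration. The point it shows is that the same JSON question and answer work whether a TAXII server receives them or they arrive as an attachment on an ordinary email; the email leg is done here with the Python standard library.

```python
"""Transport-agnostic "have you seen this?" request and response.

Hypothetical illustration: the envelope types and field names below are
assumptions for this example, not STIX or TAXII specification objects.
"""
import json
import uuid
from datetime import datetime, timezone
from email import message_from_bytes, policy
from email.message import EmailMessage

MAX_OBSERVABLES = 100  # assumed cap so a single question cannot flood a responder

# Constructed sample repositories: observable -> list of sighting timestamps (UTC).
LOCAL_REPO = {
    "ipv4:198.51.100.7": ["2015-10-12T08:00:00Z", "2015-10-28T21:15:00Z"],
    "domain:bad.example": ["2015-10-29T03:30:00Z"],
}
PARTNER_REPO = {
    "md5:d41d8cd98f00b204e9800998ecf8427e": ["2015-10-30T10:00:00Z"],
}


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_request(observables, requester):
    """Phrase the question as plain JSON so email, TAXII or any other channel can carry it."""
    wanted = sorted(set(observables))
    if not 0 < len(wanted) <= MAX_OBSERVABLES:
        raise ValueError("ask about 1..%d observables" % MAX_OBSERVABLES)
    return {
        "type": "sighting-request",  # hypothetical envelope type
        "id": "sighting-request--" + str(uuid.uuid4()),
        "created": _now(),
        "requester": requester,
        "observables": wanted,
    }


def answer_request(request, repo, responder):
    """Answer from a local repository with positive sightings only.

    An observable absent from "sightings" means this responder asserts nothing
    about it, which is different from asserting "not seen".
    """
    if request.get("type") != "sighting-request":
        raise ValueError("not a sighting-request")
    observables = request.get("observables")
    if (not isinstance(observables, list)
            or not 0 < len(observables) <= MAX_OBSERVABLES
            or not all(isinstance(o, str) for o in observables)):
        raise ValueError("malformed observable list")
    sightings = []
    for obs in observables:
        seen = repo.get(obs)
        if seen:
            sightings.append({"observable": obs, "count": len(seen),
                              "first_seen": min(seen), "last_seen": max(seen)})
    return {
        "type": "sighting-response",  # hypothetical envelope type
        "id": "sighting-response--" + str(uuid.uuid4()),
        "created": _now(),
        "in_response_to": request["id"],
        "responder": responder,
        "sightings": sightings,
    }


def broadcast(request, community):
    """Fan one question out to every repository the requester is privy to."""
    return [answer_request(request, repo, name) for name, repo in community.items()]


def to_email(payload, sender, recipient, subject):
    """Carry a request or response as a JSON attachment on an ordinary email."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content("Structured sighting question/answer attached as JSON.")
    msg.add_attachment(json.dumps(payload, indent=2).encode("utf-8"),
                       maintype="application", subtype="json",
                       filename=payload["type"] + ".json")
    return msg.as_bytes()


def from_email(raw):
    """Recover the JSON payload from a received email; everything else is ignored."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/json":
            return json.loads(part.get_content())
    raise ValueError("no JSON attachment found")


if __name__ == "__main__":
    req = build_request(["ipv4:198.51.100.7", "md5:d41d8cd98f00b204e9800998ecf8427e"],
                        "analyst@requester.example")
    wire = to_email(req, "analyst@requester.example", "cti-list@community.example",
                    "Have you seen this?")
    for resp in broadcast(from_email(wire), {"local": LOCAL_REPO, "partner": PARTNER_REPO}):
        print(json.dumps(resp, indent=2))
```

Two things worth noticing when running it. First, the responder never emits a negative assertion: an observable missing from a response is "no answer from this party", so a requester that wants "not seen" semantics has to infer it from the set of parties that answered, which is the consumer-side framing Trey describes. Second, because the request and response are just bytes, the channel (TAXII, email, anything else) is responsible for saying who asked and who answered; a deployment would still need to authenticate requesters and decide which observables each party may ask about, which this example does not attempt.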

