Re: [cti-users] "Data Marking" syntaxes

I have used TLP for a lot of projects in the past, but there has always been a deep understand what each color means. I am not sure if we all agree to what that means right now for CTI communications.

Thanks,

Bret

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

On Nov 6, 2015, at 06:12, Dave Cridland <dave@cridland.net> wrote:
I think that "who" is a little misleading.

The problem with listing group members is that you end up with an ACL system (identity based access control, for those who like the fancy terms). This is only manageable if the data controller (and this is likely to be the analyst or administrator configuring the IDS) knows all the identities involved. In practise, whoever is defining that label will be considering properties of the data and how those compare to (perceived, desirable) properties of the audience.

By way of a concrete example, a label might look like this, in JSON:

{
"policy": "Surevine",
"classification": "tlp:amber",
"jurisdiction": ["eu", "safe harbour"],
"anonymize": true,
"proposal": true
}

Note that the classification here is using TLP, but you're right in that TLP is pretty useless beyond giving a human a high-level indicator of sensitivity. We can create rules for how to render this as a textual string, but the problem is that it's pretty hard to translate between policies without having to have a lot more cooperation than is reasonable to expect.

In an X.841 style, still represented in a made-up JSON format, it might look more like this - I apologise for the OIDs involved; I really do:

{
"policy_id": "1.2.826.0.1.6726289.0.1",
"classification": 12,
"categories": [
{
"type": "permissive",
"id": "1.2.826.0.1.6726289.0.1.1",
"values": [0, 1]
},
{
"type": "restrictive",
"id": "1.2.826.0.1.6726289.0.1.2",
"values": [0]
},
{
"type": "informative",
"id": "1.2.826.0.1.6726289.0.1.3",
"values": [0]
}
]
}

I think it's best left as an exercise for the reader on how the clearances might look, but it's important to state that while I've made up the JSON syntax itself, the data within it (the use of those OIDs, "permissive" and "restrictive" category types, etc) are all very well established, and well understood.

This JSON syntax could (and other syntaxes can be) used with this policy (here in XML-SPIF format; that's an XML variant of SDN.801c's ASN.1 SPIF format):
<SPIF xmlns="http://www.xmlspif.org/spif"
      creationDate="2015-09-24 09:23:00"
      rbacId="2.16.840.1.101.2.1.8.3"
      privilegeId="2.16.840.1.101.2.1.8.3"
      originatorDN="cn=Dave Cridland,o=Survine,c=GB"
      schemaVersion="2.0"
      keyIdentifier="">
    <defaultSecurityPolicyId name="Default" id="1.1"/>
    <securityPolicyId name="TLPX" id="1.2.826.0.1.6726289.0.1"/>
    <equivalentPolicies>
        <equivalentPolicy name="TLP" id="1.2.826.0.1.6726289.0.2"/>
    </equivalentPolicies>
    <securityClassifications>
        <securityClassification name="WHITE" lacv="10" hierarchy="1">
            <equivalentClassification policyRef="TLP" lacv="10" applied="both"/>
        </securityClassification>
        <securityClassification name="GREEN" lacv="11" hierarchy="2">
            <equivalentClassification policyRef="TLP" lacv="11" applied="both"/>
        </securityClassification>
        <securityClassification name="AMBER" lacv="12" hierarchy="3">
            <equivalentClassification policyRef="TLP" lacv="12" applied="both"/>
        </securityClassification>
        <securityClassification name="RED" lacv="13" hierarchy="4">
            <equivalentClassification policyRef="TLP" lacv="13" applied="both"/>
        </securityClassification>
        <markingQualifier>
            <qualifier markingQualifier="TLP:" qualifierCode="prefix"/>
        </markingQualifier>
    </securityClassifications>
    <securityCategoryTagSets>
        <securityCategoryTagSet name="Jurisdiction" id="1.2.826.0.1.6726289.0.1.1">
            <securityCategoryTag tagType="permissive">
                <tagCategory name="EU" lacv="0"/>
                <tagCategory name="SafeHarbour" lacv="1"/>
                <tagCategory name="US" lacv="2"/>
                <markingQualifier>
                    <qualifier markingQualifier="," qualifierCode="separator"/>
                    <qualifier markingQualifier="J:" qualifierCode="prefix"/>
                </markingQualifier>
            </securityCategoryTag>
        </securityCategoryTagSet>
        <securityCategoryTagSet name="Mandatory Data Manipulation" id="1.2.826.0.1.6726289.0.1.2">
            <securityCategoryTag tagType="restrictive">
                <tagCategory name="Anonymize" lacv="0"/>
                <tagCategory name="Aggregate" lacv="1"/>
                <markingQualifier>
                    <qualifier markingQualifier="," qualifierCode="separator"/>
                    <qualifier markingQualifier="MUST:" qualifierCode="prefix"/>
                </markingQualifier>
            </securityCategoryTag>
        </securityCategoryTagSet>
        <securityCategoryTagSet name="Data Status" id="1.2.826.0.1.6726289.0.1.3">
            <securityCategoryTag tagType="tagType7" tag7Encoding="bitSetAttributes" singleSelection="true">
                <tagCategory name="Analysis" lacv="0"/>
                <tagCategory name="Concrete" lacv="1"/>
                <markingQualifier>
                    <qualifier markingQualifier="," qualifierCode="separator"/>
                </markingQualifier>
            </securityCategoryTag>
        </securityCategoryTagSet>
    </securityCategoryTagSets>
</SPIF>
You'll see that the policy file I've sketched out here has mention of conversion to another, plain TLP policy, but it could offer equivalence rules to a number of others (including national classification policies). I've also not put in support for, for example, mandatory tags, and I'm clearly flailing about to find reasonable examples for the categories. But this is concrete code, at least.

I'd be very interested in what properties at this level would be useful to practitioners - jurisdiction seems like one, but I'm sure there's a slew of others. What these are will vary, I'm sure, but the benefit of this kind of system is that variances can be handled in a stable manner.
On 6 November 2015 at 03:18, Jordan, Bret <bret.jordan@bluecoat.com> wrote:
Okay I have kept quite on this topic for a few days, just watching and listening... Now maybe I am overly simplifying things a bit. But it seems to be that there are really only a few things people honestly care about, at least all of the examples so far only point to these things:

1) Can you share this data I am sending to you

2) If you can share it, who else can you share it with

3) If you share it do you need to anonymize it

It seems like if we use TLP, we need some sort of magic decoder ring to keep track of what WHITE is, what GREEN is what AMBER is etc...

So why not just say:

{
"share": "public || restricted",
"group": "group members if share==restricted",
"anonymize": "true || false"
}

Does this cover the very advanced stuff some group need. No. But with it being JSON, the can just add their own text fields for extra context. Since a human will need to read them anyway. But, does something like this get us 60% or 70%, or 80% there?

Thanks,

Bret

Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

On Nov 5, 2015, at 08:02, Patrick Maroney <Pmaroney@Specere.org> wrote:

Intelligence passed within a "Community of Trust" instantiation carries a de facto domain context (i.e., FS-ISAC) and controlling "TLP Policy" within that domain. The challenges come at the intersections of "Communities of Trust". This includes "Spoke and Hub", "Meshed", "Point to Point" and potentially complex hybrid aggregations of these topologies.

While very much an implementation specific detail, the CTI standard should provide well defined constructs for mapping/transforming Data Marking and Handling policies at the Intersections of these domains. Ultimately it would be great if we could apply DRM concepts and controls (including encryption, content expiration, etc.) to STIX Packages.

As an aside, I'm really liking the emerging concept of using Data Marking at the Package level and just sending multiple Packages (i.e., this package contains the TLP Green stuff, this package contains the TLP Amber stuff, and this package contains the TLP Red stuff). I would then distribute the Green to the NCI (which would contain my mapping policy that NCI sends as TLP Amber to it's Member ISACs), the Orange to my ISAC, and the Red to other known Victims. The Packages and Objects within these individual packages will include all of the RefIDs required to reassemble the pieces I have in my possession (including updates to same). In this model the mapping/transforming Data Marking and Handling policies are then applied at the Package level which makes this simpler by orders of magnitude (V.s. Our discussions on how to manage this at the Object Level).

This would actually enable those interested in the direct application of existing DRM capabilities to these Packages, which just become another specialized form of a document with associated DRM policies.

Patrick Maroney
President
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org

__

cti-users message