cti-users message
Subject: Re: [EXT] [cti-users] STIX/TAXII: created_by property?


Eric,


Great questions, and thanks for bringing them to the list.  Let me try and answer them:


1) Populating the created_by_ref is up to the producer of the content. They may choose to do this on the actual devices that do it, or do it centrally after the fact. Within an organization you can populate this property however you want.  Some people get hung up with the idea that only the content producer can change the object.  While that is true, the content producer can be whatever you define it to be for your organization.  The goal was that a third party could not change your object, not that you could not change it.


Here is an example...  In your organization you may decide that every device in the network populates the created_by_ref with a value from the device itself.  You may pull all of that data into your TAXII server. Then when you go to push that data out to the rest of the world, you may decide to change all of the created_by_refs to be your organizational ID. That is okay.  The data is all yours and you can do with it as you will.  Now, you may need to build some mappings in your system if you do this, if you ever wanted to trace something back.  But since you OWN the data, it is your data, and you can populate those fields however you want.


A TAXII server that is getting data from one of your devices or your org can populate the field if it is missing.  It can do this by knowing the authenticated user, it can do this as an organizational policy, it can also do whatever.  What it cannot do is populate the field for an object that is not owned by the organization.  So if you get an object from someone else, and it is not populated, you can NOT populate it for them.  They may want to be anonymous.  But since you or your organization did not create the object, you cannot modify it.


2) There is currently no text in the document about validation of the created_by_ref.  In a transitory system where data is being collected and reshared, you may not know or have a direct connection to the original creator.  Yes, this can create a graph with non-connected edges.  But I do not see a way around that.  Long-term we will be looking to add digital signature support to STIX. This will hopefully help a little bit.  But right now there is no way to know if the created_by_ref value is correct or if it was populated to point to someone else. I guess you could do a check from end users / devices / orgs that you have a direct connection to and flag objects that are a mismatch.  


Does this help?


Bret
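The ingest policy Bret describes in points 1 and 2 (fill created_by_ref from the authenticated user only for your own producers, leave third-party objects alone, and flag objects whose created_by_ref claims an identity you have a direct connection to but which a different client submitted), as an added example that is not part of this thread or any OASIS code. The client names and identity ids are constructed placeholders.

```python
# Constructed sample directory of clients this TAXII server can authenticate.
# Ids are made-up placeholders in STIX "identity--<uuid>" form, not real ones.
OWN_ORG_CLIENTS = {           # our own devices/users -> the identity they assert
    "sensor-01": "identity--11111111-1111-4111-8111-111111111111",
    "analyst-A": "identity--22222222-2222-4222-8222-222222222222",
}
PEER_CLIENTS = {"peer-taxii-X"}   # peers that republish third-party objects
ORG_IDENTITIES = set(OWN_ORG_CLIENTS.values())


def ingest(obj, client):
    """Apply the created_by_ref policy to one submitted STIX object.

    Returns (object as it will be stored, list of review flags).
    The input dict is copied, never mutated in place.
    """
    if client not in OWN_ORG_CLIENTS and client not in PEER_CLIENTS:
        raise PermissionError(f"unknown or unauthenticated client: {client}")

    obj = dict(obj)
    flags = []
    ref = obj.get("created_by_ref")
    own_identity = OWN_ORG_CLIENTS.get(client)   # None for a peer

    if ref is None:
        if own_identity is not None:
            # Our own producer omitted it: fill from the authenticated user.
            obj["created_by_ref"] = own_identity
        else:
            # Not our object: leave it anonymous, but note it for review.
            flags.append("third-party object without created_by_ref; left unpopulated")
    elif ref in ORG_IDENTITIES and ref != own_identity:
        # An identity we have a direct connection to, asserted by someone else.
        flags.append(f"mismatch: {client} submitted object claiming {ref}")
    elif ref not in ORG_IDENTITIES:
        # No direct connection to this creator: accept, but it cannot be verified.
        flags.append(f"unverifiable: no direct connection to {ref}")
    return obj, flags
```

Objects with an unverifiable created_by_ref are still stored, matching the thread's view that dangling references are unavoidable when republishing; the flags are what a reviewer or detection rule would consume.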


From: cti-users@lists.oasis-open.org <cti-users@lists.oasis-open.org> on behalf of Eric Spiegelberg <eric@graphaware.com>
Sent: Wednesday, July 26, 2017 9:04:51 AM
To: cti-users@lists.oasis-open.org
Subject: [EXT] [cti-users] STIX/TAXII: created_by property?
 
Hello.

My company, Graphaware, has become interested in cybersecurity and has been following STIX and TAXII for some time. While our core expertise lies in graph databases, such as Neo4j, as professional software developers we are exploring the implementation of the STIX and TAXII specs.

I have a few questions on the created_by_ref property of STIX objects and am hoping this group can provide some insight.

1) When a STIX object is created, is the created_by property typically sent by the client (the creating entity), or is it typically omitted by the client and instead assigned by the TAXII server as part of the STIX object creation?

If the created_by property is typically sent by the creating client, how does the TAXII server know it can trust the client to provide a valid value? Does the fact that the client must be authenticated and authorized to the TAXII server establish the trust that the client will not submit invalid/misleading/malicious STIX data?

If the created_by property is not typically sent by the creating client, is it recommended that the TAXII server make use of the currently authenticated user to populate this information on the STIX object? For example, if client A publishes the creation of a new STIX object and omits the created_by property the TAXII server will modify the incoming STIX object and assign a created_by property that points to client A.

2) Do the STIX/TAXII specs provide any guidance on created_by_ref value validation? For example, let's say that a client A, a successfully authenticated and authorized client, creates a STIX object with a created_by property with a value of “client_B_id”. Yet, let's say that this STIX/TAXII implementation does not have any data about client B. Would the creation of this STIX object, whose created_by_ref is essentially unknown to the system, be allowed? While I can see the creation needing to be allowed, particularly in the case where STIX data is “merely” being republished by a peer TAXII server, this scenario would create dangling data that references entities that are unknown within the system. From the view of data integrity, this would be bad, but from the view of flexibility and exchange of free-form information, this would be good. Do the STIX/TAXII specs or this group have any opinion as to which way a compliant STIX/TAXII implementation should go?

Thanks,
Eric

