Subject: Re: [EXT] [cti-users] STIX/TAXII: created_by property?
Eric,
Great questions, and thanks for bringing them to the list. Let me try and answer them:
1) Populating the created_by_ref is up to the producer of the content. They may choose to do this on the actual devices that do it, or do it centrally after the fact. Within an organization you can populate this property however you want. Some people get hung up with the idea that only the content producer can change the object. While that is true, the content producer can be whatever you define it to be for your organization. The goal was that a third party could not change your object, not that you could not change it.
Here is an example... In your organization you may decide that every device in the network populates the created_by_ref with a value from the device itself. You may pull all of that data into your TAXII server. Then when you go to push that data out to the rest of the world, you may decide to change all of the created_by_refs to be your organizational ID. That is okay. The data is all yours and you can do with it as you will. Now, you may need to build some mappings in your system if you do this, if you ever wanted to trace something back. But since you OWN the data, it is your data, and you can populate those fields however you want.
A TAXII server that is getting data from one of your devices or your org can populate the field if it is missing. It can do this by knowing the authenticated user, it can do this as an organizational policy, it can also do whatever. What it cannot do is populate the field for an object that is not owned by the organization. So if you get an object from someone else, and it is not populated, you can NOT populate it for them. They may want to be anonymous. But since you or your organization did not create the object, you cannot modify it.
2) There is currently no text in the document about validation of the created_by_ref. In a transitory system where data is being collected and reshared, you may not know or have a direct connection to the original creator. Yes, this can create a graph with non-connected edges. But I do not see a way around that. Long-term we will be looking to add digital signature support to STIX. This will hopefully help a little bit. But right now there is no way to know if the created_by_ref value is correct or if it was populated to point to someone else. I guess you could do a check from end users / devices / orgs that you have a direct connection to and flag objects that are a mismatch.
Does this help?
Bret
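As an added example, not part of Bret's message and not code from the STIX or TAXII specifications: a small Python model of the two policies described above. `stamp_own_object` populates or rewrites `created_by_ref` only for objects the organization owns and keeps a traceback mapping when a device identity is replaced by the organizational identity; `flag_mismatches` implements the check suggested in point 2, flagging objects received from a direct-connection peer whose `created_by_ref` names someone else, while leaving anonymous objects alone. The identity IDs, account names, sample objects and the ownership rule (an object is ours when it was pushed by one of our own authenticated device accounts) are all constructed assumptions.

```python
import copy
import json

# Constructed identifiers for illustration only (not real STIX identities).
ORG_IDENTITY = "identity--0a0a0a0a-0000-4000-8000-000000000001"
# Authenticated accounts of our own devices -> the identity each device stamps.
OUR_DEVICE_ACCOUNTS = {
    "sensor-01": "identity--0a0a0a0a-0000-4000-8000-000000000011",
    "sensor-02": "identity--0a0a0a0a-0000-4000-8000-000000000012",
}
# Producers we have a direct connection to -> the identity we expect them to use.
DIRECT_PEERS = {
    "partner-feed": "identity--0b0b0b0b-0000-4000-8000-000000000021",
}
# Mapping so an object relabelled with ORG_IDENTITY can still be traced back.
TRACEBACK = {}


def stamp_own_object(obj, submitted_by, rewrite_to_org=False):
    """Return a copy of obj with created_by_ref populated only if the object is ours.

    submitted_by is the authenticated account that pushed the object to our TAXII
    server (None for third-party content). Ownership rule (assumption): the object
    is ours when it came from one of OUR_DEVICE_ACCOUNTS. Third-party objects are
    returned untouched, even when created_by_ref is missing.
    """
    out = copy.deepcopy(obj)
    device_identity = OUR_DEVICE_ACCOUNTS.get(submitted_by)
    if device_identity is None:
        return out  # not owned by us: we may not fill in or change the field
    original = out.get("created_by_ref", device_identity)
    out["created_by_ref"] = ORG_IDENTITY if rewrite_to_org else original
    if out["created_by_ref"] != original:
        TRACEBACK[out["id"]] = original  # remember which device produced it
    return out


def flag_mismatches(objects, received_from):
    """Return ids of objects from a direct peer whose created_by_ref is not that peer.

    Objects without created_by_ref are not flagged (the producer may be anonymous).
    Returns None when we have no direct connection to the source, since there is
    then nothing to validate against.
    """
    expected = DIRECT_PEERS.get(received_from)
    if expected is None:
        return None
    return [o["id"] for o in objects
            if "created_by_ref" in o and o["created_by_ref"] != expected]


# Constructed sample objects (STIX 2.1 shaped, TEST-NET addresses).
SENSOR_OBJECT = {
    "type": "indicator", "spec_version": "2.1",
    "id": "indicator--5e1d0000-0000-4000-8000-000000000101",
    "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
    "pattern": "[ipv4-addr:value = '198.51.100.7']", "pattern_type": "stix",
    "valid_from": "2024-01-01T00:00:00Z",
}
THIRD_PARTY_OBJECT = {
    "type": "indicator", "spec_version": "2.1",
    "id": "indicator--5e1d0000-0000-4000-8000-000000000202",
    "created": "2024-01-02T00:00:00.000Z", "modified": "2024-01-02T00:00:00.000Z",
    "pattern": "[ipv4-addr:value = '203.0.113.9']", "pattern_type": "stix",
    "valid_from": "2024-01-02T00:00:00Z",
}
PEER_OK = dict(THIRD_PARTY_OBJECT, id="indicator--5e1d0000-0000-4000-8000-000000000301",
               created_by_ref=DIRECT_PEERS["partner-feed"])
PEER_BAD = dict(THIRD_PARTY_OBJECT, id="indicator--5e1d0000-0000-4000-8000-000000000302",
                created_by_ref="identity--0c0c0c0c-0000-4000-8000-000000000099")
PEER_ANON = dict(THIRD_PARTY_OBJECT, id="indicator--5e1d0000-0000-4000-8000-000000000303")


if __name__ == "__main__":
    stamped = stamp_own_object(SENSOR_OBJECT, "sensor-01")
    shared = stamp_own_object(stamped, "sensor-01", rewrite_to_org=True)
    print(json.dumps(shared, indent=2))
    print("traceback:", TRACEBACK)
    print("third party untouched:", "created_by_ref" not in stamp_own_object(THIRD_PARTY_OBJECT, None))
    print("mismatches:", flag_mismatches([PEER_OK, PEER_BAD, PEER_ANON], "partner-feed"))
```

The rewrite-on-export step is deliberately a separate call with `rewrite_to_org=True`, so ingestion can keep per-device identities internally while the outbound TAXII collection shows one organizational identity, with `TRACEBACK` providing the mapping back to the device.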