Hi Eric,
One way to think of this is to think of communities. A community is a group of client's that will share threat intelligence information with each other.
As Bret described, it is possible to have internal-only communities made up of only devices you control, and external communities made up of devices from different organizations.
In an internal-only community, it makes sense for the created_by_ref to be a device identifier within your organization (or maybe a department name, or a network name), as that makes more sense internally for you.
When it comes time to share the object externally, it makes sense to create a new object using all the same data from the internal STIX object (but filtering out anything you don't want shared externally), changing the created_by to your organizational
name.
I recommend using a separate, different STIX object for the external community because:
* The created_by field is being changed. If you changed this field without changing the STIX id , you would need to increase the version of the object as well, which them causes problems on the internal only community.
* It allows you to filter out other sensitive data when you create the STIX object for the external community
I wouldn't recommend using the exact same STIX object with the same STIX id in both the internal only community and the external community.
Cheers
Terry MacDonald
Cosive