
Subject: Re: [cti] Missing MTI - what to do?

That is one of many use-cases we have talked about in TAXII land.  IMO, a TAXII implementation (not the specification) will have some sort of rich policy engine sitting on top of it.  And that policy engine will determine who can access what and what goes where.  



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Feb 4, 2016, at 15:39, Chris Ricard <cricard@fsisac.us> wrote:

Handling the entire STIX document at its highest TLP marking is certainly the easiest solution, but it doesn’t address the concept of "tear sheets".

Use Case:  I generate a STIX document containing a set of indicators, and relating these indicators to a specific threat actor.

The indicators themselves are TLP GREEN, but the attribution to the threat actor is TLP AMBER.

If the STIX document is handled at its highest TLP marking, I lose the ability to share out the indicators to the broader community, because of the Threat Actor attribution.

In the human-readable world, this is often accomplished through tear sheets.  The document would be marked TLP AMBER, but a lower section, marked GREEN, can be "torn off" (or C&Ped into a new document) and shared more broadly as a TLP GREEN document.

In the STIX/TAXII world, I would envision creating a TLP GREEN TAXII feed that would allow access to those top level objects tagged GREEN, while stripping off the TLP AMBER and RED top level objects that were part of the STIX document.

Just my 2 cents,

Chris Ricard

-----Original Message-----
From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of John-Mark Gurney
Sent: Thursday, February 04, 2016 3:51 PM
To: Eric Burger <Eric.Burger@georgetown.edu>
Cc: cti@lists.oasis-open.org
Subject: Re: [cti] Missing MTI - what to do?

Eric Burger wrote this message on Mon, Feb 01, 2016 at 19:03 -0500:
I agree with Bret here. The question is what do we do with mixed-level TLP. For example, the whole STIX document is TLP amber, but these elements are TLP red. While the TAXII server might pass or store the whole document, if someone with amber but not red access asks for the document, does the whole document fail? I would offer if the source took the effort to separately indicate amber vs. red, they mean to pass the amber stuff with their trusted TAXII server partner “doing the right thing” with the red elements.

To me, it seems like the document should be marked w/ the highest classification that it contains, so if it has elements which are red, then the document must be red...  If that's the case, then it should be less of an issue...
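
The tear-sheet feed Chris Ricard describes above, set beside the handle-at-highest-marking approach, as an added example that is not part of the original thread or of any STIX/TAXII implementation. The object layout and field names are hypothetical, and treating unmarked objects as RED is an assumption.

```python
# Added example: tear-sheet filtering of top-level objects by TLP marking.
# Field names ("id", "type", "tlp", "source_ref", "target_ref") are
# hypothetical, not taken from the STIX or TAXII specifications.
TLP_ORDER = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}


def tlp_rank(obj):
    """Rank an object's marking; unmarked or unknown values fail closed as RED."""
    return TLP_ORDER.get(str(obj.get("tlp", "")).upper(), TLP_ORDER["RED"])


def highest_marking(objects):
    """Marking the whole document carries if handled at its highest TLP."""
    top = max((tlp_rank(o) for o in objects), default=TLP_ORDER["RED"])
    return next(name for name, rank in TLP_ORDER.items() if rank == top)


def tear_sheet(objects, feed_level):
    """Return the objects releasable to a feed at feed_level.

    Objects marked above the feed level are stripped. A relationship is
    also stripped when either endpoint was stripped, so the tear sheet
    does not carry an identifier pointing at withheld content.
    """
    limit = TLP_ORDER[feed_level.upper()]
    allowed = [o for o in objects if tlp_rank(o) <= limit]
    kept_ids = {o["id"] for o in allowed if o["type"] != "relationship"}
    return [
        o for o in allowed
        if o["type"] != "relationship"
        or (o["source_ref"] in kept_ids and o["target_ref"] in kept_ids)
    ]


# Constructed sample document: GREEN indicators, AMBER attribution.
DOCUMENT = [
    {"id": "indicator-1", "type": "indicator", "tlp": "GREEN"},
    {"id": "indicator-2", "type": "indicator", "tlp": "GREEN"},
    {"id": "actor-1", "type": "threat-actor", "tlp": "AMBER"},
    {"id": "rel-1", "type": "relationship", "tlp": "AMBER",
     "source_ref": "indicator-1", "target_ref": "actor-1"},
    # Mis-marked GREEN: still dropped because its target is withheld.
    {"id": "rel-2", "type": "relationship", "tlp": "GREEN",
     "source_ref": "indicator-2", "target_ref": "actor-1"},
]

if __name__ == "__main__":
    print(highest_marking(DOCUMENT))
    print([o["id"] for o in tear_sheet(DOCUMENT, "GREEN")])
```

The second relationship shows why filtering on each object's own marking is not enough: its GREEN marking would pass a naive filter while still naming the withheld threat actor.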

