

Subject: Re: [cti] Missing MTI - what to do?


Can you elaborate on that, Pat? I’m not following…

And to answer the other question…in the data markings proposal, there are two levels of markings:

  • L1 markings apply to a package or an object. When applied to a package, it is NOT highest marking…it’s default marking (applies recursively) unless overridden. There’s no concept of highest marking in L1 markings unless it’s something that the marking model (TLP, whatever) adds.
  • L2 markings apply to packages, objects, and properties recursively as selected by the controlled structure. Again, these are NOT highest marking but rather default recursive unless overridden.
So yes, you can do tear lines via this approach, but no, we don’t have a “highest marking” type cover sheet. That’s more a policy/convenience mechanism for paper documents. It also doesn’t really apply for some marking models…you can’t really have a “highest” terms of use marking.

Would it be OK for a TAXII server to modify the messages that it receives on a channel before republishing? We’re talking about markings here, but it really could apply to anything (anonymization, enrichment, etc).

John

From: <cti@lists.oasis-open.org> on behalf of Patrick Maroney <Pmaroney@Specere.org>
Date: Friday, February 5, 2016 at 11:42 AM
To: "Jordan, Bret" <bret.jordan@bluecoat.com>, pam smith <Pam.Smith@jhuapl.edu>
Cc: Chris Ricard <cricard@fsisac.us>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Missing MTI - what to do?

I don't recall seeing any responses to (informal) call to establish consensus within the broader CTI TC Community on whether we will carry some of today's core TAXII Tenets forward (and if not, explicitly codifying the differences).

I'm not trying to re-visit specifics of these decisions here, merely advocating that reaching consensus on these core architecture decisions will greatly impact outcomes for this type of discussion.

For example (only), if one subscribes to the notion that a (1) "TAXII Transport Gateway", (2) "TAXII End-Point", and (3) "TAXII Repository" are distinct functional components within the TAXII Architecture/Specification, then the context of these Data Marking discussions shifts dramatically.

Patrick Maroney
Office:  (856)983-0001
Cell:      (609)841-5104


President
Integrated Networking Technologies, Inc.
PO Box 569
Marlton, NJ 08053

From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of Bret Jordan <bret.jordan@bluecoat.com>
Date: Friday, February 5, 2016 at 11:20 AM
To: Pamela Smith <Pam.Smith@jhuapl.edu>
Cc: Chris Ricard <cricard@fsisac.us>, "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Missing MTI - what to do?

I believe that is part of John Wunder's new data marking proposal.


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Feb 5, 2016, at 05:44, Smith, Pamela A. <Pam.Smith@jhuapl.edu> wrote:

Is it possible to have two TLP Markings at the document level:

one marking as "Highest-Most-Restrictive"
one marking as "Default" (that can be over-written by the level 2 markings)

This is how we do this in the community I've been working with.  This allows the concept of a "cover sheet" that contains the highest-most restrictive marking.

Pam Smith
JHU/APL
________________________________________
From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Chris Ricard <cricard@fsisac.us>
Sent: Thursday, February 4, 2016 5:39 PM
To: cti@lists.oasis-open.org
Subject: RE: [cti] Missing MTI - what to do?

Handling the entire STIX document at its highest TLP marking is certainly the easiest solution, but it doesn’t address the concept of "tear sheets".

Use Case:  I generate a STIX document containing a set of indicators, and relating these indicators to a specific threat actor.

The indicators themselves are TLP GREEN, but the attribution to the threat actor is TLP AMBER.

If the STIX document is handled at its highest TLP marking, I lose the ability to share out the indicators to the broader community, because of the Threat Actor attribution.

In the human-readable world, this is often accomplished through tear sheets.  The document would be marked TLP AMBER, but a lower section, marked GREEN, can be "torn off" (or C&Ped into a new document) and shared more broadly as a TLP GREEN document.

In the STIX/TAXII world, I would envision creating a TLP GREEN TAXII feed that would allow access to those top level objects tagged GREEN, while stripping off the TLP AMBER and RED top level objects that were part of the STIX document.

Just my 2 cents,

Chris Ricard
FS-ISAC

-----Original Message-----
From: cti@lists.oasis-open.org [mailto:cti@lists.oasis-open.org] On Behalf Of John-Mark Gurney
Sent: Thursday, February 04, 2016 3:51 PM
To: Eric Burger <Eric.Burger@georgetown.edu>
Cc: cti@lists.oasis-open.org
Subject: Re: [cti] Missing MTI - what to do?

Eric Burger wrote this message on Mon, Feb 01, 2016 at 19:03 -0500:
I agree with Bret here. The question is what do we do with mixed-level TLP. For example, the whole STIX document is TLP amber, but these elements are TLP red. While the TAXII server might pass or store the whole document, if someone with amber but not red access asks for the document, does the whole document fail? I would offer if the source took the effort to separately indicate amber vs. red, they mean to pass the amber stuff with their trusted TAXII server partner “doing the right thing” with the red elements.

To me, it seems like the document should be marked w/ the highest classification that it contains, so if it has elements which are red, then the document must be red...  If that's the case, then it should be less of an issue...

John-Mark

---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail.  Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php


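The marking semantics discussed in this thread, worked through as an added example (not code from the CTI TC or any STIX/TAXII implementation): John's L1 package default with L2 object overrides, Pam's "highest marking" cover-sheet value, and Chris Ricard's TLP GREEN feed that strips AMBER/RED objects. The package, object ids and the `marking` property name are constructed for illustration.

```python
# Added example for this thread, not code from the CTI TC or any STIX/TAXII
# library. It models the two marking levels John describes (an L1 package
# marking as recursive default, L2 object markings that override it) and
# Chris Ricard's use case: a TLP GREEN feed that strips AMBER/RED objects.
TLP_ORDER = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}

# Constructed sample package: indicators inherit the GREEN default, the
# attribution objects carry an explicit AMBER override.
SAMPLE_PACKAGE = {
    "id": "package--sample",
    "marking": "GREEN",  # L1 default, applies recursively unless overridden
    "objects": [
        {"id": "indicator--1", "type": "indicator", "pattern": "[domain-name:value = 'bad.example']"},
        {"id": "indicator--2", "type": "indicator", "pattern": "[ipv4-addr:value = '192.0.2.7']"},
        {"id": "threat-actor--1", "type": "threat-actor", "name": "Sample Actor", "marking": "AMBER"},
        {"id": "relationship--1", "type": "relationship", "source_ref": "indicator--1",
         "target_ref": "threat-actor--1", "marking": "AMBER"},
    ],
}


def effective_marking(obj, package_default):
    """An L2 marking on the object wins; otherwise the L1 default applies."""
    return obj.get("marking", package_default)


def highest_marking(package):
    """The 'cover sheet' value Pam asks about: most restrictive marking present."""
    default = package["marking"]
    levels = [default] + [effective_marking(o, default) for o in package["objects"]]
    return max(levels, key=TLP_ORDER.__getitem__)


def tear_sheet(package, feed_level):
    """Return the view a feed at feed_level may republish.

    Objects above feed_level are stripped. A relationship survives only if
    both endpoints survive, so the feed does not leak a stripped object by
    reference. Kept objects get their marking written explicitly, so the
    republished package no longer depends on the original L1 default.
    """
    default, limit = package["marking"], TLP_ORDER[feed_level]
    kept = []
    for obj in package["objects"]:
        level = effective_marking(obj, default)
        if TLP_ORDER[level] <= limit:
            kept.append({**obj, "marking": level})  # copy; input is not mutated
    ids = {o["id"] for o in kept}
    kept = [o for o in kept if o["type"] != "relationship"
            or (o["source_ref"] in ids and o["target_ref"] in ids)]
    return {"id": package["id"], "marking": feed_level, "objects": kept}
```

Writing the resolved marking onto every republished object is the point to check when a TAXII server rewrites messages as John asks: a consumer must not be able to recover a different effective marking than the one the feed enforced.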