

Subject: Re: [cti] Working call notes Nov 6, 2017


Hi All,

I prefer Option 1, with Option 5 something we work on in the TAXII SC.

I should help highlight why I proposed option 5 during today's call to give some food for thought.

IEP was developed to allow a producer to simply mark how they would like an organisation to use the information they are providing. I think of it like a more detailed version of TLP. IEP was intended for one organization to use to tell the other organization how it should use the information it receives. Nothing more, nothing less. This is why I believe Option 1 is the best option to use.

That said, we also recognize the fact that some trust groups will want to enforce adherence to an IEP Policy in order to receive threat intelligence shared within that trust group. That is why I suggested Option 5. Option 5 would add the optional ability for a TAXII channel to have admission criteria placed upon it. One of the possible admission criteria could be data markings. We could make it so that a producer can say that any client who connects to a TAXII channel must support IEP and/or TLP, and that the IEP must be used first if possible, with TLP being used as the backup. Another TAXII channel could say that all unmarked intel shared on that channel will have a default IEP policy applied to it, requiring any other intel marked with a different IEP policy to be explicitly marked. In the medium future we could even go so far as to have a TAXII channel that makes all recipients sign/approve a legal document before they gain access.

Option 1 + 5 make a powerful pair in my mind.

Cheers

Terry MacDonald | Chief Product Officer







On Wed, Nov 8, 2017 at 10:56 AM, Sean Barnum <sean.barnum@fireeye.com> wrote:
Option #1


From: cti@lists.oasis-open.org <cti@lists.oasis-open.org> on behalf of Allan Thomson <athomson@lookingglasscyber.com>
Sent: Tuesday, November 7, 2017 4:54:35 PM
To: Wunder, John A.; cti@lists.oasis-open.org

Subject: Re: [cti] Working call notes Nov 6, 2017
 

I think Option 1+5 seems a reasonable approach.

 

regards

 

Allan

 

 

From: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org> on behalf of "Wunder, John" <jwunder@mitre.org>
Date: Tuesday, November 7, 2017 at 1:43 PM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: Re: [cti] Working call notes Nov 6, 2017

 

Unfortunately the slide deck I presented seems to have disappeared, computers are hard! But, here are the options we talked through on the call that are referenced from the notes that Sarah sent. Note that the order is different than my earlier e-mail.

 

Option 1: Add language to the data markings portion of the specification to specify that markings are informational from a STIX perspective.

“Data marking support in this standard is present in order to facilitate data interchange within and amongst trust group communities. While the standard defines the methodology to communicate data markings, and also includes standard definitions for select marking types, it does not attempt to define how individual software implementations must or must not behave with respect to any individual marking. Understanding that the behavior of any individual software implementation with regard to data markings is highly context-specific and thus out of scope of this standard, support of any specific marking type is considered OPTIONAL.”

 

Option 2: Defer including IEP for STIX 2.1 and take the time to address the implementability and verifiability issues that have been brought up with IEP

 

Option 3: Add a property to data markings to specify whether consumers must understand them or not (i.e. may_understand vs. must_understand) <- Proposed by Mark Davidson on the call

 

Option 4: Specify that TLP is always a must_understand and IEP is always a may_understand. <- Proposed by Chris Ricard on the call

 

Option 5: Add the list of markings that must/may be understood to TAXII to specify as part of a TAXII collection or channel. <- Proposed by Terry MacDonald on the call

 

John

 

From: <cti@lists.oasis-open.org> on behalf of Sarah Kelley <Sarah.Kelley@cisecurity.org>
Date: Tuesday, November 7, 2017 at 4:09 PM
To: "cti@lists.oasis-open.org" <cti@lists.oasis-open.org>
Subject: [cti] Working call notes Nov 6, 2017

 

Here are the notes from the working call we just finished.

 

Sarah Kelley

Senior Cyber Threat Analyst

Multi-State Information Sharing and Analysis Center (MS-ISAC)                   

31 Tech Valley Drive

East Greenbush, NY 12061

 

sarah.kelley@cisecurity.org

518-266-3493

24x7 Security Operations Center

SOC@cisecurity.org - 1-866-787-4722

 

                  
