Presentation is loading. Please wait.

Presentation is loading. Please wait.

TAXII SC Call 2015-10-13. Agenda Administrivia Month Behind Discussion Month Ahead.

Published byEvelyn Riley Modified over 8 years ago

Similar presentations

Presentation on theme: "TAXII SC Call 2015-10-13. Agenda Administrivia Month Behind Discussion Month Ahead."— Presentation transcript:

1 TAXII SC Call 2015-10-13

2 Agenda Administrivia Month Behind Discussion Month Ahead

3 Administrivia We’re trying out a new format: Month Behind Discussion Topics Month Ahead

4 Month Behind We got a lot done in the past month in TAXII Land

5 Month Behind Vision Statement HTTP REST API Groups of Channels as an API base TAXII 1.1.1 Authentication Didn’t discuss use cases TAXII is an open protocol for the communication of cyber threat information. Focusing on simplicity and scalability, TAXII enables authenticated and secure communication of cyber threat information across products and organizations.

6 Month Behind Vision Statement HTTP REST API Groups of Channels as an API base TAXII 1.1.1 Authentication Didn’t discuss use cases We decided on HTTPS at the default transport method for TAXII 2.0. This will make transitions between TAXII 1.1.1 and TAXII 2.0 easier.

7 Month Behind Vision Statement HTTP REST API Groups of Channels as an API base TAXII 1.1.1 Authentication Didn’t discuss use cases Also includes DNS SRV _taxii2._tcp.example.com. 86400 IN SRV 0 5 443 taxii.example.com https://github.com/TAXIIProject/TAXII- Specifications/wiki/HTTP-REST-API-for- TAXII-2.0

8 Month Behind Vision Statement HTTP REST API Groups of Channels as an API base TAXII 1.1.1 Authentication Didn’t discuss use cases Group creation and management are not in the REST API However, the concept of a “API-Base” is Groups of Channels can be done at the implementation level by using Hostnames - https://taxii2.x.comhttps://taxii2.x.com TCP Ports - https://sometaxiiserver.x.com:3200https://sometaxiiserver.x.com:3200 URL Paths - https://taxii2.x.com/somebasehttps://taxii2.x.com/somebase

9 Month Behind Vision Statement HTTP REST API Groups of Channels as an API base TAXII 1.1.1 Authentication Didn’t discuss use cases As you know we have had the initial copy and paste done for some time Once all of the DHS/OASIS legal issues were resolved we were able to finish this. Very view comments or issues were brought up by the SC This has now been sent to the full CTI TC for review

10 Month Behind Vision Statement HTTP REST API Groups of Channels as an API base TAXII 1.1.1 Authentication Didn’t discuss use cases One of the early requirements that we heard from the SC was TAXII 2.0 needed to define how authentication would work to guarantee interoperability After some discussion on Slack a proposal was made that most seem to agree with HTTP Basic with JWT (JSON Web Tokens)

11 Month Behind Vision Statement HTTP REST API Groups of Channels as an API base TAXII 1.1.1 Authentication Didn’t discuss use cases We did not discuss any use cases or analyst work flows on the lists, other than the one Bret sent out. So we would like to do that now.

12 Discussion: Scenario Walk Through The following workflow / scenario encompasses 4 common use cases for TAXII Internal to internal device communication Analyst to analyst communication inside of the network Organization to organization indicator / STIX publishing Analyst to external analyst work group (circle of interest) This is being done from my experience as a security architect and what I would have liked in my network Think about possible unit tests that we will need for each of these elements. If you think of additional workflows, please contribute them

13 Discussion: Scenario Walk Through

14 1) A Client in the BBZ downloads a PDF from the internet 2) The Proxy or the Layer7 Firewall intercepts the PDF and sends it off to a malware detonation platform over a proprietary API for analysis 3) 3-5 minutes later the malware detonation platform discovers the PDF is weaponized returns those results to the proxy via a proprietary API / solution

15 Discussion: Scenario Walk Through 3) The proxy publishes an indicator to the TAXII server’s indicator channel with: a) IP Flow information b) File name and hash c) Time stamp d) Assertion that the file is bad along with details

16 Discussion: Scenario Walk Through 4) The client consumes the indicator from the Indicator channel and responds with sighting information and additional data enrichment about what the malware did when it detonated. 5) An analyst workbench consumes all of this traffic (indicators, sightings, data enrichment elements) on the Indicator channel and can notify the analyst, SOC, or ticketing system a) Any security tool can hook up to the Indicator channel in this passive listening mode and do interesting things

17 Discussion: Scenario Walk Through 6) The Analyst goes to the client to investigate and using TBD mobile analyst workbench and discovers that the client is talking to a server in Server Zone (bad!!!!). He updates the information in his workbench tool and dispatches another Analyst to go look at the Server a) Out of scope interaction for TAXII, implementation specific to the tools being used

18 Discussion: Scenario Walk Through 7) Now the two analysts can share information back and forth through their workbench tool that is connected to their TAXII server. a) Analyst 2 may find an interesting IP / URL address and after she updates her tool, Analyst 1 will see it and could respond with, yeah, I already looked at that, and it is a red herring so do not waste your time on it. b) In STIX land this would be done with a relationship object and a negative assertion

19 Discussion: Scenario Walk Through 8) At some point Analyst 1 may choose to publish the indicator on their Public TAXII server. He may do this directly on the Public TAXII server’s Indicator channel or if the Public TAXII server is connected to the internal TAXII server by a specialized channel, say “external indicators” he can just publish to the internal TAXII server a) Anyone subscribed to the Public TAXII server’s indicator channel would get the published Indicator

20 Discussion: Scenario Walk Through 9) Analyst 2 discovers some neat new malware on the server and needs some help investigating it. She wants to sent it to an analyst friend outside of the organization. a) If Analyst 2 has access to her own public TAXII server or a cloud TAXII server she could share the information with an external analyst

21 Discussion: Scenario Walk Through 10) In order for Analyst 2 to share something with the External Analyst via a cloud TAXII server the Analyst would need to connect to the vendor implementation specific management UI and setup an API Base for her and the External Analyst to use. Once she has done that, she could use her TAXII client to create a new channel for their use. She would then need to tell the External Analyst about the API Base and which channel she was using via an out-of-band method

22 Month Ahead Start Spec Work REST Messages Road Map We should have enough information now, to start initial work on the spec for TAXII 2.0. As we work on the spec we should be able to flesh out more details Open call for editors

23 Month Ahead Start Spec Work REST Messages Road Map We need to start identifying the types of messages that will exist on the channels and what they will look like Container Messages Control Messages Setting up new channels Tearing down channels Flesh out the x-header values we need Identify the resource elements of the REST API and what control codes should be returned

24 Month Ahead Start Spec Work REST Messages Road Map At the current trend line we should have an early draft of the specification for TAXII 2.0 by end-of year 2015. This should give implementers an early vision in to where things are going so they can start writing code.

25 End Slide Questions / Comments / Thoughts?

Download ppt "TAXII SC Call 2015-10-13. Agenda Administrivia Month Behind Discussion Month Ahead."

Similar presentations

Siebel Web Services Siebel Web Services March, From

Siebel Web Services Siebel Web Services March, From
Enabling IPv6 in Corporate Intranet Networks

Enabling IPv6 in Corporate Intranet Networks
Cs/ee 143 Communication Networks Chapter 6 Internetworking Text: Walrand & Parekh, 2010 Steven Low CMS, EE, Caltech.

Cs/ee 143 Communication Networks Chapter 6 Internetworking Text: Walrand & Parekh, 2010 Steven Low CMS, EE, Caltech.
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
.NET Remoting. .Net Remoting Replaces DCOM (Distributed Component Object Model – a proprietary Microsoft technology for communication among software components.

.NET Remoting. .Net Remoting Replaces DCOM (Distributed Component Object Model – a proprietary Microsoft technology for communication among software components.
236349 Project in Computer Security Integrating TOR’s attacks into the I2P darknet Chen Avnery Amihay Vinter.

Project in Computer Security Integrating TOR’s attacks into the I2P darknet Chen Avnery Amihay Vinter.
Windows Communication Foundation and Web Services.

Windows Communication Foundation and Web Services.
JXTA P2P Platform Denny Chen Dai CMPT 771, Spring 08.

JXTA P2P Platform Denny Chen Dai CMPT 771, Spring 08.
IS 247 Introduction to Web Application Development Tim Wu.

IS 247 Introduction to Web Application Development Tim Wu.
Layer 7- Application Layer

Layer 7- Application Layer
1. Introducing Java Computing  What is Java Computing?  Why Java Computing?  Enterprise Java Computing  Java and Internet Web Server.

1. Introducing Java Computing  What is Java Computing?  Why Java Computing?  Enterprise Java Computing  Java and Internet Web Server.
1 The HyperText Transfer Protocol: HTTP Nick Smith Stuart Alley Tara Tjaden.

1 The HyperText Transfer Protocol: HTTP Nick Smith Stuart Alley Tara Tjaden.
Web Proxy Server Anagh Pathak Jesus Cervantes Henry Tjhen Luis Luna.

Web Proxy Server Anagh Pathak Jesus Cervantes Henry Tjhen Luis Luna.
CS 415 N-Tier Application Development By Umair Ashraf July 6,2013 National University of Computer and Emerging Sciences Lecture # 9 Introduction to Web.

CS 415 N-Tier Application Development By Umair Ashraf July 6,2013 National University of Computer and Emerging Sciences Lecture # 9 Introduction to Web.
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.
By Justin Thompson. What is SOAP? Originally stood for Simple Object Access Protocol Created by vendors from Microsoft, Lotus, IBM, and others Protocol.

By Justin Thompson. What is SOAP? Originally stood for Simple Object Access Protocol Created by vendors from Microsoft, Lotus, IBM, and others Protocol.
Managing Client Access

Managing Client Access
Module 4 Managing Client Access. Module Overview Configuring the Client Access Server Role Configuring Client Access Services for Outlook Clients Configuring.

Module 4 Managing Client Access. Module Overview Configuring the Client Access Server Role Configuring Client Access Services for Outlook Clients Configuring.
Welcome We’re Mark and Bret; This is the TAXII SC.

Welcome We’re Mark and Bret; This is the TAXII SC.
IT 210 The Internet & World Wide Web introduction.

IT 210 The Internet & World Wide Web introduction.

Similar presentations

Ads by Google