MarkDavidson edited this page May 7, 2015 · 5 revisions

An open discussion of the requirements and use cases for Indicator Sharing.

Note: this is an area for discussion, not for ground truth. Please see the documentation on http://stixproject.github.io if you're looking for information on how things are done now. Otherwise, edit away.

Preamble / Background

The best way I could find to frame this discussion was in the context of a sharing organization and a sharing organization's membership. For the use cases written below, assume the following:

There is a sharing organization that has multiple members. Sharing organizations might federate information sharing between each other. Recognize that one organization can participate in multiple sharing organizations concurrently, though that is not discussed at this time. For the purpose of this page, a sharing organization is considered a distinct entity whose purpose is to facilitate information sharing. In reality, the described "sharing organization" might represent one function of a larger organization.

Please note that this section is on Indicator Sharing, not the Indicator constructs themselves. The implementation of these use cases may cross boundaries between STIX and TAXII.

Use Cases

  1. A Member organization submits an Indicator to the sharing organization for redistribution
  2. The sharing organization approves the Indicator - whether by automated or manual means - and redistributes the indicator. (At this point, the sharing organization becomes the "owner" of the indicator, keeping track of all modifications/revisions.)
  3. The sharing organization rejects the Indicator - whether by automated or manual means - and notifies the original sender.
  4. Member org tells a sharing organization that an indicator is rubbish
  5. Member org tells a sharing organization that an indicator is good
  6. Member org tells a sharing organization that an indicator is no longer valid
  7. Member org submits an improved Indicator to the sharing organization
  8. Member org sights the indicator (Note - what's the requirement behind this use case?)
  9. The Sharing organization sends an update to a previously published indicator.
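The nine use cases above as a broker-side lifecycle model, written here as an added illustration rather than code from the STIX or TAXII projects: the status names, the pluggable approval policy and the notification tuples are this example's own conventions, and use case 8 (sightings) is left out because its requirement is still open.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
# Constructed lifecycle model for the use cases above; statuses and notifications are this example's own, not STIX/TAXII terms.

@dataclass
class Indicator:
    indicator_id: str
    pattern: str
    submitter: str
    owner: str                       # moves from the submitting Member to the broker on approval (use case 2)
    status: str = "submitted"
    revisions: List[str] = field(default_factory=list)            # every published pattern, oldest first
    feedback: List[Tuple[str, str]] = field(default_factory=list)  # (member, verdict) pairs

class Broker:
    def __init__(self, name: str, approve: Callable[[Indicator], bool]):
        self.name = name
        self.approve = approve       # automated or manual review decision (use cases 2 and 3)
        self.indicators: Dict[str, Indicator] = {}
        self.notifications: List[Tuple[str, ...]] = []   # what the broker sends out to members

    def submit(self, member: str, indicator_id: str, pattern: str) -> str:
        """Use case 1: a Member submits an Indicator for redistribution; returns the resulting status."""
        ind = Indicator(indicator_id, pattern, submitter=member, owner=member)
        self.indicators[indicator_id] = ind
        if self.approve(ind):                      # use case 2: approve, take ownership, redistribute
            ind.status, ind.owner = "published", self.name
            ind.revisions.append(pattern)
            self.notifications.append(("redistribute", indicator_id))
        else:                                      # use case 3: reject and notify the original sender
            ind.status = "rejected"
            self.notifications.append(("rejected", member, indicator_id))
        return ind.status

    def feedback(self, member: str, indicator_id: str, verdict: str) -> None:
        """Use cases 4-6: verdict is 'rubbish', 'good' or 'invalid' (no longer valid)."""
        ind = self.indicators[indicator_id]
        ind.feedback.append((member, verdict))
        if verdict == "invalid" and ind.status == "published":
            ind.status = "revoked"                 # use case 9: the revocation goes out as an update
            self.notifications.append(("update", indicator_id, "revoked"))

    def revise(self, member: str, indicator_id: str, pattern: str) -> int:
        """Use case 7: an improved Indicator; the broker keeps the revision history and pushes an update (use case 9)."""
        ind = self.indicators[indicator_id]
        if ind.status != "published":
            raise ValueError(f"{indicator_id} is {ind.status}; only published indicators can be revised")
        ind.pattern = pattern
        ind.revisions.append(pattern)
        self.notifications.append(("update", indicator_id, "revised"))
        return len(ind.revisions)
```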

Members, Brokers, and Federation

This section makes an attempt at defining roles for information sharing.

  • Member - A Member is an organization that participates in an information sharing group.
  • Broker - A Broker is an organization that facilitates information exchange in an information sharing group.
  • Information sharing group - A group of Members and a Broker that exchange threat information.
  • Federation - Federation is the exchange of information across brokers.

Note that any one organization might be a member of multiple information sharing groups. A single organization might have a role as both a Member and a Broker.

Pictures (Member Broker Federation): Member Broker Sequence (PlantUML Source); Member Broker Federation Architecture (PlantUML Source)

Other discussion

Are there any missing use cases?
