Asserting Data Markings on Content

John Wunder edited this page Nov 6, 2015 · 3 revisions

Pre-1.2.1 Use Case (True/False): True

Relevant to which SCs (STIX/TAXII/CybOX): STIX/CybOX/TAXII

Abstraction Level (High, Medium or Low): High

Related Use Cases: (none yet)

Description: A producer must be able to "mark" data with certain attributes about how it should be shared and handled. These markings must be unambiguous to a consumer.

Stakeholders/Goals:

  • Stakeholder: Basic Sharing Community

    • Goals
      • An organization sharing data is able to unambiguously mark entire "top-level objects" (indicators, campaigns, etc.) with some set of markings. Objects with different markings may be shared at the same time with the same consumers.
      • An organization re-sharing data is able to maintain the existing markings applied to the top-level objects.
  • Stakeholder: Advanced Sharing Community

    • Goals
      • All goals of the basic sharing community
      • An organization is able to share top-level objects where fields in the object have different markings.

Preconditions:

  1. One or more marking structures have been defined that will be used to mark data
  2. The data to be marked exists and is encoded in STIX

Dependencies:

  1. The definition of actual marking structure(s) and a means of referencing or embedding them.

Main Success Scenario:

Basic

  1. Organization A creates three indicators (Indicator A, Indicator B, and Indicator C) related to a piece of malware (TTP A).
  2. Organization A determines that Indicator C is sensitive and should be marked TLP:RED, while the other data is not sensitive and is marked TLP:GREEN.
  3. Organization A shares all of the data with Organization B. Indicators A and B and TTP A are marked TLP:GREEN, and Indicator C is marked TLP:RED.
  4. Organization B receives the data and, in its systems, marks the TLP:GREEN data as resharable within the community but Indicator C as non-sharable.

Advanced

  1. Organization A creates one indicator. The indicator itself is TLP:GREEN, but the description contains information about how it was derived and is therefore TLP:RED.
  2. Organization A shares the indicator with Organization B.
  3. Organization B re-shares the indicator, but the TLP:RED description is not included.
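
The Basic and Advanced scenarios above, seen from Organization B's side as a re-share filter. This is an added example, not part of the original page or of STIX itself: plain Python dicts stand in for top-level objects, and the `marking` and `field_markings` keys, the `ceiling` parameter and the sample ids are assumptions made for illustration. An unrecognised marking raises an error, so an ambiguous marking never defaults to shareable.

```python
# Added illustration: plain dicts stand in for STIX top-level objects.
# The "marking" and "field_markings" keys are hypothetical, not STIX syntax.
TLP_ORDER = ["WHITE", "GREEN", "AMBER", "RED"]  # least to most restrictive


def tlp_rank(marking):
    """Rank a 'TLP:<LEVEL>' string; an ambiguous marking is rejected."""
    prefix, _, level = marking.partition(":")
    if prefix != "TLP" or level not in TLP_ORDER:
        raise ValueError(f"unrecognised marking: {marking!r}")
    return TLP_ORDER.index(level)


def redact_for_reshare(obj, ceiling="TLP:GREEN"):
    """Return a copy of obj that may be re-shared at `ceiling`, or None.

    The object-level marking applies to every field unless a field-level
    marking overrides it. Surviving markings are carried over unchanged.
    """
    limit = tlp_rank(ceiling)
    if tlp_rank(obj["marking"]) > limit:
        return None  # whole object is too sensitive (Basic, Indicator C)
    overrides = obj.get("field_markings", {})
    fields = {name: value for name, value in obj["fields"].items()
              if tlp_rank(overrides.get(name, obj["marking"])) <= limit}
    kept = {name: m for name, m in overrides.items() if name in fields}
    return {"id": obj["id"], "marking": obj["marking"],
            "fields": fields, "field_markings": kept}


def reshare(package, ceiling="TLP:GREEN"):
    """Apply redact_for_reshare to every object and drop withheld ones."""
    redacted = (redact_for_reshare(obj, ceiling) for obj in package)
    return [obj for obj in redacted if obj is not None]


# Constructed sample data mirroring the Basic and Advanced scenarios.
BASIC = [
    {"id": "ttp-a", "marking": "TLP:GREEN", "fields": {"title": "TTP A"}},
    {"id": "indicator-a", "marking": "TLP:GREEN", "fields": {"title": "A"}},
    {"id": "indicator-b", "marking": "TLP:GREEN", "fields": {"title": "B"}},
    {"id": "indicator-c", "marking": "TLP:RED", "fields": {"title": "C"}},
]
ADVANCED = [{
    "id": "indicator-d", "marking": "TLP:GREEN",
    "fields": {"title": "D", "description": "how it was derived"},
    "field_markings": {"description": "TLP:RED"},
}]
```

Calling `reshare(BASIC)` withholds Indicator C entirely, while `reshare(ADVANCED)` keeps the indicator and its TLP:GREEN marking but drops the TLP:RED description.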