TAXII SC Call 2015-10-13. Agenda: Administrivia, Month Behind, Discussion, Month Ahead.

Presentation transcript:

TAXII SC Call

Agenda: Administrivia, Month Behind, Discussion, Month Ahead

Administrivia: We're trying out a new format: Month Behind, Discussion Topics, Month Ahead.

Month Behind: We got a lot done in the past month in TAXII Land.

Month Behind: Vision Statement
TAXII is an open protocol for the communication of cyber threat information. Focusing on simplicity and scalability, TAXII enables authenticated and secure communication of cyber threat information across products and organizations.

Month Behind: HTTP REST API
We decided on HTTPS as the default transport method for TAXII 2.0. This will make transitions between the existing TAXII and TAXII 2.0 easier.

Month Behind: HTTP REST API (continued)
Also includes DNS SRV discovery of the service, e.g. _taxii2._tcp.example.com IN SRV taxii.example.com
Details: Specifications/wiki/HTTP-REST-API-for-TAXII-2.0
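To make the SRV discovery step concrete, here is an added example (not code from the call or from any TAXII project) that parses SRV answers, picks one the way RFC 2782 describes, and turns it into an HTTPS API base URL. The record fields (priority, weight, port), the three sample records and the preference for HTTPS are assumptions for illustration; the slide's own record shows only the target.

```python
"""Service discovery for a TAXII 2.0 API base via DNS SRV (added example).

Assumptions not taken from the call notes: the record carries the usual
RFC 2782 fields (priority, weight, port, target), the client prefers the
lowest priority and chooses among equal priorities by weight, and the API
base is an HTTPS URL because HTTPS is the agreed default transport.
"""
from __future__ import annotations
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(zone_line: str) -> SrvRecord:
    """Parse one zone-file style line, e.g.
    '_taxii2._tcp.example.com. 3600 IN SRV 10 60 443 taxii.example.com.'
    A target of '.' means "service not offered" (RFC 2782) and is rejected."""
    fields = zone_line.split()
    if len(fields) < 7 or fields[-5] != "SRV":
        raise ValueError(f"not an SRV record: {zone_line!r}")
    priority, weight, port = (int(f) for f in fields[-4:-1])
    target = fields[-1].rstrip(".")
    if not target:
        raise ValueError("SRV target '.' means the service is not available")
    return SrvRecord(priority, weight, port, target)


def select_record(records: list, rng: random.Random | None = None) -> SrvRecord:
    """RFC 2782 selection: lowest priority wins; ties are broken by weight."""
    if not records:
        raise LookupError("no SRV records to choose from")
    rng = rng or random.Random()
    best = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == best]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return candidates[0]
    pick = rng.randint(0, total - 1)
    for record in candidates:
        pick -= record.weight
        if pick < 0:
            return record
    return candidates[-1]  # not reached: the loop always returns


def api_base_url(record: SrvRecord, path: str = "/") -> str:
    """Build the HTTPS API base; the port is omitted when it is the default 443."""
    host = record.target if record.port == 443 else f"{record.target}:{record.port}"
    return f"https://{host}{path}"


# Constructed answer set for _taxii2._tcp.example.com (not real records).
SAMPLE_ZONE = """
_taxii2._tcp.example.com. 3600 IN SRV 10 60 443  taxii.example.com.
_taxii2._tcp.example.com. 3600 IN SRV 10 40 8443 taxii-b.example.com.
_taxii2._tcp.example.com. 3600 IN SRV 20  0 443  taxii-backup.example.com.
"""


def discover(zone_text: str = SAMPLE_ZONE, seed: int | None = None) -> str:
    """Parse the answer set and return the API base URL a client should use."""
    records = [parse_srv(line) for line in zone_text.strip().splitlines()]
    chosen = select_record(records, random.Random(seed))
    return api_base_url(chosen)


if __name__ == "__main__":
    print(discover())
```

A real client would feed the answers from its resolver into `select_record` instead of `SAMPLE_ZONE`; the backup record at priority 20 is only used when both priority-10 hosts are absent from the answer set.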

Month Behind: Groups of Channels as an API Base
Group creation and management are not in the REST API. However, the concept of an "API Base" is. Groups of channels can be done at the implementation level by using:
- Hostnames
- TCP ports
- URL paths

Month Behind (continued)
As you know, we have had the initial copy and paste done for some time. Once all of the DHS/OASIS legal issues were resolved we were able to finish this. Very few comments or issues were brought up by the SC. This has now been sent to the full CTI TC for review.

Month Behind: TAXII Authentication
One of the early requirements that we heard from the SC was that TAXII 2.0 needed to define how authentication would work to guarantee interoperability. After some discussion on Slack a proposal was made that most seem to agree with: HTTP Basic with JWT (JSON Web Tokens).
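The proposal pairs two mechanisms: HTTP Basic presented once to obtain a token, and the JWT presented on every later request. The following added example (standard library only; not code from the call, from OASIS or from any TAXII implementation) shows both halves and the checks a server needs on the token side. The token endpoint path, the HS256 signing key, the user store, the one-hour lifetime and the claim names are all constructed assumptions; the call did not fix any of these details.

```python
"""HTTP Basic credentials exchanged for a JWT, then the JWT checked on later
requests (added example, standard library only).

Assumptions not taken from the call: the token endpoint, the HS256 signing
key, the user store, the one-hour lifetime and the claim names are all
constructed for illustration.
"""
from __future__ import annotations
import base64, hashlib, hmac, json, secrets, time

SIGNING_KEY = secrets.token_bytes(32)   # server-side HMAC key (constructed)
TOKEN_TTL = 3600                        # token lifetime in seconds (constructed)


def hash_password(password: str, salt: bytes) -> bytes:
    # scrypt rather than a bare hash so a leaked store resists brute force
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)


def new_user(password: str) -> tuple[bytes, bytes]:
    salt = secrets.token_bytes(16)
    return salt, hash_password(password, salt)


USERS = {"analyst1": new_user("correct horse")}   # constructed user store
DUMMY = new_user("dummy")   # unknown users cost the same time as known ones


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_basic(authorization: str) -> str | None:
    """Validate 'Authorization: Basic <base64(user:password)>'; return the user."""
    scheme, _, blob = authorization.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        user, _, password = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:          # bad base64 or bad UTF-8
        return None
    salt, expected = USERS.get(user, DUMMY)
    ok = hmac.compare_digest(expected, hash_password(password, salt))
    return user if ok and user in USERS else None


def issue_jwt(user: str, now: float | None = None) -> str:
    """Mint a compact HS256 JWT: b64url(header).b64url(claims).b64url(signature)."""
    issued = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user, "iat": issued, "exp": issued + TOKEN_TTL}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    signature = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(signature)}"


def verify_jwt(token: str, now: float | None = None) -> dict | None:
    """Return the claims only if the alg is the expected one, the signature
    matches and the token has not expired; otherwise None."""
    now = time.time() if now is None else now
    try:
        h64, c64, s64 = token.split(".")
        header, claims, signature = (
            json.loads(b64url_decode(h64)), json.loads(b64url_decode(c64)), b64url_decode(s64))
    except ValueError:          # wrong segment count, bad base64, bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":   # never honour 'none' or a client-chosen alg
        return None
    expected = hmac.new(SIGNING_KEY, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def token_endpoint(authorization: str) -> tuple[int, dict]:
    """Constructed /token endpoint: Basic credentials in, JWT out."""
    user = check_basic(authorization)
    if user is None:
        return 401, {"error": "invalid credentials"}
    return 200, {"token": issue_jwt(user)}


def authorize_request(authorization: str) -> str | None:
    """Later API calls carry 'Authorization: Bearer <jwt>'; return the subject."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer":
        return None
    claims = verify_jwt(token)
    return claims.get("sub") if claims else None


def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

The order of checks in `verify_jwt` matters: the algorithm is pinned before the signature is examined, the comparison is constant-time, and expiry is enforced from the server clock rather than trusted from the client. Both the Basic exchange and the bearer token only make sense over the HTTPS transport the call settled on.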

Month Behind: Didn't Discuss Use Cases
We did not discuss any use cases or analyst workflows on the lists, other than the one Bret sent out. So we would like to do that now.

Discussion: Scenario Walk Through
The following workflow / scenario encompasses 4 common use cases for TAXII:
- Internal to internal device communication
- Analyst to analyst communication inside of the network
- Organization to organization indicator / STIX publishing
- Analyst to external analyst work group (circle of interest)
This is being done from my experience as a security architect and what I would have liked in my network. Think about possible unit tests that we will need for each of these elements. If you think of additional workflows, please contribute them.

Discussion: Scenario Walk Through
1) A client in the BBZ downloads a PDF from the internet.
2) The proxy or the Layer 7 firewall intercepts the PDF and sends it off to a malware detonation platform over a proprietary API for analysis.
3) 3-5 minutes later the malware detonation platform discovers the PDF is weaponized and returns those results to the proxy via a proprietary API / solution.

Discussion: Scenario Walk Through
3) The proxy publishes an indicator to the TAXII server's indicator channel with:
   a) IP flow information
   b) File name and hash
   c) Time stamp
   d) Assertion that the file is bad, along with details

Discussion: Scenario Walk Through
4) The client consumes the indicator from the indicator channel and responds with sighting information and additional data enrichment about what the malware did when it detonated.
5) An analyst workbench consumes all of this traffic (indicators, sightings, data enrichment elements) on the indicator channel and can notify the analyst, SOC, or ticketing system.
   a) Any security tool can hook up to the indicator channel in this passive listening mode and do interesting things.

Discussion: Scenario Walk Through
6) The analyst goes to the client to investigate and, using a TBD mobile analyst workbench, discovers that the client is talking to a server in the Server Zone (bad!!!!). He updates the information in his workbench tool and dispatches another analyst to go look at the server.
   a) Out of scope interaction for TAXII; implementation specific to the tools being used.

Discussion: Scenario Walk Through
7) Now the two analysts can share information back and forth through their workbench tool that is connected to their TAXII server.
   a) Analyst 2 may find an interesting IP / URL address and, after she updates her tool, Analyst 1 will see it and could respond with "yeah, I already looked at that, and it is a red herring, so do not waste your time on it."
   b) In STIX land this would be done with a relationship object and a negative assertion.

Discussion: Scenario Walk Through
8) At some point Analyst 1 may choose to publish the indicator on their public TAXII server. He may do this directly on the public TAXII server's indicator channel, or, if the public TAXII server is connected to the internal TAXII server by a specialized channel, say "external indicators", he can just publish to the internal TAXII server.
   a) Anyone subscribed to the public TAXII server's indicator channel would get the published indicator.

Discussion: Scenario Walk Through
9) Analyst 2 discovers some neat new malware on the server and needs some help investigating it. She wants to send it to an analyst friend outside of the organization.
   a) If Analyst 2 has access to her own public TAXII server or a cloud TAXII server she could share the information with an external analyst.

Discussion: Scenario Walk Through
10) In order for Analyst 2 to share something with the external analyst via a cloud TAXII server, the analyst would need to connect to the vendor implementation specific management UI and set up an API Base for her and the external analyst to use. Once she has done that, she could use her TAXII client to create a new channel for their use. She would then need to tell the external analyst about the API Base and which channel she was using via an out-of-band method.
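The steps above read as one procedure, so here is an added example that models the whole walk-through in memory: API bases addressed by hostname / port / URL path, channels inside them, a passive workbench listener, a client that answers an indicator with a sighting, a negative-assertion relationship between analysts, a bridged "external-indicators" channel that forwards to the public server, and a separately created channel on a cloud API base. This is illustrative code written for this page, not TAXII or STIX code, and nothing in it is TAXII 2.0 wire format (the call says that is still to be written); the message shapes, channel names, hostnames, IP addresses and hash placeholders are all constructed.

```python
"""The scenario walk-through as an in-memory model (added example, not TAXII
code). The API base addressing (host, port, path prefix), the channel names,
the message shapes and every address and hash below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable
import uuid


@dataclass
class Message:
    kind: str                 # indicator | sighting | enrichment | relationship
    producer: str
    body: dict
    refs: list = field(default_factory=list)   # ids of messages this one answers
    id: str = field(default_factory=lambda: uuid.uuid4().hex)


class Channel:
    """A named stream of messages; subscribers are called on every publish."""
    def __init__(self, name: str) -> None:
        self.name = name
        self.log: list[Message] = []
        self.subscribers: list[Callable[[Message], None]] = []
        self.forward_to: Channel | None = None   # step 8: bridge to another server

    def subscribe(self, callback: Callable[[Message], None]) -> None:
        self.subscribers.append(callback)

    def publish(self, msg: Message) -> None:
        self.log.append(msg)
        for callback in list(self.subscribers):
            callback(msg)
        if self.forward_to is not None:
            self.forward_to.publish(msg)


class ApiBase:
    """A group of channels reachable at one hostname / port / URL path."""
    def __init__(self, host: str, port: int = 443, path: str = "/") -> None:
        authority = host if port == 443 else f"{host}:{port}"
        self.url = f"https://{authority}{path.rstrip('/')}/"
        self.channels: dict[str, Channel] = {}

    def channel(self, name: str, create: bool = False) -> Channel:
        if name not in self.channels:
            if not create:
                raise KeyError(f"{self.url}{name}: no such channel")
            self.channels[name] = Channel(name)
        return self.channels[name]


def run_scenario() -> dict:
    internal = ApiBase("taxii.internal.example")
    public = ApiBase("taxii.example.com", path="/public")
    cloud = ApiBase("taxii-cloud.example.net", 8443, "/shared")

    indicators = internal.channel("indicators", create=True)
    external = internal.channel("external-indicators", create=True)
    external.forward_to = public.channel("indicators", create=True)

    workbench: list[Message] = []           # step 5: passive listener
    indicators.subscribe(workbench.append)
    partner_inbox: list[Message] = []       # step 8a: a public subscriber
    public.channel("indicators").subscribe(partner_inbox.append)

    def client_agent(msg: Message) -> None:   # step 4: the client answers
        if msg.kind == "indicator" and msg.body.get("flow", {}).get("dst") == "10.1.1.17":
            indicators.publish(Message("sighting", "client-10.1.1.17",
                {"observed": True, "detail": "PDF opened; outbound connection to 10.9.9.9"},
                refs=[msg.id]))
    indicators.subscribe(client_agent)

    # step 3: the proxy publishes what the detonation platform reported
    indicator = Message("indicator", "proxy-l7", {
        "flow": {"src": "203.0.113.5", "dst": "10.1.1.17", "proto": "tcp", "dport": 80},
        "file": {"name": "invoice.pdf", "sha256": "<constructed-sha256>"},
        "timestamp": "2015-10-13T14:02:00Z",
        "assertion": "malicious", "detail": "detonation platform flagged the PDF"})
    indicators.publish(indicator)

    # step 7: analyst 2 shares a lead, analyst 1 answers with a negative assertion
    lead = Message("indicator", "analyst2", {"ip": "198.51.100.23"})
    indicators.publish(lead)
    indicators.publish(Message("relationship", "analyst1",
        {"type": "not-related", "note": "red herring, already checked"}, refs=[lead.id]))

    # step 8: publishing to the bridged channel reaches the public server
    external.publish(Message("indicator", "analyst1", indicator.body, refs=[indicator.id]))

    # step 10: a channel on a cloud API base for analyst 2 and an external analyst
    shared = cloud.channel("analyst2-partner", create=True)
    shared.publish(Message("indicator", "analyst2", {"sample_sha256": "<constructed-sha256>"}))

    return {"workbench": workbench, "public_log": public.channel("indicators").log,
            "partner_inbox": partner_inbox, "shared_url": cloud.url + shared.name}
```

Two properties worth checking against the walk-through: only traffic published to the bridged channel leaves the internal server (the sighting and the red-herring relationship never appear on the public API base), and the `refs` links are what let the workbench tie a sighting or a negative assertion back to the message it answers.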

Month Ahead: Start Spec Work
We should have enough information now to start initial work on the spec for TAXII 2.0. As we work on the spec we should be able to flesh out more details. Open call for editors.

Month Ahead: REST Messages
We need to start identifying the types of messages that will exist on the channels and what they will look like:
- Container messages
- Control messages: setting up new channels, tearing down channels
- Flesh out the x-header values we need
- Identify the resource elements of the REST API and what control codes should be returned

Month Ahead: Road Map
At the current trend line we should have an early draft of the specification for TAXII 2.0 by end of year. This should give implementers an early vision into where things are going so they can start writing code.

End Slide: Questions / Comments / Thoughts?