Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Stix Difficulties: Obfuscation of Producer Identity is Difficult #73

Open
terrymacdonald opened this issue Dec 2, 2015 · 0 comments
Open

Comments

@terrymacdonald
Copy link

PROBLEM

Sometimes some Organizations want to tell other Organizations some information, without them knowing it came from them. This may be for 'National Security' reasons, commercial confidence reason, or even just licensing requirements. We need a way for secretive organizations to provide data without their identity being disclosed, yet we also need their identifier to relate specifically to them so that they can receive Sightings as feedback, and so that others in the Community can respond to the information they provide.

POTENTIAL ANSWER

We can take some lessons from the networking world. When an Organization wants to keep it's internal network ranges secret, it can use Network Address Translation (NAT) to 'hide' this information behind a NAT proxy, which will translate the real IP address into a fake IP address as the traffic passes through it.

Similarly, we can use the concept of a STIX proxy, where content generated in the namespace of a secretive organization can be hidden behind a STIX proxy, and where all content eminating out of the external side of the STIX proxy is within the namespace of the Organization operating the STIX proxy.

As an example, if Gov Dept X wants to send out a list of Indicators X to all OASIS members, yet doesn't want anyone to know where it came from, it could use a third-party STIX proxying service (lets call it SProxY) to hide its content behind. Gov Dept X could sent SProxY it's Indicator X, with the request that SPRoxY sends out the content on it's behalf. SProxY will then distribute the content within the SProxY namespace, making it appear to everyone who views the content that it came directly from SProxY. SProxY has effectively NATed the communication; everyone thinks it is SProxY's information but only SProxY knows the truth.

This proxy style obfuscation has the added benefit of allowing bi-directional communcation, meaning that if anyone else releases content that adds to or enhances the content using the SProxY identifier, SProxY is able to see that, translate the SProxY identifier back to the original GovDept X identifier, and give the Gov Dept X that information.

It means that Gov Dept X is able to fully participate in trust groups without the participants of the trust groups knowing the original source of the information.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant