The Ultimate Guide to Choosing WordPress Pros and Cons
Everything about TAXII
1. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
7/8/2014
TAXII: An Overview
Approved for Public Release; Distribution Unlimited: 12-4167
2. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Code
Fork us on GitHub
– https://github.com/TAXIIProject/
Python implementations
– https://github.com/TAXIIProject/libtaxii
Python library for serializing/deserializing XML messages, TAXII
Clients
– YETI – Proof of concept TAXII Server
Python/Django
– Installable via pip from PyPi
| 1 |
3. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
What is TAXII?
Trusted Automated eXchange of Indicator Information
Standardizes exchange of cyber threat information
– Can exchange other information, too
A set of specifications any software can implement
TAXII is NOT
– A specific sharing program
but sharing programs can use it
– Software
but software can use it to share information
– Mandate particular trust agreements or sharing
instead, use it to share what you want with the parties you choose
| 2 |
4. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Why was TAXII Created?
Driven by DHS CS&C NCCIC operational need to effectively
share cyber threat information with a diverse community.
– Existing standards did not solve the problem
An open community effort led by DHS
– Developed with strong participation from a diverse set of
government and industry stakeholders.
Ensures that TAXII addresses real challenges in real environments
In operational use today.
| 3 |
5. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Design Philosophy
Facilitate rather than re-architect existing sharing
arrangements
Do not force inclusion of undesired capabilities
Sharing communities each have their own character – a one-
size-fits-all approach will be more disruptive than beneficial
– Do not impose a single sharing model architecture
| 4 |
6. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Flexible Sharing Models
Most sharing models are variants of these three basic models
– TAXII can support
participation in any of these
models or multiple models
simultaneously
| 5 |
Source
Subscriber
Subscriber Subscriber
Subscriber
Hub
Spoke
(Consumer only)
Spoke
(Consumer &
Producer)
Spoke
(Producer only)
Spoke
(Consumer
& Producer)
Peer E
Peer D Peer C
Peer B
Peer A
7. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
TAXII Features
Minimal requirements imposed on data consumers
– Does not require data consumers to field internet services or
establish a particular security capability
Minimal data management requirements on data producers
– Does not require use of particular data management technologies
or constrain how producers manage access to their data
Flexible sharing model support
– Does not force a particular sharing model on users
Appropriately secure communication
– Supports multiple security mechanisms without forcing adoption of
unnecessary measures
Push and Pull content dissemination
– Users can exchange data using either or both models
Flexible protocol and message bindings
– Does not require a particular network protocol or message format
| 6 |
8. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
TAXII Services
TAXII defines four Services
– Discovery – A way to learn what services an entity supports and
how to interact with them
– Collection Management – A way to learn about and request
subscriptions to Data Collections
– Inbox – A way to receive pushed content (push messaging)
– Poll – A way to request content (pull messaging)
Each service is optional – implement only the ones you wish
– You can have multiple instances of each service
Services can be combined in different ways for different
sharing models
| 7 |
9. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
TAXII Data Collections
TAXII does not dictate how data producers store or organize their
data…
…but TAXII requires some common handle for communication
TAXII Data Collection – a producer-dictated organization of their
data
– A Data Collection can be either a Data Feed (ordered data) or Data
Set (unordered data)
– A given data record might exist in one or more TAXII data
collections
– Producers decide what data collections represent. Examples:
Topic – e.g., a collection for spear-phishing, a collection for botnets, etc.
Subject – e.g., a collection for each identified STIX campaign
Access – e.g., a collection for gold-level subscribers, a collection for
silver-level, etc.
Or producer might just have one collection with everything in it
In TAXII, all solicited data distribution (push or pull) occurs
relative to a TAXII Data Collection
| 8 |
10. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Query
Query is an extension point in TAXII
We have defined the ‘TAXII Default Query’
– You can define your own if you want
TAXII Default Query
– Defines what a Query looks like, processing rules, and how to
express which query capabilities are supported
– Uses Target (e.g., a field) and Test (e.g., “equals 4”) constructs that
can be combined using logical operators (e.g., AND/OR) to
construct more complex queries
A Query can be a Poll Parameter or a Subscription Parameter
Query results are expressed in the same way other information
is expressed (i.e., Poll Response or Inbox Message)
| 9 |
11. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Hub & Spoke Example
| 10 |
Discovery Poll
Inbox
Collect.
Manage.
Hub
Spoke
1
Spoke
2
Spoke
3
Spoke
4
Get connection
info
Subscribe to
data collections
Client
Push new data
to the hub
Pull recent data
from the hub
Push recent
data to a spoke
12. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
TAXII Specifications and Documentation
TAXII Overview
– Describes the scope and direction of TAXII
Services Specification
– Defines TAXII Services, TAXII Messages (conceptually), and TAXII
Message Exchanges (conceptually).
XML Message Binding Specification
– Defines the XML format for TAXII Messages
HTTP Protocol Binding Specification
– Defines the HTTP/HTTPS transport for TAXII Message Exchange
Default Query Specification
– Defines a query format and processing rules.
Content Binding Reference
– Lists common Content Binding IDs for use within TAXII.
| 11 |
13. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
TAXII Specifications and Documentation
| 12 |
14. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Message and Protocol Bindings
TAXII Services Specification defines TAXII Concepts
– Which fields must/may be present in a TAXII Message
– Allowable ordering of TAXII Messages
TAXII 1.1 Bindings map concepts to specific technologies (e.g.,
XML, HTTP)
– XML/HTTPS is what you should use unless you have a
requirement not to
– Future alternatives for XML and HTTP/HTTPS could be defined
Additional bindings gives organizations with strict
network/format requirements ability to still use TAXII
– However, when using differing bindings, direct interoperation is not
possible
– Indirect interoperation is possible because all bindings can be
mapped to the same core message model
Gateways can provide automated translation between bindings
| 13 |
15. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Open Source Projects
We’ve done some implementation work for you
libtaxii
– python APIs for TAXII XML Messages and TAXII HTTP/HTTPS
Clients
YETI
– proof of concept TAXII Server (python/Django)
| 14 |
16. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
For more information
TAXII Website
– Contains official releases and other info
– http://taxii.mitre.org/
Sign up for the TAXII Discussion and Announcement mailing
lists
– http://taxii.mitre.org/community/registration.html
– Or message us directly: taxii@mitre.org
TAXII-related software can be found on GitHub
– https://github.com/TAXIIProject
| 15 |
17. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
| 16 |
18. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Discovery Service
Allows clients to discover what TAXII Services the server offers
Message Exchange:
– Client sends a Discovery Request
The Discovery Request does not have any parameters
– Server responds with a Discovery Response that lists TAXII
Services
Includes service type (e.g., Inbox), address, description, etc.
Server can elide services
– This is a theme in TAXII
| 17 |
19. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Inbox Service
Hosted by data consumers to receive pushed content
Basically a listener for incoming content
Message Exchange:
– Client sends an Inbox Message containing 0 or more Content
Blocks
– Server responds with a Status Message (indicating Success or an
error condition)
| 18 |
20. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Poll Service
Hosted by data producers to allow consumers to Poll data
Consumers request updates relative to a TAXII Data Collection
Message Exchange:
– Client sends Poll Request (contains Data Collection name,
optional query, etc)
– Server responds with a Poll Response containing 0 or more
Content Blocks or a Status Message
Poll Requests can specify various parameters
– Query
– Response type (Count or Full)
– Acceptable response types (e.g., STIX 1.1.1)
– … and a few more
| 19 |
21. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
TAXII Collection Management Service
Hosted by data producers to provide information on Data
Collections and/or process Subscriptions
Can offer one or both of two message exchanges
Message Exchange (1/2): Collection Information Exchange
– Client sends a Collection Information Request (no parameters)
– Server responds with a Collection Information Response listing
Data Collections a Status Message. Information Response
includes:
Data Collection names and descriptions
How TAXII Data Collection content can be accessed (“pull” or indicate
delivery protocols)
Any other information about a TAXII Data Collection (e.g., membership
requirements, payment requirements, etc.)
| 20 |
22. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
TAXII Collection Management Service
(cont’d)
Message Exchange (2/2): Subscription Management
Exchange
– Client sends a Manage Collection Subscription Request
requesting a status, create, cancel, pause, or resume action on
a subscription
Create Subscription requests can include a query
– Server responds with a Manage Collection Subscription
Response or Status Message
– Note this just deals with arranging subscriptions, not actual data
dissemination
TAXII does not specify the process for deciding whether to
allow the requested action to occur nor how the action
manifests
Note this just deals with arranging subscriptions, not actual
data dissemination
| 21 |
23. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
In Summary
Discovery Service – Discover TAXII Services
Inbox Service – Push data
Poll Service – Poll Data
Collection Management Service – Request information on
Collections, Manage Subscriptions
| 22 |
24. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
| 23 |
Source/Subscriber Walkthrough
25. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Background
One possible way to use TAXII to implement
Source/Subscriber
– Others may make different choices
Assume an existing sharing arrangement
– A vendor (the source) publishes threat alerts as information
becomes known
– Customers (subscribers) can pay to receive these daily updates
Multiple levels of access depending on contract costs
– Currently, customers log into the vendor web site to view
updates
| 24 |
26. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Step 1: Source Organizes its Data
Vendor organizes data records into TAXII Data Collections
– Decides on “contract level” for collections
Many records will be present in all collections, but some fields may be
stripped before dissemination
– All Data Collections are Data Feeds
The vendor wants the data to be ordered so that consumers can request
only the most recent data
– Access to a feed contingent upon the purchasing of a contract
Vendor labels all data within each TAXII Data Feed with a
timestamp
– Decides to use the time of posting as that timestamp
More than one data record may have the same timestamp – not a
problem
A single record could have the same timestamp in all data feeds – not a
requirement
| 25 |
27. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Step 2a: Source Implements TAXII Services
Decides to implement a Collection Management Service
– Collection Information Requests
Lists available collections
Explain what information is provided via each Data Collection (i.e.,
contract levels)
Reference to site where one can purchase necessary contracts
– Collection Management Requests
Forward management requests to back-end for comparison to
purchased contracts
Decides to implement a Poll Service
– Give customers the option to pull content from a collection
Decides to interface with Customers’ Inbox Services
– Support pushing content to customer Inbox Services
Decides NOT to implement a Discovery Service
– Vendor decides to continue publishing this information using HTML
| 26 |
MUST do
at least
one
28. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Step 2b: Subscriber Implements TAXII Service
May implement an Inbox Service
– If customer wishes have updates pushed, must implement Inbox
– Inbox listens to appropriate port for connections
In TAXII 1.1, this would be a (truncated) HTTP server
– May avoid implementing if all content to be pulled via Poll
Service
Subscribers may interface with the Vendor’s TAXII Poll
Service for pull messaging
For this design, subscribers must interface with the Vendor’s
TAXII Collection Management Service
| 27 |
29. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Step 3: Establish Sharing Relationships
Customer contacts vendor
Collection Management
Service to get list of
collections
Customer purchases a
contract via Vendor web site
– Also establishes
authentication credentials
Customer contacts vendor
Collection Management
Service to establish
subscription
– Request verified before
acceptance
| 28 |
Customer
Vendor TAXII
Collection
Management
Service
30. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Step 4: Share
Content pushed to
Customer’s Inbox Service
Customer pulls from
Vendor’s Poll Service
– Request verified before
being fulfilled
| 29 |
Customer
Vendor Poll
Service
Customer
Inbox
Service
Vendor
31. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
| 30 |
Hub and Spoke Walkthrough
32. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Background
One possible way to use TAXII to implement Hub and Spoke
– Others may make different choices
Assume an existing sharing arrangement
– Community exists with a pre-existing intra-group sharing
agreement
– Currently all threat alerts sent via e-mail to the group mailing list
Automatically re-distributed to all group members
| 31 |
33. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Step 1a: Hub Implements TAXII Services
Decide to implement a Inbox Service
– Used to receive all input from spokes (Hub does not poll)
Decide to interface with Spokes’ TAXII Inbox Services for
message delivery
– Support pushing of alerts to spokes
Decide to implement a Poll Service
– Support spokes pulling current and/or archived alerts
– Decide on only one TAXII data feed for all information
– Decide timestamps = the time the alert arrives in Hub’s Inbox
Decide NOT to implement a Discovery Service
– Members informed of the Hub’s services via other means
Decide NOT to implement a Collection Management Service
– Spokes automatically enrolled when they join the sharing group
| 32 |
34. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Step 1b: Spokes Implement TAXII Services
Spokes that produce data interface with the Hub’s TAXII Inbox
Service
May implement an Inbox Service
– If spoke wants pushed info, must implement Inbox
– May avoid implementing if all content to be pulled via Poll
Service
Some spokes may interface with the Hub’s TAXII Poll Service
– May avoid this use if all content to be pushed to the spoke’s
Inbox Service
| 33 |
35. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
Step 2: Share
Spoke X pushes new alert
to Hub’s Inbox Service
Hub re-sends alert to all
spokes that requested
push notification
Hub archives alert so
spokes can poll for the
alert at a later time
| 34 |
Hub
X
36. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
libtaxii
Python library
Supports TAXII 1.0 and TAXII 1.1
APIs for TAXII Messages
APIs for TAXII Clients
No server-specific functionality (but servers can and do use the
TAXII Message APIs)
| 35 |
37. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
libtaxii – Poll Request Code
| 36 |
38. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
libtaxii – Poll Request XML
| 37 |
39. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
libtaxii – Poll Response Code
| 38 |
40. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
libtaxii - Poll Response XML
| 39 |
41. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
libtaxii – TAXII Client Code
| 40 |
42. HS SEDI is a trademark of the U.S. Department of Homeland Security (DHS)
The HS SEDI FFRDC is managed and operated by The MITRE Corporation for DHS
YETI
The name doesn’t actually mean anything
Proof of concept TAXII Server
Built on Python and Django (a Python web app framework)
Implements TAXII Discovery Service, Poll Service, and Inbox
Service
– We are working on a query implementation
Have one deployment hosted at http://taxiitest.mitre.org
| 41 |