STIXProject / specifications

DRAFT STIX specification documents for version 1.2

Stix Difficulties: Difficult to ask a request and get a response to that question #66

Open terrymacdonald opened 8 years ago

terrymacdonald commented 8 years ago

PROBLEM

There is no real mechanism within STIX for a consumer of STIX data to ask a question from the rest of the threat sharing community that they are part of. This functionality is required if we are going to get good multi-directional threat intelligence sharing happening.

Scenario

A threat sharing community member has detected an IP address while doing some local network hunting that seems to be malicious, but they are unsure if it actually is. STIX needs to be able to allow the community member to send a 'does anyone have information they can share about this' STIX request out to the entire community, and allow any other community member to reply to the community member. The replies may be shared with the entire community, or may be sent directly to the requester.

This is different from the normal 'broadcast' style STIX message, where the message is just sent to all parties and no replies are expected. With STIX request/response there is a direct question/answer relationship required.

Please note this request/response is also different to TAXII Query, as the question is being asked to all members of the channel, rather than just the single TAXII server you are locally connecting to (which is IMHO more where TAXII Query fits in).

POTENTIAL ANSWER

Creating a STIX Request Package and a STIX Response Package seems to be a good answer to this problem.

As I see it, a sender would have two types of questions they would want answered:

For the crowdsourced responses option, the STIX Request Package would contain a list of related STIX objects that the sender would like more information about. The STIX Request Package could contain something as small as a single IP address, or could contain a large slice of related data, e.g. a list of 5200 Observables, Indicators, TTPs, Campaigns and Threat Actors. The STIX Request Package would be sent to all recipients in the Threat Sharing Group, and any/all of the Threat Sharing Group members would be able to respond via a STIX Response Package. STIX Responses from Threat Sharing Group members would be able to be sent to all Threat Sharing Group members (group reply) or sent directly back to the original STIX Request Package author as a direct response (private reply). The STIX Responses need to be able to say 'Yes, we've seen it, and we've included some objects that are related to it', or 'No, we've not seen it'.

For the particular object responses option, the STIX Request Package would contain a list of STIX identifiers that the sender would like more information about. The STIX Request Package would be sent directly to the producer of the object being queried. This relies on the fact that STIX IDs include the producer's namespace, that the namespace includes the domain name of the Producer, and that the producer has the relevant TAXII auto-discovery functionality enabled in their setup. The producer would then look at the STIX Request Package author to determine if the producer wishes that information to be shared, and also check if the STIX Request Package author has the correct permissions to have access to that data. If they do, then the data (or a subset of the data) should be returned. This sort of STIX Request Package would always be sent back to the original STIX Request Package author as a direct response (private reply).

Having both these features would enable more questions and answers to be asked across threat sharing groups, meaning that Threat Analysts and Incident Responders would have the ability to find out more about their own particular use cases - hopefully improving the speed and effectiveness of Incident Response.
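The following Python sketch is an added example, not part of this issue, of the STIX project, or of the STIX 1.2 specification. It models the two proposed flows: routing a crowdsourced request to every group member versus routing a particular-object request to the producer named by the STIX ID's namespace, and the producer-side check that the requester is permitted to see each object before anything is returned. The JSON-like message shape, the namespace-to-domain map, the sample IDs, the object store and the permission table are all constructed assumptions; real STIX 1.x IDs are `prefix:type-uuid`, but how a prefix resolves to a producer domain is assumed here, and TAXII auto-discovery is not modelled.

```python
"""Hypothetical model of the STIX Request/Response flows proposed in this issue.

Nothing below comes from the STIX 1.2 specification: the package shape, the
namespace map, the IDs, the object store and the ACL are constructed for the
example.
"""
import re
import uuid
from dataclasses import dataclass, field
from typing import Optional

# STIX 1.x identifiers have the form "<ns-prefix>:<type>-<uuid>".
STIX_ID_RE = re.compile(
    r"^(?P<ns>[A-Za-z0-9_.-]+):(?P<type>[a-z_]+)-(?P<uuid>[0-9a-fA-F-]{36})$"
)

# Assumed map from namespace prefix to the producer's namespace URI, whose host
# part is taken to be the producer's domain (per the proposal in the issue).
NAMESPACES = {
    "acme": "http://acme.example/stix",
    "cert-x": "http://cert-x.example/stix",
}

# Constructed sample identifiers.
ID_A = "acme:indicator-11111111-1111-1111-1111-111111111111"
ID_B = "acme:indicator-22222222-2222-2222-2222-222222222222"
ID_OTHER = "cert-x:indicator-33333333-3333-3333-3333-333333333333"

# Constructed producer-side store for acme.example: each object carries a
# sharing marking; the ACL says which requester organisations may see a marking.
ACME_STORE = {
    ID_A: {"marking": "community", "data": {"title": "C2 beacon to 203.0.113.5"}},
    ID_B: {"marking": "internal", "data": {"title": "Draft indicator, not for release"}},
}
ACME_ACL = {"community": {"cert-x.example", "bluebank.example"}, "internal": set()}


def producer_domain(stix_id: str) -> Optional[str]:
    """Resolve a STIX 1.x id to its producer's domain via the namespace prefix."""
    m = STIX_ID_RE.match(stix_id)
    if not m:
        return None
    ns_uri = NAMESPACES.get(m.group("ns"))
    if not ns_uri:
        return None
    return ns_uri.split("//", 1)[1].split("/", 1)[0]


@dataclass
class RequestPackage:
    requester: str                    # e.g. "analyst@cert-x.example"
    kind: str                         # "crowdsourced" or "particular-object"
    objects: list = field(default_factory=list)     # observables to ask about
    object_ids: list = field(default_factory=list)  # STIX ids to ask about
    reply_scope: str = "private"      # "private" or "group"
    request_id: str = field(default_factory=lambda: str(uuid.uuid4()))


@dataclass
class ResponsePackage:
    in_reply_to: str
    responder: str
    seen: bool
    related: list
    reply_scope: str


def route_targets(req: RequestPackage, group_members: list) -> set:
    """Crowdsourced requests go to every member; particular-object requests go
    only to the producers named by the requested ids' namespaces."""
    if req.kind == "crowdsourced":
        return set(group_members)
    return {d for d in (producer_domain(i) for i in req.object_ids) if d}


def member_handle(req: RequestPackage, local_sightings: dict, member: str) -> ResponsePackage:
    """A group member answers a crowdsourced request from its own sightings."""
    hits = [o for o in req.objects if o in local_sightings]
    return ResponsePackage(req.request_id, member, bool(hits),
                           [{"observable": o, **local_sightings[o]} for o in hits],
                           req.reply_scope)


def producer_handle(req: RequestPackage, store: dict, acl: dict, me: str) -> ResponsePackage:
    """A producer answers a particular-object request for ids in its own
    namespace, releasing an object only if the requester's organisation is in
    the ACL for that object's marking.  Denied and unknown ids are treated the
    same way (silently omitted) so the reply does not reveal what exists."""
    requester_org = req.requester.split("@", 1)[1]
    related = []
    for sid in req.object_ids:
        if producer_domain(sid) != me:
            continue  # never answer on behalf of another producer
        obj = store.get(sid)
        if obj is None or requester_org not in acl.get(obj["marking"], set()):
            continue
        related.append({"id": sid, **obj["data"]})
    # Particular-object replies always go privately to the requester.
    return ResponsePackage(req.request_id, me, bool(related), related, "private")


if __name__ == "__main__":
    req = RequestPackage("analyst@cert-x.example", "particular-object",
                         object_ids=[ID_A, ID_B, ID_OTHER])
    print(route_targets(req, ["a.example", "b.example"]))
    print(producer_handle(req, ACME_STORE, ACME_ACL, "acme.example"))
```

The crowdsourced path sends to everyone and lets each member choose group or private reply scope; the particular-object path derives its single target from the ID namespace and always replies privately. The producer handler is where the proposal's "does the producer wish to share, and may this requester see it" check lives, and it is deliberately written so that an object the requester is not cleared for looks identical to one that does not exist.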