D3 Data Sharing Flows
Introduction
Distributed device descriptors are designed to be shared.
A D3 statement encapsulates an interoperable payload (JSON data), within a structure that identifies the identity of the issuer of the information. This allows the recipient of the information to identify the data provenance irrespective of the method of transport. This makes it ideal for sharing operational cyber security information in real time.
Practically, however, we need to consider the pros and cons of information disclosure, for various cyber security use cases. Too little information and the data is of no practical use for cyber security analysis; too much information carries both performance and privacy implications.
In this document we will outline a set of prioritised practical data sharing use cases and define the precise data structures to be transported.
This document covers the sharing of operational cyber security data between peers or peers and an authority, This document does not address the submission and approval of primary type data; that is covered in the D3 Sources section
Payload use cases
In this section we define the data structure to be shared, and the typical use to which this data is put
PCAP
Two collaborators may share the full capture of all activity observed across the network, or network segment.
PCAPs are well specified
| Dimension | Description |
|---|---|
| Structure | And interoperable PCAP file defined by: File is authenticated using a D3 claim and file is referenced by relative file name/URI and MD5 hash |
| Purpose | Forensic analysis of an attack, post event. Fine grained data against which an future unspecified algorithm can be runt |
| Considerations | Bandwidth and storage: PCAP files can be large, reflecting the full data captured. Privacy: this method exposes all unencrypted data for all devices in visibility. This method should only be use between strongly trusted parties |
Filtered PCAP
Typical filters may include
- restrict
Actor use cases
In this section we define the typical actors involved in the data exchange.
Authenticating a source
See section on authenticated sources in the D3 Sources document .