[cti-users] My opinion piece mentioning STIX-TAXII


[cti-users] My opinion piece mentioning STIX-TAXII

Bhujang Systems
Greetings all.

Here's an opinion piece of mine for The Tribune: North India's prominent and oldest newspaper.

...wherein I ponder over the future of a blatantly balkanized cyberspace and the structured cyber-intelligence revolution heralded by STIX-TAXII.

“The liberal dream of a neutral cyberspace is dead and the foreign threat detectors are conspiratorial and selective.”

http://www.tribuneindia.com/news/comment/managing-our-porous-digital-frontlines/135560.html



Re: [cti-users] My opinion piece mentioning STIX-TAXII

Kevin Conlan

As a student of cybersecurity, with a keen interest in cyber intelligence, I really appreciate getting to read such a piece. Great insights into important issues, especially with regards to geopolitical implications.

Kevin

On Sep 23, 2015 4:25 AM, "Bhujang Systems" <[hidden email]> wrote:



Re: [cti-users] My opinion piece mentioning STIX-TAXII

Jordan, Bret
In reply to this post by Bhujang Systems
Nice article. You will like some of the things we are trying to do with TAXII 2.0. One key element that I am pushing for is a means for TAXII to be the glue that allows products, software, solutions, and devices inside the network to share and data-enrich CTI.


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Sep 23, 2015, at 02:25, Bhujang Systems <[hidden email]> wrote:


Re: [cti-users] My opinion piece mentioning STIX-TAXII

SOC
In reply to this post by Kevin Conlan
I think that STIX/TAXII actually can hurt your cyber defense security.
Hear me out here, but there is an inherent problem in telling the
adversary that we know what they are up to. Don't think for a second
that the bad guys are not subscribing to these feeds. How else would
they know to change their binaries to avoid detection or relocate their
C2 servers to reclaim their bots that are not blacklisted because the IP
or domain has shown up in a TAXII feed somewhere or in some other post
or observation?

For this very reason and to collect intelligence on the adversary some
Threat Intel providers (us included) do not rush to publish the
information to the general public. If you subscribe to our service you
get that information immediately but it's marked non-releasable even
though 95% of the time somebody forwards it anyway.

Until the people handling the IOC information stop blindly forwarding it
to everybody they know that works in the security realm this will
continue to be a problem.

Just think about it. The good guys play fair but the malicious actors
don't. STIX and TAXII are but tools whereas the real intelligence can be
gathered only if the adversary is unaware that we are watching them. As
soon as they know they are being monitored or they are found out they
change their tactics and go elsewhere (and the search then begins again).

So just another perspective here that I think some of you will find
interesting. I just blogged this today actually and thought I would
share my view on all of these standards that make sharing so easy.

Kevin Wetzel
CEO/Founder
Jigsaw Security Enterprise Inc
www.jigsawsecurityenterprise.com
(919)441-7353

On 9/23/2015 9:20 AM, Kevin Conlan wrote:


This publicly archived list provides a forum for asking questions,
offering answers, and discussing topics of interest on STIX,
TAXII, and CybOX.  Users and developers of solutions that leverage
STIX, TAXII and CybOX are invited to participate.

In order to verify user consent to OASIS mailing list guidelines
and to minimize spam in the list archive, subscription is required
before posting.

Subscribe: [hidden email]
Unsubscribe: [hidden email]
Post: [hidden email]
List help: [hidden email]
List archive: http://lists.oasis-open.org/archives/cti-users/
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
CTI Technical Committee: https://www.oasis-open.org/committees/cti/
Join OASIS: http://www.oasis-open.org/join/


RE: [cti-users] My opinion piece mentioning STIX-TAXII

Struse, Richard
Kevin,

This is a perspective I've heard expressed over the past few years and while I am sympathetic to the viewpoint I think there are some other factors at play.  First I'll point out that your point is really independent of STIX/TAXII.  Any cyber threat intelligence sharing network can and will exhibit some of the issues you raise.  But onto the points you make.

The existence of tools to facilitate CTI sharing doesn't necessarily imply that we then all use those tools to share everything with everyone.  I think if you look at the various sharing communities out there, you will find numerous trust communities, some large, some small and the information that is shared within each likely differs.  I think your point is that once a sharing community gets sufficiently large, the probability of various adversaries gaining access to that intelligence begins to be an issue - this is true.  That is why the most sensitive information is often shared only in the most tightly-controlled trust communities.  However, it is also important to remember that one of the things that automated CTI exchange is trying to do is to change the economics for the adversary.  If we can efficiently share actionable indicators in near-real-time and automate their implementation, then we may force the adversary to have to constantly adapt because the half-life of their tools and infrastructure becomes very short.   I would argue that this is better than the current state of affairs when organizations routinely get owned using exploits or infrastructure that have been known for years.  Finally, there is nothing about automated CTI exchange that requires anything to be pushed to the "general public".  

Thanks for sharing your perspective and let's keep the conversation going.  In the end I think that this isn't about the existence of standards for automated sharing of CTI, it's really about how we choose to use them.

Regards,
Rich

Richard J. Struse
Chair, OASIS Cyber Threat Intelligence (CTI) Technical Committee

Chief Advanced Technology Officer
National Cybersecurity and Communications Integration Center (NCCIC) and
Stakeholder Engagement and Cyber Infrastructure Resiliency (SECIR)
Cyber Security & Communications
U.S. Department of Homeland Security

e-mail:  [hidden email]
Phone:  202-527-2361



-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of SOC
Sent: Wednesday, September 23, 2015 9:53 PM
To: Kevin Conlan; Bhujang Systems
Cc: [hidden email]
Subject: Re: [cti-users] My opinion piece mentioning STIX-TAXII


Re: [cti-users] My opinion piece mentioning STIX-TAXII

Jordan, Bret
In reply to this post by SOC
Interesting viewpoints. And this has come up a few times in the past.

In the TAXII SC we are very aware of this issue and another that you did not bring up, and that is the possibility of CTI repos being poisoned by a threat actor. We are currently working on these problems and trying to address them with TAXII 2.0. I would encourage you to join the TAXII SC and help us work through these issues. Your insight and knowledge would be very helpful.


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Sep 23, 2015, at 19:52, SOC <[hidden email]> wrote:


Re: [cti-users] My opinion piece mentioning STIX-TAXII

Christophe Vandeplas
In reply to this post by Struse, Richard
Richard,


I don't have much to add to what you say, except that I fully agree
with your explanation.
Often people simplify the information sharing discussion to something
black or white, mixing everything together.

However, there is a clear distinction between tools/formats and the data itself.

The tools and formats are only a technique to carry the information
from one place to another (and make our life easier in automating it).
They are not there to tell us with whom we need to share our info, and
definitely not to tell us that we need to share all our information in
public (TLP:White).

Kind regards
Christophe
(the creator of MISP)



On 24 September 2015 at 04:12, Struse, Richard
<[hidden email]> wrote:

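Richard's point that the most sensitive intelligence is shared only within tightly controlled trust communities, and Christophe's that the format does not decide with whom you share or whether anything goes out as TLP:White, both come down to a policy gate between the CTI store and each outbound push. The following is an added example written for this thread; it is not code from the thread, from MISP, or from the OASIS TAXII work. The community names and their TLP ceilings, every marking-definition and indicator id, and the indicator values are constructed. It routes each object of a STIX 2 bundle to the communities whose ceiling admits the object's TLP marking, and withholds, rather than defaulting to public, anything unmarked or carrying a marking it cannot resolve.

```python
"""TLP-aware dissemination gate for a STIX 2 bundle (added example; community
names, marking ids and indicators are constructed, not real data)."""
import json

# TLP levels, least to most restrictive.
TLP_RANK = {"white": 0, "green": 1, "amber": 2, "red": 3}

# Hypothetical trust communities and the most restrictive TLP each may receive.
COMMUNITIES = {
    "public-feed": "white",    # open subscription: assume adversaries read it
    "sector-isac": "amber",    # vetted members of one sector
    "core-partners": "red",    # small, tightly controlled group
}

# Constructed sample bundle. Marking objects use the STIX 2 marking-definition
# shape with definition_type "tlp"; every id below is made up for this example.
SAMPLE_BUNDLE = json.loads(r"""
{"type": "bundle", "id": "bundle--0c000000-0000-4000-8000-000000000001",
 "objects": [
  {"type": "marking-definition", "id": "marking-definition--0a000000-0000-4000-8000-000000000001",
   "definition_type": "tlp", "definition": {"tlp": "white"}},
  {"type": "marking-definition", "id": "marking-definition--0a000000-0000-4000-8000-000000000002",
   "definition_type": "tlp", "definition": {"tlp": "amber"}},
  {"type": "marking-definition", "id": "marking-definition--0a000000-0000-4000-8000-000000000003",
   "definition_type": "tlp", "definition": {"tlp": "red"}},
  {"type": "indicator", "id": "indicator--0b000000-0000-4000-8000-000000000010",
   "pattern": "[domain-name:value = 'phish.example.invalid']",
   "object_marking_refs": ["marking-definition--0a000000-0000-4000-8000-000000000001"]},
  {"type": "indicator", "id": "indicator--0b000000-0000-4000-8000-000000000011",
   "pattern": "[ipv4-addr:value = '192.0.2.10']",
   "object_marking_refs": ["marking-definition--0a000000-0000-4000-8000-000000000002"]},
  {"type": "indicator", "id": "indicator--0b000000-0000-4000-8000-000000000012",
   "pattern": "[file:hashes.'SHA-256' = '00000000000000000000000000000000']",
   "object_marking_refs": ["marking-definition--0a000000-0000-4000-8000-000000000003"]},
  {"type": "indicator", "id": "indicator--0b000000-0000-4000-8000-000000000013",
   "name": "constructed: analyst forgot to mark this one",
   "pattern": "[url:value = 'http://unmarked.example.invalid/']"},
  {"type": "indicator", "id": "indicator--0b000000-0000-4000-8000-000000000014",
   "name": "constructed: references a marking that is not in the bundle",
   "pattern": "[domain-name:value = 'dangling.example.invalid']",
   "object_marking_refs": ["marking-definition--0a000000-0000-4000-8000-0000000000ff"]}
 ]}
""")


def index_markings(bundle):
    """Map marking-definition id -> TLP colour for the TLP markings in a bundle."""
    out = {}
    for obj in bundle["objects"]:
        if obj.get("type") == "marking-definition" and obj.get("definition_type") == "tlp":
            colour = str(obj.get("definition", {}).get("tlp", "")).lower()
            if colour in TLP_RANK:
                out[obj["id"]] = colour
    return out


def tlp_of(obj, markings):
    """Return (tlp, reason). tlp is None when the object must be withheld:
    unmarked objects and unresolvable or non-TLP markings fail closed."""
    refs = obj.get("object_marking_refs", [])
    if not refs:
        return None, "no TLP marking"
    levels = []
    for ref in refs:
        if ref not in markings:
            return None, "unresolved marking " + ref
        levels.append(markings[ref])
    # With several TLP markings, the most restrictive one governs.
    return max(levels, key=TLP_RANK.__getitem__), "ok"


def route(bundle):
    """Decide per community which object ids may be pushed, and list what is held back."""
    markings = index_markings(bundle)
    releasable = {name: [] for name in COMMUNITIES}
    withheld = []
    for obj in bundle["objects"]:
        if obj.get("type") == "marking-definition":
            continue
        tlp, reason = tlp_of(obj, markings)
        if tlp is None:
            withheld.append((obj["id"], reason))
            continue
        for name, ceiling in COMMUNITIES.items():
            if TLP_RANK[tlp] <= TLP_RANK[ceiling]:
                releasable[name].append(obj["id"])
    return releasable, withheld


def bundle_for(community, bundle):
    """Bundle to push to one community: its releasable objects plus the
    marking-definitions they reference, so the TLP label travels with the data."""
    allowed = set(route(bundle)[0][community])
    objects = [o for o in bundle["objects"] if o.get("id") in allowed]
    needed = {ref for o in objects for ref in o.get("object_marking_refs", [])}
    markings = [o for o in bundle["objects"] if o.get("id") in needed]
    return {"type": "bundle", "id": bundle["id"], "objects": markings + objects}


if __name__ == "__main__":
    rel, held = route(SAMPLE_BUNDLE)
    print(json.dumps({"releasable": rel, "withheld": held}, indent=1))
```

Failing closed on unmarked or unresolvable markings is the design choice that answers Kevin's worry: an indicator never reaches the open feed because someone forgot to label it, and the per-community ceiling is policy data kept by the sharing organisation, not something the transport format decides.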


Re: [cti-users] My opinion piece mentioning STIX-TAXII

Bhujang Systems
Thank you all for the valuable comments. The way I see it: these are just the beginnings of structured, collaborative and ratified threat intelligence regimes. Veritably so, as is the dichotomy with security, they will also introduce new vulnerabilities and attack vectors. For a civilian-side cyber-defense framework, STIX-TAXII would do a good job. But certainly, to mitigate the inherent geopolitical or other risks associated with such sharing frameworks, another independent and robust layer of cyber-intelligence ought to be built around it by a nation state's defense/military services. 

On Thu, Sep 24, 2015 at 12:48 PM, Christophe Vandeplas <[hidden email]> wrote:


Re: [cti-users] My opinion piece mentioning STIX-TAXII

Andras Iklody
In reply to this post by Christophe Vandeplas
Not to mention that (although it is one of the biggest use-cases) it doesn't even have to involve sharing information with other parties at all, it can just as well be used to share information between your own tools / devices. 

Best regards,
Andras

On Thu, Sep 24, 2015 at 9:18 AM, Christophe Vandeplas <[hidden email]> wrote:
>
> Thanks for sharing your perspective and let's keep the conversation going.  In the end I think that this isn't about the existence of standards for automated sharing of CTI, it's really about how we choose to use them.
>
> Regards,
> Rich
>
> Richard J. Struse
> Chair, OASIS Cyber Threat Intelligence (CTI) Technical Committee
>
> Chief Advanced Technology Officer
> National Cybersecurity and Communications Integration Center (NCCIC) and
> Stakeholder Engagement and Cyber Infrastructure Resiliency (SECIR)
> Cyber Security & Communications
> U.S. Department of Homeland Security
>
> e-mail:  [hidden email]
> Phone:  202-527-2361
>
>
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf Of SOC
> Sent: Wednesday, September 23, 2015 9:53 PM
> To: Kevin Conlan; Bhujang Systems
> Cc: [hidden email]
> Subject: Re: [cti-users] My opinion piece mentioning STIX-TAXII
>
> I think that STIX/TAXII actually can hurt your cyber defense security.
> Hear me out here but there is an inherent problem in telling the adversary that we know what they are up to. Don't think for a second that the bad guys are not subscribing to these feeds. How else would they know to change their binaries to avoid detection or relocate their
> C2 servers to reclaim their bots that are not blacklisted because the IP or domain has shown up in a TAXII feed somewhere or in some other post or observation.
>
> For this very reason and to collect intelligence on the adversary some Threat Intel providers (us included) do not rush to publish the information to the general public. If you subscribe to our service you get that information immediately but it's marked non releasable even though 95% of the time somebody forwards it anyway.
>
> Until the people handling the IOC information stop blindly forwarding it to everybody they know that works in the security realm this will continue to be a problem.
>
> Just think about it. The good guys play fair but the malicious actors don't. STIX and TAXII are but tools whereas the real intelligence can be gathered only if the adversary is unaware that we are watching them. As soon as they know they are being monitored or they are found out they change their tactics and go elsewhere (and the search then begins again).
>
> So just another perspective here that I think some of you will find interesting. I just blogged this today actually and thought I would share my view on all of these standards that make sharing so easy.
>
> Kevin Wetzel
> CEO/Founder
> Jigsaw Security Enterprise Inc
> www.jigsawsecurityenterprise.com
> (919)441-7353
>
> On 9/23/2015 9:20 AM, Kevin Conlan wrote:
>> As a student of cybersecurity, with a keen interest in cyber
>> intelligence, I really appreciate getting to read such a piece. Great
>> insights into important issues, especially with regards to
>> geopolitical implications.
>>
>> Kevin
>>
>> On Sep 23, 2015 4:25 AM, "Bhujang Systems" <[hidden email]
>> <mailto:[hidden email]>> wrote:
>>
>>     Greetings all.
>>
>>     Here's an opinion piece of mine for The Tribune: North India's
>>     prominent and oldest newspaper.
>>
>>     ...wherein I ponder over the future of a blatantly balkanized
>>     cyberspace and the structured cyber-intelligence revolution heralded
>>     by STIX-TAXII.
>>
>>     “The liberal dream of a neutral cyberspace is dead and the foreign
>>     threat detectors are conspiratorial and selective.”
>>
>>
>> http://www.tribuneindia.com/news/comment/managing-our-porous-digital-frontlines/135560.html
>>
>

This publicly archived list provides a forum for asking questions,
offering answers, and discussing topics of interest on STIX,
TAXII, and CybOX.  Users and developers of solutions that leverage
STIX, TAXII and CybOX are invited to participate.

In order to verify user consent to OASIS mailing list guidelines
and to minimize spam in the list archive, subscription is required
before posting.

Subscribe: [hidden email]
Unsubscribe: [hidden email]
Post: [hidden email]
List help: [hidden email]
List archive: http://lists.oasis-open.org/archives/cti-users/
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
CTI Technical Committee: https://www.oasis-open.org/committees/cti/
Join OASIS: http://www.oasis-open.org/join/
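Christophe's point above, that the format only carries the data and your own policy decides who receives it (and Rich's note that nothing forces a push to the general public), as an added example that is not code from this thread or from any OASIS project: a release gate that reads TLP markings in the object_marking_refs convention of the later STIX 2 JSON serialization and forwards an object to a community only when local policy allows it, failing closed on unmarked objects. The marking ids, the policy table, the community names and the sample indicators are assumptions constructed here.

```python
"""Release gate for CTI objects before they are pushed to a sharing channel.

Constructed example (not code from the cti-users thread or any OASIS
project). Objects carry marking-definition references in the style of the
STIX 2 JSON serialization; the ids below are placeholders, not the real
STIX TLP marking ids.
"""
from typing import Dict, List, Optional, Set

# Marking-definition id -> TLP level (or a vendor-specific statement marking
# such as the "non releasable" tag mentioned in the thread). Constructed.
MARKINGS: Dict[str, str] = {
    "marking-definition--tlp-white": "white",
    "marking-definition--tlp-green": "green",
    "marking-definition--tlp-amber": "amber",
    "marking-definition--tlp-red": "red",
    "marking-definition--non-releasable": "non-releasable",
}

# Most permissive first; used to pick the most restrictive marking on an
# object that carries several.
LEVEL_ORDER: List[str] = ["white", "green", "amber", "red", "non-releasable"]

# Local sharing policy: which recipient communities each level may be pushed
# to. This is the organisation's decision, not something STIX or TAXII makes.
# Community names are assumptions.
POLICY: Dict[str, Set[str]] = {
    "white": {"public", "isac", "internal"},
    "green": {"isac", "internal"},
    "amber": {"internal"},   # only our own tools and devices
    "red": set(),            # never pushed by automation
    "non-releasable": set(),
}

# Sample objects (constructed) as they might sit in a local repository.
SAMPLE: List[dict] = [
    {"type": "indicator", "id": "indicator--1",
     "name": "commodity C2 domain (constructed)",
     "object_marking_refs": ["marking-definition--tlp-white"]},
    {"type": "indicator", "id": "indicator--2",
     "name": "phishing sender seen internally (constructed)",
     "object_marking_refs": ["marking-definition--tlp-amber"]},
    {"type": "indicator", "id": "indicator--3",
     "name": "actor infrastructure under watch (constructed)",
     "object_marking_refs": ["marking-definition--tlp-green",
                             "marking-definition--non-releasable"]},
    {"type": "indicator", "id": "indicator--4",
     "name": "object someone forgot to mark (constructed)"},
]


def effective_level(obj: dict) -> Optional[str]:
    """Most restrictive known marking on the object, or None if unmarked.

    References to marking definitions we do not know are ignored, so an
    object marked only with unknown markings is treated as unmarked.
    """
    levels = [MARKINGS[ref] for ref in obj.get("object_marking_refs", [])
              if ref in MARKINGS]
    if not levels:
        return None
    return max(levels, key=LEVEL_ORDER.index)


def release_gate(objects: List[dict], community: str) -> List[dict]:
    """Return the subset of objects that policy allows to reach `community`.

    Unmarked objects are denied: a missing marking is a handling error,
    not an implicit TLP:WHITE.
    """
    allowed = []
    for obj in objects:
        level = effective_level(obj)
        if level is None:
            continue
        if community in POLICY.get(level, set()):
            allowed.append(obj)
    return allowed


def ids_for(community: str) -> List[str]:
    """Convenience: ids from SAMPLE that may be pushed to `community`."""
    return [o["id"] for o in release_gate(SAMPLE, community)]


if __name__ == "__main__":
    for community in ("public", "isac", "internal"):
        print(community, "->", ids_for(community))
```

The same gate sits naturally in front of whatever pushes to a TAXII collection; the point is that the gate, not the transport, encodes who gets what.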



RE: [cti-users] My opinion piece mentioning STIX-TAXII

Hinkle, Jacob (LNG-SBO)
In reply to this post by Jordan, Bret

Bret and Richard’s replies were very diplomatic and well stated. I am going another direction because your assertion that sharing data about threats somehow gives the bad guys an advantage is ludicrous and I think extremely short-sighted. Never mind all of the people you could have helped by sharing the information about a threat and how to mitigate it or defend against it; instead you are using the mass unaware public as pawns in your imaginary game of chess with the APTs of the world.

Yes there will be an arms race, but publishing intelligence protects people from the script kiddies of the world. Yes the big-time legitimate hackers will be watching, you must always assume they are, and I hate to break it to you, even if you don’t publish it, they are aware enough to see that their IPs aren’t working etc. and will shift their tactics anyway.

The FBI has an issue with their InfraGard program where big corporations don’t want to share the details of how their network was breached because then their competitors would know they’d been hacked.

We as security professionals need the intelligence in order to make decisions and act quickly to counter new threats. I can understand the vendors and software companies holding onto a vulnerability's details until they have worked out a way to fix it, or have fixed it, but withholding attack details in hopes that you can catch the hackers, while they are allowed to wreak havoc and cost people their livelihoods, sounds a lot like you are using them as guinea pigs.

We are under attack. It isn’t just evil nerds anymore, now we have state-sponsored attacks taking place. Security through obscurity is not a viable tactic. Sharing the information will allow others to develop defenses and influence software development by security-conscious companies. Withholding the information causes more people to get hacked and lose money, jobs, intellectual property, and weakens the nation they live in as a whole.

I know that many of us here do hard work to discover threat intel and we should be paid for that hard work. I am not saying that you should give it all away for free yet. I think that corporations and the government should introduce bounty programs to reward researchers for their work.

Take what I say with a grain of salt, I don’t get paid to research these attacks, just to defend against them, so I am biased in regards to the availability of intel. I admit that. I think that your stance is a necessary one as far as getting paid for researching... but it sounds sadly similar to the pharmaceutical corporations who charge a huge amount of money for life-saving medicines that, once having been researched and developed, cost next to nothing to produce.

I don’t know how to solve this problem, but I’d hate to see STIX and TAXII get locked behind a paywall and prevent mom and pop shops from being able to be secure just so we can turn a profit.

Anyway, there was my rant. I think I realized halfway through writing this that it is a hard spot to be in. We all want to be Batman, but none of us can afford to be a selfless hero. Outside of government employees, I don’t know of anyone who gets paid to research things which will be free. Donations and kickstarters aside. I’d be interested in reading more on this topic if someone knows of a good article about it.

Sorry to rant Kevin. You aren’t evil for wanting to be paid for your hard work. But I think a better way forward needs to be found if we are trying to prevent people from being victimized.

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Jordan, Bret
Sent: Thursday, September 24, 2015 12:28 AM
To: SOC
Cc: Kevin Conlan; Bhujang Systems; [hidden email]
Subject: Re: [cti-users] My opinion piece mentioning STIX-TAXII


Interesting viewpoints. And this has come up a few times in the past.

In the TAXII SC we are very aware of this issue and another that you did not bring up, and that is the possibility of CTI repos being poisoned by a threat actor. We are currently working on these problems and trying to address them with TAXII 2.0. I would encourage you to join the TAXII SC and help us work through these issues. Your insight and knowledge would be very helpful.

Thanks,

Bret

Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

On Sep 23, 2015, at 19:52, SOC <[hidden email]> wrote:


I think that STIX/TAXII actually can hurt your cyber defense security.
Hear me out here but there is an inherent problem in telling the
adversary that we know what they are up to. Don't think for a second
that the bad guys are not subscribing to these feeds. How else would
they know to change their binaries to avoid detection or relocate their
C2 servers to reclaim their bots that are not blacklisted because the IP
or domain has shown up in a TAXII feed somewhere or in some other post
or observation.

For this very reason and to collect intelligence on the adversary some
Threat Intel providers (us included) do not rush to publish the
information to the general public. If you subscribe to our service you
get that information immediately but it's marked non releasable even
though 95% of the time somebody forwards it anyway.

Until the people handling the IOC information stop blindly forwarding it
to everybody they know that works in the security realm this will
continue to be a problem.

Just think about it. The good guys play fair but the malicious actors
don't. STIX and TAXII are but tools whereas the real intelligence can be
gathered only if the adversary is unaware that we are watching them. As
soon as they know they are being monitored or they are found out they
change their tactics and go elsewhere (and the search then begins again).

So just another perspective here that I think some of you will find
interesting. I just blogged this today actually and thought I would
share my view on all of these standards that make sharing so easy.

Kevin Wetzel
CEO/Founder
Jigsaw Security Enterprise Inc
www.jigsawsecurityenterprise.com
(919)441-7353

On 9/23/2015 9:20 AM, Kevin Conlan wrote:

As a student of cybersecurity, with a keen interest in cyber
intelligence, I really appreciate getting to read such a piece. Great
insights into important issues, especially with regards to geopolitical
implications.

Kevin

On Sep 23, 2015 4:25 AM, "Bhujang Systems" <[hidden email]>> wrote:

   Greetings all.

   Here's an opinion piece of mine for The Tribune: North India's
   prominent and oldest newspaper.

   ...wherein I ponder over the future of a blatantly balkanized
   cyberspace and the structured cyber-intelligence revolution heralded
   by STIX-TAXII.

   “The liberal dream of a neutral cyberspace is dead and the foreign
   threat detectors are conspiratorial and selective.”

   http://www.tribuneindia.com/news/comment/managing-our-porous-digital-frontlines/135560.html




RE: [cti-users] My opinion piece mentioning STIX-TAXII

Hinkle, Jacob (LNG-SBO)
In reply to this post by SOC
After having visited your site and read some of your blog posts, I found one that seems to go against what you have just said.  On September 18th you posted a blog post called "Thoughts on Executive Order 13636" in which you detailed your thoughts on the aforementioned EO.  You had this to say as one of your criticisms of the order:

" 2. Give us the data - Stop holding onto the data. If you don't share it then we can't stop the badness from happening and we don't trust you enough to share that information with you. See how that works?"

This seems to contradict what you said on this newsgroup about the sharing of data.  

I'd argue that we should not take the low-hanging fruit of blacklisting IPs and domains as a "solution" and should instead detect and thwart attacks based on the types of activity the attacker is attempting to perform, and use better security practices (DMZs and IPS systems) in order to defend. True APTs and hackers will modify their activity regardless, and by sharing the threats you force them to work harder. Perhaps eventually we can make hacking so much work that the work-to-payoff ratios will make hacking so difficult that only state-sponsored actors can afford to spend time on it.

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of SOC
Sent: Wednesday, September 23, 2015 9:53 PM
To: Kevin Conlan; Bhujang Systems
Cc: [hidden email]
Subject: Re: [cti-users] My opinion piece mentioning STIX-TAXII

I think that STIX/TAXII actually can hurt your cyber defense security.
Hear me out here but there is an inherent problem in telling the adversary that we know what they are up to. Don't think for a second that the bad guys are not subscribing to these feeds. How else would they know to change their binaries to avoid detection or relocate their
C2 servers to reclaim their bots that are not blacklisted because the IP or domain has shown up in a TAXII feed somewhere or in some other post or observation.

For this very reason and to collect intelligence on the adversary some Threat Intel providers (us included) do not rush to publish the information to the general public. If you subscribe to our service you get that information immediately but it's marked non releasable even though 95% of the time somebody forwards it anyway.

Until the people handling the IOC information stop blindly forwarding it to everybody they know that works in the security realm this will continue to be a problem.

Just think about it. The good guys play fair but the malicious actors don't. STIX and TAXII are but tools whereas the real intelligence can be gathered only if the adversary is unaware that we are watching them. As soon as they know they are being monitored or they are found out they change their tactics and go elsewhere (and the search then begins again).

So just another perspective here that I think some of you will find interesting. I just blogged this today actually and thought I would share my view on all of these standards that make sharing so easy.

Kevin Wetzel
CEO/Founder
Jigsaw Security Enterprise Inc
www.jigsawsecurityenterprise.com
(919)441-7353

On 9/23/2015 9:20 AM, Kevin Conlan wrote:

> As a student of cybersecurity, with a keen interest in cyber
> intelligence, I really appreciate getting to read such a piece. Great
> insights into important issues, especially with regards to
> geopolitical implications.
>
> Kevin
>
> On Sep 23, 2015 4:25 AM, "Bhujang Systems" <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>     Greetings all.
>
>     Here's an opinion piece of mine for The Tribune: North India's
>     prominent and oldest newspaper.
>
>     ...wherein I ponder over the future of a blatantly balkanized
>     cyberspace and the structured cyber-intelligence revolution heralded
>     by STIX-TAXII.
>
>     “The liberal dream of a neutral cyberspace is dead and the foreign
>     threat detectors are conspiratorial and selective.”
>
>    
> http://www.tribuneindia.com/news/comment/managing-our-porous-digital-frontlines/135560.html
>



Re: [cti-users] My opinion piece mentioning STIX-TAXII

Houston
In reply to this post by Hinkle, Jacob (LNG-SBO)
I agree with Jacob here and glad someone spoke up.

Reality, you have to share intelligence to get better context.
Sharing, even in a very tight trust group, is paramount.
If anyone thinks that charging for intelligence will prevent the bad
guys from invading our space needs to do some research on their
budgets.

PS. Long Live Evil Nerds :)

On Thu, Sep 24, 2015 at 8:32 AM, Hinkle, Jacob (LNG-SBO)
<[hidden email]> wrote:

> Bret and Richard’s replies were very diplomatic and well stated.  I am going
> another direction because your assertion that sharing data about threats
> somehow gives the bad guys an advantage, is ludicrous and I think extremely
> short sighted.  Never mind all of the people you could have helped by
> sharing the information about a threat and how to mitigate it or defend
> against it, instead you are using the mass unaware public as pawns in your
> imaginary game of chess with the APT’s of the world.
>
>
>
> Yes there will be an arms race, but publishing intelligence protects people
> from the script kiddies of the world.  Yes the big-time legitimate hackers
> will be watching, you must always assume they are, and I hate to break it to
> you, even if you don’t publish it, they are aware enough to see that there
> IP’s aren’t working etc. and will shift their tactics anyway.
>
>
>
> The FBI has an issue with their Infragaurd program where big corporations
> don’t want to share the details of how their network was breached because
> then their competitors would know they’d been hacked.
>
>
>
> We as security professionals need the intelligence in order to make
> decisions and act quickly to counter new threats.  I can understand the
> vendors and software company’s holding onto a vulnerabilities details until
> they have worked out a way to fix it, or have fixed it, but withholding
> attack details in hopes that you can catch the hackers, while they are
> allowed to wreak havoc and cost people their livelihoods sounds a lot like
> you are using them as guinea pigs.
>
>
>
> We are under attack.  It isn’t just evil nerds anymore, now we have state
> sponsored attacks taking place.  Security through obscurity is not a viable
> tactic.  Sharing the information will allow others to develop defenses and
> influence software development by security conscious companies.  Withholding
> the information causes more people to get hacked and lose money, jobs,
> intellectual property and weakens the nation they live in as a whole.
>
>
>
> I know that many of us here do hard work to discover threat intel and we
> should be paid for that hard work.  I am not saying that you should give it
> all away for free yet.  I think that corporations and the government should
> introduce bounty programs to reward researchers for their work.
>
>
>
> Take what I say with a grain of salt, I don’t get paid to research these
> attacks, just to defend against them, so I am biased in regards to the
> availability of intel.  I admit that.  I think that your stance is a
> necessary one as far as getting paid for researching….but it sounds sadly
> similar to the pharmaceutical corporations who charge a huge amount of money
> for life saving medicines that once having been researched and developed,
> cost next to nothing to produce.
>
>
>
> I don’t know how to solve this problem, but I’d hate to see STIX and TAXII
> get locked behind a pay wall, and prevent mom and pop shops from being able
> to be secure just so we can turn a profit.
>
>
>
> Anyway, there was my rant.  I think I realized halfway through writing this
> that it is a hard spot to be in.  We all want to be Batman, but none of us
> can afford to be a selfless hero.  Outside of government employees, I don’t
> know of anyone who gets paid to research things which will be free.
> Donations and kickstarters aside.  I’d be interested in reading more on this
> topic if someone knows of a good article about it.
>
>
>
> Sorry to rant Kevin.  You aren’t evil for wanting to be paid for your hard
> work.  But I think a better way forward needs to be found if we are trying
> to prevent people from being victimized.
>
>
>
> From: [hidden email] [mailto:[hidden email]]
> On Behalf Of Jordan, Bret
> Sent: Thursday, September 24, 2015 12:28 AM
> To: SOC
> Cc: Kevin Conlan; Bhujang Systems; [hidden email]
> Subject: Re: [cti-users] My opinion piece mentioning STIX-TAXII
>
>
>
> Interesting view points..  And this has come up a few times in the past.
>
>
>
> In the TAXII SC we are very aware of this issue and another that you did not
> bring up, and that is the possibly of CTI repos being poisoned by a threat
> actor.  We are currently working on these problems and trying to address
> them with a TAXII 2.0.  I would encourage you to join the TAXII SC and help
> us work through these issues.  Your insight and knowledge would be very
> helpful.
>
>
>
>
>
> Thanks,
>
>
>
> Bret
>
>
>
>
>
>
>
> Bret Jordan CISSP
>
> Director of Security Architecture and Standards | Office of the CTO
>
> Blue Coat Systems
>
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>
> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can
> not be unscrambled is an egg."
>
>
>
> On Sep 23, 2015, at 19:52, SOC <[hidden email]> wrote:
>
>
>
> I think that STIX/TAXII actually can hurt your cyber defense security.
> Hear me out here but there is an inherent problem in telling the
> adversary that we know what they are up to. Don't think for a second
> that the bad guys are not subscribing to these feeds. How else would
> they know to change their binaries to avoid detection or relocate their
> C2 servers to reclaim their bots that are not blacklisted because the IP
> or domain has shown up in a TAXII feed somewhere or in some other post
> or observation.
>
> For this very reason and to collect intelligence on the adversary some
> Threat Intel providers (us included) do not rush to publish the
> information to the general public. If you subscribe to our service you
> get that information immediately but it's marked non releasable even
> though 95% of the time somebody forwards it anyway.
>
> Until the people handling the IOC information stop blindly forwarding it
> to everybody they know that works in the security realm this will
> continue to be a problem.
>
> Just think about it. The good guys play fair but the malicious actors
> don't. STIX and TAXII are but tools whereas the real intelligence can be
> gathered only if the adversary is unaware that we are watching them. As
> soon as they know they are being monitored or they are found out they
> change their tactics and go elsewhere (and the search then begins again).
>
> So just another perspective here that I think some of you will find
> interesting. I just blogged this today actually and thought I would
> share my view on all of these standards that make sharing so easy.
>
> Kevin Wetzel
> CEO/Founder
> Jigsaw Security Enterprise Inc
> www.jigsawsecurityenterprise.com
> (919)441-7353
>
> On 9/23/2015 9:20 AM, Kevin Conlan wrote:
>
> As a student of cybersecurity, with a keen interest in cyber
> intelligence, I really appreciate getting to read such a piece. Great
> insights into important issues, especially with regards to geopolitical
> implications.
>
> Kevin
>
> On Sep 23, 2015 4:25 AM, "Bhujang Systems" <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>    Greetings all.
>
>    Here's an opinion piece of mine for The Tribune: North India's
>    prominent and oldest newspaper.
>
>    ...wherein I ponder over the future of a blatantly balkanized
>    cyberspace and the structured cyber-intelligence revolution heralded
>    by STIX-TAXII.
>
>    “The liberal dream of a neutral cyberspace is dead and the foreign
>    threat detectors are conspiratorial and selective.”
>
>
> http://www.tribuneindia.com/news/comment/managing-our-porous-digital-frontlines/135560.html
>
>



Re: [cti-users] My opinion piece mentioning STIX-TAXII

Mark Clancy
So my $0.02 is we have to tackle the economics of the problem.  Indicators/Observable are the lower order CTI data.  Attackers can change these, but to do so requires them to perform some work effort vs. none by leaving the badness in situ on contested. The defenders today (prior to automation of CTI anyway) have large costs and time lags to respond to even the static Indicator/Observable in use and get harmed by them left and right today. Not all attackers are doing their own "Counter CTI" and for those who don't monitor sharing channels we get a win right away against those miscreants by even pervasive sharing of this data.  Such sharing may tip the miscreants off if they have "Counter CTI" and they can do a work cycle to change at modest cost, but if we have automation on the defender side the re-positioning cost in response to that cycle is reduced from the current state. If we share Indicator/Observable level data with Course of Action even more so.  Yes I totally believe in OpSec too so your most sensitive stuff should be close hold to those who can use it appropriately and not tip off the sophisticated miscreants pre-maturely, but let us be honest this is really a tiny subset of a much bigger world of CTI.  

Where we really get value how ever is when we force the attackers to change things that are expensive for them and cheap for us.  This requires us to be sharing things way above the Indicator/Observable data which is the tonnage in the CTI world right now.  TTPs and Exploit Targets for example.If we force miscreants to change their methodology rather than specific compromised widget they get a lot less reuse leverage and have to do a more expensive work cycle to reacquire a target. The more we make it cost them the more they have to focus resources on objectives of high value.  Similarly if we are using CTI and automation to just 'handle" the less sophisticated/non-targeted stuff the more time we get back to make the advanced attackers job hard.  Even the public reporting outing APT groups forced them if for no other reason than internal politics to slow their tempo for a period of time which made our lives even if for just a moment easier.

The risk/reward trade-off question is how hard it is to re-acquire the next generation of the threat vs. the harm avoided by outing it... Does this drive unsustainable costs to our adversary and manageable costs to the defenders?

-Mark


Mark Clancy
Chief Executive Officer
SOLTRA | An FS-ISAC and DTCC Company
+1.813.470.2400 office | +1.610.659.6671 US mobile | +44 7823 626 535 UK mobile
[hidden email] | soltra.com

One organization's incident becomes everyone's defense.



________________________________________
From: [hidden email] <[hidden email]> on behalf of Houston Hopkins <[hidden email]>
Sent: Thursday, September 24, 2015 10:26 AM
To: Hinkle, Jacob (LNG-SBO)
Cc: Jordan, Bret; SOC; Kevin Conlan; Bhujang Systems; [hidden email]
Subject: Re: [cti-users] My opinion piece mentioning STIX-TAXII

I agree with Jacob here and glad someone spoke up.

Reality, you have to share intelligence to get better context.
Sharing, even in a very tight trust group, is paramount.
Anyone who thinks that charging for intelligence will prevent the bad
guys from invading our space needs to do some research on their
budgets.

PS. Long Live Evil Nerds :)

On Thu, Sep 24, 2015 at 8:32 AM, Hinkle, Jacob (LNG-SBO)
<[hidden email]> wrote:

> Bret and Richard’s replies were very diplomatic and well stated.  I am going
> another direction because your assertion that sharing data about threats
> somehow gives the bad guys an advantage, is ludicrous and I think extremely
> short sighted.  Never mind all of the people you could have helped by
> sharing the information about a threat and how to mitigate it or defend
> against it, instead you are using the mass unaware public as pawns in your
> imaginary game of chess with the APT’s of the world.
>
>
>
> Yes there will be an arms race, but publishing intelligence protects people
> from the script kiddies of the world.  Yes the big-time legitimate hackers
> will be watching, you must always assume they are, and I hate to break it to
> you, even if you don’t publish it, they are aware enough to see that their
> IPs aren’t working etc. and will shift their tactics anyway.
>
>
>
> The FBI has an issue with their InfraGard program where big corporations
> don’t want to share the details of how their network was breached because
> then their competitors would know they’d been hacked.
>
>
>
> We as security professionals need the intelligence in order to make
> decisions and act quickly to counter new threats.  I can understand the
> vendors and software companies holding onto a vulnerability’s details until
> they have worked out a way to fix it, or have fixed it, but withholding
> attack details in hopes that you can catch the hackers, while they are
> allowed to wreak havoc and cost people their livelihoods sounds a lot like
> you are using them as guinea pigs.
>
>
>
> We are under attack.  It isn’t just evil nerds anymore, now we have state
> sponsored attacks taking place.  Security through obscurity is not a viable
> tactic.  Sharing the information will allow others to develop defenses and
> influence software development by security conscious companies.  Withholding
> the information causes more people to get hacked and lose money, jobs,
> intellectual property and weakens the nation they live in as a whole.
>
>
>
> I know that many of us here do hard work to discover threat intel and we
> should be paid for that hard work.  I am not saying that you should give it
> all away for free yet.  I think that corporations and the government should
> introduce bounty programs to reward researchers for their work.
>
>
>
> Take what I say with a grain of salt, I don’t get paid to research these
> attacks, just to defend against them, so I am biased in regards to the
> availability of intel.  I admit that.  I think that your stance is a
> necessary one as far as getting paid for researching... but it sounds sadly
> similar to the pharmaceutical corporations who charge a huge amount of money
> for life saving medicines that once having been researched and developed,
> cost next to nothing to produce.
>
>
>
> I don’t know how to solve this problem, but I’d hate to see STIX and TAXII
> get locked behind a pay wall, and prevent mom and pop shops from being able
> to be secure just so we can turn a profit.
>
>
>
> Anyway, there was my rant.  I think I realized halfway through writing this
> that it is a hard spot to be in.  We all want to be Batman, but none of us
> can afford to be a selfless hero.  Outside of government employees, I don’t
> know of anyone who gets paid to research things which will be free.
> Donations and kickstarters aside.  I’d be interested in reading more on this
> topic if someone knows of a good article about it.
>
>
>
> Sorry to rant Kevin.  You aren’t evil for wanting to be paid for your hard
> work.  But I think a better way forward needs to be found if we are trying
> to prevent people from being victimized.
>
>
>
> From: [hidden email] [mailto:[hidden email]]
> On Behalf Of Jordan, Bret
> Sent: Thursday, September 24, 2015 12:28 AM
> To: SOC
> Cc: Kevin Conlan; Bhujang Systems; [hidden email]
> Subject: Re: [cti-users] My opinion piece mentioning STIX-TAXII
>
>
>
> Interesting viewpoints.  And this has come up a few times in the past.
>
>
>
> In the TAXII SC we are very aware of this issue and another that you did not
> bring up, and that is the possibility of CTI repos being poisoned by a threat
> actor.  We are currently working on these problems and trying to address
> them with TAXII 2.0.  I would encourage you to join the TAXII SC and help
> us work through these issues.  Your insight and knowledge would be very
> helpful.
>
>
>
>
>
> Thanks,
>
>
>
> Bret
>
>
>
>
>
>
>
> Bret Jordan CISSP
>
> Director of Security Architecture and Standards | Office of the CTO
>
> Blue Coat Systems
>
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>
> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can
> not be unscrambled is an egg."
>
>
>
> On Sep 23, 2015, at 19:52, SOC <[hidden email]> wrote:
>
>
>
> I think that STIX/TAXII actually can hurt your cyber defense security.
> Hear me out here but there is an inherent problem in telling the
> adversary that we know what they are up to. Don't think for a second
> that the bad guys are not subscribing to these feeds. How else would
> they know to change their binaries to avoid detection or relocate their
> C2 servers to reclaim their bots that are not blacklisted because the IP
> or domain has shown up in a TAXII feed somewhere or in some other post
> or observation.
>
> For this very reason and to collect intelligence on the adversary some
> Threat Intel providers (us included) do not rush to publish the
> information to the general public. If you subscribe to our service you
> get that information immediately but it's marked non releasable even
> though 95% of the time somebody forwards it anyway.
>
> Until the people handling the IOC information stop blindly forwarding it
> to everybody they know that works in the security realm this will
> continue to be a problem.
>
> Just think about it. The good guys play fair but the malicious actors
> don't. STIX and TAXII are but tools whereas the real intelligence can be
> gathered only if the adversary is unaware that we are watching them. As
> soon as they know they are being monitored or they are found out they
> change their tactics and go elsewhere (and the search then begins again).
>
> So just another perspective here that I think some of you will find
> interesting. I just blogged this today actually and thought I would
> share my view on all of these standards that make sharing so easy.
>
> Kevin Wetzel
> CEO/Founder
> Jigsaw Security Enterprise Inc
> www.jigsawsecurityenterprise.com
> (919)441-7353
>
> On 9/23/2015 9:20 AM, Kevin Conlan wrote:
>
> As a student of cybersecurity, with a keen interest in cyber
> intelligence, I really appreciate getting to read such a piece. Great
> insights into important issues, especially with regards to geopolitical
> implications.
>
> Kevin
>
> On Sep 23, 2015 4:25 AM, "Bhujang Systems" <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>    Greetings all.
>
>    Here's an opinion piece of mine for The Tribune: North India's
>    prominent and oldest newspaper.
>
>    ...wherein I ponder over the future of a blatantly balkanized
>    cyberspace and the structured cyber-intelligence revolution heralded
>    by STIX-TAXII.
>
>    “The liberal dream of a neutral cyberspace is dead and the foreign
>    threat detectors are conspiratorial and selective.”
>
>
> http://www.tribuneindia.com/news/comment/managing-our-porous-digital-frontlines/135560.html
>
>
> This publicly archived list provides a forum for asking questions,
> offering answers, and discussing topics of interest on STIX,
> TAXII, and CybOX.  Users and developers of solutions that leverage
> STIX, TAXII and CybOX are invited to participate.
>
> In order to verify user consent to OASIS mailing list guidelines
> and to minimize spam in the list archive, subscription is required
> before posting.
>
> Subscribe: [hidden email]
> Unsubscribe: [hidden email]
> Post: [hidden email]
> List help: [hidden email]
> List archive: http://lists.oasis-open.org/archives/cti-users/
> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> CTI Technical Committee: https://www.oasis-open.org/committees/cti/
> Join OASIS: http://www.oasis-open.org/join/
>
>

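As an added example, not code from any post in this thread or from STIX/TAXII itself, here is a small Python gate that applies Mark's economics to automated consumption of a shared feed: each indicator type gets a TTL on his cost ladder, automated blocking needs corroboration from more than one producer, close-hold (TLP:RED) items go to a human, and values inside an allowlist or our own address space are flagged rather than blocked, which is the defender-side check against the poisoned CTI repositories Bret mentions. All names, TTLs, the allowlist and the feed records are constructed assumptions.

```python
"""Defender-side gate for acting automatically on shared indicators.
Added example: not code from any post in this thread, nor from STIX/TAXII
or any product named here. Names, TTLs, allowlist and feed records are all
constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress

# Mark's cost ladder: the higher the rung, the more work an attacker needs to
# change it, so the longer we keep acting on it. These TTLs are assumptions.
TTL_BY_TYPE = {
    "ipv4-addr": timedelta(hours=24),
    "domain-name": timedelta(days=7),
    "file-hash": timedelta(days=30),
}

# Address space we own or that is never a legitimate external C2: a feed entry
# inside it points to a poisoned repository or a broken producer.
PROTECTED_NETS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

@dataclass(frozen=True)
class Indicator:
    itype: str
    value: str
    first_seen: datetime
    sources: frozenset   # producers that reported it independently
    tlp: str             # sharing marking: "white", "green", "amber" or "red"

@dataclass(frozen=True)
class Decision:
    action: str          # "block" (automated), "alert" (human review) or "drop"
    reason: str

class IndicatorGate:
    def __init__(self, allowlist, now, min_sources=2):
        # Names (and their subdomains) we never auto-block however many feeds
        # list them: the guard against Bret's poisoned-repository scenario.
        self.allowlist = tuple(a.lower() for a in allowlist)
        self.now = now
        self.min_sources = min_sources

    def _is_protected(self, ind):
        if ind.itype == "domain-name":
            name = ind.value.lower().rstrip(".")
            return any(name == a or name.endswith("." + a) for a in self.allowlist)
        if ind.itype == "ipv4-addr":
            try:
                addr = ipaddress.ip_address(ind.value)
            except ValueError:
                return True      # malformed value: never push it to a blocklist
            return any(addr in net for net in PROTECTED_NETS)
        return False

    def decide(self, ind):
        ttl = TTL_BY_TYPE.get(ind.itype)
        if ttl is None:
            return Decision("alert", f"unsupported type {ind.itype}: route to analysts")
        # Low-level indicators turn over fast; past the TTL they only add false
        # positives, the defender cost Mark wants automation to remove.
        if self.now - ind.first_seen > ttl:
            return Decision("drop", "stale: past the TTL for its type")
        if self._is_protected(ind):
            return Decision("alert", "possible poisoning: value is protected")
        if ind.tlp == "red":
            return Decision("alert", "TLP:RED is close-hold: human handling only")
        if len(ind.sources) < self.min_sources:
            return Decision("alert", "uncorroborated: reported by one source")
        return Decision("block", f"corroborated by {len(ind.sources)} sources")

    def run(self, feed):
        return {(i.itype, i.value): self.decide(i) for i in feed}

def build_feed(now):
    """Constructed feed; IPs are RFC 5737 documentation ranges, not real IoCs."""
    h = timedelta(hours=1)
    both, one = frozenset({"isac", "vendor-a"}), frozenset({"vendor-a"})
    return [
        Indicator("ipv4-addr", "203.0.113.7", now - 2 * h, both, "green"),
        Indicator("ipv4-addr", "198.51.100.9", now - 2 * h, one, "green"),
        Indicator("ipv4-addr", "10.0.0.5", now - 2 * h, both, "green"),
        Indicator("ipv4-addr", "192.0.2.44", now - 30 * h, both, "green"),
        Indicator("domain-name", "updates.example.com", now - 2 * h, both, "green"),
        Indicator("domain-name", "c2.invalid", now - 2 * h, both, "red"),
        Indicator("file-hash", "0" * 64, now - 2 * h, both, "amber"),
    ]

def run_example():
    now = datetime(2015, 9, 25, 12, 0, tzinfo=timezone.utc)
    gate = IndicatorGate(allowlist=["example.com"], now=now)
    return gate.run(build_feed(now))

if __name__ == "__main__":
    for (itype, value), d in run_example().items():
        print(f"{itype:12} {value:22} -> {d.action:5} ({d.reason})")
```

Only the "block" decisions are safe to push to enforcement points unattended; everything that lands in "alert" is exactly the material a human needs to see before the feed is trusted.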

Re: [cti-users] please remove me

Randy Bachman
I did the remove instructions and it didn't work

Randy Bachman
Cybersecurity Engineer
Cybersecurity and Communications Reliability
Public Safety and Homeland Security Bureau
Federal Communications Commission
202-418-2410

________________________________________
From: [hidden email] <[hidden email]> on behalf of Mark Clancy <[hidden email]>
Sent: Friday, September 25, 2015 12:57 PM
To: Houston Hopkins; Hinkle, Jacob (LNG-SBO)
Cc: Jordan, Bret; SOC; Kevin Conlan; Bhujang Systems; [hidden email]
Subject: Re: [cti-users] My opinion piece mentioning STIX-TAXII


RE: [cti-users] My opinion piece mentioning STIX-TAXII

pankaj.anand
In reply to this post by Mark Clancy
I agree with the point that this information must be shared on an open platform so that the maximum number of defenders can make use of it. As there are no confined boundaries on the internet, there will be adversaries looking into this. This is for more generic attacks and should be consumed without boundaries. In today's world I think generic attacks are random and adversaries are also not investing too much time and effort to change tactics. So as long as we can change faster than adversaries' TTPs, we shall continue to be at an advantage and discourage adversaries by adding effort and cost to an attack. Even if this gets into commercial boundaries, adversaries can still have access, so keeping it open source or not doesn't matter.

The other concept is the time lag in information exchange. In industry, not many organizations have a mature threat intel platform, and they have substantial lag time for sharing and even for utilization. Unless it's near real time, the usage may not be as effective (considering the Verizon DBIR, most of this information is short lived and more than 90% changes within a day). So how fast information gets exchanged and implemented also matters. Is attack speed faster, or threat sharing faster? I assume that's also one of the reasons that the overlap of information between various inbound threat channels is very low (3%).

By using STIX/TAXII we are getting into basic building blocks which the majority of the industry has yet to adopt.

Thanks,

Pankaj Anand


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Mark Clancy
Sent: Friday, September 25, 2015 10:28 PM
To: Houston Hopkins <[hidden email]>; Hinkle, Jacob (LNG-SBO) <[hidden email]>
Cc: Jordan, Bret <[hidden email]>; SOC <[hidden email]>; Kevin Conlan <[hidden email]>; Bhujang Systems <[hidden email]>; [hidden email]
Subject: Re: [cti-users] My opinion piece mentioning STIX-TAXII

So my $0.02 is we have to tackle the economics of the problem.  Indicators/Observable are the lower order CTI data.  Attackers can change these, but to do so requires them to perform some work effort vs. none by leaving the badness in situ on contested. The defenders today (prior to automation of CTI anyway) have large costs and time lags to respond to even the static Indicator/Observable in use and get harmed by them left and right today. Not all attackers are doing their own "Counter CTI" and for those who don't monitor sharing channels we get a win right away against those miscreants by even pervasive sharing of this data.  Such sharing may tip the miscreants off if they have "Counter CTI" and they can do a work cycle to change at modest cost, but if we have automation on the defender side the re-positioning cost in response to that cycle is reduced from the current state. If we share Indicator/Observable level data with Course of Action even more so.  Yes I totally believe in OpSec too so your most sensitive stuff should be close hold to those who can use it appropriately and not tip off the sophisticated miscreants pre-maturely, but let us be honest this is really a tiny subset of a much bigger world of CTI.

Where we really get value how ever is when we force the attackers to change things that are expensive for them and cheap for us.  This requires us to be sharing things way above the Indicator/Observable data which is the tonnage in the CTI world right now.  TTPs and Exploit Targets for example.If we force miscreants to change their methodology rather than specific compromised widget they get a lot less reuse leverage and have to do a more expensive work cycle to reacquire a target. The more we make it cost them the more they have to focus resources on objectives of high value.  Similarly if we are using CTI and automation to just 'handle" the less sophisticated/non-targeted stuff the more time we get back to make the advanced attackers job hard.  Even the public reporting outing APT groups forced them if for no other reason than internal politics to slow their tempo for a period of time which made our lives even if for just a moment easier.

The risk reward trade off question is how hard it to re-acquire the next generation of the threat vs the harm avoided by outing it... Does this drive unsustainable costs to our adversary and manageable costs to the defenders?

-Mark


Mark Clancy
Chief Executive Officer
SOLTRA | An FS-ISAC and DTCC Company
+1.813.470.2400 office | +1.610.659.6671 US mobile |​  +44 7823 626 535
+UK mobile
[hidden email] | soltra.com

One organization's incident becomes everyone's defense.



________________________________________
From: [hidden email] <[hidden email]> on behalf of Houston Hopkins <[hidden email]>
Sent: Thursday, September 24, 2015 10:26 AM
To: Hinkle, Jacob (LNG-SBO)
Cc: Jordan, Bret; SOC; Kevin Conlan; Bhujang Systems; [hidden email]
Subject: Re: [cti-users] My opinion piece mentioning STIX-TAXII

I agree with Jacob here and glad someone spoke up.

Reality, you have to share intelligence to get better context.
Sharing, even in a very tight trust group, is paramount.
If anyone thinks that charging for intelligence will prevent the bad guys from invading our space needs to do some research on their budgets.

PS. Long Live Evil Nerds :)

On Thu, Sep 24, 2015 at 8:32 AM, Hinkle, Jacob (LNG-SBO) <[hidden email]> wrote:

> Bret and Richard’s replies were very diplomatic and well stated.  I am
> going another direction because your assertion that sharing data about
> threats somehow gives the bad guys an advantage, is ludicrous and I
> think extremely short sighted.  Never mind all of the people you could
> have helped by sharing the information about a threat and how to
> mitigate it or defend against it, instead you are using the mass
> unaware public as pawns in your imaginary game of chess with the APT’s of the world.
>
>
>
> Yes there will be an arms race, but publishing intelligence protects
> people from the script kiddies of the world.  Yes the big-time
> legitimate hackers will be watching, you must always assume they are,
> and I hate to break it to you, even if you don’t publish it, they are
> aware enough to see that there IP’s aren’t working etc. and will shift their tactics anyway.
>
>
>
> The FBI has an issue with their Infragaurd program where big
> corporations don’t want to share the details of how their network was
> breached because then their competitors would know they’d been hacked.
>
>
>
> We as security professionals need the intelligence in order to make
> decisions and act quickly to counter new threats.  I can understand
> the vendors and software company’s holding onto a vulnerabilities
> details until they have worked out a way to fix it, or have fixed it,
> but withholding attack details in hopes that you can catch the
> hackers, while they are allowed to wreak havoc and cost people their
> livelihoods sounds a lot like you are using them as guinea pigs.
>
>
>
> We are under attack.  It isn’t just evil nerds anymore, now we have
> state sponsored attacks taking place.  Security through obscurity is
> not a viable tactic.  Sharing the information will allow others to
> develop defenses and influence software development by security
> conscious companies.  Withholding the information causes more people
> to get hacked and lose money, jobs, intellectual property and weakens the nation they live in as a whole.
>
>
>
> I know that many of us here do hard work to discover threat intel and
> we should be paid for that hard work.  I am not saying that you should
> give it all away for free yet.  I think that corporations and the
> government should introduce bounty programs to reward researchers for their work.
>
>
>
> Take what I say with a grain of salt, I don’t get paid to research
> these attacks, just to defend against them, so I am biased in regards
> to the availability of intel.  I admit that.  I think that your stance
> is a necessary one as far as getting paid for researching….but it
> sounds sadly similar to the pharmaceutical corporations who charge a
> huge amount of money for life saving medicines that once having been
> researched and developed, cost next to nothing to produce.
>
>
>
> I don’t know how to solve this problem, but I’d hate to see STIX and
> TAXII get locked behind a pay wall, and prevent mom and pop shops from
> being able to be secure just so we can turn a profit.
>
>
>
> Anyway, there was my rant.  I think I realized halfway through writing
> this that it is a hard spot to be in.  We all want to be Batman, but
> none of us can afford to be a selfless hero.  Outside of government
> employees, I don’t know of anyone who gets paid to research things which will be free.
> Donations and kickstarters aside.  I’d be interested in reading more
> on this topic if someone knows of a good article about it.
>
>
>
> Sorry to rant Kevin.  You aren’t evil for wanting to be paid for your
> hard work.  But I think a better way forward needs to be found if we
> are trying to prevent people from being victimized.
>
>
>
> From: [hidden email]
> [mailto:[hidden email]]
> On Behalf Of Jordan, Bret
> Sent: Thursday, September 24, 2015 12:28 AM
> To: SOC
> Cc: Kevin Conlan; Bhujang Systems; [hidden email]
> Subject: Re: [cti-users] My opinion piece mentioning STIX-TAXII
>
>
>
> Interesting view points..  And this has come up a few times in the past.
>
>
>
> In the TAXII SC we are very aware of this issue and another that you
> did not bring up, and that is the possibility of CTI repos being poisoned
> by a threat actor.  We are currently working on these problems and
> trying to address them with TAXII 2.0.  I would encourage you to
> join the TAXII SC and help us work through these issues.  Your insight
> and knowledge would be very helpful.
>
>
>
>
>
> Thanks,
>
>
>
> Bret
>
>
>
>
>
>
>
> Bret Jordan CISSP
>
> Director of Security Architecture and Standards | Office of the CTO
>
> Blue Coat Systems
>
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>
> "Without cryptography vihv vivc ce xhrnrw, however, the only thing
> that can not be unscrambled is an egg."
>
>
>
> On Sep 23, 2015, at 19:52, SOC <[hidden email]> wrote:
>
>
>
> I think that STIX/TAXII actually can hurt your cyber defense security.
> Hear me out here but there is an inherent problem in telling the
> adversary that we know what they are up to. Don't think for a second
> that the bad guys are not subscribing to these feeds. How else would
> they know to change their binaries to avoid detection or relocate
> their C2 servers to reclaim their bots that are not blacklisted because
> the IP or domain has shown up in a TAXII feed somewhere or in some other
> post or observation?
>
> For this very reason and to collect intelligence on the adversary some
> Threat Intel providers (us included) do not rush to publish the
> information to the general public. If you subscribe to our service you
> get that information immediately but it's marked non releasable even
> though 95% of the time somebody forwards it anyway.
>
> Until the people handling the IOC information stop blindly forwarding
> it to everybody they know that works in the security realm this will
> continue to be a problem.
>
> Just think about it. The good guys play fair but the malicious actors
> don't. STIX and TAXII are but tools whereas the real intelligence can
> be gathered only if the adversary is unaware that we are watching
> them. As soon as they know they are being monitored or they are found
> out they change their tactics and go elsewhere (and the search then begins again).
>
> So just another perspective here that I think some of you will find
> interesting. I just blogged this today actually and thought I would
> share my view on all of these standards that make sharing so easy.
>
> Kevin Wetzel
> CEO/Founder
> Jigsaw Security Enterprise Inc
> www.jigsawsecurityenterprise.com
> (919)441-7353
>
> On 9/23/2015 9:20 AM, Kevin Conlan wrote:
>
> As a student of cybersecurity, with a keen interest in cyber
> intelligence, I really appreciate getting to read such a piece. Great
> insights into important issues, especially with regards to
> geopolitical implications.
>
> Kevin
>
> On Sep 23, 2015 4:25 AM, "Bhujang Systems" <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>    Greetings all.
>
>    Here's an opinion piece of mine for The Tribune: North India's
>    prominent and oldest newspaper.
>
>    ...wherein I ponder over the future of a blatantly balkanized
>    cyberspace and the structured cyber-intelligence revolution heralded
>    by STIX-TAXII.
>
>    “The liberal dream of a neutral cyberspace is dead and the foreign
>    threat detectors are conspiratorial and selective.”
>
>
> http://www.tribuneindia.com/news/comment/managing-our-porous-digital-frontlines/135560.html
>
>
> This publicly archived list provides a forum for asking questions,
> offering answers, and discussing topics of interest on STIX, TAXII,
> and CybOX.  Users and developers of solutions that leverage STIX,
> TAXII and CybOX are invited to participate.
>
> In order to verify user consent to OASIS mailing list guidelines and
> to minimize spam in the list archive, subscription is required before
> posting.
>
> Subscribe: [hidden email]
> Unsubscribe: [hidden email]
> Post: [hidden email]
> List help: [hidden email]
> List archive: http://lists.oasis-open.org/archives/cti-users/
> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> CTI Technical Committee: https://www.oasis-open.org/committees/cti/
> Join OASIS: http://www.oasis-open.org/join/
>
>


Re: [cti-users] My opinion piece mentioning STIX-TAXII

Jordan, Bret
This is our desire and goal.  However, there are some steps along the way, let me illustrate two of them...

1) How do you make the shared CTI machine-actionable for any arbitrary STIX 1.2 document today? Hint: think through what you would need to do in code to make this happen.

2) How do you know for sure that you can trust the CTI you are openly getting?  Or how do you know the CTI is even valid?  Open public sharing is a two-edged sword without validation, verification, and assessment.




Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Sep 29, 2015, at 08:13, [hidden email] wrote:

I agree to the point that this information must be shared as an open platform so that the maximum number of defenders can make use of it. As there are no confined boundaries on the internet, there will be adversaries looking into this. This is for more generic attacks and should be consumed without boundaries. In today's world I think generic attacks are random and adversaries are also not investing too much time and effort to change tactics. So as long as we can change faster than the adversaries' TTPs, we shall continue to be at an advantage and discourage adversaries by adding effort and cost to an attack. Even if this gets into commercial boundaries, adversaries can still have access, so whether it is open source or not doesn't matter.

The other concept is the time lag in information exchange. In industry not many organizations have a mature threat intel platform, and they have substantial lag time for sharing and even for utilization. Unless it's near real time the usage may not be as effective (considering the Verizon DBIR, most of this information is short lived and more than 90% changes within a day). So how fast information gets exchanged and implemented also matters. Is attack speed faster, or threat sharing? I assume that's also one of the reasons that the overlap of information between various inbound threat channels is very low (3%).

By using STIX/TAXII we are getting into basic building blocks that the majority of the industry has yet to adopt.

Thanks,

Pankaj Anand




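Bret's two questions above (what code it takes to make an arbitrary STIX 1.2 document machine-actionable, and how you validate what an open feed hands you) and Kevin Wetzel's point earlier in the thread about "non releasable" intel being forwarded anyway are concrete enough to sketch in code. The script below is an added example, not code from anyone in this thread, from OASIS or from any vendor. It parses a STIX 1.2 package with the standard library, reads the TLP handling marking and the Information_Source, and only then turns address and domain observables into a block list, rejecting anything malformed, non-routable, or aimed at your own infrastructure (the "poisoned repo" case Bret raises). The namespace URIs are the published STIX 1.2 / CybOX 2 ones; the trusted-source list, the asset allow-lists, the audience table and the sample package are all constructed for this example.

```python
"""Vet a STIX 1.2 package before acting on it: extract observables, honour the
TLP handling marking, reject invalid or poisoned indicators.  Added example,
not code from this thread or from OASIS; policy tables and sample package are
constructed here."""
import ipaddress
import xml.etree.ElementTree as ET

NS = {"stix": "http://stix.mitre.org/stix-1", "stixCommon": "http://stix.mitre.org/common-1",
      "indicator": "http://stix.mitre.org/Indicator-2", "cybox": "http://cybox.mitre.org/cybox-2",
      "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
      "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
      "marking": "http://data-marking.mitre.org/Marking-1",
      "tlpMarking": "http://data-marking.mitre.org/extensions/MarkingStructure#TLP-1",
      "xsi": "http://www.w3.org/2001/XMLSchema-instance"}
XSI_TYPE = "{%s}type" % NS["xsi"]

# Policy (constructed): feeds we trust, ranges and zones we own, who may see what.
TRUSTED_SOURCES = {"Example ISAC"}
ASSET_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
ASSET_DOMAINS = {"example.org"}
BOGONS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
          "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
RELEASABLE_TO = {"internal-blocklist": {"WHITE", "GREEN", "AMBER", "RED"}, "public-feed": {"WHITE"}}

def _indicator(ind_id, kind, value):
    # Constructed STIX 1.2 indicator wrapping one CybOX address or domain object.
    if kind == "ipv4":
        props = ('<cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">'
                 '<AddressObj:Address_Value>%s</AddressObj:Address_Value></cybox:Properties>' % value)
    else:
        props = ('<cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">'
                 '<DomainNameObj:Value>%s</DomainNameObj:Value></cybox:Properties>' % value)
    return ('<stix:Indicator id="%s" xsi:type="indicator:IndicatorType"><indicator:Observable>'
            '<cybox:Object>%s</cybox:Object></indicator:Observable></stix:Indicator>' % (ind_id, props))

# Constructed feed content: two plausible IOCs, then the cases vetting must catch.
SAMPLE_OBSERVABLES = [("ipv4", "203.0.113.45"), ("domain", "c2.example.net"),
                      ("ipv4", "192.0.2.10"),          # inside our own range: poisoning?
                      ("domain", "mail.example.org"),  # our own zone: poisoning?
                      ("ipv4", "10.1.2.3"),            # RFC 1918, never a public C2
                      ("ipv4", "203.0.113.999")]       # malformed

SAMPLE_PACKAGE = """<stix:STIX_Package xmlns:stix="%(stix)s" xmlns:stixCommon="%(stixCommon)s"
  xmlns:indicator="%(indicator)s" xmlns:cybox="%(cybox)s" xmlns:AddressObj="%(AddressObj)s"
  xmlns:DomainNameObj="%(DomainNameObj)s" xmlns:marking="%(marking)s" xmlns:tlpMarking="%(tlpMarking)s"
  xmlns:xsi="%(xsi)s" id="example:Package-1" version="1.2">
 <stix:STIX_Header>
  <stix:Handling><marking:Marking><marking:Controlled_Structure>//node() | //@*</marking:Controlled_Structure>
   <marking:Marking_Structure xsi:type="tlpMarking:TLPMarkingStructureType" color="AMBER"/>
  </marking:Marking></stix:Handling>
  <stix:Information_Source><stixCommon:Identity><stixCommon:Name>Example ISAC</stixCommon:Name>
  </stixCommon:Identity></stix:Information_Source>
 </stix:STIX_Header>
 <stix:Indicators>%(indicators)s</stix:Indicators>
</stix:STIX_Package>""" % dict(NS, indicators="".join(
    _indicator("example:indicator-%d" % i, k, v) for i, (k, v) in enumerate(SAMPLE_OBSERVABLES, 1)))

def tlp_color(root):
    """TLP colour declared in the package header, or None if none is declared."""
    path = "stix:STIX_Header/stix:Handling/marking:Marking/marking:Marking_Structure"
    for ms in root.findall(path, NS):
        if ms.get(XSI_TYPE, "").endswith("TLPMarkingStructureType"):
            return ms.get("color", "").upper() or None
    return None

def extract_observables(root):
    """Yield (indicator id, kind, value) for IPv4 address and domain name objects."""
    for ind in root.findall("stix:Indicators/stix:Indicator", NS):
        for props in ind.findall(".//cybox:Properties", NS):
            xtype = props.get(XSI_TYPE, "")
            kind = ("ipv4" if xtype.endswith("AddressObjectType")
                    else "domain" if xtype.endswith("DomainNameObjectType") else None)
            val = props.find("AddressObj:Address_Value" if kind == "ipv4" else "DomainNameObj:Value", NS)
            if kind and val is not None and val.text:
                yield ind.get("id"), kind, val.text.strip().lower()

def check_value(kind, value):
    """None if the value may be blocked, otherwise the reason to reject it."""
    if kind == "ipv4":
        try:
            ip = ipaddress.IPv4Address(value)
        except ValueError:
            return "malformed IPv4 address"
        if any(ip in net for net in BOGONS):
            return "non-routable address"
        owned = any(ip in net for net in ASSET_NETWORKS)
    else:
        labels = value.rstrip(".").split(".")
        if len(labels) < 2 or not all(labels):
            return "malformed domain name"
        owned = any(".".join(labels[i:]) in ASSET_DOMAINS for i in range(len(labels)))
    return "matches own assets (possible poisoning)" if owned else None

def vet_package(xml_text, audience):
    """Split a package into actionable observables and rejected indicators."""
    root = ET.fromstring(xml_text)
    src = root.find("stix:STIX_Header/stix:Information_Source/stixCommon:Identity/stixCommon:Name", NS)
    src = src.text.strip() if src is not None and src.text else None
    if src not in TRUSTED_SOURCES:            # no provenance, no action
        return {"accepted": [], "rejected": [("*", "untrusted Information_Source: %r" % src)]}
    color = tlp_color(root)
    if color not in RELEASABLE_TO[audience]:  # honour the handling marking before forwarding
        return {"accepted": [], "rejected": [("*", "TLP %s is not releasable to %s" % (color, audience))]}
    result = {"accepted": [], "rejected": []}
    for ind_id, kind, value in extract_observables(root):
        reason = check_value(kind, value)
        (result["rejected"] if reason else result["accepted"]).append(
            (ind_id, reason) if reason else (kind, value))
    return result
```

Run against the sample package, vet_package(SAMPLE_PACKAGE, "internal-blocklist") accepts only the routable address and the foreign domain and rejects the other four with a reason per indicator, while vet_package(SAMPLE_PACKAGE, "public-feed") refuses the whole AMBER package, which is the check that would stop the blind forwarding Kevin Wetzel describes. A real deployment would also verify the TAXII transport (TLS, client authentication) and keep the rejected list for analyst review, since an indicator pointing at your own assets is itself a signal worth investigating.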