[cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)

[cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)

Grobauer, Bernd
Hi,

I found this news item (from yesterday) about a new Open Source effort on TI standardization
and thought it might be of interest to the group:

http://www.businesswire.com/news/home/20151020005120/en/LookingGlass-Introduces-Open-Threat-Partner-eXchange-OpenTPX

Docs, JSON-schema, etc. on

https://www.opentpx.org/


According to the FAQ:

Q: Does OpenTPX replace STIX?

A: No. OpenTPX was designed primarily as an optimized mechanism for data exchange at large volume, high scale and high speed ingestion for a broader set of Internet intelligence and threat context. Aspects of data available in STIX (e.g. indicators) have direct mapping to OpenTPX.

Kind regards,

Bernd


-------------

Bernd Grobauer, Siemens CERT




This publicly archived list provides a forum for asking questions,
offering answers, and discussing topics of interest on STIX,
TAXII, and CybOX.  Users and developers of solutions that leverage
STIX, TAXII and CybOX are invited to participate.

In order to verify user consent to OASIS mailing list guidelines
and to minimize spam in the list archive, subscription is required
before posting.

Subscribe: [hidden email]
Unsubscribe: [hidden email]
Post: [hidden email]
List help: [hidden email]
List archive: http://lists.oasis-open.org/archives/cti-users/
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
CTI Technical Committee: https://www.oasis-open.org/committees/cti/
Join OASIS: http://www.oasis-open.org/join/

Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)

Trey Darley-3
On 21.10.2015 10:17:03, Grobauer, Bernd wrote:
>
> I found this news item (from yesterday) about a new Open Source
> effort on TI standardization and thought it might be of interest to
> the group:
>
>

Good eye, Bernd, thanks for sharing!

My initial reaction was this [0]. But having reviewed the OpenTPX
introduction [1], I see some things that I quite like and from which
we might draw inspiration for the pending CTI standards major
revisions, namely:

  * nifty query language
  * lightweight extensibility mechanism a la OpenIOC 1.1's Parameters
    notion
  * how they score observables and allow for aging the scores over
    time (cf. score_24hr_decay_i, page 16 in [1])

[0]: http://imgs.xkcd.com/comics/standards.png
[1]: https://www.opentpx.org/docs/openTPX-introduction.pdf

--
Cheers,
Trey
--
Trey Darley
Senior Security Engineer
4DAA 0A88 34BC 27C9 FD2B  A97E D3C6 5C74 0FB7 E430
Soltra | An FS-ISAC & DTCC Company
www.soltra.com
--
"One size never fits all." --RFC 1925

Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)

Wunder, John A.
Interestingly, they posted that same cartoon on their blog! https://www.opentpx.org/blog/introducing-open-threat-partner-exchange.html

BTW, from that blog post:

Why something new?
"We looked at XML and realized that it introduces, conservatively, double the amount of data we needed to process and transfer. When you're dealing with terabytes of raw data, doubling the size to conform to a format doesn't make a lot of sense. If we can convey the same information at half the size, it's an easy decision. JSON accomplishes the same goal with less overhead. XML formats like STIX also didn't have support for data types we needed. We already have experience trying to extend formats that didn't meet our current needs or weren't flexible enough for future needs. We looked at binary solutions like protobufs and realized that most producers of data were not going to spend time converting their processes into a format that was complicated for humans to quickly evaluate. A lot of data feeds are plain text, often compressed, and the work involved in moving from lists of IPs or domains to a JSON format is minimal, so the work for the data producer was not demanding. And to be honest, we're commonly the ones doing the conversion, so a common language was our goal."

John

Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)

Jordan, Bret
Thanks for sending this out... It looks interesting. We will need to watch it closely; they have some neat things that are very similar to FB's threat exchange.

Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)

Jason Lewis
Just to point out some key differences from the FB format.  Primarily
the topology support (networks, bgp, etc) and scoring.  Part of the
scoring is the decay, which becomes very important when dealing with
billions of elements.

Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)

JA
Yep, the decay is interesting.
It could be evaluated as an option like the Valid_Time_Position, where both have benefits depending on the use case (e.g. Exercise scenario).

Regarding scoring, there is opportunity for research based on STIX ;-)


Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)

pmaroney
Relevance, Certainty, Validity, etc. along with other highly subjective measures like Business Impact (of mitigation/Blocking) are really not effective shared measures for IOCs with perhaps exceptions for widely seen common Malware/NuisanceWare/AdWare.
Point is that a majority of serious APT attacks against Sectors, Industries, Agencies, etc. are highly targeted. In some cases the attack packages and ephemeral TTPs are tailored uniquely to an individual organization.
I can authoritatively cite an example:  some of the most dangerous highly targeted APT threats are typically flagged by AV as "Low" priority/criticality/risk, which in turn leads to inadequate responses when detected.  We've found evidence of relatively early leading APT artifact AV detections in every APT Intrusion investigation since 2002.  When asked why these leading indicators were ignored, without fail the response would be something along the lines of: "Oh we don't have the resources to investigate thousands of AV detections, we only look at Med to High Risk", or "Oh we looked at it, it was flagged as low risk".  AV Vendors when challenged on these rating methodologies would also respond without fail with something like: "That RAT/Backdoor was only reported by 5 companies, it's low risk".  Tell that to the 5 companies who spent millions cleaning up entrenched adversaries that could have been stopped early in the intrusion had the threat not been mischaracterized and investigated. 
In my view (1) we should be sharing facts about sightings/observations, (2) analysis along with methods to "show your work" for any hypothesis for subjective conclusions, and (3) include Non-Attributional Source Path Traceability for directing RFIs and Details on Sightings to the original Source(s).  One can then compile "Earliest Seen", "Latest Seen" metrics along with Sector/Target specific Threat Characterization details to determine an effective measure of risk.

Patrick Maroney

Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)

Barnum, Sean D.
Pat’s statements here align with the opinions I have heard expressed over the last few years from organizations doing actual cyber threat intelligence or active incident response.
The assertions that I have heard are that scoring is a great concept but that any importance/criticality scoring (based on a myriad of potential factors like some that Pat names) asserted by a producer is rarely accurate or applicable within the context of different consumers. 
The way that I have had it characterized to me is typically along the lines of the following.
At best (in the rare cases where they are accurate) they may help a consumer prioritize one issue over another. Nominally, they are noise information for consumers drowning in information. At worst they are misleading and cause the wrong decisions/actions to be taken (such as the case Pat describes below).
The preferred approach that I have heard is to give the consumer as much of the context for the information as possible to enable the consumer to determine their own scoring based also on their own internal context.
One possible approach for us might be to ensure that we can support conveying the appropriate level of context information in our normative standards and then provide some non-normative consensus suggestions/guidelines (separate from the standards themselves) on how consumers could use that information to “score” threat information.

I am not arguing or asserting a “right” way to do this, just pointing out that what Pat says here jibes with what I have heard from many others, and that we should certainly take such considerations into account when thinking about this topic.

sean

From: <[hidden email]> on behalf of Patrick Maroney <[hidden email]>
Date: Monday, October 26, 2015 at 10:33 AM
To: Jerome Athias <[hidden email]>, Jason Lewis <[hidden email]>
Cc: "Jordan, Bret" <[hidden email]>, Bernd Grobauer <[hidden email]>, "[hidden email]" <[hidden email]>
Subject: Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)

Relevance, Certainty, Validity, etc. along with other highly subjective measures like Business Impact (of mitigation/Blocking) are really not effective shared measures for IOCs with perhaps exceptions for widely seen common Malware/NuisanceWare/AdWare.
Point is that a majority of serious APT attacks against Sectors, Industries, Agencies, etc. are highly targeted. In some cases the attack packages and ephemeral TTPs are tailored uniquely to an individual organization.
I can authoritatively cite an example:  some of the most dangerous highly targeted APT threats are typically flagged by AV as "Low" priority/criticality/risk, which in turn leads to inadequate responses when detected.  We've found evidence of relatively early leading APT artifact AV detections in every APT Intrusion investigation since 2002.  When asked why these leading indicators were ignored, without fail the response would be something along the lines of: "Oh we don't have the resources to investigate thousands of AV detections, we only look at Med to High Risk", or "Oh we looked at it, it was flagged as low risk".  AV Vendors when challenged on these rating methodologies would also respond without fail with something like: "That RAT/Backdoor was only reported by 5 companies, it's low risk".  Tell that to the 5 companies who spent millions cleaning up entrenched adversaries that could have been stopped early in the intrusion had the threat not been mischaracterized and investigated. 
In my view (1) we should be sharing facts about sightings/observations, (2) analysis along with methods to "show your work" for any hypothesis for subjective conclusions, and (3) include Non-Attributional Source Path Traceability for directing RFIs and Details on Sightings to the original Source(s).  One can then compile "Earliest Seen", "Latest Seen" metrics along with Sector/Target specific Threat Characterization details to determine an effective measure of risk.

Patrick Maroney

Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)

Jason Lewis
One of the biggest struggles we had early on was the use of the word
"indicator".  Lots of people immediately categorize the word as
representing badness, due to the phrase "Indicators of Compromise".
We decided that a better term to describe the data we were
representing was "observable".  Observables have elements of time
included, so a decent definition is "facts about
sightings/observations".  We treat observables as immutable, so once
it's occurred, there is no modification to the event.  We modify data
about that observable, but not the element itself.  Essentially, the
data producer can tell me what risk/importance they recommend for the
data and I can modify that based on my needs.

With opentpx, I'm able to say I observed an event without confusing
the end user on if the event was good or bad.  There are different
levels of bad for different folks, so part of the format is allowing
the data provider to provide a score (or multiple "scores", risk,
criticality, etc).    Once the data is in our system, we are then able
to use the score provided by the data to present a computed score to
the end user.  This computed score is a combination of input from the
data itself, the user, and related observables.  The users are able to
tweak knobs that allow them to elevate or reduce the score for
multiple elements.  For example, lowering the score for a feed,
raising the score for an IP, making the score for a network neutral.
The result addresses the scenario of User A not being concerned with
attacks that target power plants, while User B can make those attacks
the highest priority.

jas

On Mon, Oct 26, 2015 at 10:33 AM, Patrick Maroney <[hidden email]> wrote:

> Relevance, Certainty, Validity, etc. along with other highly subjective
> measures like Business Impact (of mitigation/Blocking) are really not
> effective shared measures for IOCs with perhaps exceptions for widely seen
> common Malware/NuisanceWare/AdWare.
> Point is that a majority of serious APT attacks against Sectors, Industries,
> Agencies, etc. are highly targeted. In some cases the attack packages and
> ephemeral TTPs are tailored uniquely to an individual organization.
> I can authoritatively cite an example:  some of the most dangerous highly
> targeted APT threats are typically flagged by AV as "Low"
> priority/criticality/risk, which in turn leads to inadequate responses when
> detected.  We've found evidence of relatively early leading APT artifact AV
> detections in every APT Intrusion investigation since 2002.  When asked why
> these leading indicators were ignored, without fail the response would be
> something along the lines of: "Oh we don't have the resources to investigate
> thousands of AV detections, we only look at Med to High Risk", or "Oh we
> looked at it, it was flagged as low risk".  AV Vendors when challenged on
> these rating methodologies would also respond without fail with something
> like: "That RAT/Backdoor was only reported by 5 companies, it's low risk".
> Tell that to the 5 companies who spent millions cleaning up entrenched
> adversaries that could have been stopped early in the intrusion had the
> threat not been mischaracterized and investigated.
> In my view (1) we should be sharing facts about sightings/observations, (2)
> analysis along with methods to "show your work" for any hypothesis for
> subjective conclusions, and (3) include Non-Attributional Source Path
> Traceability for directing RFIs and Details on Sightings to the original
> Source(s).  One can then compile "Earliest Seen", "Latest Seen" metrics
> along with Sector/Target specific Threat Characterization details to
> determine an effective measure of risk.
>
> Patrick Maroney
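A worked illustration of the scoring flow Jason describes above (an immutable observable carrying the producer's recommended score, consumer knobs for a feed, an IP, a network and a topic, time decay, and input from related observables), added here as an example rather than any OpenTPX or LookingGlass code. The field names, the 0..100 scale, the NEUTRAL midpoint, the half-life decay and the 70/30 blend with related sightings are assumptions.

```python
"""Consumer-side scoring over immutable observables, modelled on the flow
Jason describes: the producer recommends a score, the consumer turns knobs
(feed, topic, IP, network) and stale sightings decay. Added example: the
field names, 0..100 scale, NEUTRAL midpoint and half-life decay are
assumptions, not the OpenTPX schema."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Iterable, List, Optional

NEUTRAL = 50.0  # assumed "no opinion" midpoint of the 0..100 priority scale


@dataclass(frozen=True)
class Observable:
    """Immutable fact about a sighting: what, where, when, and what the
    producer recommends. Nothing here asserts that the event is good or bad."""
    feed: str
    ip: str
    last_seen: datetime
    producer_score: float               # producer's recommendation, 0..100
    tags: FrozenSet[str] = frozenset()  # constructed labels, e.g. "targets:power"


@dataclass
class ConsumerPolicy:
    """The consumer's knobs. They change the computed score, never the observable."""
    feed_weight: Dict[str, float] = field(default_factory=dict)  # feed -> multiplier
    tag_weight: Dict[str, float] = field(default_factory=dict)   # tag -> multiplier
    ip_boost: Dict[str, float] = field(default_factory=dict)     # ip -> points added
    neutral_networks: List[str] = field(default_factory=list)    # CIDRs pinned to NEUTRAL
    half_life: timedelta = timedelta(days=30)                    # decay half-life


def decayed(score: float, last_seen: datetime, now: datetime, half_life: timedelta) -> float:
    """Exponential decay toward 0: a sighting one half-life old keeps half its weight."""
    age = max((now - last_seen).total_seconds(), 0.0)
    return score * 0.5 ** (age / half_life.total_seconds())


def computed_score(obs: Observable, policy: ConsumerPolicy,
                   related: Iterable[Observable] = (),
                   now: Optional[datetime] = None) -> float:
    """Blend the producer's score, the consumer's knobs, decay and related sightings."""
    now = now or datetime.now(timezone.utc)
    if any(ip_address(obs.ip) in ip_network(cidr) for cidr in policy.neutral_networks):
        return NEUTRAL  # consumer declared this whole network neither good nor bad
    score = obs.producer_score * policy.feed_weight.get(obs.feed, 1.0)
    for tag in obs.tags:
        score *= policy.tag_weight.get(tag, 1.0)
    score += policy.ip_boost.get(obs.ip, 0.0)
    score = decayed(score, obs.last_seen, now, policy.half_life)
    rel = [decayed(r.producer_score, r.last_seen, now, policy.half_life) for r in related]
    if rel:  # related sightings about the same element pull the score (70/30 assumed)
        score = 0.7 * score + 0.3 * sum(rel) / len(rel)
    return round(min(max(score, 0.0), 100.0), 1)


# Constructed sample data: one producer sighting tagged as power-sector activity.
NOW = datetime(2015, 10, 27, tzinfo=timezone.utc)
SIGHTING = Observable(feed="feed-x", ip="192.0.2.10", last_seen=NOW,
                      producer_score=40.0, tags=frozenset({"targets:power"}))
# User A does not care about attacks on power plants; User B makes them top priority.
USER_A = ConsumerPolicy(tag_weight={"targets:power": 0.5})
USER_B = ConsumerPolicy(tag_weight={"targets:power": 2.5})


def demo() -> Dict[str, float]:
    """Score the same immutable sighting under different consumer policies."""
    stale = Observable(feed="feed-x", ip="192.0.2.10",
                       last_seen=NOW - timedelta(days=30), producer_score=40.0)
    return {
        "producer_only": computed_score(SIGHTING, ConsumerPolicy(), now=NOW),
        "user_a": computed_score(SIGHTING, USER_A, now=NOW),
        "user_b": computed_score(SIGHTING, USER_B, now=NOW),
        "feed_lowered": computed_score(SIGHTING, ConsumerPolicy(feed_weight={"feed-x": 0.5}), now=NOW),
        "ip_raised": computed_score(SIGHTING, ConsumerPolicy(ip_boost={"192.0.2.10": 30.0}), now=NOW),
        "network_neutral": computed_score(SIGHTING, ConsumerPolicy(neutral_networks=["192.0.2.0/24"]), now=NOW),
        "stale_30d": computed_score(stale, ConsumerPolicy(), now=NOW),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16s} {value:6.1f}")
```

The observable itself is never touched by the consumer's policy; only the computed score changes, which is the separation of fact from context that the thread argues for.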


Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)

JA
In reply to this post by Barnum, Sean D.
I totally agree.


2015-10-26 17:59 GMT+03:00 Barnum, Sean D. <[hidden email]>:

> Pat’s statements here align with the opinions I have heard expressed over
> the last few years from organizations doing actual cyber threat intelligence
> or active incident response.
> The assertions that I have heard are that scoring is a great concept but
> that any importance/criticality scoring (based on a myriad of potential
> factors like some that Pat names) asserted by a producer is rarely accurate
> or applicable within the context of different consumers.
> The way that I have had it characterized to me is typically along the lines
> of the following.
> At best (in the rare cases where they are accurate) they may help a consumer
> prioritize one issue over another. Nominally, they are noise information for
> consumers drowning in information. At worst they are misleading and cause
> the wrong decisions/actions to be taken (such as the case Pat describes
> below).
> The preferred approach that I have heard is to give the consumer as much of
> the context for the information as possible to enable the consumer to
> determine their own scoring based also on their own internal context.
> One possible approach for us might be to ensure that we can support
> conveying the appropriate level of context information in our normative
> standards and then provide some non-normative consensus
> suggestions/guidelines (separate from the standards themselves) on how
> consumers could use that information to “score” threat information.
>
> I am not arguing or asserting a “right” way to do this just pointing out
> that what Pat says here jibes with what I have heard from many others and
> should certainly take such considerations into account when thinking about
> this topic.
>
> sean
>


Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)

Wunder, John A.
In reply to this post by Barnum, Sean D.
I think this is true for cross-organizational sharing but just to add another perspective, one of the groups that I’m working with involves a “cyber analysis center” sending some intelligence to a “cyber operations center” at the same organization. That information ideally includes an assessment of the severity of that threat activity to the organization. So I understand that severity may not make sense for cross-organizational sharing, but if one of the STIX use cases is to support sharing among centers/tools/sub-organizations in the same organization I think we need to consider it.

There might also be use cases where a threat intel provider provides scored threat information tuned to a consumer. Lots of small and mid-sized businesses with an online presence probably don’t have in-house analysis capabilities to determine their own scores but could still use some rough guidance about severity from their vendors.

This isn’t to disagree with Pat and Sean; I agree that for sharing data between organizations (in particular advanced organizations) where the orgs have that analysis capability, that approach will lead to better results. Just wanted to expand our horizons a bit beyond that use case to include some less ideal scenarios that may be prevalent in the real world.

John

On Oct 26, 2015, at 10:59 AM, Barnum, Sean D. <[hidden email]> wrote:

Pat’s statements here align with the opinions I have heard expressed over the last few years from organizations doing actual cyber threat intelligence or active incident response.
The assertions that I have heard are that scoring is a great concept but that any importance/criticality scoring (based on a myriad of potential factors like some that Pat names) asserted by a producer is rarely accurate or applicable within the context of different consumers. 
The way that I have had it characterized to me is typically along the lines of the following.
At best (in the rare cases where they are accurate) they may help a consumer prioritize one issue over another. Nominally, they are noise information for consumers drowning in information. At worst they are misleading and cause the wrong decisions/actions to be taken (such as the case Pat describes below).
The preferred approach that I have heard is to give the consumer as much of the context for the information as possible to enable the consumer to determine their own scoring based also on their own internal context.
One possible approach for us might be to ensure that we can support conveying the appropriate level of context information in our normative standards and then provide some non-normative consensus suggestions/guidelines (separate from the standards themselves) on how consumers could use that information to “score” threat information.

I am not arguing or asserting a “right” way to do this just pointing out that what Pat says here jibes with what I have heard from many others and should certainly take such considerations into account when thinking about this topic.

sean


Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)

Barnum, Sean D.
In reply to this post by Jason Lewis

Comments inline

On 10/26/15, 11:06 AM, "[hidden email] on behalf of Jason Lewis" <[hidden email] on behalf of [hidden email]> wrote:

One of the biggest struggles we had early on was the use of the word
"indicator".  Lots of people immediately categorize the word as
representing badness, due to the phrase "Indicators of Compromise".
We decided that a better term to describe the data we were
representing was "observable".  Observables have elements of time
included, so a decent definition is "facts about
sightings/observations".  We treat observables as immutable, so once
it's occurred, there is no modification to the event.  We modify data
about that observable, but not the element itself.  Essentially, the
data producer can tell me what risk/importance they recommend for the
data and I can modify that based on my needs.

With opentpx, I'm able to say I observed an event without confusing
the end user on if the event was good or bad.  

[sean]Just a clarifying FYI in regards to the current STIX ontology/data-model and its intent: What you describe above is the exact intent for the STIX Observable construct (which leverages CybOX) expressing an observable instance or, if you prefer, an observation. It is an immutable statement of something that was observed to have occurred either through direct observation (Event/Action) or through observation of its effects (Object). These observations very explicitly do not assert context such as good or bad. They are just the facts.
If you wish to assert and characterize a negative context for an observable you would do this using an Indicator that asserts a mapping between a particular observable pattern (derived from one or more observable instances) and a particular TTP. This is where the negative context comes in. The semantic meaning for the Indicator construct is at its root a relationship assertion saying that observation of observable pattern 1 INDICATES TTP 2.
It should be noted that the current STIX semantics automatically apply a negative denotation to any TTP and thereby to any Indicator. It has been proposed in the past that the sorts of things characterized using TTP could also be Tactics, Techniques and Procedures leveraged by defenders, not just attackers, and that it may be useful to abstract TTP to characterize the concept in general with specific Adversarial_TTP and Defender_TTP derivations or at least a property letting you assert the “polarity”. This would in turn allow Indicators to be leveraged to describe patterns that indicate good things in addition to bad things. This is just an idea that has not been explored in depth but should probably be on the table for consideration in STIX 2.0.

There are different
levels of bad for different folks, so part of the format is allowing
the data provider to provide a score (or multiple "scores", risk,
criticality, etc).    Once the data is in our system, we are then able
to use the score provided by the data to present a computed score to
the end user.  This computed score is a combination of input from the
data itself, the user, and related observables.  The users are able to
tweak knobs that allow them to elevate or reduce the score for
multiple elements.  For example, lowering the score for a feed,
raising the score for an IP, making the score for a network neutral.
The result addresses the scenario of User A not being concerned with
attacks that target power plants, while User B can make those attacks
the highest priority.

[sean]I think this sort of approach allowing the consumer to blend context asserted by the producer with their own context to determine scoring makes sense.
It sounds like you are describing specific functionality implemented within your tool's use. I think it is less clear (though not completely opaque) where the dividing line lies for what should go in STIX and what should be handled by tooling (such as yours) at the consumer end.


jas

On Mon, Oct 26, 2015 at 10:33 AM, Patrick Maroney <[hidden email]> wrote:
Relevance, Certainty, Validity, etc. along with other highly subjective
measures like Business Impact (of mitigation/Blocking) are really not
effective shared measures for IOCs with perhaps exceptions for widely seen
common Malware/NuisanceWare/AdWare.
Point is that a majority of serious APT attacks against Sectors, Industries,
Agencies, etc. are highly targeted. In some cases the attack packages and
ephemeral TTPs are tailored uniquely to an individual organization.
I can authoritatively cite an example:  some of the most dangerous highly
targeted APT threats are typically flagged by AV as "Low"
priority/criticality/risk, which in turn leads to inadequate responses when
detected.  We've found evidence of relatively early leading APT artifact AV
detections in every APT Intrusion investigation since 2002.  When asked why
these leading indicators were ignored, without fail the response would be
something along the lines of: "Oh we don't have the resources to investigate
thousands of AV detections, we only look at Med to High Risk", or "Oh we
looked at it, it was flagged as low risk".  AV Vendors when challenged on
these rating methodologies would also respond without fail with something
like: "That RAT/Backdoor was only reported by 5 companies, it's low risk".
Tell that to the 5 companies who spent millions cleaning up entrenched
adversaries that could have been stopped early in the intrusion had the
threat not been mischaracterized and investigated.
In my view (1) we should be sharing facts about sightings/observations, (2)
analysis along with methods to "show your work" for any hypothesis for
subjective conclusions, and (3) include Non-Attributional Source Path
Traceability for directing RFIs and Details on Sightings to the original
Source(s).  One can then compile "Earliest Seen", "Latest Seen" metrics
along with Sector/Target specific Threat Characterization details to
determine an effective measure of risk.

Patrick Maroney

_____________________________
From: Jerome Athias <[hidden email]>
Sent: Sunday, October 25, 2015 10:04 PM
Subject: Re: [cti-users] Publication of another threat intelligence
standard: Open Threat Partner eXchange (OpenTPX)
To: Jason Lewis <[hidden email]>
Cc: Jordan, Bret <[hidden email]>, Grobauer, Bernd



Yep, the decay is interesting.
It could be evaluated as an option like the Valid_Time_Position, where both
have benefits depending on the use case (e.g. Exercise scenario).

Regarding scoring, there is opportunity for research based on STIX ;-)


On Monday, 26 October 2015, Jason Lewis < [hidden email]> wrote:

Just to point out some key differences from the FB format.  Primarily
the topology support (networks, bgp, etc) and scoring.  Part of the
scoring is the decay, which becomes very important when dealing with
billions of elements.

On Wed, Oct 21, 2015 at 1:28 PM, Jordan, Bret < [hidden email]>
wrote:
> Thanks for sending this out... It looks interesting. We will need to watch
> it closely, they have some neat things that are very similar to FB's threat
> exchange.
>
> Thanks,
>
> Bret
>
>
>
> Bret Jordan CISSP
> Director of Security Architecture and Standards | Office of the CTO
> Blue Coat Systems
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can
> not be unscrambled is an egg."
>

Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)

Barnum, Sean D.
In reply to this post by Wunder, John A.
I definitely agree.
The tighter the scope and homogeneity of context among the producer and consumer, the more accurate and relevant any scoring would likely be.

Sean’s personal opinion: For the sorts of use cases John describes here and others, I do think that STIX needs to consider the issues around “scoring” and provide some level of support for them. To me the key is to enable providing the context that went into any producer-asserted scoring rather than just an opaque “score” property. Another useful thing may be the ability to explicitly characterize consumer context assumptions relevant for a given asserted “score”, enabling a consumer to determine how much to trust a “score” based on how well they fit the asserted context assumptions and how much they trust the producer.

sean

From: <[hidden email]> on behalf of John Wunder <[hidden email]>
Date: Monday, October 26, 2015 at 11:33 AM
To: "[hidden email]" <[hidden email]>
Subject: Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)

I think this is true for cross-organizational sharing, but just to add another perspective, one of the groups that I’m working with involves a “cyber analysis center” sending some intelligence to a “cyber operations center” at the same organization. That information ideally includes an assessment of the severity of that threat activity to the organization. So I understand that severity may not make sense for cross-organizational sharing, but if one of the STIX use cases is to support sharing among centers/tools/sub-organizations in the same organization, I think we need to consider it.

There might also be use cases where a threat intel provider provides scored threat information tuned to a consumer. Lots of small and mid-sized businesses with an online presence probably don’t have in-house analysis capabilities to determine their own scores but could still use some rough guidance about severity from their vendors.

This isn’t to disagree with Pat and Sean; I agree that for sharing data between organizations (in particular advanced organizations) where the orgs have that analysis capability, that approach will lead to better results. I just wanted to expand our horizons a bit beyond that use case to include some less ideal scenarios that may be prevalent in the real world.

John

On Oct 26, 2015, at 10:59 AM, Barnum, Sean D. <[hidden email]> wrote:

Pat’s statements here align with the opinions I have heard expressed over the last few years from organizations doing actual cyber threat intelligence or active incident response.
The assertions that I have heard are that scoring is a great concept, but that any importance/criticality scoring (based on a myriad of potential factors like some that Pat names) asserted by a producer is rarely accurate or applicable within the context of different consumers.
The way that I have had it characterized to me is typically along the lines of the following.
At best (in the rare cases where they are accurate) they may help a consumer prioritize one issue over another. Nominally, they are noise information for consumers drowning in information. At worst they are misleading and cause the wrong decisions/actions to be taken (such as the case Pat describes below).
The preferred approach that I have heard is to give the consumer as much of the context for the information as possible to enable the consumer to determine their own scoring, based also on their own internal context.
One possible approach for us might be to ensure that we can support conveying the appropriate level of context information in our normative standards and then provide some non-normative consensus suggestions/guidelines (separate from the standards themselves) on how consumers could use that information to “score” threat information.

I am not arguing or asserting a “right” way to do this, just pointing out that what Pat says here jibes with what I have heard from many others, and that we should certainly take such considerations into account when thinking about this topic.

sean


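The record shape Patrick and Sean are describing, as an added example that is not code from the thread, from STIX or from OpenTPX: sightings shared as facts with a non-attributional source reference, a producer score that carries its basis and the consumer context it assumes, and a consumer-side step that compiles earliest/latest seen and weights each asserted score by how well its assumptions fit and how much the producer is trusted. All class and field names, the 0.6/0.4 weights and the sample data are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed example: field names, weights and sample values are illustrative
# assumptions, not definitions taken from STIX or OpenTPX.

@dataclass(frozen=True)
class Sighting:
    """A shared fact; source_ref is a non-attributional handle for RFIs."""
    observable: str
    seen_at: datetime
    source_ref: str
    source_sector: str

@dataclass(frozen=True)
class ScoreBasis:
    """The 'show your work' behind an asserted score."""
    system: str                       # scoring system the producer applied
    scale: Tuple[float, float]        # (min, max) of the score value
    factors: Dict[str, object]        # inputs the producer actually used
    assumed_consumer: Dict[str, str]  # consumer context the score assumes

@dataclass(frozen=True)
class ProducerScore:
    producer: str
    value: float
    basis: ScoreBasis

@dataclass
class SharedIndicator:
    observable: str
    sightings: List[Sighting]
    producer_scores: List[ProducerScore] = field(default_factory=list)

def seen_window(ind: SharedIndicator) -> Tuple[datetime, datetime]:
    """Earliest/latest seen, compiled from sightings rather than asserted."""
    times = [s.seen_at for s in ind.sightings]
    return min(times), max(times)

def trust_weight(score: ProducerScore, consumer_ctx: Dict[str, str],
                 producer_trust: Dict[str, float]) -> float:
    """0..1: fit of the stated context assumptions times trust in the producer."""
    assumed = score.basis.assumed_consumer
    if not assumed:
        fit = 0.5  # no stated assumptions: applicability is simply unknown
    else:
        hits = sum(1 for k, v in assumed.items() if consumer_ctx.get(k) == v)
        fit = hits / len(assumed)
    return fit * producer_trust.get(score.producer, 0.0)

def local_priority(ind: SharedIndicator, consumer_ctx: Dict[str, str],
                   producer_trust: Dict[str, float]) -> Dict[str, object]:
    """Consumer-side priority: own facts first, asserted scores second."""
    total = len(ind.sightings)
    in_sector = sum(1 for s in ind.sightings
                    if s.source_sector == consumer_ctx["sector"])
    # A few sightings concentrated in the consumer's own sector is exactly the
    # "only reported by 5 companies" case: low prevalence, high relevance.
    fact_score = 0.6 + 0.4 * (in_sector / total) if in_sector else 0.0
    weights: Dict[str, float] = {}
    num = den = 0.0
    for ps in ind.producer_scores:
        lo, hi = ps.basis.scale
        norm = (ps.value - lo) / (hi - lo)  # bring every system onto 0..1
        w = trust_weight(ps, consumer_ctx, producer_trust)
        weights[ps.producer] = w
        num += norm * w
        den += w
    asserted = num / den if den else 0.0
    earliest, latest = seen_window(ind)
    # max(): a low asserted score never suppresses the consumer's own facts
    return {"earliest_seen": earliest, "latest_seen": latest,
            "in_sector_sightings": in_sector, "asserted": asserted,
            "trust_weights": weights, "priority": max(fact_score, asserted)}

def example_indicator() -> SharedIndicator:
    """Constructed sample: one RAT sample seen by five organisations."""
    obs = "sha256:CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-HASH"
    sightings = [
        Sighting(obs, datetime(2015, 3, 2), "src-001", "finance"),
        Sighting(obs, datetime(2015, 4, 11), "src-002", "finance"),
        Sighting(obs, datetime(2015, 6, 20), "src-003", "retail"),
        Sighting(obs, datetime(2015, 7, 5), "src-004", "finance"),
        Sighting(obs, datetime(2015, 9, 14), "src-005", "healthcare"),
    ]
    vendor = ProducerScore("av-vendor", 1.0, ScoreBasis(
        system="vendor-risk-5", scale=(0.0, 5.0),
        factors={"reporting_orgs": 5, "prevalence": "rare"},
        assumed_consumer={}))  # opaque "low": no consumer context stated
    isac = ProducerScore("sector-isac", 4.0, ScoreBasis(
        system="isac-severity-5", scale=(0.0, 5.0),
        factors={"targeted_sector": "finance", "persistence": "high"},
        assumed_consumer={"sector": "finance"}))
    return SharedIndicator(obs, sightings, [vendor, isac])

if __name__ == "__main__":
    trust = {"av-vendor": 0.6, "sector-isac": 0.9}
    for sector in ("finance", "energy"):  # same data, two consumer contexts
        print(sector, local_priority(example_indicator(), {"sector": sector}, trust))
```

Run stand-alone, the finance consumer ends up with a high priority driven by its own three in-sector sightings, while the same vendor "low" score is all an energy consumer has to go on.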
Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)

JA
I would suggest keeping this area out of scope for STIX.
Otherwise, we would have to cover (support mechanisms for) Risk
Analysis, Risk Scoring/Rating, Factors, Methodology, Scoring Systems,
Formulas...
But (external) research around the fact that interesting scores
could be produced based on STIX, due to the fact that it
provides/supports a lot of what is needed to do so, for many use cases
(examples on request)...
and yes, basically because it provides/supports CONTEXT.

One common factor, already identified as needing review/update, is the Sighting.
So, imho, this should be prioritized.






RE: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)

Cory Casanave
In reply to this post by Barnum, Sean D.

Re: The tighter the scope and homogeneity of context among the producer and consumer the more accurate and relevant any scoring would likely be.

We ran into a similar problem in a very different domain (score metrics for inmates of correctional institutions). There is no one standard test or score metric, and even where there was – individual institutions or individuals may have their own “spin” on how to come up with the final score. Who did the assessment and in what organization was important. Yet, with all this fuzziness, they want to communicate scores – things like mental health, danger to society, violence, drug use, very hard stuff to nail down.

What we came up with was: a score was part of an assessment where the individual and institution doing the assessment was provided (such an assessment could have lots of scores). We defined a “score” and a referenced “score basis”. The score basis categorized the score and would have a text description of the score basis along with as much detail as they have - the range of the metrics, the typical value, the evaluation system used and any doc on their score evaluation system. So I think this provides the “context”.

In the CTI context the “assessment” seems to be the report of an observation or suspected intrusion. The score and score basis seem much the same.

From: [hidden email] [mailto:[hidden email]] On Behalf Of Barnum, Sean D.
Sent: Monday, October 26, 2015 12:03 PM
To: Wunder, John A.; [hidden email]
Subject: Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)

 

I definitely agree.

The tighter the scope and homogeneity of context among the producer and consumer the more accurate and relevant any scoring would likely be.

 

Sean’s personal opinion: For the sorts of use cases John describes here and others I do think that STIX needs to consider the issues around “scoring” and provide some level of support for them. To me the key is to enable providing of the context that went into any producer asserted scoring rather than just a opaque “score” property. Another useful thing may be the ability to explicitly characterize consumer context assumptions relevant for a given asserted “score” enabling a consumer to determine how much to trust a “score” based on how well they fit the asserted context assumptions and how much they trust the producer. 

 

sean

 

From: <[hidden email]> on behalf of John Wunder <[hidden email]>
Date: Monday, October 26, 2015 at 11:33 AM
To: "[hidden email]" <[hidden email]>
Subject: Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)

 

I think this is true for cross-organizational sharing but just to add another perspective, one of the groups that I’m working with involves a “cyber analysis center” sending some intelligence to a “cyber operations center” at the same organization. That information ideally includes an assessment of the severity of that threat activity to the organization. So I understand that severity may not make sense for cross-organizational sharing, but if one of the STIX use cases is to support sharing among centers/tools/sub-organizations in the same organization I think we need to consider it.

 

There might also be use cases where a threat intel provider provides scored threat information tuned to a consumer. Lots of small and mid-sized businesses with an online presence probably don’t have in-house analysis capabilities to determine their own scores but could still use some rough guidance about severity from their vendors.

 

This isn’t to disagree with Pat and Sean, I agree that for sharing data between organizations (in particular advanced organizations) where the orgs have that analysis capability that approach will lead to better results. Just wanted to expand our horizons a bit beyond that use case include some less ideal scenarios that may be prevalent in the real world.

 

John

 

On Oct 26, 2015, at 10:59 AM, Barnum, Sean D. <[hidden email]> wrote:

 

Pat’s statements here align with the opinions I have heard expressed over the last few years from organizations doing actual cyber threat intelligence or active incident response.

The assertions that I have heard are that scoring is a great concept but that any importance/criticality scoring (based on a myriad of potential factors like some that Pat names) asserted by a producer is rarely accurate or applicable within the context of different consumers. 

The way that I have had it characterized to me is typically along the lines of the following.

At best (in the rare cases where they are accurate) they may help a consumer prioritize one issue over another. Nominally, they are noise information for consumers drowning in information. At worst they are misleading and cause the wrong decisions/actions to be taken (such as the case Pat describes below).

The preferred approach that I have heard is to give the consumer as much of the context for the information as possible to enable the consumer to determine their own scoring based also on their own internal context.

One possible approach for us might be to ensure that we can support conveying the appropriate level of context information in our normative standards and then provide some non-normative consensus suggestions/guidelines (separate from the standards themselves) on how consumers could use that information to “score” threat information.

I am not arguing or asserting a “right” way to do this just pointing out that what Pat says here jibes with what I have heard from many others and should certainly take such considerations into account when thinking about this topic.

sean

From: <[hidden email]> on behalf of Patrick Maroney <[hidden email]>
Date: Monday, October 26, 2015 at 10:33 AM
To: Jerome Athias <[hidden email]>, Jason Lewis <[hidden email]>
Cc: "Jordan, Bret" <[hidden email]>, Bernd Grobauer <[hidden email]>, "[hidden email]" <[hidden email]>
Subject: Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)

Relevance, Certainty, Validity, etc. along with other highly subjective measures like Business Impact (of mitigation/Blocking) are really not effective shared measures for IOCs with perhaps exceptions for widely seen common Malware/NuisanceWare/AdWare.

Point is that a majority of serious APT attacks against Sectors, Industries, Agencies, etc. are highly targeted. In some cases the attack packages and ephemeral TTPs are tailored uniquely to an individual organization.

I can authoritatively cite an example:  some of the most dangerous highly targeted APT threats are typically flagged by AV as "Low" priority/criticality/risk, which in turn leads to inadequate responses when detected.  We've found evidence of relatively early leading APT artifact AV detections in every APT Intrusion investigation since 2002.  When asked why these leading indicators were ignored, without fail the response would be something along the lines of: "Oh we don't have the resources to investigate thousands of AV detections, we only look at Med to High Risk", or "Oh we looked at it, it was flagged as low risk".  AV Vendors when challenged on these rating methodologies would also respond without fail with something like: "That RAT/Backdoor was only reported by 5 companies, it's low risk".  Tell that to the 5 companies who spent millions cleaning up entrenched adversaries that could have been stopped early in the intrusion had the threat not been mischaracterized and investigated. 

In my view (1) we should be sharing facts about sightings/observations, (2) analysis along with methods to "show your work" for any hypothesis for subjective conclusions, and (3) include Non-Attributional Source Path Traceability for directing RFIs and Details on Sightings to the original Source(s).  One can then compile "Earliest Seen", "Latest Seen" metrics along with Sector/Target specific Threat Characterization details to determine an effective measure of risk.

Patrick Maroney

_____________________________
From: Jerome Athias <[hidden email]>
Sent: Sunday, October 25, 2015 10:04 PM
Subject: Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)
To: Jason Lewis <[hidden email]>
Cc: Jordan, Bret <[hidden email]>, Grobauer, Bernd <[hidden email]>, <[hidden email]>


Yep the decay is interesting

It could be evaluated as an option like the Valid_Time_Position where both have benefits depending on the use case (e.g. Exercise scenario)

Regarding scoring, there is opportunity for research based on STIX ;-)

On Monday, 26 October 2015, Jason Lewis < [hidden email]> wrote:

Just to point out some key differences from the FB format.  Primarily
the topology support (networks, bgp, etc) and scoring.  Part of the
scoring is the decay, which becomes very important when dealing with
billions of elements.

On Wed, Oct 21, 2015 at 1:28 PM, Jordan, Bret < [hidden email]> wrote:
> Thanks for sending this out... It looks interesting. We will need to watch
> it closely, they have some neat things that are very similar to FB's threat
> exchange.
>
> Thanks,
>
> Bret
>
>
>
> Bret Jordan CISSP
> Director of Security Architecture and Standards | Office of the CTO
> Blue Coat Systems
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can
> not be unscrambled is an egg."
>
> On Oct 21, 2015, at 04:17, Grobauer, Bernd < [hidden email]>
> wrote:
>
> Hi,
>
> I found this news item (from yesterday) about a new Open Source effort on TI
> standardization
> and thought it might be of interest to the group:
>
> http://www.businesswire.com/news/home/20151020005120/en/LookingGlass-Introduces-Open-Threat-Partner-eXchange-OpenTPX
>
> Docs, JSON-schema, etc. on
>
> https://www.opentpx.org/
>
>
> According to the FAQ:
>
> Q: Does OpenTPX replace STIX?
>
> A: No. OpenTPX was designed primarily as an optimized mechanism for data
> exchange at large volume, high scale and high speed ingestion for a broader
> set of Internet intelligence and threat context. Aspects of data available
> in STIX (e.g. indicators) have direct mapping to OpenTPX.
>
> Kind regards,
>
> Bernd
>
>
> -------------
>
> Bernd Grobauer, Siemens CERT
>


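A worked illustration of the score decay that Jason Lewis and Jerome Athias discuss in the quoted messages above. This is example code added to the archive, not OpenTPX or STIX code, and OpenTPX's own scoring fields are not reproduced (they are not shown on this page). It puts a score that decays exponentially from its last sighting next to a fixed validity window of the kind Jerome refers to by Valid_Time_Position, and adds the check a consumer wants before letting a new sighting refresh an indicator. Every field name, the sample indicator, the one-week half-life and the 0.5 reporter-weight threshold are assumptions made for the illustration.

```python
"""Decay-based indicator scoring next to a fixed validity window.

Added example for this thread, not OpenTPX or STIX code. Every field name
(base_score, last_seen, half_life_days, valid_from, valid_until), the sample
indicator and the 0.5 reporter-weight threshold are assumptions made for the
illustration.
"""
import math
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Indicator:
    value: str             # e.g. an IP or domain; constructed sample data below
    base_score: float      # producer-asserted score on a 0..100 scale
    last_seen: datetime    # most recent sighting that was allowed to refresh the score
    half_life_days: float  # time for the score to fall by half


def decayed_score(ind: Indicator, now: datetime) -> float:
    """score(t) = base_score * 0.5 ** (age_in_days / half_life_days).

    Evaluated lazily at query time from three stored fields, so a store holding
    billions of elements is never rewritten on a schedule just to age them.
    """
    age_days = max(0.0, (now - ind.last_seen).total_seconds() / 86400)
    return ind.base_score * math.pow(0.5, age_days / ind.half_life_days)


def is_active(ind: Indicator, now: datetime, floor: float = 10.0) -> bool:
    """An indicator expires once its decayed score falls below `floor`."""
    return decayed_score(ind, now) >= floor


def window_active(valid_from: datetime, valid_until: Optional[datetime], now: datetime) -> bool:
    """Fixed validity window in the style of STIX 1.x Valid_Time_Position:
    full weight inside the window, none outside; open-ended when valid_until is None."""
    return valid_from <= now and (valid_until is None or now < valid_until)


def refresh(ind: Indicator, seen_at: datetime, reporter_weight: float) -> Indicator:
    """Apply a new sighting. Only a sufficiently trusted reporter may move
    last_seen; otherwise one low-trust sighting could keep a stale indicator
    alive indefinitely. The 0.5 threshold is an assumption."""
    if reporter_weight >= 0.5 and seen_at > ind.last_seen:
        return replace(ind, last_seen=seen_at)
    return ind


# Constructed sample: one indicator first sighted on 2015-10-20, half-life one week.
T0 = datetime(2015, 10, 20, tzinfo=timezone.utc)
SAMPLE = Indicator(value="203.0.113.7", base_score=80.0, last_seen=T0, half_life_days=7.0)


def at(days_after: float) -> datetime:
    """Helper for the illustration: T0 plus a number of days."""
    return T0 + timedelta(days=days_after)


if __name__ == "__main__":
    for d in (0, 7, 14, 28):
        state = "active" if is_active(SAMPLE, at(d)) else "expired"
        print(d, "days:", round(decayed_score(SAMPLE, at(d)), 1), state)
```

The design point is that the decayed score is a function of stored fields rather than a stored value, which is what makes it workable at the volumes Jason mentions; the refresh guard is the part a consumer should not skip, since an unweighted "seen again" from any reporter would otherwise reset the clock on every stale indicator in the feed.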

Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)

Barnum, Sean D.
In reply to this post by JA
The following is a comment received from a member of the community who is not currently at liberty to post directly. They wished to contribute a thought to the thread. The comment is provided as is with no editing.

"A Trust Community Broker (entity that is authorized by two sharing communities to broker information between the two communities) is also in a unique position to assign useful scores because a broker understands the following about both communities it serves:
  • the context of the originator and/or the originating community (which may not be allowed to be visible externally) plus
  • the context and business needs of the consumer community"


sean


On 10/26/15, 12:23 PM, "Jerome Athias" <[hidden email]> wrote:

I would suggest keeping this area out of scope for STIX.
Otherwise, we would have to cover (support mechanisms for) Risk Analysis, Risk Scoring/Rating, Factors, Methodology, Scoring Systems, Formulas...
But (external) research around the fact that interesting scores could be produced based on STIX, due to the fact that it provides/supports a lot of what is needed to do so for many use cases (examples on request)...
and yes, basically because it provides/supports CONTEXT

One common factor, already identified as needing review/update, is the Sighting.
So, imho, this should be prioritized.





2015-10-26 19:02 GMT+03:00 Barnum, Sean D. <[hidden email]>:
I definitely agree.
The tighter the scope and homogeneity of context among the producer and
consumer the more accurate and relevant any scoring would likely be.

Sean’s personal opinion: For the sorts of use cases John describes here and
others I do think that STIX needs to consider the issues around “scoring”
and provide some level of support for them. To me the key is to enable
providing of the context that went into any producer asserted scoring rather
than just a opaque “score” property. Another useful thing may be the ability
to explicitly characterize consumer context assumptions relevant for a given
asserted “score” enabling a consumer to determine how much to trust a
“score” based on how well they fit the asserted context assumptions and how
much they trust the producer.

sean


Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)

Jordan, Bret
In reply to this post by Wunder, John A.
I completely agree with this John.  Another element that would make this valuable is for consumers to rate the threat feeds they get.  If threat provider ISAC-foo sends a bunch of content down with a rating of Low and the consumer finds that most of that information for them is High, then that is also very valuable for an analytics engine inside of the consumer's org.

<putting on vendor hat>
We have been doing this rating thing for some time now and all of our customers, which are most of the people that you all represent, love it.  It allows us to do some very interesting proprietary things with the data that all of the end orgs (banks, government agencies, industrial control facilities, etc etc etc) make use of.
</taking off hat>


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

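A worked illustration of the consumer-side feed rating Bret suggests above: keep a track record of what each feed asserted against what the consumer's own analysts concluded, summarise it per feed, and use that record to correct incoming ratings. This is example code added to the archive, not Blue Coat's or any vendor's code. The feed names, the three-level scale, the sample records and the simple bias correction are all constructed for the illustration and are not a recommended formula.

```python
"""Consumer-side rating of threat feeds.

Added example for this thread, not Blue Coat or any vendor's code. The feed
names, the three-level scale and the sample records are constructed for the
illustration; the bias correction is one simple choice, not a recommended
formula.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

LEVELS = {"Low": 0, "Medium": 1, "High": 2}
LEVEL_NAME = {v: k for k, v in LEVELS.items()}

# (feed, severity asserted by the feed, severity the consumer's own analysts assigned)
Record = Tuple[str, str, str]

# Constructed sample records: ISAC-foo mostly runs low for this consumer,
# vendor-bar is usually right but over-rated one item.
SAMPLE_RECORDS: List[Record] = [
    ("ISAC-foo", "Low", "High"),
    ("ISAC-foo", "Low", "High"),
    ("ISAC-foo", "Low", "High"),
    ("ISAC-foo", "Low", "Medium"),
    ("ISAC-foo", "Medium", "Medium"),
    ("vendor-bar", "High", "High"),
    ("vendor-bar", "High", "High"),
    ("vendor-bar", "High", "Low"),
    ("vendor-bar", "Medium", "Medium"),
]


def rate_feeds(records: Iterable[Record]) -> Dict[str, Dict[str, float]]:
    """Per feed: agreement rate, share of items the feed under-rated, and the
    mean signed bias in levels (positive means the feed rates lower than this
    consumer does). Only the consumer's own track record goes in."""
    deltas: Dict[str, List[int]] = defaultdict(list)
    for feed, asserted, observed in records:
        deltas[feed].append(LEVELS[observed] - LEVELS[asserted])
    stats: Dict[str, Dict[str, float]] = {}
    for feed, ds in deltas.items():
        n = len(ds)
        stats[feed] = {
            "n": n,
            "agreement": sum(d == 0 for d in ds) / n,
            "under_rated": sum(d > 0 for d in ds) / n,
            "bias": sum(ds) / n,
        }
    return stats


def adjusted_severity(stats: Dict[str, Dict[str, float]], feed: str, asserted: str) -> str:
    """Shift an incoming asserted level by the feed's rounded bias, clamped to
    the scale. Feeds with no track record are passed through unchanged."""
    shift = round(stats[feed]["bias"]) if feed in stats else 0
    return LEVEL_NAME[min(2, max(0, LEVELS[asserted] + shift))]


def escalation_candidates(records: Iterable[Record]) -> List[Record]:
    """Items a feed called Low that the consumer found High: the pattern Pat
    describes for AV verdicts, and the ones worth an RFI back to the source."""
    return [r for r in records if LEVELS[r[2]] - LEVELS[r[1]] >= 2]


if __name__ == "__main__":
    s = rate_feeds(SAMPLE_RECORDS)
    for feed, st in s.items():
        print(feed, st)
    print("ISAC-foo Low ->", adjusted_severity(s, "ISAC-foo", "Low"))
    print("escalate:", escalation_candidates(SAMPLE_RECORDS))
```

The numbers only mean something once the consumer has analysed enough items from a feed to have a record; the `n` field is kept in the output so a correction is not applied on the strength of two or three samples.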

Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)

pmaroney
In reply to this post by Barnum, Sean D.
[This thread has become bifurcated so there's no good place to insert this...]


This also directly relates/applies to the concept of Source Pathway Traceability.  The ability for one to establish a non-attributional pathway through Aggregators, ISACs/ISAOs, Third Party entities like the NCI (National Council of ISACs), etc.

I also forgot to highlight the critical need to establish non-attributional Source Identifiers for all objects (e.g. a one-way hash of NameSpace and Indicator/Attribute to generate a GUID).  So the updated suggestion is

In my view we should be sharing:

(1)  Facts about sightings/observations.
(2) Analysis results along with methods to "show your work" for any hypothesis and/or subjective conclusions.
(3) Non-Attributional Source Path Traceability for directing RFIs and Details on Sightings to the original Source(s). 
(4) Non-attributional Source Identifiers for all objects 

BTW: Inserting a comment specific to the arguments that there is a need for "Voting on 'Stuff'":  This fits directly and precisely within 2.  You wish to publish/share your Ratings...this is ultimately the product of subjective analysis.

There's no difference in whether this analysis and related findings come from an individual Analyst, an entire organization, an aggregator, or value added intelligence service.

Patrick Maroney
President
Integrated Networking Technologies, Inc.
Office:  (856)983-0001
Cell:      (609)841-5104


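A worked illustration of Pat's items (3) and (4) above: a non-attributional object identifier derived by one-way hashing a source namespace together with the indicator, and a broker hop that publishes such identifiers outward while privately keeping what it needs to route an RFI back one hop. This is example code added to the archive, not code from STIX, OpenTPX or any ISAC tooling. It also shows the caveat a practitioner would want: an unkeyed hash of (namespace, indicator) is only non-attributional against a recipient who cannot guess the member namespaces, so a keyed variant is shown beside it. The namespace URIs, the indicator value, the community keys and the `Broker` class are assumptions made for the illustration.

```python
"""Non-attributional source identifiers and one-hop pathway traceability.

Added example for this thread, not code from STIX, OpenTPX or any ISAC tooling.
The namespace URIs, indicator value, community keys and the Broker class are
assumptions made for the illustration.
"""
import hashlib
import hmac
import uuid
from typing import Dict, Iterable, Optional, Tuple


def public_object_id(source_namespace: str, indicator: str) -> uuid.UUID:
    """Unkeyed variant: UUIDv5 is SHA-1(namespace || name) folded into UUID
    form, i.e. exactly "one-way hash of NameSpace and Indicator -> GUID".
    Deterministic, so two aggregators derive the same ID for the same object."""
    ns = uuid.uuid5(uuid.NAMESPACE_URL, source_namespace)  # namespace UUID from the source URI
    return uuid.uuid5(ns, indicator)


def can_enumerate_source(candidates: Iterable[str], indicator: str, observed: uuid.UUID) -> Optional[str]:
    """The weakness of the unkeyed variant: whoever knows the member namespaces
    (usually public for an ISAC) recovers the source by trial recomputation,
    so the ID is only non-attributional against a recipient who cannot guess them."""
    for ns in candidates:
        if public_object_id(ns, indicator) == observed:
            return ns
    return None


def keyed_object_id(community_key: bytes, source_namespace: str, indicator: str) -> uuid.UUID:
    """Keyed variant: HMAC-SHA256 under a key held by the broker. Without the key
    the ID cannot be recomputed for a guessed (source, indicator) pair, so the
    enumeration above fails. A NUL separator keeps "a"+"bc" distinct from "ab"+"c"."""
    msg = source_namespace.encode("utf-8") + b"\x00" + indicator.encode("utf-8")
    digest = hmac.new(community_key, msg, hashlib.sha256).digest()
    return uuid.UUID(bytes=digest[:16], version=4)  # first 128 bits of the tag, formatted as a UUID


class Broker:
    """One hop on the source pathway (aggregator, ISAC/ISAO, NCI). It publishes
    keyed IDs outward and keeps, privately, only what is needed to route an RFI
    back one hop: the upstream namespace and the upstream object ID."""

    def __init__(self, community_key: bytes) -> None:
        self._key = community_key
        self._pathway: Dict[uuid.UUID, Tuple[str, uuid.UUID]] = {}

    def publish(self, source_namespace: str, upstream_id: uuid.UUID, indicator: str) -> uuid.UUID:
        published = keyed_object_id(self._key, source_namespace, indicator)
        self._pathway[published] = (source_namespace, upstream_id)
        return published

    def route_rfi(self, published_id: uuid.UUID) -> Optional[Tuple[str, uuid.UUID]]:
        """Resolve a published ID to the next hop upstream; None if unknown here."""
        return self._pathway.get(published_id)


# Constructed sample data for the illustration.
MEMBERS = ["urn:example:isac-bar", "urn:example:isac-foo", "urn:example:vendor-baz"]
INDICATOR = "evil.example.net"

if __name__ == "__main__":
    origin = public_object_id("urn:example:isac-foo", INDICATOR)
    print("unkeyed id:", origin, "-> source recoverable:", can_enumerate_source(MEMBERS, INDICATOR, origin))
    broker = Broker(b"constructed-community-key")
    out = broker.publish("urn:example:isac-foo", origin, INDICATOR)
    print("keyed id:  ", out, "-> source recoverable:", can_enumerate_source(MEMBERS, INDICATOR, out))
    print("RFI routes to:", broker.route_rfi(out))
```

Each hop holds only its own one-hop mapping, so the full pathway back to the originator exists nowhere in one place; an RFI walks it hop by hop, each broker deciding whether to forward, which is what makes the traceability non-attributional in practice.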

RE: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)

Collie, Byron S.
In reply to this post by Jordan, Bret

Rating intelligence sources and reporting is well understood in NATO, the IC, military and in law enforcement.  There is a *standard* scale for this called the Admiralty Scale that is well tested and understood and I continue to wonder why we have to reinvent things.   https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability

Good, solid, reliable sources will sometimes give you questionable information.  The big issue is whether they clearly articulate the questionability. That’s part of assessing the maturity and reliability of the source. We as an organization want that questionable report, identified as such, as we may have other sources that can add context and validity to it.  We will then re-rate the reporting.

Byron

=====================================
Byron Collie
Technology Fellow, Director of Cyber Intelligence
Goldman Sachs

200 West Street, 23rd Floor

New York NY 10282 USA
Off Tel: + 1 212-357-1207
Cell Tel: + 1 551-358-3848



From: [hidden email] [mailto:[hidden email]] On Behalf Of Jordan, Bret
Sent: Monday, October 26, 2015 1:29 PM
To: Wunder, John A.
Cc: [hidden email]
Subject: Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)

 

I completely agree with this John.  Another element that would make this valuable is for consumers to rate the threat feeds they get.  If threat provider ISAC-foo sends a bunch of content down with a rating of Low and the consumer finds that most of that information for them is High, then that is also very valuable for an analytics engine inside of the consumer's org.

 

<putting on vendor hat>

We have been doing this rating thing for some time now and all of our customers, which are most of the people that you all represent, love it.  It allows us to do some very interesting proprietary things with the data that all of the end orgs (banks, government agencies, industrial control facilities, etc etc etc) make use of.

</taking off hat>

 

Thanks,

 

Bret

 

 

 

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

 

On Oct 26, 2015, at 08:33, Wunder, John A. <[hidden email]> wrote:

 

I think this is true for cross-organizational sharing but just to add another perspective, one of the groups that I’m working with involves a “cyber analysis center” sending some intelligence to a “cyber operations center” at the same organization. That information ideally includes an assessment of the severity of that threat activity to the organization. So I understand that severity may not make sense for cross-organizational sharing, but if one of the STIX use cases is to support sharing among centers/tools/sub-organizations in the same organization I think we need to consider it.

 

There might also be use cases where a threat intel provider provides scored threat information tuned to a consumer. Lots of small and mid-sized businesses with an online presence probably don’t have in-house analysis capabilities to determine their own scores but could still use some rough guidance about severity from their vendors.

 

This isn’t to disagree with Pat and Sean; I agree that for sharing data between organizations (in particular advanced organizations) where the orgs have that analysis capability that approach will lead to better results. Just wanted to expand our horizons a bit beyond that use case to include some less ideal scenarios that may be prevalent in the real world.

 

John

 

On Oct 26, 2015, at 10:59 AM, Barnum, Sean D. <[hidden email]> wrote:

 

Pat’s statements here align with the opinions I have heard expressed over the last few years from organizations doing actual cyber threat intelligence or active incident response.

The assertions that I have heard are that scoring is a great concept but that any importance/criticality scoring (based on a myriad of potential factors like some that Pat names) asserted by a producer is rarely accurate or applicable within the context of different consumers. 

The way that I have had it characterized to me is typically along the lines of the following.

At best (in the rare cases where they are accurate) they may help a consumer prioritize one issue over another. Nominally, they are noise information for consumers drowning in information. At worst they are misleading and cause the wrong decisions/actions to be taken (such as the case Pat describes below).

The preferred approach that I have heard is to give the consumer as much of the context for the information as possible to enable the consumer to determine their own scoring based also on their own internal context.

One possible approach for us might be to ensure that we can support conveying the appropriate level of context information in our normative standards and then provide some non-normative consensus suggestions/guidelines (separate from the standards themselves) on how consumers could use that information to “score” threat information.

 

I am not arguing or asserting a “right” way to do this, just pointing out that what Pat says here jibes with what I have heard from many others and that we should certainly take such considerations into account when thinking about this topic.

 

sean

 

From: <[hidden email]> on behalf of Patrick Maroney <[hidden email]>
Date: Monday, October 26, 2015 at 10:33 AM
To: Jerome Athias <[hidden email]>, Jason Lewis <[hidden email]>
Cc: "Jordan, Bret" <[hidden email]>, Bernd Grobauer <[hidden email]>, "[hidden email]" <[hidden email]>
Subject: Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)

 

Relevance, Certainty, Validity, etc. along with other highly subjective measures like Business Impact (of mitigation/Blocking) are really not effective shared measures for IOCs with perhaps exceptions for widely seen common Malware/NuisanceWare/AdWare.

Point is that a majority of serious APT attacks against Sectors, Industries, Agencies, etc. are highly targeted. In some cases the attack packages and ephemeral TTPs are tailored uniquely to an individual organization.

I can authoritatively cite an example:  some of the most dangerous highly targeted APT threats are typically flagged by AV as "Low" priority/criticality/risk, which in turn leads to inadequate responses when detected.  We've found evidence of relatively early leading APT artifact AV detections in every APT Intrusion investigation since 2002.  When asked why these leading indicators were ignored, without fail the response would be something along the lines of: "Oh we don't have the resources to investigate thousands of AV detections, we only look at Med to High Risk", or "Oh we looked at it, it was flagged as low risk".  AV Vendors when challenged on these rating methodologies would also respond without fail with something like: "That RAT/Backdoor was only reported by 5 companies, it's low risk".  Tell that to the 5 companies who spent millions cleaning up entrenched adversaries that could have been stopped early in the intrusion had the threat not been mischaracterized and investigated. 

In my view (1) we should be sharing facts about sightings/observations, (2) analysis along with methods to "show your work" for any hypothesis for subjective conclusions, and (3) include Non-Attributional Source Path Traceability for directing RFIs and Details on Sightings to the original Source(s).  One can then compile "Earliest Seen", "Latest Seen" metrics along with Sector/Target specific Threat Characterization details to determine an effective measure of risk.

 

Patrick Maroney

 

_____________________________
From: Jerome Athias <[hidden email]>
Sent: Sunday, October 25, 2015 10:04 PM
Subject: Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)
To: Jason Lewis <[hidden email]>
Cc: Jordan, Bret <[hidden email]>, Grobauer, Bernd <[hidden email]>, <[hidden email]>


Yep the decay is interesting

It could be evaluated as an option like the Valid_Time_Position where both have benefits depending on the use case (e.g. Exercise scenario)

 

Regarding scoring, there is opportunity for research based on STIX ;-)

 


On Monday, 26 October 2015, Jason Lewis < [hidden email]> wrote:

Just to point out some key differences from the FB format.  Primarily
the topology support (networks, bgp, etc) and scoring.  Part of the
scoring is the decay, which becomes very important when dealing with
billions of elements.

On Wed, Oct 21, 2015 at 1:28 PM, Jordan, Bret < [hidden email]> wrote:
> Thanks for sending this out... It looks interesting. We will need to watch
> it closely, they have some neat things that are very similar to FB's threat
> exchange.
>
> Thanks,
>
> Bret
>
>
>
> Bret Jordan CISSP
> Director of Security Architecture and Standards | Office of the CTO
> Blue Coat Systems
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can
> not be unscrambled is an egg."
>
> On Oct 21, 2015, at 04:17, Grobauer, Bernd < [hidden email]>
> wrote:
>
> Hi,
>
> I found this news item (from yesterday) about a new Open Source effort on TI
> standardization
> and thought it might be of interest to the group:
>
> http://www.businesswire.com/news/home/20151020005120/en/LookingGlass-Introduces-Open-Threat-Partner-eXchange-OpenTPX
>
> Docs, JSON-schema, etc. on
>
> https://www.opentpx.org/
>
>
> According to the FAQ:
>
> Q: Does OpenTPX replace STIX?
>
> A: No. OpenTPX was designed primarily as an optimized mechanism for data
> exchange at large volume, high scale and high speed ingestion for a broader
> set of Internet intelligence and threat context. Aspects of data available
> in STIX (e.g. indicators) have direct mapping to OpenTPX.
>
> Kind regards,
>
> Bernd
>
>
> -------------
>
> Bernd Grobauer, Siemens CERT
>
>

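As an added example (not code from this thread, from OpenTPX or from STIX), here is a small Python sketch of the consumer-side approach Pat and Sean describe above and of Byron's point that reports get re-rated as corroborating sources arrive: sightings are shared as facts with a non-attributional source path and an Admiralty-style reliability grade, compiled into earliest/latest-seen and per-sector counts, and scored by the consumer in its own context, while the producer's rating is kept only to measure how often it would have misled, which is the feed rating Bret suggests. Indicator names, sectors, weights and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Admiralty source-reliability grade -> weight. F ("cannot be judged") is
# discounted rather than dropped: the sighting fact is still worth keeping.
RELIABILITY_WEIGHT = {"A": 1.0, "B": 0.8, "C": 0.6, "D": 0.4, "E": 0.2, "F": 0.1}

# Constructed sample feed (hypothetical indicators and sectors): a RAT C2
# domain seen by a few finance members, a widely seen adware domain, and a
# commodity malware domain. The producer's own rating rides along but is
# never used as the consumer's score.
SAMPLE_FEED = [
    {"indicator": "rat-c2.example", "seen": date(2015, 9, 1), "sector": "finance",
     "source_path": "isac-a/member-7", "reliability": "A", "rating": "Low"},
    {"indicator": "rat-c2.example", "seen": date(2015, 9, 3), "sector": "finance",
     "source_path": "isac-a/member-12", "reliability": "B", "rating": "Low"},
    {"indicator": "rat-c2.example", "seen": date(2015, 10, 2), "sector": "energy",
     "source_path": "isac-b/member-3", "reliability": "C", "rating": "Low"},
    {"indicator": "adware.example", "seen": date(2015, 10, 20), "sector": "retail",
     "source_path": "av-vendor/telemetry", "reliability": "B", "rating": "High"},
    {"indicator": "commodity.example", "seen": date(2015, 10, 5), "sector": "finance",
     "source_path": "isac-a/member-2", "reliability": "B", "rating": "High"},
    {"indicator": "commodity.example", "seen": date(2015, 10, 9), "sector": "retail",
     "source_path": "av-vendor/telemetry", "reliability": "B", "rating": "High"},
]

def compile_sightings(feed):
    """Fold sighting facts into one record per indicator: earliest/latest seen,
    per-sector counts, reliability grades, and the source paths an RFI can follow."""
    recs = {}
    for s in feed:
        r = recs.setdefault(s["indicator"], {
            "earliest": s["seen"], "latest": s["seen"], "sectors": defaultdict(int),
            "sources": set(), "reliability": [], "producer_rating": s["rating"]})
        r["earliest"] = min(r["earliest"], s["seen"])
        r["latest"] = max(r["latest"], s["seen"])
        r["sectors"][s["sector"]] += 1
        r["sources"].add(s["source_path"])
        r["reliability"].append(s["reliability"])
    return recs

def consumer_score(rec, my_sector):
    """Score from the consumer's own context: reliability-weighted corroboration
    across sources, plus a strong boost for sightings in the consumer's sector."""
    corroboration = sum(RELIABILITY_WEIGHT[g] for g in rec["reliability"])
    score = corroboration + 2.0 * rec["sectors"].get(my_sector, 0)
    return "High" if score >= 3.0 else "Medium" if score >= 1.5 else "Low"

def rate_feed(feed, my_sector):
    """Rate the feed itself: how often the producer's rating disagreed with the
    score the consumer derived. Returns (scores, disagreements, indicators)."""
    recs = compile_sightings(feed)
    scores = {k: consumer_score(r, my_sector) for k, r in recs.items()}
    disagree = sum(1 for k, r in recs.items() if scores[k] != r["producer_rating"])
    return scores, disagree, len(recs)

if __name__ == "__main__":
    scores, disagree, total = rate_feed(SAMPLE_FEED, "finance")
    print(scores, f"{disagree}/{total} producer ratings overridden")
```

For a finance consumer the sparsely reported RAT comes out High and the widely seen adware Low, the inverse of the producer's ratings, which is exactly the mischaracterization Pat describes.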

 

 

 


RE: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)

Terry MacDonald-3
In reply to this post by pmaroney

+1.

 

Terry MacDonald

Senior STIX Subject Matter Expert

SOLTRA | An FS-ISAC and DTCC Company

+61 (407) 203 206 | [hidden email]

 

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Patrick Maroney
Sent: Tuesday, 27 October 2015 1:34 AM
To: Jerome Athias <[hidden email]>; Jason Lewis <[hidden email]>
Cc: Jordan, Bret <[hidden email]>; Grobauer, Bernd <[hidden email]>; [hidden email]
Subject: Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)
