Re: [cti-cybox] IP Address Notation (or: I Love CIDR When It's Talking A

cti-cybox message

Subject: Re: [cti-cybox] IP Address Notation (or: I Love CIDR When It's Talking About More Than One IP Address)

From: "Jordan, Bret" <bret.jordan@bluecoat.com>

To: "Foley, Alexander - GIS" <alexander.foley@bankofamerica.com>

Date: Fri, 15 Jan 2016 04:28:26 +0000

I think it is completely reasonable for the UI tool to add a /32 to an address. People should not be creating these objects by hand. Further, I also think it is also reasonable to to say that if no /32 is found, then it is just an IP address and the standard should allow for that. Hopefully, long term, all tools will just do that for the user behind the scenes, but until then, I think it is okay for the standard to just allow it.

Thanks,

Bret

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

On Jan 14, 2016, at 15:13, Foley, Alexander - GIS <alexander.foley@bankofamerica.com> wrote:

I thought I’d provide some context of how everyday threat intelligence analysts share IP addresses. On one fairly popular email list with ~650 active participants, there were about 5,370 messages that contained tens of thousands of indicators of compromise (IOCs). In these messages:

·        Analysts shared individual IP addresses 4,695 times
·        Analysts shared a CIDR block 124 times
·        Of these 124 times, only 6 times were they referring to an individual IP address
·        Of these 6 individual CIDR blocks with /32, they were only one analyst ever referred to an IP this way

I continue to believe that, while it’s certainly a fine way to represent an individual IP address, most analysts don’t think to add it at the end when they’re talking about an individual IP. My personal preference would be for the language to assume that if an IP address object doesn’t have a slash in the address or a CIDR property that it is assumed to be an individual IP address and neither the user nor the tool needs to know to write /32 at the end of it.

I’m not intentionally trying to start a flame war, but I do continue to believe that (at least as long as people are still developing the tools that use CybOX / STIX) we will have humans making it or consuming it manually / by hand.

Alex
This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer. If you are not the intended recipient, please delete this message.

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail