Subject: Re: [cti-cybox] Network Connection Object TCP Extension


Just as a point of fact (understanding full well that many of our use cases are not typical): We captured, processed, and stored 2-4 terabytes of External Ingress/Egress Raw Packet Data every day. As anyone who has dealt directly with entrenched Determined Adversaries can tell you, investigations, forensics collection/analysis, reporting, etc. for a given event can extend from months to years. This is a massive amount of data that requires a lot of analysis to narrow it to manageable levels. A single 1 TB LT-05 tape of raw packet data took 4 hours just to initially re-process (locally with high speed DAS/NAS storage).

Metadata drives effective analysis.  Sharing of same drives effective community analysis.  Along with the practical/physical limits of sharing raw packet data once you get to Enterprise scale, there are a number of Employee/Customer Privacy, IP Protection, and Confidentiality considerations when sharing raw packet data.   Where we do share this data once vetted (which can take quite a bit of time) the metadata helps us isolate which packets are relevant.

Again, understand this represents only a small overall portion of the community.  However, 10GBs to 40Gbs pipes in our network cores and cloud infrastructures are increasingly the norm for many larger organizations.


Patrick Maroney
President
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org
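The thread keeps returning to one design point: shared metadata (TCP and IP header fields) does the analytic work, while the raw libpcap blob stays behind as an artifact that the metadata merely points at. The following is an added example, not code from the thread, the CybOX draft, or any of the participants: a small pure-Python libpcap reader that pulls out the header fields discussed here (ports, TCP flags, TTL, IP ID, window, reserved bits, urgent pointer), records a hash-based reference to the raw blob instead of carrying it, and runs two consistency checks that need only header metadata. The sample capture is constructed in the code (a SYN, a data segment, and one deliberately malformed ACK); the field names in the output dictionaries are the example's own and do not follow the CybOX schema.

```python
import hashlib
import struct
from typing import Dict, List

# Bit positions in the TCP flags byte (bit 0 = FIN ... bit 7 = CWR).
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def build_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, flags: int,
                    ttl: int = 64, ip_id: int = 1, window: int = 65535,
                    reserved: int = 0, urg_ptr: int = 0, payload: bytes = b"") -> bytes:
    """Build one Ethernet/IPv4/TCP frame (checksums left zero; parsing ignores them)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), ip_id, 0x4000, ttl, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    # Byte 12 of the TCP header: data offset in 32-bit words (high nibble) plus the
    # reserved/NS bits (low nibble); byte 13 carries the CWR..FIN flags.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                      (5 << 4) | (reserved & 0x0F), flags, window, 0, urg_ptr)
    return eth + ip + tcp + payload


def build_sample_pcap() -> bytes:
    """Constructed libpcap file (not a real capture): a SYN, a PSH|ACK data segment,
    and a hand-made anomalous ACK with reserved bits and an urgent pointer set without URG."""
    frames = [
        build_tcp_frame("10.0.0.5", "192.0.2.10", 51000, 443, 0x02, ip_id=1),
        build_tcp_frame("10.0.0.5", "192.0.2.10", 51000, 443, 0x18, ip_id=2,
                        payload=b"GET / HTTP/1.1\r\n"),
        build_tcp_frame("10.0.0.5", "192.0.2.10", 51000, 443, 0x10, ip_id=3,
                        reserved=0x0E, urg_ptr=0x4142),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, Ethernet link type
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1472630000 + i, 0, len(f), len(f)) + f  # record header + frame
    return out


SAMPLE_PCAP = build_sample_pcap()


def artifact_reference(pcap: bytes) -> Dict[str, object]:
    """What shared metadata points at: hash and size of the raw blob, never the blob itself."""
    return {"sha256": hashlib.sha256(pcap).hexdigest(), "size": len(pcap),
            "mime": "application/vnd.tcpdump.pcap"}


def parse_pcap(pcap: bytes) -> List[Dict[str, object]]:
    """Return one header-metadata record per Ethernet/IPv4/TCP frame in a libpcap file."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a libpcap file (pcapng is a different container)")
    records, pos = [], 24  # skip the 24-byte global header
    while pos + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(end + "IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        ip, tcp = frame[14:14 + ihl], frame[14 + ihl:]
        if ip[9] != 6 or len(tcp) < 20:
            continue  # not TCP, or truncated
        sport, dport, _seq, _ack, off_res, flags, window, _csum, urg = struct.unpack("!HHIIBBHHH", tcp[:20])
        records.append({
            "ts": ts_sec + ts_usec / 1e6,
            "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport,
            "ttl": ip[8], "ip_id": struct.unpack("!H", ip[4:6])[0],
            "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)],
            "reserved": off_res & 0x0F, "window": window, "urg_ptr": urg,
            "payload_len": len(tcp) - (off_res >> 4) * 4,
        })
    return records


def header_anomalies(rec: Dict[str, object]) -> List[str]:
    """Consistency checks that need header metadata only, no payload."""
    issues = []
    if rec["reserved"]:
        issues.append("reserved/NS bits set")
    if rec["urg_ptr"] and "URG" not in rec["flags"]:
        issues.append("urgent pointer set without URG")
    return issues


def summarize(pcap: bytes) -> Dict[str, object]:
    """Shareable view of a capture: header records plus a pointer to the raw artifact."""
    recs = parse_pcap(pcap)
    return {"artifact": artifact_reference(pcap), "packets": recs,
            "flagged": [i for i, r in enumerate(recs) if header_anomalies(r)]}


if __name__ == "__main__":
    for i, rec in enumerate(summarize(SAMPLE_PCAP)["packets"]):
        print(i, rec["src"], rec["sport"], "->", rec["dst"], rec["dport"], rec["flags"], header_anomalies(rec))
```

The summary is a few hundred bytes per packet regardless of payload size, which is the scale argument made above: the header records travel, the hash identifies the tape or blob they came from, and only the vetted packets need to follow. Real captures also carry VLAN tags, IPv6 and TCP options, which this reader skips or ignores.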




On Wed, Aug 31, 2016 at 1:24 PM -0400, "Jordan, Bret" <bret.jordan@bluecoat.com> wrote:

Yes, my Ultimate Data Exfiltration Toolkit mutilates headers from layer2 to layer7, but I see most of this information being captured in STIX with a pointer to a CybOX object that contains an artifact of a libpcap or libpcap-ng data blob. 


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Aug 31, 2016, at 06:17, Patrick Maroney <Pmaroney@Specere.org> wrote:

A quick comment: the inter-exchange and analysis of TCP and IP header metadata is very valuable for a number of covert channel, side-channel analysis, exfiltration, attribution, fingerprinting, and detection use cases.

The "bad guys" have some really nasty tricks up their sleeves including a number of TCP and IP header manipulations.  Check out "Trend 3 - Attacks on Networking Devices" in the FireEye 2016 M-Trends report:


This type of very sophisticated activity from Determined Adversaries is just starting to get public exposure.

We need to ensure we can express this type of data in a standard community format.  Note that I'm not arguing to extend this now, just that we leave our options open for doing so down the road.

Patrick Maroney
President
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org




On Wed, Aug 31, 2016 at 7:56 AM -0400, "Trey Darley" <trey@kingfisherops.com> wrote:

On 30.08.2016 20:46:16, Jordan, Bret wrote:
> 
> I would propose that it does not make sense to have this TCP
> extension with just 2 properties that are flags, when the port
> information was merged down to the base object.
> 

Good catch, Bret. Ivan and I already discussed this on an editorial
call last week but forgot to add a TODO comment in the draft spec.
Just added that now.

My inclination is to rename the two fields and merge them into the
base object but let's address this on one of today's calls.

-- 
Cheers,
Trey
++--------------------------------------------------------------------------++
Kingfisher Operations, sprl
gpg fingerprint: 85F3 5F54 4A2A B4CD 33C4  5B9B B30D DD6E 62C8 6C1D
++--------------------------------------------------------------------------++
--
"Irrationality is the square root of all evil" -- Douglas Hofstadter
