cti-cybox message


Subject: Re: [cti-cybox] Network Connection Object TCP Extension


This may be true if you are the one collecting the data for yourself, but I doubt that many organizations will want to distribute their internal network packet captures automatically out to their trust groups. There is way too much chance of data leakage if the packet capture contains some intellectual property or something the organization wants to keep secret.

I believe they would be much more likely to send out the interesting parts using objects that can describe the detail, i.e. TCP level attacks described using a TCP object, IP level attacks using an IP object, ARP level attacks using an ARP object, etc. Way less chance for data leakage then.

Cheers
Terry MacDonald
Cosive


On 1/09/2016 05:24, "Jordan, Bret" <bret.jordan@bluecoat.com> wrote:
Yes, my Ultimate Data Exfiltration Toolkit mutilates headers from layer2 to layer7, but I see most of this information being captured in STIX with a pointer to a CybOX object that contains an artifact of a libpcap or libpcap-ng data blob. 


Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Aug 31, 2016, at 06:17, Patrick Maroney <Pmaroney@Specere.org> wrote:

A quick comment: the inter-exchange and analysis of TCP and IP header metadata is very valuable for a number of covert channel, side-channel analysis, exfiltration, attribution, fingerprinting, and detection use cases.

The "bad guys" have some really nasty tricks up their sleeves, including a number of TCP and IP header manipulations. Check out "Trend 3 - Attacks on Networking Devices" in the FireEye 2016 M-Trends report:


This type of very sophisticated activity from Determined Adversaries is just starting to get public exposure.

We need to ensure we can express this type of data in a standard community format.  Note that I'm not arguing to extend this now, just that we leave our options open for doing so down the road.

Patrick Maroney
President
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org




On Wed, Aug 31, 2016 at 7:56 AM -0400, "Trey Darley" <trey@kingfisherops.com> wrote:

On 30.08.2016 20:46:16, Jordan, Bret wrote:
> 
> I would propose that it does not make sense to have this TCP
> extension with just 2 properties that are flags, when the port
> information was merged down to the base object.
> 

Good catch, Bret. Ivan and I already discussed this on an editorial
call last week but forgot to add a TODO comment in the draft spec.
Just added that now.

My inclination is to rename the two fields and merge them into the
base object but let's address this on one of today's calls.

-- 
Cheers,
Trey
++--------------------------------------------------------------------------++
Kingfisher Operations, sprl
gpg fingerprint: 85F3 5F54 4A2A B4CD 33C4  5B9B B30D DD6E 62C8 6C1D
++--------------------------------------------------------------------------++
--
"Irrationality is the square root of all evil" -- Douglas Hofstadter
