[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-stix] STIX Sightings
Jason:
Here are some thoughts as to why H2H communications through a Threat Intel Platform works better than through encrypted email:
1. Trust circle conditions have already been worked out in advance for each of the members that have been onboarded onto a platform... therefore the human analyst can stay focused (in real time) on the problem at hand (e.g., incident response, data enrichment, TTP analysis, attribution elements synthesis, etc..) and once he/she has some information (or data) for responding to an RFI...he/she can just do it, without having to create a distribution list.
2. Trust circle conditions that have been worked out on advance may include such things as: security level data classifications (i.e., data markings), confidence intervals (stemming from the reliability and credibility of the source), classifications for the type of information being shared (e.g., situational awareness reports, IoCs, malware artifacts, etc...). Again... if all of this is worked out in advance it saves the analyst time and energy and makes the process more efficient.
3. The size of the membership of an ISAC or ISAO may be such that an email with a large distribution list may be detected as spam ... and filtered out of a recipient's in-box.
4. The Threat Intelligence Platform can be designed to have streamlined interfaces with other network tools so findings from an RFI can be immediately uploaded to a network device (e.g., a Snort snippet).
There are other reasons, as well, I'm sure. These are just a few off the top of my head.
Jane Ginn, MSIA, MRP
Cyber Threat Intelligence Network, Inc.
jg@ctin.us
(1) Analyst from member company of ISAC "X" detects SpearPhish, DDOS, Scanning, etc. and want's more information from other members within ISAC "X"
(2) ISAC "X" Analysts send an RFI through an intermediary like the NCI (National Council of ISACs) to all other NCI Member Sector ISACs. What do you know about "Y", Have you seen "Z", etc.
(3) Analyst "A" has Malware sample and needs to submit it to Agency "B" to establish actionable IOCs ASAP.
I feel like the use case around RFI is not clearly fleshed out.
What parties and systems would be issuing RFI requests and under what circumstances?
What parties and systems would be responding to said requests?
Only once those two things are well documented and understood by all can we understand how to best service such a request.
As an example of why this is important... I believe only a tiny fraction of potential TAXII client systems would ever have an ability to respond to historical RFI requests... Most would not. So maybe this RFI capability should be limited to only TAXII servers who implement a "repository" specification.
Sent from IBM Verse
Aharon Chernin --- Re: [cti-stix] RE: STIX Sightings ---
From: | "Aharon Chernin" <achernin@soltra.com> |
To: | "Trey Darley" <trey@soltra.com>, "Terry MacDonald" <terry@soltra.com> |
Cc: | "Barnum, Sean D." <sbarnum@mitre.org>, "Patrick Maroney" <Pmaroney@Specere.org>, "Davidson II, Mark S" <mdavidson@mitre.org>, "Joep Gommers" <joep@eclecticiq.com>, "Jonathan Bush (DTCC)" <jbush@dtcc.com>, cti-stix@lists.oasis-open.org |
Date: | Fri, Oct 30, 2015 11:38 AM |
Subject: | Re: [cti-stix] RE: STIX Sightings |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]