Subject: Re: [cti-stix] STIX 2.1 discussion


I would disagree. We had confidence in STIX v1.x without digital signatures, and it worked ok. We urgently need to give content creators the ability to convey how confident they are that their threat intel assertion is true. It is the only way that consumers will be able to make their own decisions about whether to believe the assertion(s) they have received, or to ignore them. This is also critical to enable decisions to be made on how to use the threat intel.

Additionally, understanding what the other sharing community members think of particular threat intelligence assertions is key too. Threat Intel Analysts are rare. Not every organization will have access to them. We need to give organizations the ability to receive guidance from other organizations they trust to enable them to better protect themselves. We need the ability for community members to tell others that they think a threat intel assertion is good or bad. Other organizations with new analysts, or no analysts, will then be able to learn from these assertions whom to trust... effectively crowdsourcing their knowledge from the opinions of others.

If I am a consumer and I see that there are a lot of opinion objects from community members disagreeing with Threat Intel from Vendor A, then I am less likely to trust what they say. If there are opinion objects from community members agreeing with Vendor B's threat intel, then I am more likely to trust what they say.

Both Confidence and the Opinion object will have a profound effect on how people will use their threat intel, and on whose threat intel they trust.

If I have received a low confidence domain name indicator associated with a threat actor I care about, but I don't trust the content creator very much, I am not likely to block it on the firewall, but I might be likely to add it to my IDS sensor alert.

If I have a high confidence domain name indicator associated with a threat actor I care about, from a content creator I do trust highly, then I am more likely to throw it in my firewall block list, or in my DNS RPZ blocklist.

This can all happen without Digital Signatures, as the sharing communities now do the same thing between organizations they trust over email. Digital signatures only become important when we try to do this over open, public, unvetted sharing communities. And while these communities are needed eventually, they are not needed now. Which is why I believe digital signatures can wait for STIX 2.2.

Cheers

Terry MacDonald | Chief Product Officer
On Tue, Aug 23, 2016 at 4:54 AM, Jordan, Bret <bret.jordan@bluecoat.com> wrote:
Confidence does not really make sense before we have digital signatures, neither does the opinion object. Without digital signatures first, there is no "real" confidence or opinion as everything could be faked.

Thanks,

Bret

Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Aug 22, 2016, at 01:34, Trey Darley <trey@kingfisherops.com> wrote:

On 20.08.2016 08:22:15, Terry MacDonald wrote:
My wish list for 2.1:

+1 for Terry's list of STIX 2.1/2.2 priorities

--
Cheers,
Trey
++--------------------------------------------------------------------------++
Kingfisher Operations, sprl
gpg fingerprint: 85F3 5F54 4A2A B4CD 33C4  5B9B B30D DD6E 62C8 6C1D
++--------------------------------------------------------------------------++
--
"All systems, regardless of composition, do one of three things: blow
up, oscillate, or stay about the same." --anonymous
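The triage Terry describes above (producer confidence, the consumer's own trust in that producer, and community Opinion objects feeding a block / alert / ignore decision), written out as an added Python example. This is not code from the thread or from any OASIS deliverable. It assumes the Opinion vocabulary (strongly-disagree through strongly-agree) and the integer 0-100 confidence property as later published in STIX 2.1; the identity ids, trust scores, opinion weighting and disposition thresholds are constructed for illustration.

```python
"""Added example (not from the cti-stix thread or any OASIS project code).

Turns the triage described in the thread into a small, explicit policy:
the producer's stated confidence is scaled by how much the consumer trusts
that producer, then nudged by trust-weighted Opinion objects from other
community members, and the result is mapped to a disposition.

Assumptions (not stated in the thread):
- 'opinion' values and the integer 0-100 'confidence' property follow the
  published STIX 2.1 spec, which post-dates this 2016 discussion.
- Identity ids, trust scores, the +/-10 point opinion weight and the
  disposition thresholds are constructed for illustration.
"""

# STIX 2.1 opinion-enum mapped to a signed weight.
OPINION_WEIGHT = {
    "strongly-disagree": -2,
    "disagree": -1,
    "neutral": 0,
    "agree": 1,
    "strongly-agree": 2,
}

# Constructed sample objects (ids are placeholders, not real STIX ids).
INDICATOR = {
    "type": "indicator",
    "id": "indicator--EXAMPLE-1",
    "created_by_ref": "identity--vendor-a",
    "confidence": 85,
    "pattern": "[domain-name:value = 'example.invalid']",
}

OPINIONS = [
    {"type": "opinion", "id": "opinion--EXAMPLE-1",
     "created_by_ref": "identity--org-b", "opinion": "agree",
     "object_refs": ["indicator--EXAMPLE-1"]},
    {"type": "opinion", "id": "opinion--EXAMPLE-2",
     "created_by_ref": "identity--org-c", "opinion": "strongly-disagree",
     "object_refs": ["indicator--EXAMPLE-1"]},
]

# The consumer's own trust in each producer, 0.0 (none) to 1.0 (full).
# Identities absent from this table get 0.0, so strangers carry no weight.
TRUST = {
    "identity--vendor-a": 0.9,
    "identity--org-b": 0.8,
    "identity--org-c": 0.3,
}

# Thresholds on the 0-100 effective confidence (constructed values).
BLOCK_AT = 60
ALERT_AT = 20


def community_score(object_id, opinions, trust):
    """Trust-weighted mean opinion about object_id, in [-2.0, 2.0].

    Opinions about other objects are skipped; opinions from untrusted or
    unknown identities get weight 0.0 and so cannot move the score.
    """
    total = 0.0
    weight = 0.0
    for op in opinions:
        if object_id not in op.get("object_refs", []):
            continue
        t = trust.get(op["created_by_ref"], 0.0)
        total += t * OPINION_WEIGHT[op["opinion"]]
        weight += t
    return total / weight if weight else 0.0


def effective_confidence(obj, opinions, trust):
    """Producer confidence x consumer trust, shifted 10 points per opinion step."""
    producer_trust = trust.get(obj["created_by_ref"], 0.0)
    base = obj.get("confidence", 0) * producer_trust
    adjusted = base + 10 * community_score(obj["id"], opinions, trust)
    return int(round(max(0.0, min(100.0, adjusted))))


def disposition(score):
    """Map effective confidence to an action."""
    if score >= BLOCK_AT:
        return "block"      # e.g. firewall or DNS RPZ blocklist
    if score >= ALERT_AT:
        return "alert"      # e.g. IDS sensor alert only
    return "ignore"


def evaluate(obj, opinions, trust):
    """Return (effective_confidence, disposition) for one object."""
    score = effective_confidence(obj, opinions, trust)
    return score, disposition(score)


if __name__ == "__main__":
    print(evaluate(INDICATOR, OPINIONS, TRUST))
```

The design choice worth noting is that both the producer's confidence and every Opinion are weighted by the consumer's own trust table, so an unknown identity can neither inflate nor sink an indicator; that is the "community members I trust" filter the message relies on in place of signatures, and it is also the part that an unvetted public community would break.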