Subject: Re: [cti-cybox] Network Connection Object TCP Extension


A quick comment: the Inter-exchange and analysis of TCP and IP Header metadata is very valuable for a number of covert channel, side-channel analysis, exfiltration, attribution, fingerprinting, and detection use cases.

The "bad guys" have some really nasty tricks up their sleeves including a number of TCP and IP Header manipulations.  Check out "Trend 3 - Attacks on Networking Devices" in the Fireeye 2016 M-Trends report:

https://www2.fireeye.com/rs/848-DID-242/images/Mtrends2016.pdf

This type of very sophisticated activity from Determined Adversaries is just starting to get public exposure.

We need to ensure we can express this type of data in a standard community format.  Note that I'm not arguing to extend this now, just that we leave our options open for doing so down the road.

Patrick Maroney
President
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org




On Wed, Aug 31, 2016 at 7:56 AM -0400, "Trey Darley" <trey@kingfisherops.com> wrote:

On 30.08.2016 20:46:16, Jordan, Bret wrote:
>
> I would propose that it does not make sense to have this TCP
> extension with just 2 properties that are flags, when the port
> information was merged down to the base object.
>

Good catch, Bret. Ivan and I already discussed this on an editorial
call last week but forgot to add a TODO comment in the draft spec.
Just added that now.

My inclination is to rename the two fields and merge them into the
base object but let's address this on one of today's calls.

--
Cheers,
Trey
++--------------------------------------------------------------------------++
Kingfisher Operations, sprl
gpg fingerprint: 85F3 5F54 4A2A B4CD 33C4  5B9B B30D DD6E 62C8 6C1D
++--------------------------------------------------------------------------++
--
"Irrationality is the square root of all evil" -- Douglas Hofstadter