I will choose to argue that if you have any level of context, then by definition you have some level of Reliability / Confidence / or whatever we end up calling it.
Thanks,
Bret

Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
Re: "One comment, if you have no confidence in the accuracy of something, meaning you have not done any due diligence on your end, should you really be sharing it? Isn't this the whole problem with the Internet today? People spewing forth crap that is just wrong, and then it gets archived in Google as Gospel."
Sharing unfiltered, unvetted intelligence on Emerging Threats/Previously Unrecognized Threats is extremely valuable in many of the communities I participate in. The critical element is to properly mark it. For example, one community uses "Investigating" to flag something as preliminary. Say I've analyzed 100% 0Day APT Malware, and I run Strings on the binary and get 50 IP Addresses and Domains, yet the Malware was only observed to attempt communication with 6 of the 50. By sharing this type of intelligence [WITH CONTEXT] with the community, others can be aware and say: "Hey!!! I didn't see the vectors you did, but I did see a different subset of 6 out of your 50. We ran it in an air-gapped sandbox and when the test access to Google.com failed the Malware beaconing switched to these different IPs and Ports. Let's mark these 6 new IOCs as actionable and let everyone know the malware may behave differently in different environments and to keep an eye out for the other 38 IOCs."
Capturing and retaining properly marked indicators has also revealed key discoveries years later, for example: "Hey, we were investigating something else and our search revealed APT Actor "X" was indeed using nameyourfavoritecommoditybotnet back in 2011!!!! We didn't realize we had actionable indicators at the time. Thanks for posting those informational Strings back in 2011!!!!!"
Filtering Intelligence will significantly impede detection of multi-stage exploitation and variants of RATs deployed in the Entrenchment phase of lateral movement, once the adversary has established their initial beachhead and begins deploying. The key is to ensure you convey all of the context you've developed (and "show your work" to back any of your assertions).
Understand in these assertions that, as always, other world views/use cases, methods are equally valid.
I was thinking back to the Admiralty Code (https://en.wikipedia.org/wiki/Admiralty_code) regarding reliability and credibility when I wrote that. The idea was that if someone had learned from a 3rd party that there was a relationship between Threat Group A and Threat Group B, but had not yet been able to determine the reliability/truthfulness of what that third party had said, they may want to send out that relationship as a kind of 'something we've heard but not had a chance to verify ourselves'. That's where I was headed with the Unknown option.
| Rating | | Description |
|---|---|---|
| 1 | Confirmed | Logical, consistent with other relevant information, confirmed by independent sources. |
| 2 | Probably true | Logical, consistent with other relevant information, not confirmed. |
| 3 | Possibly true | Reasonably logical, agrees with some relevant information, not confirmed. |
| 4 | Doubtfully true | Not logical but possible, no other information on the subject, not confirmed. |
| 5 | Improbable | Not logical, contradicted by other relevant information. |
| 6 | Cannot be judged | The validity of the information can not be determined. |
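As an added example (not code from this thread or from any of its participants), the following Python models the Admiralty credibility column above and walks through the 50-strings / 6-observed sharing scenario from the earlier reply. The rules that map evidence to a rating (strings output only = "Cannot be judged", one organisation's own observation = "Probably true", a second independent organisation = "Confirmed", any contradiction = "Improbable") and the "actionable at 2 or better" threshold are assumed policy for illustration, not part of the Admiralty Code; the 192.0.2.x indicator values are constructed from the TEST-NET range.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Credibility(IntEnum):
    """Information credibility ratings, as in the Admiralty Code table."""
    CONFIRMED = 1         # confirmed by independent sources
    PROBABLY_TRUE = 2     # consistent with other information, not confirmed
    POSSIBLY_TRUE = 3     # agrees with some information, not confirmed
    DOUBTFULLY_TRUE = 4   # not logical but possible, nothing else known
    IMPROBABLE = 5        # contradicted by other relevant information
    CANNOT_BE_JUDGED = 6  # validity cannot be determined (the "Unknown" case)


# Assumed policy: ratings at or better than this are "actionable"; everything
# else is still retained and shared, marked as informational / "Investigating".
ACTIONABLE_THRESHOLD = Credibility.PROBABLY_TRUE


@dataclass
class Indicator:
    value: str
    source: str                                      # who first shared it
    observed_by: set = field(default_factory=set)    # orgs that saw it in use
    contradicted_by: set = field(default_factory=set)

    @property
    def credibility(self) -> Credibility:
        """Assumed mapping from the evidence held to a credibility rating."""
        if self.contradicted_by:
            return Credibility.IMPROBABLE
        if len(self.observed_by) >= 2:        # independent confirmation
            return Credibility.CONFIRMED
        if len(self.observed_by) == 1:        # one org's own observation
            return Credibility.PROBABLY_TRUE
        return Credibility.CANNOT_BE_JUDGED   # strings output only, no context


class Feed:
    """Indicators shared with context: nothing is filtered out, only rated."""

    def __init__(self) -> None:
        self.indicators: dict[str, Indicator] = {}

    def submit_strings(self, org: str, values) -> None:
        # Raw strings from a sample enter at "Cannot be judged".
        for v in values:
            self.indicators.setdefault(v, Indicator(v, source=org))

    def report_observed(self, org: str, values) -> None:
        # An org reports actually seeing the indicator used (e.g. beaconing).
        for v in values:
            self.indicators[v].observed_by.add(org)

    def report_contradicted(self, org: str, values) -> None:
        # An org reports evidence that the indicator is not malicious.
        for v in values:
            self.indicators[v].contradicted_by.add(org)

    def actionable(self) -> list[str]:
        return sorted(v for v, i in self.indicators.items()
                      if i.credibility <= ACTIONABLE_THRESHOLD)

    def rating_counts(self) -> dict[Credibility, int]:
        counts = {c: 0 for c in Credibility}
        for i in self.indicators.values():
            counts[i.credibility] += 1
        return counts


def run_scenario() -> Feed:
    """The thread's exchange: 50 strings, 6 seen by A, a different 6 seen by B."""
    strings = [f"192.0.2.{n}" for n in range(1, 51)]   # constructed sample IOCs
    feed = Feed()
    feed.submit_strings("org-A", strings)               # all 50: cannot be judged
    feed.report_observed("org-A", strings[:6])          # A's sandbox saw 6 beacon
    feed.report_observed("org-B", strings[6:12])        # B saw a different 6
    return feed


if __name__ == "__main__":
    feed = run_scenario()
    print("actionable:", feed.actionable())
    for rating, count in feed.rating_counts().items():
        print(f"{rating.value} {rating.name}: {count}")
```

Because the 38 unobserved strings stay in the feed at rating 6 rather than being dropped, a later report from a third organisation can promote any of them without anyone having to re-share the original sample, which is the "thanks for posting those informational Strings back in 2011" case.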