OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti-stix message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [cti-stix] STIX Sightings


Here are some thoughts as to why H2H communications through a Threat Intel Platform works better than through encrypted email:

1. Trust circle conditions have already been worked out in advance for each of the members that have been onboarded onto a platform... therefore the human analyst can stay focused (in real time) on the problem at hand (e.g., incident response, data enrichment, TTP analysis, attribution elements synthesis, etc..) and once he/she has some information (or data) for responding to an RFI...he/she can just do it, without having to create a distribution list.

2. Trust circle conditions that have been worked out on advance may include such things as: security level data classifications  (i.e., data markings), confidence intervals (stemming from the reliability and credibility of the source), classifications for the type of information being shared (e.g., situational awareness reports, IoCs, malware artifacts, etc...). Again... if all of this is worked out in advance it saves the analyst time and energy and makes the process more efficient.

3. The size of the membership of an ISAC or ISAO may be such that an email with a large distribution list may be detected as spam ... and filtered out of a recipient's in-box.

4. The Threat Intelligence Platform can be designed to have streamlined interfaces with other network tools so findings from an RFI can be immediately uploaded to a network device (e.g., a Snort snippet).

There are other reasons, as well, I'm sure. These are just a few off the top of my head.

Jane Ginn, MSIA, MRP
Cyber Threat Intelligence Network, Inc.

-------- Original Message --------
From: Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Sent: Friday, October 30, 2015 10:36 AM
To: "Jordan, Bret" <bret.jordan@bluecoat.com>
Subject: Re: [cti-stix] STIX Sightings
CC: Aharon Chernin <achernin@soltra.com>,cti-stix@lists.oasis-open.org,"Jonathan Bush (DTCC)" <jbush@dtcc.com>,Joep Gommers <joep@eclecticiq.com>,Mark Davidson <mdavidson@mitre.org>,Patrick Maroney <Pmaroney@Specere.org>,"Sean D. Barnum" <sbarnum@mitre.org>,Terry MacDonald <terry@soltra.com>,Trey Darley <trey@soltra.com>

So essentially the primary use case is H2H. AKA:

It feels to me like it is a re-invention of Email?

"But they use free form data blobs over email and IM. "

Is the solution to simply use STIX over SMTP?

I am trying to envision what the protocol is here, that makes this data flow work any better than an encrypted email.

Jason Keirstead
Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown

Inactive hide details for "Jordan, Bret" ---2015/10/30 12:49:37 PM---The biggest use case I see is the human to human over STIX"Jordan, Bret" ---2015/10/30 12:49:37 PM---The biggest use case I see is the human to human over STIX and TAXII. We have a large threat resear

From: "Jordan, Bret" <bret.jordan@bluecoat.com>
To: Jason Keirstead/CanEast/IBM@IBMCA
Cc: Aharon Chernin <achernin@soltra.com>, Trey Darley <trey@soltra.com>, Terry MacDonald <terry@soltra.com>, "Sean D. Barnum" <sbarnum@mitre.org>, Patrick Maroney <Pmaroney@Specere.org>, Mark Davidson <mdavidson@mitre.org>, Joep Gommers <joep@eclecticiq.com>, "Jonathan Bush (DTCC)" <jbush@dtcc.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Date: 2015/10/30 12:49 PM
Subject: Re: [cti-stix] STIX Sightings

The biggest use case I see is the human to human over STIX and TAXII. We have a large threat research team and they do this sort of thing every day. But they use free form data blobs over email and IM.

It would be so nice if there was a TAXII server in the sky, amazon cloud or rackspace, that threat researchers could connect to and build micro eco-systems around. Using our TAXII API Base concept we have talked about. Then they could have a heavy client or web client hooked up to some tools. As they document certain things they are finding they could push a button to share or ask your peers if they know something about this.

Obviously some of this is spec related, some is implementation / deployment / process related.



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
[attachment "signature.asc" deleted by Jason Keirstead/CanEast/IBM]

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]