Subject: Re: [cti-users] Re: [cti-cybox] STIX 2.1 Cyber Observable Proposal - Credential Dump Object


I understand the wariness of people with this, but the fact is that a lot of this information is already being shared within trust groups. Not every country in the world restricts the sharing of this sort of information for remediation purposes, and so we need to think of the world community rather than concentrating on restrictions in some of the countries in the globe.

The issue here is IMHO an implementation-level problem, i.e. that implementations from vendors need to be able to ignore Credential Dump information (or encrypt it, or obfuscate it) if their customers require them to. This is at a different level from us adding support for a Credential Dump object within STIX. I believe we need to provide the ability for organizations within jurisdictions that allow the sharing of credential information for remediation purposes to actually transmit and receive this kind of information so that the good guys and gals can be effective in their responses to intrusions. We need to be able to work as a group to provide this sort of information back as quickly as possible to the organizations that have been breached so that they can respond to the issue and minimize the damage to them and their customers.

Cheers
Terry MacDonald
Cosive

On 16 January 2017 at 05:32, Jason Keirstead <Jason.Keirstead@ca.ibm.com> wrote:
It's worth investigating most certainly; but I agree with Brett that we have to tread carefully.

As an example of why this is dangerous: downloading credential dumps (which normally house PII) is essentially illegal for organizations in many countries with strong privacy laws (example, Canada), and even when it is not illegal it is often blocked by policy (sites blocked by their proxy firewalls) in many large organizations for fear of legal repercussions. Therefore, if any given TAXII feed has the potential to house credential dumps, then it might lock people out of that TAXII server, unless they have some way to easily filter them out of their view (which we don't have right now in TAXII).

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown




From:        Terry MacDonald <terry.macdonald@gmail.com>
To:        Bret Jordan <Bret_Jordan@symantec.com>
Cc:        cti-cybox@lists.oasis-open.org, cti-stix@lists.oasis-open.org, Terry MacDonald <terry.macdonald@cosive.com>, "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Date:        01/14/2017 03:25 PM
Subject:        Re: [cti-users] Re: [cti-cybox] STIX 2.1 Cyber Observable Proposal - Credential Dump Object
Sent by:        <cti-users@lists.oasis-open.org>




I'm not sure how this could derail everything, as this information is already shared via trust group mailing lists. Surely people would already be assured of our was that dangerous?

It's also important to realise that sharing happens outside of the US legal system, and the rules in other countries may allow for credential dump sharing in situations the US does not.

It's at least worth investigating further IMHO...

Cheers
Terry MacDonald
Cosive

On 14 Jan. 2017 15:56, "Bret Jordan" <Bret_Jordan@symantec.com> wrote:
I really worry about this. CTI is already a concern for privacy groups. I know we need to figure this out, but I would like to make sure our ship sails and we get positive news/feedback before we try and do something like this. We just need to be super careful, something like this could derail the entire effort before it actually takes off.

Bret



From: cti-cybox@lists.oasis-open.org <cti-cybox@lists.oasis-open.org> on behalf of Terry MacDonald <terry.macdonald@cosive.com>
Sent: Thursday, January 5, 2017 1:51:29 AM
To: OASIS CTI TC CybOX SC list; cti-stix@lists.oasis-open.org; cti-users@lists.oasis-open.org
Subject: [cti-cybox] STIX 2.1 Cyber Observable Proposal - Credential Dump Object

Hi All,

In the spirit of gift giving at this time of year, I have yet another proposal to offer the group for discussion at the upcoming F2F...

2.7. Credential Dump Object
Type Name: credential-dump
The Credential Dump Object represents a credential dump containing username and password information that attackers have gained access to and dumped somewhere on the web in public or traded for money. It is primarily to enable the sharing of credential dump information to allow the remediation of affected users.

If you wish to comment, please do so as a reply to this email, or leave a comment on the Google Doc here: https://docs.google.com/document/d/1u9z0XB6A-0q5CZnC9rx0rGfRJpP5u6jS1sio6w1OrJ0/edit?usp=sharing

PDF version attached for those who prefer those.....

Cheers

Terry MacDonald | Chief Product Officer



M: +64 211 918 814
E: terry.macdonald@cosive.com
W: www.cosive.com
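Terry's point above is that handling of credential-dump objects belongs at the implementation level: a consumer in a restrictive jurisdiction should be able to drop or redact them while still taking the rest of a feed. The following is an added illustration, not code from the proposal or from any of the participants; it assumes only the `credential-dump` type name from the proposal, and the `credentials` property with `username`/`password` entries in the sample is a hypothetical shape constructed here, since the proposal text on this page does not list the object's properties.

```python
"""Per-consumer policy filter for a STIX 2.1 bundle that may carry credential-dump objects."""
import copy
import hashlib

CREDENTIAL_DUMP_TYPE = "credential-dump"  # type name from the proposal

# Constructed sample bundle: one ordinary indicator plus one credential-dump object.
# The 'credentials' property and its fields are assumed for illustration only.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern": "[domain-name:value = 'example.invalid']", "pattern_type": "stix",
         "valid_from": "2017-01-05T00:00:00Z"},
        {"type": CREDENTIAL_DUMP_TYPE, "spec_version": "2.1",
         "id": "credential-dump--00000000-0000-4000-8000-000000000003",
         "credentials": [{"username": "alice@example.invalid", "password": "hunter2"}]},
    ],
}


def _redact(secret: str) -> str:
    """Replace a password with a truncated SHA-256 so it stays correlatable but unusable."""
    return "sha256:" + hashlib.sha256(secret.encode("utf-8")).hexdigest()[:16]


def apply_credential_policy(bundle: dict, mode: str) -> dict:
    """Return a new bundle with credential-dump objects passed, dropped or redacted.

    mode: 'pass'   - forward everything unchanged (permissive jurisdiction)
          'drop'   - omit credential-dump objects entirely
          'redact' - keep them but hash passwords and flag the object as redacted
    The input bundle is never modified.
    """
    if mode not in ("pass", "drop", "redact"):
        raise ValueError(f"unknown policy mode {mode!r}")
    out = copy.deepcopy(bundle)
    kept = []
    for obj in out.get("objects", []):
        if obj.get("type") != CREDENTIAL_DUMP_TYPE or mode == "pass":
            kept.append(obj)
        elif mode == "redact":
            for cred in obj.get("credentials", []):
                if "password" in cred:
                    cred["password"] = _redact(cred["password"])
            obj["x_redacted"] = True  # custom property, using the STIX 'x_' prefix convention
            kept.append(obj)
        # mode == 'drop': the credential-dump object is simply not carried over
    out["objects"] = kept
    return out
```

In a TAXII client this would sit between the collection fetch and local storage, keyed off the consumer's jurisdiction rather than the producer's.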