Subject: RE: [cti-stix] Possible solution to conundrum of how to do patterns for Infrastructure and Malware


Jason – I agree with what you are saying. Every day we deal with feeds that are automatically populated from malware sandboxes and honeypots. We have begun a process of identifying the producers of this content, filtering it out from detection, and simply using these sources as additional context (we once saw this come from Feed X). Patterns vs. looking for things directly is not our first problem; it's the lack of context provided by automated content producers. If you have ever received an indicator titled "Scanning port 80 - 32540 times (External Fast Scan)", you will know what I mean. If an indicator producer creates good context about what to look for directly, then all is well with the world.

 

As for patterns, I enjoy them; they allow us to detect more behavioral-type indicators than static ones. There are entire communities that only share patterns today. But, if the context around the pattern is bad, then we are not going to have fun when we detect it.

 

As for the state of the content market: I don't think we will have a day where we have a ton of content producers. This is not because the market is lazy. It's just the nature of the beast. One only needs to look at the past to see what will happen here. Vulnerability management has been around for 20 years? What percentage of world businesses employ a dedicated vulnerability management person? Maybe 1%?

 

Aharon

 

From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Jason Keirstead
Sent: Thursday, May 25, 2017 7:22 AM
To: cti-stix@lists.oasis-open.org
Subject: [cti-stix] Possible solution to conundrum of how to do patterns for Infrastructure and Malware

 

Yesterday a major discussion at the face-to-face was around trying to work out the end-to-end workflow by which the indicators come out of the malware.

I (and it seems several others as well) am concerned that if malware sandboxes automatically start sharing tons of "malware" objects via TAXII, or sensors start producing "infrastructure" objects linked to observations, then software vendors are just going to code their implementations to look for those things directly… indicators will never "show up" because either there is no one to make them, and/or people don't want to do things twice (they don't want to make an Infrastructure object with observations *and* maintain a pattern for those observations and constantly update them both and keep them in sync as they mature) - it is going to be a large headache.

Folks seem to be having this implicit assumption that either (a) humans will make and maintain all of these indicators from the tool output "just because", or (b) vendors will change their tools to output indicators because someone (?) is asking for the indicators. This to me flies in the face of the fact that the market is lazy and always seeks the shortest path to success; if that path is to just write code to directly search and alert on malware and infrastructure observations, then that is what is going to happen… after all, the vast majority of what people share on threat intel feeds are pointers to malware or infrastructure.

The danger is that indicators become not very useful and we end up with somewhat crippled STIX implementations everywhere since no one can look for anything complicated, because they can’t use patterns… we end up with STIX 1.X.

I have been thinking about this problem last night and am wondering if a possible solution is to add an operator to allow patterns to somehow reference STIX objects directly.

I.e., you would have something like

[stix-object:malware-12345-aaaaa-bbbbb-ccccc.sample_metadata[*].hashes."SHA-256" = 'aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f']

This pattern would mean "you want to look for the hashes defined in this specific STIX object".

If we had this, then I think it is an answer to what I think is an obvious problem. This way the actual definition of the object is what is referred to in the indicator. It also makes it much easier to create patterns from malware and infrastructure, and also eliminates the problem of having to constantly sync patterns with these objects.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security

Without data, all you are is just another person with an opinion - Unknown

Aharon Chernin / CEO and Founder
aharon@perchsecurity.com / +1 8133358965

http://www.perchsecurity.com
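As an added example (not code from this thread or from any STIX implementation), here is a small Python resolver for the stix-object reference Jason proposes: it reads the hashes from the referenced Malware object at evaluation time, rewrites the reference into an ordinary STIX observation pattern, and evaluates it against an observed file, so nothing has to be copied into the indicator and kept in sync. The sample object, its sample_metadata property and the placeholder id are constructed/assumed, and the trailing comparison from the proposal is dropped because the referenced object itself supplies the values.

```python
import re

# Constructed sample: a Malware object shaped like the one in the proposal.
# "sample_metadata" is assumed for illustration (not a property of any published STIX release).
MALWARE_ID = "malware-12345-aaaaa-bbbbb-ccccc"   # placeholder id from the proposal
OBJECTS = {MALWARE_ID: {"type": "malware", "id": MALWARE_ID, "sample_metadata": [
    {"hashes": {"SHA-256": "aec070645fe53ee3b3763059376134f058cc337247c978add178b6ccdfb0019f"}},
    {"hashes": {"SHA-256": "0" * 64, "MD5": "d41d8cd98f00b204e9800998ecf8427e"}},
]}}

_REF = re.compile(r"^\[stix-object:([^.\s]+)\.(.+)\]$")
_TOKEN = re.compile(r"'([^']*)'|\"([^\"]*)\"|(\[\*\])|([A-Za-z_][\w-]*)")

def tokenize(path):
    """Split sample_metadata[*].hashes.'SHA-256' into keys and [*] wildcards."""
    return [m.group(1) or m.group(2) or m.group(3) or m.group(4)
            for m in _TOKEN.finditer(path)]

def resolve(node, tokens):
    """Walk a property path over a parsed object, fanning out at [*]."""
    if not tokens:
        return [node]
    head, rest = tokens[0], tokens[1:]
    if head == "[*]":
        items = node if isinstance(node, list) else []
        return [v for item in items for v in resolve(item, rest)]
    if isinstance(node, dict) and head in node:
        return resolve(node[head], rest)
    return []

def lookup(pattern, objects=OBJECTS):
    """Read the referenced object's hashes at evaluation time, so the
    indicator never carries a copy that could drift out of sync."""
    m = _REF.match(pattern.strip())
    if not m or m.group(1) not in objects:
        raise ValueError("unknown or malformed stix-object reference")
    tokens = tokenize(m.group(2))
    if len(tokens) < 2 or tokens[-2] != "hashes":
        raise ValueError("only hashes.<algorithm> paths are mapped here")
    return tokens[-1], resolve(objects[m.group(1)], tokens)

def expand(pattern, objects=OBJECTS):
    """Rewrite the reference as an ordinary STIX observation pattern."""
    algo, values = lookup(pattern, objects)
    return " OR ".join(f"[file:hashes.'{algo}' = '{v}']" for v in values)

def matches(pattern, observed_file, objects=OBJECTS):
    """Evaluate the reference against one observed file ({'hashes': {...}})."""
    algo, values = lookup(pattern, objects)
    return observed_file.get("hashes", {}).get(algo) in set(values)
```

The MD5 path shows the wildcard skipping samples that lack that hash, and an unknown object id raises instead of silently matching nothing.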