cti-taxii message

Subject: Re: [cti-taxii] Questioning the wisdom of using DNS SRV records for TAXII 2.0 Discovery


On 30.10.2015 21:59:46, Patrick Maroney wrote:
> 
> In my experience of directly observing APT and increasingly
> dangerous asymmetric warfare cyber-adversaries: Anyone who stands up
> a public facing TAXII Gateway which globally exposes any level of
> sensitive intelligence longer than what is minimally required to
> securely transit any such externally facing/exposed gateway,
> deserves the same societal condemnation as those who are similarly
> exposing critical infrastructure Industrial Control Systems, Power
> Grid, Chemical Plants, Refineries, Water Treatment, Communications
> Infrastructure, PII Data, etc. Have we learned nothing?
> 

Hear, hear, Pat! Couldn't agree more! :-)

> 
> There is nothing wrong (in my view) with providing the means to find
> resources globally, provided said resources have the hardened
> security infrastructure commensurate with the level of sensitivity
> of the information and services they provide. Also, to the points
> made by others, for the reasons alluded to above, there will be
> environments where there are physical air-gaps between participants.
> The CTI standards need to be agnostic in this regard and not presume
> TAXII Gateways will serve universally as transport for STIX
> Packages.
> 

I've worked in air-gapped environments, have experience architecting
and implementing cross-domain solutions, and am well aware of the
challenges posed by the higher confidentiality requirements some face.
Every classified environment is governed by different data-handling
policies. For sure, somewhere in the world are some poor folks reduced
to exchanging STIX files burned on CD-ROMs inside of a SCIF. We need
to bear those folks in mind but since there's so much policy variance
between classified environments, we can't completely solve these sorts
of challenges at the OASIS standards body level.

There are ongoing discussions around how to make CTI work across, for
example, one-way data diodes. These types of environments represent
*extremely important* edge cases but I would argue that for OASIS
purposes they are *nevertheless* edge cases.

If the W3C had got stuck trying to figure out how to make the web work
in air-gapped environments, there would be no web today. Metcalfe's Law
[0] is a thing. The web gained traction in the open internet, the
secret squirrel folks saw the value, and vendors created appropriate
point solutions to adapt the web to air-gapped environments. Apologies
to Tony for over-simplifying history, but I think the metaphor is
nonetheless valid.

(One upside to your typical classified environment is that there are
point solutions to address a lot of the cross-domain architectural
challenges *and* there's typically an above-average budget for
infosec.)

[0]: Value of a network is proportional to the square of the number of
     participants in said network.

-- 
Cheers,
Trey
--
Trey Darley
Senior Security Engineer
4DAA 0A88 34BC 27C9 FD2B  A97E D3C6 5C74 0FB7 E430
Soltra | An FS-ISAC & DTCC Company
www.soltra.com
--
"Every networking problem always takes longer to solve than it seems
like it should." --RFC 1925
