Re: [cti-users] My opinion piece mentioning STIX-TAXII

[SOC <soc@slcsecurity.com>]

I think that STIX/TAXII actually can hurt your cyber defense security.
Hear me out here but there is an inherent problem in telling the
adversary that we know what they are up to. Don't think for a second
that the bad guys are not subscribing to these feeds. How else would
they know to change their binaries to avoid detection or relocate their
C2 servers to reclaim their bots that are not blacklisted because the IP
or domain has shown up in a TAXII feed somewhere or in some other post
or observation.

For this very reason and to collect intelligence on the adversary some
Threat Intel providers (us included) do not rush to publish the
information to the general public. If you subscribe to our service you
get that information immediately but it's marked non releasable even
though 95% of the time somebody forwards it anyway.

Until the people handling the IOC information stop blindly forwarding it
to everybody they know that works in the security realm this will
continue to be a problem.

Just think about it. The good guys play fair but the malicious actors
don't. STIX and TAXII are but tools whereas the real intelligence can be
gathered only if the adversary is unaware that we are watching them. As
soon as they know they are being monitored or they are found out they
change their tactics and go elsewhere (and the search then begins again).

So just another perspective here that I think some of you will find
interesting. I just blogged this today actually and thought I would
share my view on all of these standards that make sharing so easy.

Kevin Wetzel
CEO/Founder
Jigsaw Security Enterprise Inc
www.jigsawsecurityenterprise.com
(919)441-7353

On 9/23/2015 9:20 AM, Kevin Conlan wrote:
> As a student of cybersecurity, with a keen interest in cyber
> intelligence, I really appreciate getting to read such a piece. Great
> insights into important issues, especially with regards to geopolitical
> implications.
> 
> Kevin
> 
> On Sep 23, 2015 4:25 AM, "Bhujang Systems" <bhujang.systems@gmail.com
> <mailto:bhujang.systems@gmail.com>> wrote:
> 
>     Greetings all.
> 
>     Here's an opinion piece of mine for The Tribune: North India's
>     prominent and oldest newspaper.
> 
>     ...wherein I ponder over the future of a blatantly balkanized
>     cyberspace and the structured cyber-intelligence revolution heralded
>     by STIX-TAXII.
> 
>     “The liberal dream of a neutral cyberspace is dead and the foreign
>     threat detectors are conspiratorial and selective.”
> 
>     http://www.tribuneindia.com/news/comment/managing-our-porous-digital-frontlines/135560.html
>