cti-users message



Subject: RE: [cti-users] My opinion piece mentioning STIX-TAXII


Kevin,

This is a perspective I've heard expressed over the past few years and while I am sympathetic to the viewpoint I think there are some other factors at play.  First I'll point out that your point is really independent of STIX/TAXII.  Any cyber threat intelligence sharing network can and will exhibit some of the issues you raise.  But onto the points you make.

The existence of tools to facilitate CTI sharing doesn't necessarily imply that we then all use those tools to share everything with everyone.  I think if you look at the various sharing communities out there, you will find numerous trust communities, some large, some small and the information that is shared within each likely differs.  I think your point is that once a sharing community gets sufficiently large, the probability of various adversaries gaining access to that intelligence begins to be an issue - this is true.  That is why the most sensitive information is often shared only in the most tightly-controlled trust communities.  However, it is also important to remember that one of the things that automated CTI exchange is trying to do is to change the economics for the adversary.  If we can efficiently share actionable indicators in near-real-time and automate their implementation, then we may force the adversary to have to constantly adapt because the half-life of their tools and infrastructure becomes very short.   I would argue that this is better than the current state of affairs when organizations routinely get owned using exploits or infrastructure that have been known for years.  Finally, there is nothing about automated CTI exchange that requires anything to be pushed to the "general public".  

Thanks for sharing your perspective and let's keep the conversation going.  In the end I think that this isn't about the existence of standards for automated sharing of CTI, it's really about how we choose to use them.

Regards,
Rich

Richard J. Struse 
Chair, OASIS Cyber Threat Intelligence (CTI) Technical Committee

Chief Advanced Technology Officer
National Cybersecurity and Communications Integration Center (NCCIC) and
Stakeholder Engagement and Cyber Infrastructure Resiliency (SECIR)
Cyber Security & Communications
U.S. Department of Homeland Security

e-mail:  Richard.Struse@dhs.gov
Phone:  202-527-2361



-----Original Message-----
From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of SOC
Sent: Wednesday, September 23, 2015 9:53 PM
To: Kevin Conlan; Bhujang Systems
Cc: cti-users@lists.oasis-open.org
Subject: Re: [cti-users] My opinion piece mentioning STIX-TAXII

I think that STIX/TAXII actually can hurt your cyber defense security.
Hear me out here, but there is an inherent problem in telling the adversary that we know what they are up to. Don't think for a second that the bad guys are not subscribing to these feeds. How else would they know to change their binaries to avoid detection or relocate their C2 servers to reclaim their bots that are not blacklisted because the IP or domain has shown up in a TAXII feed somewhere or in some other post or observation?

For this very reason, and to collect intelligence on the adversary, some Threat Intel providers (us included) do not rush to publish the information to the general public. If you subscribe to our service you get that information immediately, but it's marked non-releasable even though 95% of the time somebody forwards it anyway.

Until the people handling the IOC information stop blindly forwarding it to everybody they know that works in the security realm this will continue to be a problem.

Just think about it. The good guys play fair but the malicious actors don't. STIX and TAXII are but tools whereas the real intelligence can be gathered only if the adversary is unaware that we are watching them. As soon as they know they are being monitored or they are found out they change their tactics and go elsewhere (and the search then begins again).

So just another perspective here that I think some of you will find interesting. I just blogged this today actually and thought I would share my view on all of these standards that make sharing so easy.

Kevin Wetzel
CEO/Founder
Jigsaw Security Enterprise Inc
www.jigsawsecurityenterprise.com
(919)441-7353

On 9/23/2015 9:20 AM, Kevin Conlan wrote:
> As a student of cybersecurity, with a keen interest in cyber 
> intelligence, I really appreciate getting to read such a piece. Great 
> insights into important issues, especially with regards to 
> geopolitical implications.
> 
> Kevin
> 
> On Sep 23, 2015 4:25 AM, "Bhujang Systems" <bhujang.systems@gmail.com 
> <mailto:bhujang.systems@gmail.com>> wrote:
> 
>     Greetings all.
> 
>     Here's an opinion piece of mine for The Tribune: North India's
>     prominent and oldest newspaper.
> 
>     ...wherein I ponder over the future of a blatantly balkanized
>     cyberspace and the structured cyber-intelligence revolution heralded
>     by STIX-TAXII.
> 
>     “The liberal dream of a neutral cyberspace is dead and the foreign
>     threat detectors are conspiratorial and selective.”
> 
>     http://www.tribuneindia.com/news/comment/managing-our-porous-digital-frontlines/135560.html
> 

This publicly archived list provides a forum for asking questions, offering answers, and discussing topics of interest on STIX, TAXII, and CybOX. Users and developers of solutions that leverage STIX, TAXII and CybOX are invited to participate. In order to verify user consent to OASIS mailing list guidelines and to minimize spam in the list archive, subscription is required before posting.

Subscribe: cti-users-subscribe@lists.oasis-open.org
Unsubscribe: cti-users-unsubscribe@lists.oasis-open.org
Post: cti-users@lists.oasis-open.org
List help: cti-users-help@lists.oasis-open.org
List archive: http://lists.oasis-open.org/archives/cti-users/
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
CTI Technical Committee: https://www.oasis-open.org/committees/cti/
Join OASIS: http://www.oasis-open.org/join/



