I think that STIX/TAXII actually can hurt your cyber defense security.
Hear me out here, but there is an inherent problem in telling the
adversary that we know what they are up to. Don't think for a second
that the bad guys are not subscribing to these feeds. How else would
they know to change their binaries to avoid detection, or relocate their
C2 servers to reclaim the bots that are not blacklisted, because the IP
or domain has shown up in a TAXII feed somewhere or in some other post
or observation?
For this very reason, and to collect intelligence on the adversary, some
Threat Intel providers (us included) do not rush to publish the
information to the general public. If you subscribe to our service you
get that information immediately, but it's marked non-releasable, even
though 95% of the time somebody forwards it anyway.
Until the people handling the IOC information stop blindly forwarding it
to everybody they know who works in the security realm, this will
continue to be a problem.
Just think about it. The good guys play fair but the malicious actors
don't. STIX and TAXII are but tools, whereas the real intelligence can be
gathered only if the adversary is unaware that we are watching them. As
soon as they know they are being monitored, or they are found out, they
change their tactics and go elsewhere (and the search then begins again).
So, just another perspective here that I think some of you will find
interesting. I just blogged this today, actually, and thought I would
share my view on all of these standards that make sharing so easy.
Kevin Wetzel
CEO/Founder
Jigsaw Security Enterprise Inc
www.jigsawsecurityenterprise.com
(919) 441-7353
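The handling problem described in the post above, IOCs marked non-releasable being forwarded to anyone in the security realm, is one a relay can enforce mechanically instead of by trust. The following is an added example, not code from the original post or from Jigsaw Security: a Python filter that cuts a STIX 2.1 bundle down to the objects whose TLP markings permit release to a given audience, failing closed on unmarked objects, on marking references the bundle cannot resolve, and on objects carrying granular markings (which may mark individual fields more restrictively than the object). The bundle, the indicator IDs, the patterns and the audience names are constructed for this example; the four TLP marking-definition IDs are the fixed ones from the STIX 2.1 specification (the 2015 thread predates STIX 2, whose XML predecessor expressed markings differently).

```python
"""Release-filter a STIX 2.1 bundle according to TLP markings (added example)."""
import json
from typing import Dict, List, Set, Tuple

# Fixed TLP marking-definition IDs from the STIX 2.1 specification.
TLP_WHITE = "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
TLP_GREEN = "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"
TLP_AMBER = "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"
TLP_RED = "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed"

# Audiences each TLP colour may be released to (audience names are ours).
TLP_AUDIENCE: Dict[str, Set[str]] = {
    "white": {"public", "community", "own-org", "named-recipients"},
    "green": {"community", "own-org", "named-recipients"},
    "amber": {"own-org", "named-recipients"},
    "red": {"named-recipients"},
}


def _tlp(full_id: str, colour: str) -> dict:
    """Build the TLP marking-definition object for one colour."""
    return {"type": "marking-definition", "spec_version": "2.1", "id": full_id,
            "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp",
            "name": f"TLP:{colour.upper()}", "definition": {"tlp": colour}}


def _indicator(n: str, name: str, pattern: str, **extra) -> dict:
    """Build a minimal indicator; the UUID is constructed from digit n."""
    obj = {"type": "indicator", "spec_version": "2.1",
           "id": f"indicator--{n * 8}-{n * 4}-4{n * 3}-8{n * 3}-{n * 12}",
           "created": "2015-09-23T09:00:00.000Z",
           "modified": "2015-09-23T09:00:00.000Z", "name": name,
           "pattern": pattern, "pattern_type": "stix",
           "valid_from": "2015-09-23T09:00:00Z"}
    obj.update(extra)
    return obj


# Constructed sample bundle: one object per handling case the filter must get right.
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--0a0a0a0a-0a0a-4a0a-8a0a-0a0a0a0a0a0a",
    "objects": [
        _tlp(TLP_WHITE, "white"), _tlp(TLP_GREEN, "green"),
        _tlp(TLP_AMBER, "amber"), _tlp(TLP_RED, "red"),
        _indicator("1", "Published blocklist entry",
                   "[ipv4-addr:value = '203.0.113.10']",
                   object_marking_refs=[TLP_WHITE]),
        _indicator("2", "C2 domain under quiet monitoring",
                   "[domain-name:value = 'c2.example.net']",
                   object_marking_refs=[TLP_RED]),
        _indicator("3", "Forwarded without any marking",
                   "[ipv4-addr:value = '198.51.100.7']"),
        _indicator("4", "Marking ref not in this bundle",
                   "[url:value = 'http://example.org/x']",
                   object_marking_refs=[
                       "marking-definition--99999999-9999-4999-8999-999999999999"]),
        _indicator("5", "Green object with a red field",
                   "[ipv4-addr:value = '192.0.2.44']",
                   object_marking_refs=[TLP_GREEN],
                   granular_markings=[{"marking_ref": TLP_RED,
                                       "selectors": ["pattern"]}]),
    ],
}


def tlp_index(bundle: dict) -> Dict[str, str]:
    """Map marking-definition IDs to TLP colours using the bundle's own objects."""
    return {o["id"]: o["definition"]["tlp"] for o in bundle["objects"]
            if o["type"] == "marking-definition"
            and o.get("definition_type") == "tlp"}


def is_releasable(obj: dict, audience: str, index: Dict[str, str]) -> bool:
    """Fail closed: unmarked, granularly marked or unresolvable markings are withheld."""
    refs = obj.get("object_marking_refs", [])
    if not refs or obj.get("granular_markings"):
        return False
    return all(audience in TLP_AUDIENCE.get(index.get(ref), set()) for ref in refs)


def release_bundle(bundle: dict, audience: str) -> Tuple[dict, List[str]]:
    """Return (bundle safe for `audience`, IDs of withheld objects)."""
    index = tlp_index(bundle)
    released, withheld = [], []
    for obj in bundle["objects"]:
        if obj["type"] == "marking-definition":
            continue  # re-added below, but only those the released objects use
        (released if is_releasable(obj, audience, index) else withheld).append(obj)
    needed = {ref for o in released for ref in o["object_marking_refs"]}
    markings = [o for o in bundle["objects"]
                if o["type"] == "marking-definition" and o["id"] in needed]
    out = {"type": "bundle", "id": bundle["id"], "objects": markings + released}
    return out, [o["id"] for o in withheld]


def released_names(bundle: dict, audience: str) -> List[str]:
    """Names of the non-marking objects that survive filtering for `audience`."""
    out, _ = release_bundle(bundle, audience)
    return [o["name"] for o in out["objects"] if o["type"] != "marking-definition"]


if __name__ == "__main__":
    for aud in ("public", "community", "named-recipients"):
        out, held = release_bundle(SAMPLE_BUNDLE, aud)
        print(aud, "->", json.dumps(released_names(SAMPLE_BUNDLE, aud)), "withheld:", len(held))
```

The filter resolves markings from the bundle rather than from a hard-coded list, so a feed that ships its own marking definitions is handled the same way, and anything it cannot classify is withheld rather than passed on. A real relay would also want to log the withheld IDs, since an object that keeps being dropped for lacking a marking is exactly the kind of IOC that gets forwarded by hand.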
On 9/23/2015 9:20 AM, Kevin Conlan wrote:
As a student of cybersecurity, with a keen interest in cyber
intelligence, I really appreciate getting to read such a piece. Great
insights into important issues, especially with regards to geopolitical
implications.
Kevin
On Sep 23, 2015 4:25 AM, "Bhujang Systems" <bhujang.systems@gmail.com> wrote:
Greetings all.
Here's an opinion piece of mine for The Tribune: North India's
prominent and oldest newspaper.
...wherein I ponder over the future of a blatantly balkanized
cyberspace and the structured cyber-intelligence revolution heralded
by STIX-TAXII.
“The liberal dream of a neutral cyberspace is dead and the foreign
threat detectors are conspiratorial and selective.”
http://www.tribuneindia.com/news/comment/managing-our-porous-digital-frontlines/135560.html
This publicly archived list provides a forum for asking questions,
offering answers, and discussing topics of interest on STIX,
TAXII, and CybOX. Users and developers of solutions that leverage
STIX, TAXII and CybOX are invited to participate.
In order to verify user consent to OASIS mailing list guidelines
and to minimize spam in the list archive, subscription is required
before posting.
Subscribe: cti-users-subscribe@lists.oasis-open.org
Unsubscribe: cti-users-unsubscribe@lists.oasis-open.org
Post: cti-users@lists.oasis-open.org
List help: cti-users-help@lists.oasis-open.org
List archive: http://lists.oasis-open.org/archives/cti-users/
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
CTI Technical Committee: https://www.oasis-open.org/committees/cti/
Join OASIS: http://www.oasis-open.org/join/