OASIS Mailing List Archives
cti-users message



Subject: Re: [cti-users] My opinion piece mentioning STIX-TAXII


Not to mention that (although it is one of the biggest use-cases) it doesn't even have to involve sharing information with other parties at all; it can just as well be used to share information between your own tools / devices.

Best regards,
Andras

On Thu, Sep 24, 2015 at 9:18 AM, Christophe Vandeplas <christophe@vandeplas.com> wrote:
Richard,


I don't have much to add to what you say, except that I fully agree
with your explanation.
Often people simplify the information sharing discussion to something
black or white, mixing everything together.

However, there is a clear distinction between tools/formats and the data itself.

The tools and formats are only a technique to carry the information
from one place to another (and make our life easier in automating it).
They are not there to tell us with whom we need to share our info, and
definitely not to tell us that we need to share all our information in
public (TLP:White).

Kind regards
Christophe
(the creator of MISP)



On 24 September 2015 at 04:12, Struse, Richard
<Richard.Struse@hq.dhs.gov> wrote:
> Kevin,
>
> This is a perspective I've heard expressed over the past few years and, while I am sympathetic to the viewpoint, I think there are some other factors at play.  First, I'll point out that your point is really independent of STIX/TAXII.  Any cyber threat intelligence sharing network can and will exhibit some of the issues you raise.  But on to the points you make.
>
> The existence of tools to facilitate CTI sharing doesn't necessarily imply that we then all use those tools to share everything with everyone.  I think if you look at the various sharing communities out there, you will find numerous trust communities, some large, some small and the information that is shared within each likely differs.  I think your point is that once a sharing community gets sufficiently large, the probability of various adversaries gaining access to that intelligence begins to be an issue - this is true.  That is why the most sensitive information is often shared only in the most tightly-controlled trust communities.  However, it is also important to remember that one of the things that automated CTI exchange is trying to do is to change the economics for the adversary.  If we can efficiently share actionable indicators in near-real-time and automate their implementation, then we may force the adversary to have to constantly adapt because the half-life of their tools and infrastructure becomes very short.   I would argue that this is better than the current state of affairs when organizations routinely get owned using exploits or infrastructure that have been known for years.  Finally, there is nothing about automated CTI exchange that requires anything to be pushed to the "general public".
>
> Thanks for sharing your perspective and let's keep the conversation going.  In the end I think that this isn't about the existence of standards for automated sharing of CTI, it's really about how we choose to use them.
>
> Regards,
> Rich
>
> Richard J. Struse
> Chair, OASIS Cyber Threat Intelligence (CTI) Technical Committee
>
> Chief Advanced Technology Officer
> National Cybersecurity and Communications Integration Center (NCCIC) and
> Stakeholder Engagement and Cyber Infrastructure Resiliency (SECIR)
> Cyber Security & Communications
> U.S. Department of Homeland Security
>
> e-mail:  Richard.Struse@dhs.gov
> Phone:  202-527-2361
>
>
>
> -----Original Message-----
> From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of SOC
> Sent: Wednesday, September 23, 2015 9:53 PM
> To: Kevin Conlan; Bhujang Systems
> Cc: cti-users@lists.oasis-open.org
> Subject: Re: [cti-users] My opinion piece mentioning STIX-TAXII
>
> I think that STIX/TAXII actually can hurt your cyber defense security.
> Hear me out here, but there is an inherent problem in telling the adversary that we know what they are up to. Don't think for a second that the bad guys are not subscribing to these feeds. How else would they know to change their binaries to avoid detection, or relocate their C2 servers to reclaim their bots that are not blacklisted, because the IP or domain has shown up in a TAXII feed somewhere or in some other post or observation?
>
> For this very reason, and to collect intelligence on the adversary, some Threat Intel providers (us included) do not rush to publish the information to the general public. If you subscribe to our service you get that information immediately, but it's marked non-releasable, even though 95% of the time somebody forwards it anyway.
>
> Until the people handling the IOC information stop blindly forwarding it to everybody they know that works in the security realm, this will continue to be a problem.
>
> Just think about it. The good guys play fair but the malicious actors don't. STIX and TAXII are but tools whereas the real intelligence can be gathered only if the adversary is unaware that we are watching them. As soon as they know they are being monitored or they are found out they change their tactics and go elsewhere (and the search then begins again).
>
> So just another perspective here that I think some of you will find interesting. I just blogged this today actually and thought I would share my view on all of these standards that make sharing so easy.
>
> Kevin Wetzel
> CEO/Founder
> Jigsaw Security Enterprise Inc
> www.jigsawsecurityenterprise.com
> (919)441-7353
>
> On 9/23/2015 9:20 AM, Kevin Conlan wrote:
>> As a student of cybersecurity, with a keen interest in cyber
>> intelligence, I really appreciate getting to read such a piece. Great
>> insights into important issues, especially with regards to
>> geopolitical implications.
>>
>> Kevin
>>
>> On Sep 23, 2015 4:25 AM, "Bhujang Systems" <bhujang.systems@gmail.com
>> <mailto:bhujang.systems@gmail.com>> wrote:
>>
>>     Greetings all.
>>
>>     Here's an opinion piece of mine for The Tribune: North India's
>>     prominent and oldest newspaper.
>>
>>     ...wherein I ponder over the future of a blatantly balkanized
>>     cyberspace and the structured cyber-intelligence revolution heralded
>>     by STIX-TAXII.
>>
>>     “The liberal dream of a neutral cyberspace is dead and the foreign
>>     threat detectors are conspiratorial and selective.”
>>
>>
>> http://www.tribuneindia.com/news/comment/managing-our-porous-digital-frontlines/135560.html
>>
>
> This publicly archived list provides a forum for asking questions, offering answers, and discussing topics of interest on STIX, TAXII, and CybOX.  Users and developers of solutions that leverage STIX, TAXII and CybOX are invited to participate. In order to verify user consent to OASIS mailing list guidelines and to minimize spam in the list archive, subscription is required before posting.
> Subscribe: cti-users-subscribe@lists.oasis-open.org
> Unsubscribe: cti-users-unsubscribe@lists.oasis-open.org
> Post: cti-users@lists.oasis-open.org
> List help: cti-users-help@lists.oasis-open.org
> List archive: http://lists.oasis-open.org/archives/cti-users/
> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> CTI Technical Committee: https://www.oasis-open.org/committees/cti/
> Join OASIS: http://www.oasis-open.org/join/
>
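The thread's technical point, stated by Christophe (the format only carries the information and its marking; the operator decides with whom to share, and nothing forces TLP:White) and by Rich (nothing about automated CTI exchange requires pushing anything to the general public), can be enforced by the publishing tool instead of being left to whoever forwards a feed. What follows is an added example, not code from the thread, from MISP, or from any STIX/TAXII implementation: a release gate in Python that reads the TLP marking-definition objects carried inside a STIX 2.1 JSON bundle (a later format than the STIX 1.x XML that was current when this thread was written), resolves each object's object_marking_refs to its most restrictive level, and drops anything above the cap assigned to the target TAXII collection, refusing unmarked objects outright. The collection names, their TLP caps, the marking ids, the indicators and the timestamps are all constructed for this example; STIX 2.1 also defines fixed ids for the TLP markings, but the example builds its own marking objects so that it stands alone.

```python
# Added example (not from the thread, MISP, or any STIX/TAXII project): a TLP
# release gate applied to a STIX 2.1 bundle before it is pushed to a TAXII
# collection. Every collection name, cap, id and indicator below is constructed.

# TLP levels from least to most restrictive.
TLP_RANK = {"white": 0, "green": 1, "amber": 2, "red": 3}

# Assumed sharing policy (the operator's decision, not the format's): the most
# restrictive TLP each collection may receive.
COLLECTION_POLICY = {
    "public-feed": "white",        # anyone may subscribe, so TLP:WHITE only
    "isac-members": "amber",       # vetted members of one trust community
    "core-trust-group": "red",     # the tightly controlled inner circle
}

# Constructed marking-definition ids (STIX 2.1 has well-known ones; these are made up).
M_WHITE = "marking-definition--cc000000-0000-4000-8000-000000000001"
M_AMBER = "marking-definition--cc000000-0000-4000-8000-000000000002"
M_RED = "marking-definition--cc000000-0000-4000-8000-000000000003"
STAMP = "2015-09-24T00:00:00.000Z"  # constructed timestamp


def marking(mid, level):
    """Build a STIX 2.1 TLP marking-definition object."""
    return {"type": "marking-definition", "spec_version": "2.1", "id": mid,
            "created": STAMP, "definition_type": "tlp",
            "name": "TLP:" + level.upper(), "definition": {"tlp": level}}


def indicator(num, pattern, refs=None):
    """Build a minimal STIX 2.1 indicator; refs is the object_marking_refs list."""
    obj = {"type": "indicator", "spec_version": "2.1",
           "id": "indicator--aa000000-0000-4000-8000-%012d" % num,
           "created": STAMP, "modified": STAMP, "valid_from": STAMP,
           "pattern_type": "stix", "pattern": pattern}
    if refs is not None:
        obj["object_marking_refs"] = refs
    return obj


# Constructed bundle: marked and unmarked indicators of varying sensitivity.
BUNDLE = {
    "type": "bundle", "id": "bundle--bb000000-0000-4000-8000-000000000001",
    "objects": [
        marking(M_WHITE, "white"), marking(M_AMBER, "amber"), marking(M_RED, "red"),
        indicator(1, "[domain-name:value = 'phish.example']", [M_WHITE]),
        indicator(2, "[ipv4-addr:value = '198.51.100.7']", [M_AMBER]),  # live C2
        indicator(3, "[file:name = 'dropper.exe']", [M_RED]),
        indicator(4, "[url:value = 'http://198.51.100.7/gate.php']"),  # nobody marked it
        indicator(5, "[domain-name:value = 'c2.example']", [M_WHITE, M_AMBER]),
    ],
}


def tlp_index(bundle):
    """Map every TLP marking-definition id carried in the bundle to its level."""
    return {o["id"]: o["definition"]["tlp"].lower()
            for o in bundle.get("objects", [])
            if o.get("type") == "marking-definition" and o.get("definition_type") == "tlp"}


def object_tlp(obj, idx):
    """Most restrictive TLP level applied to obj through object_marking_refs.
    Returns None (not releasable anywhere) when the object is unmarked or
    references a marking the bundle does not define: fail closed, never open."""
    refs = obj.get("object_marking_refs") or []
    if not refs or any(r not in idx for r in refs):
        return None
    return max((idx[r] for r in refs), key=lambda level: TLP_RANK[level])


def releasable(bundle, collection):
    """Split a bundle into (allowed_bundle, rejected) for one collection.
    allowed_bundle keeps only objects at or below the collection's TLP cap plus
    the marking-definitions they reference, so the handling caveat travels with
    the data; rejected lists (object id, level) for everything held back."""
    cap = TLP_RANK[COLLECTION_POLICY[collection]]
    idx = tlp_index(bundle)
    kept, rejected, needed = [], [], set()
    for obj in bundle.get("objects", []):
        if obj.get("type") == "marking-definition":
            continue
        level = object_tlp(obj, idx)
        if level is None or TLP_RANK[level] > cap:
            rejected.append((obj["id"], level))
            continue
        kept.append(obj)
        needed.update(obj["object_marking_refs"])
    defs = [o for o in bundle["objects"]
            if o.get("type") == "marking-definition" and o["id"] in needed]
    return {"type": "bundle", "id": bundle["id"], "objects": defs + kept}, rejected


def indicator_ids(bundle):
    """Ids of the indicators in a bundle, in bundle order."""
    return [o["id"] for o in bundle["objects"] if o["type"] == "indicator"]


if __name__ == "__main__":
    for coll in COLLECTION_POLICY:
        allowed, held = releasable(BUNDLE, coll)
        # json.dumps(allowed) would be the body POSTed to that TAXII collection
        print(coll, "receives", indicator_ids(allowed), "held back:", held)
```

The unmarked URL indicator never leaves the gate, which is the deliberate choice: an object with no marking is the one most likely to be "blindly forwarded", so the tool treats missing handling instructions as a reason to hold, not to publish. The same function applied per collection is how one bundle feeds a public collection, an ISAC's members and a small trust group without anyone deciding by hand what is safe to push where.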
