cti-users message


Subject: RE: [cti-users] My opinion piece mentioning STIX-TAXII


Bret and Richard’s replies were very diplomatic and well stated.  I am going another direction because your assertion that sharing data about threats somehow gives the bad guys an advantage is ludicrous and, I think, extremely short-sighted.  Never mind all of the people you could have helped by sharing the information about a threat and how to mitigate it or defend against it; instead you are using the unaware public as pawns in your imaginary game of chess with the APTs of the world.

Yes, there will be an arms race, but publishing intelligence protects people from the script kiddies of the world.  Yes, the big-time legitimate hackers will be watching; you must always assume they are, and I hate to break it to you, but even if you don’t publish it, they are aware enough to see that their IPs aren’t working, etc., and will shift their tactics anyway.

The FBI has an issue with their InfraGard program where big corporations don’t want to share the details of how their network was breached, because then their competitors would know they’d been hacked.

We as security professionals need the intelligence in order to make decisions and act quickly to counter new threats.  I can understand vendors and software companies holding onto a vulnerability’s details until they have worked out a way to fix it, or have fixed it, but withholding attack details in hopes that you can catch the hackers, while they are allowed to wreak havoc and cost people their livelihoods, sounds a lot like you are using them as guinea pigs.

We are under attack.  It isn’t just evil nerds anymore, now we have state sponsored attacks taking place.  Security through obscurity is not a viable tactic.  Sharing the information will allow others to develop defenses and influence software development by security conscious companies.  Withholding the information causes more people to get hacked and lose money, jobs, intellectual property and weakens the nation they live in as a whole.

I know that many of us here do hard work to discover threat intel and we should be paid for that hard work.  I am not saying that you should give it all away for free yet.  I think that corporations and the government should introduce bounty programs to reward researchers for their work.

Take what I say with a grain of salt; I don’t get paid to research these attacks, just to defend against them, so I am biased in regards to the availability of intel.  I admit that.  I think that your stance is a necessary one as far as getting paid for researching... but it sounds sadly similar to the pharmaceutical corporations who charge a huge amount of money for life-saving medicines that, once having been researched and developed, cost next to nothing to produce.

I don’t know how to solve this problem, but I’d hate to see STIX and TAXII get locked behind a paywall and prevent mom-and-pop shops from being able to be secure just so we can turn a profit.

Anyway, there was my rant.  I think I realized halfway through writing this that it is a hard spot to be in.  We all want to be Batman, but none of us can afford to be a selfless hero.  Outside of government employees, I don’t know of anyone who gets paid to research things which will be free, donations and Kickstarters aside.  I’d be interested in reading more on this topic if someone knows of a good article about it.

Sorry to rant Kevin.  You aren’t evil for wanting to be paid for your hard work.  But I think a better way forward needs to be found if we are trying to prevent people from being victimized.

From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Jordan, Bret
Sent: Thursday, September 24, 2015 12:28 AM
To: SOC
Cc: Kevin Conlan; Bhujang Systems; cti-users@lists.oasis-open.org
Subject: Re: [cti-users] My opinion piece mentioning STIX-TAXII

Interesting viewpoints.  And this has come up a few times in the past.

In the TAXII SC we are very aware of this issue and another that you did not bring up, and that is the possibility of CTI repos being poisoned by a threat actor.  We are currently working on these problems and trying to address them with TAXII 2.0.  I would encourage you to join the TAXII SC and help us work through these issues.  Your insight and knowledge would be very helpful.

Thanks,

Bret

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

On Sep 23, 2015, at 19:52, SOC <soc@slcsecurity.com> wrote:

I think that STIX/TAXII actually can hurt your cyber defense security.
Hear me out here, but there is an inherent problem in telling the
adversary that we know what they are up to. Don't think for a second
that the bad guys are not subscribing to these feeds. How else would
they know to change their binaries to avoid detection, or relocate their
C2 servers to reclaim their bots that are not blacklisted, because the IP
or domain has shown up in a TAXII feed somewhere or in some other post
or observation?

For this very reason and to collect intelligence on the adversary some
Threat Intel providers (us included) do not rush to publish the
information to the general public. If you subscribe to our service you
get that information immediately but it's marked non releasable even
though 95% of the time somebody forwards it anyway.

Until the people handling the IOC information stop blindly forwarding it
to everybody they know that works in the security realm this will
continue to be a problem.

Just think about it. The good guys play fair but the malicious actors
don't. STIX and TAXII are but tools whereas the real intelligence can be
gathered only if the adversary is unaware that we are watching them. As
soon as they know they are being monitored or they are found out they
change their tactics and go elsewhere (and the search then begins again).

So just another perspective here that I think some of you will find
interesting. I just blogged this today actually and thought I would
share my view on all of these standards that make sharing so easy.

Kevin Wetzel
CEO/Founder
Jigsaw Security Enterprise Inc
www.jigsawsecurityenterprise.com
(919)441-7353

On 9/23/2015 9:20 AM, Kevin Conlan wrote:

As a student of cybersecurity, with a keen interest in cyber
intelligence, I really appreciate getting to read such a piece. Great
insights into important issues, especially with regards to geopolitical
implications.

Kevin

On Sep 23, 2015 4:25 AM, "Bhujang Systems" <bhujang.systems@gmail.com> wrote:

   Greetings all.

   Here's an opinion piece of mine for The Tribune: North India's
   prominent and oldest newspaper.

   ...wherein I ponder over the future of a blatantly balkanized
   cyberspace and the structured cyber-intelligence revolution heralded
   by STIX-TAXII.

   “The liberal dream of a neutral cyberspace is dead and the foreign
   threat detectors are conspiratorial and selective.”

   http://www.tribuneindia.com/news/comment/managing-our-porous-digital-frontlines/135560.html


This publicly archived list provides a forum for asking questions,
offering answers, and discussing topics of interest on STIX,
TAXII, and CybOX.  Users and developers of solutions that leverage
STIX, TAXII and CybOX are invited to participate.

In order to verify user consent to OASIS mailing list guidelines
and to minimize spam in the list archive, subscription is required
before posting.

Subscribe: cti-users-subscribe@lists.oasis-open.org
Unsubscribe: cti-users-unsubscribe@lists.oasis-open.org
Post: cti-users@lists.oasis-open.org
List help: cti-users-help@lists.oasis-open.org
List archive: http://lists.oasis-open.org/archives/cti-users/
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
CTI Technical Committee: https://www.oasis-open.org/committees/cti/
Join OASIS: http://www.oasis-open.org/join/
