OASIS Mailing List Archives

cti-users message



Subject: RE: [cti-users] My opinion piece mentioning STIX-TAXII


After having visited your site and read some of your blog posts, I found one that seems to go against what you have just said.  On September 18th you posted a blog post called "Thoughts on Executive Order 13636" in which you detailed your thoughts on the aforementioned EO.  You had this to say as one of your criticisms of the order:

" 2. Give us the data - Stop holding onto the data. If you don't share it then we can't stop the badness from happening and we don't trust you enough to share that information with you. See how that works?"

This seems to contradict what you said on this newsgroup about the sharing of data.  

I'd argue that we should not take the low-hanging fruit of blacklisting IPs and domains as a "solution" and should instead detect and thwart attacks based on the types of activity the attacker is attempting to perform and use better security practices (DMZs and IPS systems) in order to defend.  True APTs and hackers will modify their activity regardless, and by sharing the threats you force them to work harder.  Perhaps eventually we can make hacking so much work that the work-to-payoff ratios will make hacking so difficult that only state-sponsored actors can afford to spend time on it.

-----Original Message-----
From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of SOC
Sent: Wednesday, September 23, 2015 9:53 PM
To: Kevin Conlan; Bhujang Systems
Cc: cti-users@lists.oasis-open.org
Subject: Re: [cti-users] My opinion piece mentioning STIX-TAXII

I think that STIX/TAXII actually can hurt your cyber defense security.
Hear me out here but there is an inherent problem in telling the adversary that we know what they are up to. Don't think for a second that the bad guys are not subscribing to these feeds. How else would they know to change their binaries to avoid detection or relocate their C2 servers to reclaim their bots that are not blacklisted because the IP or domain has shown up in a TAXII feed somewhere or in some other post or observation?

For this very reason, and to collect intelligence on the adversary, some Threat Intel providers (us included) do not rush to publish the information to the general public. If you subscribe to our service you get that information immediately, but it's marked non-releasable even though 95% of the time somebody forwards it anyway.

Until the people handling the IOC information stop blindly forwarding it to everybody they know that works in the security realm this will continue to be a problem.

Just think about it. The good guys play fair but the malicious actors don't. STIX and TAXII are but tools whereas the real intelligence can be gathered only if the adversary is unaware that we are watching them. As soon as they know they are being monitored or they are found out they change their tactics and go elsewhere (and the search then begins again).

So just another perspective here that I think some of you will find interesting. I just blogged this today actually and thought I would share my view on all of these standards that make sharing so easy.

Kevin Wetzel
CEO/Founder
Jigsaw Security Enterprise Inc
www.jigsawsecurityenterprise.com
(919)441-7353

On 9/23/2015 9:20 AM, Kevin Conlan wrote:
> As a student of cybersecurity, with a keen interest in cyber 
> intelligence, I really appreciate getting to read such a piece. Great 
> insights into important issues, especially with regards to 
> geopolitical implications.
> 
> Kevin
> 
> On Sep 23, 2015 4:25 AM, "Bhujang Systems" <bhujang.systems@gmail.com 
> <mailto:bhujang.systems@gmail.com>> wrote:
> 
>     Greetings all.
> 
>     Here's an opinion piece of mine for The Tribune: North India's
>     prominent and oldest newspaper.
> 
>     ...wherein I ponder over the future of a blatantly balkanized
>     cyberspace and the structured cyber-intelligence revolution heralded
>     by STIX-TAXII.
> 
>     “The liberal dream of a neutral cyberspace is dead and the foreign
>     threat detectors are conspiratorial and selective.”
> 
>     
> http://www.tribuneindia.com/news/comment/managing-our-porous-digital-frontlines/135560.html
> 
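The non-releasable marking Kevin Wetzel describes, and the forwarding that defeats it, are exactly what STIX data markings exist to express and what any relay should check before re-sharing a feed. The Python below is an added example for this thread, not code from any of the messages above, from OASIS, or from any TAXII product. It uses the STIX 2.1 form of data markings (which postdates this 2015 thread) and assumes only a minimal subset of it: TLP marking-definition objects and object_marking_refs on indicators. Every identifier, timestamp and indicator value in it is constructed sample data; in particular the marking-definition ids are invented and are not the official STIX TLP marking ids.

```python
"""Marking-aware release filter for a STIX 2.1-style indicator bundle.

Added example for the cti-users thread; not code from the original messages,
from OASIS, or from any TAXII server. Assumes a minimal subset of STIX 2.1
(TLP marking-definition objects, object_marking_refs on indicators). All ids
and values are constructed sample data; the marking-definition ids are NOT
the official STIX TLP marking ids.
"""
import json

# TLP colours in increasing order of restriction.
TLP_ORDER = {"white": 0, "green": 1, "amber": 2, "red": 3}

# The most restrictive colour each audience is cleared to receive (assumed policy).
AUDIENCE_CEILING = {"public": "white", "community": "green",
                    "partner": "amber", "internal": "red"}

# Constructed identifiers used by the sample bundle.
GREEN_MARKING = "marking-definition--11111111-1111-4111-8111-111111111111"
RED_MARKING = "marking-definition--22222222-2222-4222-8222-222222222222"
IND_GREEN = "indicator--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"
IND_RED = "indicator--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb"
IND_UNMARKED = "indicator--cccccccc-cccc-4ccc-8ccc-cccccccccccc"
IND_BADREF = "indicator--dddddddd-dddd-4ddd-8ddd-dddddddddddd"
TS = "2015-09-23T21:53:00.000Z"


def _tlp(marking_id, colour):
    return {"type": "marking-definition", "spec_version": "2.1", "id": marking_id,
            "created": TS, "definition_type": "tlp", "definition": {"tlp": colour}}


def _indicator(ind_id, pattern, marking_refs):
    obj = {"type": "indicator", "spec_version": "2.1", "id": ind_id, "created": TS,
           "modified": TS, "pattern": pattern, "pattern_type": "stix", "valid_from": TS}
    if marking_refs is not None:
        obj["object_marking_refs"] = marking_refs
    return obj


# Constructed sample feed: two properly marked indicators, one the producer
# forgot to mark, and one citing a marking the bundle does not carry.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        _tlp(GREEN_MARKING, "green"),
        _tlp(RED_MARKING, "red"),
        _indicator(IND_GREEN, "[domain-name:value = 'sinkholed.example']", [GREEN_MARKING]),
        _indicator(IND_RED, "[ipv4-addr:value = '192.0.2.10']", [RED_MARKING]),
        _indicator(IND_UNMARKED, "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']", None),
        _indicator(IND_BADREF, "[url:value = 'http://c2.example/gate.php']",
                   ["marking-definition--99999999-9999-4999-8999-999999999999"]),
    ],
})


def tlp_markings(objects):
    """Map marking-definition id -> TLP colour for every TLP marking in the bundle."""
    return {o["id"]: o["definition"]["tlp"].lower() for o in objects
            if o.get("type") == "marking-definition" and o.get("definition_type") == "tlp"}


def release_decision(obj, markings, audience):
    """Decide whether one object may go to `audience`; returns (allowed, reason).

    An unmarked object, or one citing a marking we cannot resolve, is denied:
    when the producer's intent is unknown, forwarding is the unsafe default.
    """
    ceiling = AUDIENCE_CEILING[audience]
    refs = obj.get("object_marking_refs", [])
    if not refs:
        return False, "unmarked object; denied by default"
    colours = []
    for ref in refs:
        if ref not in markings:
            return False, f"unresolvable marking {ref}; denied"
        colours.append(markings[ref])
    strictest = max(colours, key=TLP_ORDER.__getitem__)  # most restrictive wins
    if TLP_ORDER[strictest] > TLP_ORDER[ceiling]:
        return False, f"TLP:{strictest.upper()} exceeds {audience} ceiling TLP:{ceiling.upper()}"
    return True, f"TLP:{strictest.upper()} within {audience} ceiling"


def filter_for_release(bundle_json, audience):
    """Return (objects_to_send, denials) for a serialized bundle.

    The marking definitions the released objects cite are re-attached so the
    recipient can apply the same check before forwarding again.
    """
    objects = json.loads(bundle_json)["objects"]
    markings = tlp_markings(objects)
    released, denials = [], {}
    for obj in objects:
        if obj["type"] == "marking-definition":
            continue
        allowed, reason = release_decision(obj, markings, audience)
        if allowed:
            released.append(obj)
        else:
            denials[obj["id"]] = reason
    cited = {ref for o in released for ref in o["object_marking_refs"]}
    definitions = [o for o in objects if o["id"] in cited]
    return definitions + released, denials


def released_ids(bundle_json, audience):
    """Ids of the indicators (not marking definitions) cleared for `audience`."""
    sent, _ = filter_for_release(bundle_json, audience)
    return [o["id"] for o in sent if o["type"] != "marking-definition"]


if __name__ == "__main__":
    for audience in AUDIENCE_CEILING:
        sent, denials = filter_for_release(SAMPLE_BUNDLE, audience)
        print(audience, "->", [o["id"] for o in sent])
        for oid, why in denials.items():
            print("   withheld", oid, ":", why)
```

The design choice worth noting is the default-deny branch: the object most likely to be forwarded "blindly" is the one nobody marked at all, so an unmarked indicator and one whose marking cannot be resolved are both withheld rather than treated as public. Re-attaching the cited marking definitions to the outgoing bundle lets the next hop run the same check, which is the only way a non-releasable marking survives more than one forward.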

This publicly archived list provides a forum for asking questions, offering answers, and discussing topics of interest on STIX, TAXII, and CybOX.  Users and developers of solutions that leverage STIX, TAXII and CybOX are invited to participate. In order to verify user consent to OASIS mailing list guidelines and to minimize spam in the list archive, subscription is required before posting.

Subscribe: cti-users-subscribe@lists.oasis-open.org
Unsubscribe: cti-users-unsubscribe@lists.oasis-open.org
Post: cti-users@lists.oasis-open.org
List help: cti-users-help@lists.oasis-open.org
List archive: http://lists.oasis-open.org/archives/cti-users/
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
CTI Technical Committee: https://www.oasis-open.org/committees/cti/
Join OASIS: http://www.oasis-open.org/join/
