Re: [cti-users] please remove me

[Randy Bachman <Randy.Bachman@fcc.gov>]

I did the remove instructions and it didn't work

Randy Bachman
Cybersecurity Engineer
Cybersecurity and Communications Reliability
Public Safety and Homeland Security Bureau
Federal Communications Commission
202-418-2410

________________________________________
From: cti-users@lists.oasis-open.org <cti-users@lists.oasis-open.org> on behalf of Mark Clancy <mclancy@soltra.com>
Sent: Friday, September 25, 2015 12:57 PM
To: Houston Hopkins; Hinkle, Jacob (LNG-SBO)
Cc: Jordan, Bret; SOC; Kevin Conlan; Bhujang Systems; cti-users@lists.oasis-open.org
Subject: Re: [cti-users] My opinion piece mentioning STIX-TAXII

So my $0.02 is we have to tackle the economics of the problem.  Indicators/Observable are the lower order CTI data.  Attackers can change these, but to do so requires them to perform some work effort vs. none by leaving the badness in situ on contested. The defenders today (prior to automation of CTI anyway) have large costs and time lags to respond to even the static Indicator/Observable in use and get harmed by them left and right today. Not all attackers are doing their own "Counter CTI" and for those who don't monitor sharing channels we get a win right away against those miscreants by even pervasive sharing of this data.  Such sharing may tip the miscreants off if they have "Counter CTI" and they can do a work cycle to change at modest cost, but if we have automation on the defender side the re-positioning cost in response to that cycle is reduced from the current state. If we share Indicator/Observable level data with Course of Action even more so.  Yes I totally believe in OpSec too so your most sensitive stuff should be close hold to those who can use it appropriately and not tip off the sophisticated miscreants pre-maturely, but let us be honest this is really a tiny subset of a much bigger world of CTI.

Where we really get value how ever is when we force the attackers to change things that are expensive for them and cheap for us.  This requires us to be sharing things way above the Indicator/Observable data which is the tonnage in the CTI world right now.  TTPs and Exploit Targets for example.If we force miscreants to change their methodology rather than specific compromised widget they get a lot less reuse leverage and have to do a more expensive work cycle to reacquire a target. The more we make it cost them the more they have to focus resources on objectives of high value.  Similarly if we are using CTI and automation to just 'handle" the less sophisticated/non-targeted stuff the more time we get back to make the advanced attackers job hard.  Even the public reporting outing APT groups forced them if for no other reason than internal politics to slow their tempo for a period of time which made our lives even if for just a moment easier.

The risk reward trade off question is how hard it to re-acquire the next generation of the threat vs the harm avoided by outing it... Does this drive unsustainable costs to our adversary and manageable costs to the defenders?

-Mark


Mark Clancy
Chief Executive Officer
SOLTRA | An FS-ISAC and DTCC Company
+1.813.470.2400 office | +1.610.659.6671 US mobile |​  +44 7823 626 535  UK mobile
mclancy@soltra.com | soltra.com

One organization's incident becomes everyone's defense.

​

________________________________________
From: cti-users@lists.oasis-open.org <cti-users@lists.oasis-open.org> on behalf of Houston Hopkins <houston.hopkins@gmail.com>
Sent: Thursday, September 24, 2015 10:26 AM
To: Hinkle, Jacob (LNG-SBO)
Cc: Jordan, Bret; SOC; Kevin Conlan; Bhujang Systems; cti-users@lists.oasis-open.org
Subject: Re: [cti-users] My opinion piece mentioning STIX-TAXII

I agree with Jacob here and glad someone spoke up.

Reality, you have to share intelligence to get better context.
Sharing, even in a very tight trust group, is paramount.
If anyone thinks that charging for intelligence will prevent the bad
guys from invading our space needs to do some research on their
budgets.

PS. Long Live Evil Nerds :)

On Thu, Sep 24, 2015 at 8:32 AM, Hinkle, Jacob (LNG-SBO)
<jacob.hinkle@lexisnexis.com> wrote:
> Bret and Richard’s replies were very diplomatic and well stated.  I am going
> another direction because your assertion that sharing data about threats
> somehow gives the bad guys an advantage, is ludicrous and I think extremely
> short sighted.  Never mind all of the people you could have helped by
> sharing the information about a threat and how to mitigate it or defend
> against it, instead you are using the mass unaware public as pawns in your
> imaginary game of chess with the APT’s of the world.
>
>
>
> Yes there will be an arms race, but publishing intelligence protects people
> from the script kiddies of the world.  Yes the big-time legitimate hackers
> will be watching, you must always assume they are, and I hate to break it to
> you, even if you don’t publish it, they are aware enough to see that there
> IP’s aren’t working etc. and will shift their tactics anyway.
>
>
>
> The FBI has an issue with their Infragaurd program where big corporations
> don’t want to share the details of how their network was breached because
> then their competitors would know they’d been hacked.
>
>
>
> We as security professionals need the intelligence in order to make
> decisions and act quickly to counter new threats.  I can understand the
> vendors and software company’s holding onto a vulnerabilities details until
> they have worked out a way to fix it, or have fixed it, but withholding
> attack details in hopes that you can catch the hackers, while they are
> allowed to wreak havoc and cost people their livelihoods sounds a lot like
> you are using them as guinea pigs.
>
>
>
> We are under attack.  It isn’t just evil nerds anymore, now we have state
> sponsored attacks taking place.  Security through obscurity is not a viable
> tactic.  Sharing the information will allow others to develop defenses and
> influence software development by security conscious companies.  Withholding
> the information causes more people to get hacked and lose money, jobs,
> intellectual property and weakens the nation they live in as a whole.
>
>
>
> I know that many of us here do hard work to discover threat intel and we
> should be paid for that hard work.  I am not saying that you should give it
> all away for free yet.  I think that corporations and the government should
> introduce bounty programs to reward researchers for their work.
>
>
>
> Take what I say with a grain of salt, I don’t get paid to research these
> attacks, just to defend against them, so I am biased in regards to the
> availability of intel.  I admit that.  I think that your stance is a
> necessary one as far as getting paid for researching….but it sounds sadly
> similar to the pharmaceutical corporations who charge a huge amount of money
> for life saving medicines that once having been researched and developed,
> cost next to nothing to produce.
>
>
>
> I don’t know how to solve this problem, but I’d hate to see STIX and TAXII
> get locked behind a pay wall, and prevent mom and pop shops from being able
> to be secure just so we can turn a profit.
>
>
>
> Anyway, there was my rant.  I think I realized halfway through writing this
> that it is a hard spot to be in.  We all want to be Batman, but none of us
> can afford to be a selfless hero.  Outside of government employees, I don’t
> know of anyone who gets paid to research things which will be free.
> Donations and kickstarters aside.  I’d be interested in reading more on this
> topic if someone knows of a good article about it.
>
>
>
> Sorry to rant Kevin.  You aren’t evil for wanting to be paid for your hard
> work.  But I think a better way forward needs to be found if we are trying
> to prevent people from being victimized.
>
>
>
> From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org]
> On Behalf Of Jordan, Bret
> Sent: Thursday, September 24, 2015 12:28 AM
> To: SOC
> Cc: Kevin Conlan; Bhujang Systems; cti-users@lists.oasis-open.org
> Subject: Re: [cti-users] My opinion piece mentioning STIX-TAXII
>
>
>
> Interesting view points..  And this has come up a few times in the past.
>
>
>
> In the TAXII SC we are very aware of this issue and another that you did not
> bring up, and that is the possibly of CTI repos being poisoned by a threat
> actor.  We are currently working on these problems and trying to address
> them with a TAXII 2.0.  I would encourage you to join the TAXII SC and help
> us work through these issues.  Your insight and knowledge would be very
> helpful.
>
>
>
>
>
> Thanks,
>
>
>
> Bret
>
>
>
>
>
>
>
> Bret Jordan CISSP
>
> Director of Security Architecture and Standards | Office of the CTO
>
> Blue Coat Systems
>
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>
> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can
> not be unscrambled is an egg."
>
>
>
> On Sep 23, 2015, at 19:52, SOC <soc@slcsecurity.com> wrote:
>
>
>
> I think that STIX/TAXII actually can hurt your cyber defense security.
> Hear me out here but there is an inherent problem in telling the
> adversary that we know what they are up to. Don't think for a second
> that the bad guys are not subscribing to these feeds. How else would
> they know to change their binaries to avoid detection or relocate their
> C2 servers to reclaim their bots that are not blacklisted because the IP
> or domain has shown up in a TAXII feed somewhere or in some other post
> or observation.
>
> For this very reason and to collect intelligence on the adversary some
> Threat Intel providers (us included) do not rush to publish the
> information to the general public. If you subscribe to our service you
> get that information immediately but it's marked non releasable even
> though 95% of the time somebody forwards it anyway.
>
> Until the people handling the IOC information stop blindly forwarding it
> to everybody they know that works in the security realm this will
> continue to be a problem.
>
> Just think about it. The good guys play fair but the malicious actors
> don't. STIX and TAXII are but tools whereas the real intelligence can be
> gathered only if the adversary is unaware that we are watching them. As
> soon as they know they are being monitored or they are found out they
> change their tactics and go elsewhere (and the search then begins again).
>
> So just another perspective here that I think some of you will find
> interesting. I just blogged this today actually and thought I would
> share my view on all of these standards that make sharing so easy.
>
> Kevin Wetzel
> CEO/Founder
> Jigsaw Security Enterprise Inc
> www.jigsawsecurityenterprise.com
> (919)441-7353
>
> On 9/23/2015 9:20 AM, Kevin Conlan wrote:
>
> As a student of cybersecurity, with a keen interest in cyber
> intelligence, I really appreciate getting to read such a piece. Great
> insights into important issues, especially with regards to geopolitical
> implications.
>
> Kevin
>
> On Sep 23, 2015 4:25 AM, "Bhujang Systems" <bhujang.systems@gmail.com
> <mailto:bhujang.systems@gmail.com>> wrote:
>
>    Greetings all.
>
>    Here's an opinion piece of mine for The Tribune: North India's
>    prominent and oldest newspaper.
>
>    ...wherein I ponder over the future of a blatantly balkanized
>    cyberspace and the structured cyber-intelligence revolution heralded
>    by STIX-TAXII.
>
>    “The liberal dream of a neutral cyberspace is dead and the foreign
>    threat detectors are conspiratorial and selective.”
>
>
> http://www.tribuneindia.com/news/comment/managing-our-porous-digital-frontlines/135560.html
>
>
> This publicly archived list provides a forum for asking questions,
> offering answers, and discussing topics of interest on STIX,
> TAXII, and CybOX.  Users and developers of solutions that leverage
> STIX, TAXII and CybOX are invited to participate.
>
> In order to verify user consent to OASIS mailing list guidelines
> and to minimize spam in the list archive, subscription is required
> before posting.
>
> Subscribe: cti-users-subscribe@lists.oasis-open.org
> Unsubscribe: cti-users-unsubscribe@lists.oasis-open.org
> Post: cti-users@lists.oasis-open.org
> List help: cti-users-help@lists.oasis-open.org
> List archive: http://lists.oasis-open.org/archives/cti-users/
> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> CTI Technical Committee: https://www.oasis-open.org/committees/cti/
> Join OASIS: http://www.oasis-open.org/join/
>
>

This publicly archived list provides a forum for asking questions,

offering answers, and discussing topics of interest on STIX,

TAXII, and CybOX.  Users and developers of solutions that leverage

STIX, TAXII and CybOX are invited to participate.



In order to verify user consent to OASIS mailing list guidelines

and to minimize spam in the list archive, subscription is required

before posting.



Subscribe: cti-users-subscribe@lists.oasis-open.org

Unsubscribe: cti-users-unsubscribe@lists.oasis-open.org

Post: cti-users@lists.oasis-open.org

List help: cti-users-help@lists.oasis-open.org

List archive: http://lists.oasis-open.org/archives/cti-users/

List Guidelines: http://www.oasis-open.org/maillists/guidelines.php

CTI Technical Committee: https://www.oasis-open.org/committees/cti/

Join OASIS: http://www.oasis-open.org/join/