RE: [cti-users] My opinion piece mentioning STIX-TAXII

[<pankaj.anand@wipro.com>]

I agree to the point that this information must be shared as open platform so that maximum defenders can make use of this. As there are no confined boundaries in internet, so there will be adversaries looking into this. This is for more generic attacks and should be consumed without boundaries. In today's world I think generic attacks are random and adversaries are also not investing too much time and effort to change tactics. So as long as we can change faster than adversaries TTP, we shall continue to be on advantage and discourage adversaries to add efforts and cost for an attack. Even if this gets into commercial boundaries, adversaries can still have access, so keeping it open source or not, doesn't matter.

Other concept is time lag between information exchange. As in industry not much organizations have matured threat intel platform and have substantial lag time for sharing and even for utilization. Unless it's near real time the usage may not be as effective (considering Verizon DBIR - most of this information is short lived and almost more than 90% changes within a day). So how fast information gets exchanged and implemented also matters. Is attach speed faster or threat sharing faster? I assume that's also one of the reason that the overlap of information between various inbound threat channels is very less (3%).

By using STIX/TAXI we are getting into basic building blocks where majority of industry has yet to adapt.

Thanks,

Pankaj Anand


-----Original Message-----
From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org] On Behalf Of Mark Clancy
Sent: Friday, September 25, 2015 10:28 PM
To: Houston Hopkins <houston.hopkins@gmail.com>; Hinkle, Jacob (LNG-SBO) <jacob.hinkle@lexisnexis.com>
Cc: Jordan, Bret <bret.jordan@bluecoat.com>; SOC <soc@slcsecurity.com>; Kevin Conlan <kevin.conlan24@gmail.com>; Bhujang Systems <bhujang.systems@gmail.com>; cti-users@lists.oasis-open.org
Subject: Re: [cti-users] My opinion piece mentioning STIX-TAXII

So my $0.02 is we have to tackle the economics of the problem.  Indicators/Observable are the lower order CTI data.  Attackers can change these, but to do so requires them to perform some work effort vs. none by leaving the badness in situ on contested. The defenders today (prior to automation of CTI anyway) have large costs and time lags to respond to even the static Indicator/Observable in use and get harmed by them left and right today. Not all attackers are doing their own "Counter CTI" and for those who don't monitor sharing channels we get a win right away against those miscreants by even pervasive sharing of this data.  Such sharing may tip the miscreants off if they have "Counter CTI" and they can do a work cycle to change at modest cost, but if we have automation on the defender side the re-positioning cost in response to that cycle is reduced from the current state. If we share Indicator/Observable level data with Course of Action even more so.  Yes I totally believe in OpSec too so your most sensitive stuff should be close hold to those who can use it appropriately and not tip off the sophisticated miscreants pre-maturely, but let us be honest this is really a tiny subset of a much bigger world of CTI.

Where we really get value how ever is when we force the attackers to change things that are expensive for them and cheap for us.  This requires us to be sharing things way above the Indicator/Observable data which is the tonnage in the CTI world right now.  TTPs and Exploit Targets for example.If we force miscreants to change their methodology rather than specific compromised widget they get a lot less reuse leverage and have to do a more expensive work cycle to reacquire a target. The more we make it cost them the more they have to focus resources on objectives of high value.  Similarly if we are using CTI and automation to just 'handle" the less sophisticated/non-targeted stuff the more time we get back to make the advanced attackers job hard.  Even the public reporting outing APT groups forced them if for no other reason than internal politics to slow their tempo for a period of time which made our lives even if for just a moment easier.

The risk reward trade off question is how hard it to re-acquire the next generation of the threat vs the harm avoided by outing it... Does this drive unsustainable costs to our adversary and manageable costs to the defenders?

-Mark


Mark Clancy
Chief Executive Officer
SOLTRA | An FS-ISAC and DTCC Company
+1.813.470.2400 office | +1.610.659.6671 US mobile |​  +44 7823 626 535
+UK mobile
mclancy@soltra.com | soltra.com

One organization's incident becomes everyone's defense.

​

________________________________________
From: cti-users@lists.oasis-open.org <cti-users@lists.oasis-open.org> on behalf of Houston Hopkins <houston.hopkins@gmail.com>
Sent: Thursday, September 24, 2015 10:26 AM
To: Hinkle, Jacob (LNG-SBO)
Cc: Jordan, Bret; SOC; Kevin Conlan; Bhujang Systems; cti-users@lists.oasis-open.org
Subject: Re: [cti-users] My opinion piece mentioning STIX-TAXII

I agree with Jacob here and glad someone spoke up.

Reality, you have to share intelligence to get better context.
Sharing, even in a very tight trust group, is paramount.
If anyone thinks that charging for intelligence will prevent the bad guys from invading our space needs to do some research on their budgets.

PS. Long Live Evil Nerds :)

On Thu, Sep 24, 2015 at 8:32 AM, Hinkle, Jacob (LNG-SBO) <jacob.hinkle@lexisnexis.com> wrote:
> Bret and Richard’s replies were very diplomatic and well stated.  I am
> going another direction because your assertion that sharing data about
> threats somehow gives the bad guys an advantage, is ludicrous and I
> think extremely short sighted.  Never mind all of the people you could
> have helped by sharing the information about a threat and how to
> mitigate it or defend against it, instead you are using the mass
> unaware public as pawns in your imaginary game of chess with the APT’s of the world.
>
>
>
> Yes there will be an arms race, but publishing intelligence protects
> people from the script kiddies of the world.  Yes the big-time
> legitimate hackers will be watching, you must always assume they are,
> and I hate to break it to you, even if you don’t publish it, they are
> aware enough to see that there IP’s aren’t working etc. and will shift their tactics anyway.
>
>
>
> The FBI has an issue with their Infragaurd program where big
> corporations don’t want to share the details of how their network was
> breached because then their competitors would know they’d been hacked.
>
>
>
> We as security professionals need the intelligence in order to make
> decisions and act quickly to counter new threats.  I can understand
> the vendors and software company’s holding onto a vulnerabilities
> details until they have worked out a way to fix it, or have fixed it,
> but withholding attack details in hopes that you can catch the
> hackers, while they are allowed to wreak havoc and cost people their
> livelihoods sounds a lot like you are using them as guinea pigs.
>
>
>
> We are under attack.  It isn’t just evil nerds anymore, now we have
> state sponsored attacks taking place.  Security through obscurity is
> not a viable tactic.  Sharing the information will allow others to
> develop defenses and influence software development by security
> conscious companies.  Withholding the information causes more people
> to get hacked and lose money, jobs, intellectual property and weakens the nation they live in as a whole.
>
>
>
> I know that many of us here do hard work to discover threat intel and
> we should be paid for that hard work.  I am not saying that you should
> give it all away for free yet.  I think that corporations and the
> government should introduce bounty programs to reward researchers for their work.
>
>
>
> Take what I say with a grain of salt, I don’t get paid to research
> these attacks, just to defend against them, so I am biased in regards
> to the availability of intel.  I admit that.  I think that your stance
> is a necessary one as far as getting paid for researching….but it
> sounds sadly similar to the pharmaceutical corporations who charge a
> huge amount of money for life saving medicines that once having been
> researched and developed, cost next to nothing to produce.
>
>
>
> I don’t know how to solve this problem, but I’d hate to see STIX and
> TAXII get locked behind a pay wall, and prevent mom and pop shops from
> being able to be secure just so we can turn a profit.
>
>
>
> Anyway, there was my rant.  I think I realized halfway through writing
> this that it is a hard spot to be in.  We all want to be Batman, but
> none of us can afford to be a selfless hero.  Outside of government
> employees, I don’t know of anyone who gets paid to research things which will be free.
> Donations and kickstarters aside.  I’d be interested in reading more
> on this topic if someone knows of a good article about it.
>
>
>
> Sorry to rant Kevin.  You aren’t evil for wanting to be paid for your
> hard work.  But I think a better way forward needs to be found if we
> are trying to prevent people from being victimized.
>
>
>
> From: cti-users@lists.oasis-open.org
> [mailto:cti-users@lists.oasis-open.org]
> On Behalf Of Jordan, Bret
> Sent: Thursday, September 24, 2015 12:28 AM
> To: SOC
> Cc: Kevin Conlan; Bhujang Systems; cti-users@lists.oasis-open.org
> Subject: Re: [cti-users] My opinion piece mentioning STIX-TAXII
>
>
>
> Interesting view points..  And this has come up a few times in the past.
>
>
>
> In the TAXII SC we are very aware of this issue and another that you
> did not bring up, and that is the possibly of CTI repos being poisoned
> by a threat actor.  We are currently working on these problems and
> trying to address them with a TAXII 2.0.  I would encourage you to
> join the TAXII SC and help us work through these issues.  Your insight
> and knowledge would be very helpful.
>
>
>
>
>
> Thanks,
>
>
>
> Bret
>
>
>
>
>
>
>
> Bret Jordan CISSP
>
> Director of Security Architecture and Standards | Office of the CTO
>
> Blue Coat Systems
>
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>
> "Without cryptography vihv vivc ce xhrnrw, however, the only thing
> that can not be unscrambled is an egg."
>
>
>
> On Sep 23, 2015, at 19:52, SOC <soc@slcsecurity.com> wrote:
>
>
>
> I think that STIX/TAXII actually can hurt your cyber defense security.
> Hear me out here but there is an inherent problem in telling the
> adversary that we know what they are up to. Don't think for a second
> that the bad guys are not subscribing to these feeds. How else would
> they know to change their binaries to avoid detection or relocate
> their
> C2 servers to reclaim their bots that are not blacklisted because the
> IP or domain has shown up in a TAXII feed somewhere or in some other
> post or observation.
>
> For this very reason and to collect intelligence on the adversary some
> Threat Intel providers (us included) do not rush to publish the
> information to the general public. If you subscribe to our service you
> get that information immediately but it's marked non releasable even
> though 95% of the time somebody forwards it anyway.
>
> Until the people handling the IOC information stop blindly forwarding
> it to everybody they know that works in the security realm this will
> continue to be a problem.
>
> Just think about it. The good guys play fair but the malicious actors
> don't. STIX and TAXII are but tools whereas the real intelligence can
> be gathered only if the adversary is unaware that we are watching
> them. As soon as they know they are being monitored or they are found
> out they change their tactics and go elsewhere (and the search then begins again).
>
> So just another perspective here that I think some of you will find
> interesting. I just blogged this today actually and thought I would
> share my view on all of these standards that make sharing so easy.
>
> Kevin Wetzel
> CEO/Founder
> Jigsaw Security Enterprise Inc
> www.jigsawsecurityenterprise.com
> (919)441-7353
>
> On 9/23/2015 9:20 AM, Kevin Conlan wrote:
>
> As a student of cybersecurity, with a keen interest in cyber
> intelligence, I really appreciate getting to read such a piece. Great
> insights into important issues, especially with regards to
> geopolitical implications.
>
> Kevin
>
> On Sep 23, 2015 4:25 AM, "Bhujang Systems" <bhujang.systems@gmail.com
> <mailto:bhujang.systems@gmail.com>> wrote:
>
>    Greetings all.
>
>    Here's an opinion piece of mine for The Tribune: North India's
>    prominent and oldest newspaper.
>
>    ...wherein I ponder over the future of a blatantly balkanized
>    cyberspace and the structured cyber-intelligence revolution heralded
>    by STIX-TAXII.
>
>    “The liberal dream of a neutral cyberspace is dead and the foreign
>    threat detectors are conspiratorial and selective.”
>
>
> http://www.tribuneindia.com/news/comment/managing-our-porous-digital-f
> rontlines/135560.html
>
>
> This publicly archived list provides a forum for asking questions,
> offering answers, and discussing topics of interest on STIX, TAXII,
> and CybOX.  Users and developers of solutions that leverage STIX,
> TAXII and CybOX are invited to participate.
>
> In order to verify user consent to OASIS mailing list guidelines and
> to minimize spam in the list archive, subscription is required before
> posting.
>
> Subscribe: cti-users-subscribe@lists.oasis-open.org
> Unsubscribe: cti-users-unsubscribe@lists.oasis-open.org
> Post: cti-users@lists.oasis-open.org
> List help: cti-users-help@lists.oasis-open.org
> List archive: http://lists.oasis-open.org/archives/cti-users/
> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> CTI Technical Committee: https://www.oasis-open.org/committees/cti/
> Join OASIS: http://www.oasis-open.org/join/
>
>

This publicly archived list provides a forum for asking questions,

offering answers, and discussing topics of interest on STIX,

TAXII, and CybOX.  Users and developers of solutions that leverage

STIX, TAXII and CybOX are invited to participate.



In order to verify user consent to OASIS mailing list guidelines

and to minimize spam in the list archive, subscription is required

before posting.



Subscribe: cti-users-subscribe@lists.oasis-open.org

Unsubscribe: cti-users-unsubscribe@lists.oasis-open.org

Post: cti-users@lists.oasis-open.org

List help: cti-users-help@lists.oasis-open.org

List archive: http://lists.oasis-open.org/archives/cti-users/

List Guidelines: http://www.oasis-open.org/maillists/guidelines.php

CTI Technical Committee: https://www.oasis-open.org/committees/cti/

Join OASIS: http://www.oasis-open.org/join/
The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com