Subject: Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)
Pat’s statements here align with the opinions I have heard expressed over the last few years from organizations doing actual cyber threat intelligence or active incident response.
The assertions that I have heard are that scoring is a great concept but that any importance/criticality scoring (based on a myriad of potential factors like some that Pat names) asserted by a producer is rarely accurate or applicable within the context of different consumers.
The way that I have had it characterized to me is typically along the lines of the following.
At best (in the rare cases where they are accurate) they may help a consumer prioritize one issue over another. Nominally, they are noise information for consumers drowning in information. At worst they are misleading and cause the wrong decisions/actions to be taken (such as the case Pat describes below).
The preferred approach that I have heard is to give the consumer as much of the context for the information as possible to enable the consumer to determine their own scoring based also on their own internal context.
One possible approach for us might be to ensure that we can support conveying the appropriate level of context information in our normative standards and then provide some non-normative consensus suggestions/guidelines (separate from the standards themselves) on how consumers could use that information to “score” threat information.
I am not arguing or asserting a “right” way to do this, just pointing out that what Pat says here jibes with what I have heard from many others and that we should certainly take such considerations into account when thinking about this topic.
sean
From: <cti-users@lists.oasis-open.org> on behalf of Patrick Maroney <Pmaroney@Specere.org>
Date: Monday, October 26, 2015 at 10:33 AM
To: Jerome Athias <athiasjerome@gmail.com>, Jason Lewis <jlewis@lgscout.com>
Cc: "Jordan, Bret" <bret.jordan@bluecoat.com>, Bernd Grobauer <bernd.grobauer@siemens.com>, "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
Subject: Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)
Relevance, Certainty, Validity, etc. along with other highly subjective measures like Business Impact (of mitigation/Blocking) are really not effective shared measures for IOCs with perhaps exceptions for widely seen common Malware/NuisanceWare/AdWare.
Point is that a majority of serious APT attacks against Sectors, Industries, Agencies, etc. are highly targeted. In some cases the attack packages and ephemeral TTPs are tailored uniquely to an individual organization.
I can authoritatively cite an example: some of the most dangerous highly targeted APT threats are typically flagged by AV as "Low" priority/criticality/risk, which in turn leads to inadequate responses when detected. We've found evidence of relatively early leading APT artifact AV detections in every APT Intrusion investigation since 2002. When asked why these leading indicators were ignored, without fail the response would be something along the lines of: "Oh we don't have the resources to investigate thousands of AV detections, we only look at Med to High Risk", or "Oh we looked at it, it was flagged as low risk". AV Vendors when challenged on these rating methodologies would also respond without fail with something like: "That RAT/Backdoor was only reported by 5 companies, it's low risk". Tell that to the 5 companies who spent millions cleaning up entrenched adversaries that could have been stopped early in the intrusion had the threat not been mischaracterized and investigated.
In my view (1) we should be sharing facts about sightings/observations, (2) analysis along with methods to "show your work" for any hypothesis for subjective conclusions, and (3) include Non-Attributional Source Path Traceability for directing RFIs and Details on Sightings to the original Source(s). One can then compile "Earliest Seen", "Latest Seen" metrics along with Sector/Target specific Threat Characterization details to determine an effective measure of risk.
Patrick Maroney
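As an added example (not code from any of the posters or from any of the standards discussed), the consumer-side approach the two messages above describe: compile "Earliest Seen"/"Latest Seen" plus source and sector facts from shared sightings, then let each consumer derive its own priority from its own context, without consulting the producer's rating. The indicator values, organisation names and scoring weights are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Sighting:
    indicator: str       # what was observed (constructed sample values below)
    source: str          # reporting org, retained so RFIs can be routed back
    sector: str          # sector of the org that saw it
    seen_at: datetime
    producer_score: str  # the producer's/AV vendor's own rating; never used for priority

def compile_metrics(sightings):
    """Per-indicator facts only: earliest/latest seen, sources, sectors."""
    metrics = {}
    for s in sightings:
        m = metrics.setdefault(s.indicator, {"earliest": s.seen_at,
            "latest": s.seen_at, "sources": set(), "sectors": set()})
        m["earliest"] = min(m["earliest"], s.seen_at)
        m["latest"] = max(m["latest"], s.seen_at)
        m["sources"].add(s.source)
        m["sectors"].add(s.sector)
    return metrics

def consumer_priority(m, my_sector, now):
    """Local priority from shared facts and consumer context (weights illustrative)."""
    score = 0
    if my_sector in m["sectors"]:
        score += 50  # seen in our own sector: likely targeted, not commodity
    if len(m["sources"]) <= 5:
        score += 30  # few reporters suggests targeting, not low risk
    if (now - m["latest"]).days <= 30:
        score += 20  # recently active
    return score

# Constructed sightings: a rarely reported RAT the AV vendor rated "low", and a widely seen adware domain rated "high".
NOW = datetime(2015, 10, 26)
SIGHTINGS = [
    Sighting("rat-sample-hash", "org-a", "energy", datetime(2015, 9, 30), "low"),
    Sighting("rat-sample-hash", "org-b", "energy", datetime(2015, 10, 20), "low"),
    Sighting("rat-sample-hash", "org-c", "energy", datetime(2015, 10, 24), "low"),
] + [
    Sighting("adware.example", f"org-{i}", sec, datetime(2015, 10, 25), "high")
    for i, sec in enumerate(["retail", "finance", "energy", "health"] * 10)
]

def rank_for(my_sector):
    """Indicators ordered by this consumer's own priority, highest first."""
    metrics = compile_metrics(SIGHTINGS)
    return sorted(metrics, key=lambda k: consumer_priority(
        metrics[k], my_sector, NOW), reverse=True)
```

For an energy-sector consumer the "low"-rated RAT ranks above the "high"-rated adware; for a retail consumer the same shared facts produce the opposite order.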
_____________________________
From: Jerome Athias <athiasjerome@gmail.com>
Sent: Sunday, October 25, 2015 10:04 PM
Subject: Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)
To: Jason Lewis <jlewis@lgscout.com>
Cc: Jordan, Bret <bret.jordan@bluecoat.com>, Grobauer, Bernd <bernd.grobauer@siemens.com>, <cti-users@lists.oasis-open.org>
Yep, the decay is interesting. It could be evaluated as an option like the Valid_Time_Position where both have benefits depending on the use case (e.g. Exercise scenario)
Regarding scoring, there is opportunity for research based on STIX ;-)
On Monday, 26 October 2015, Jason Lewis <jlewis@lgscout.com> wrote: Just to point out some key differences from the FB format. Primarily