
Subject: Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)


I totally agree.


2015-10-26 17:59 GMT+03:00 Barnum, Sean D. <sbarnum@mitre.org>:
> Pat’s statements here align with the opinions I have heard expressed over
> the last few years from organizations doing actual cyber threat intelligence
> or active incident response.
> The assertions that I have heard are that scoring is a great concept but
> that any importance/criticality scoring (based on a myriad of potential
> factors like some that Pat names) asserted by a producer is rarely accurate
> or applicable within the context of different consumers.
> The way that I have had it characterized to me is typically along the lines
> of the following.
> At best (in the rare cases where they are accurate) they may help a consumer
> prioritize one issue over another. Nominally, they are noise information for
> consumers drowning in information. At worst they are misleading and cause
> the wrong decisions/actions to be taken (such as the case Pat describes
> below).
> The preferred approach that I have heard is to give the consumer as much of
> the context for the information as possible to enable the consumer to
> determine their own scoring based also on their own internal context.
> One possible approach for us might be to ensure that we can support
> conveying the appropriate level of context information in our normative
> standards and then provide some non-normative consensus
> suggestions/guidelines (separate from the standards themselves) on how
> consumers could use that information to “score” threat information.
>
> I am not arguing or asserting a “right” way to do this just pointing out
> that what Pat says here jibes with what I have heard from many others and
> should certainly take such considerations into account when thinking about
> this topic.
>
> sean
>
> From: <cti-users@lists.oasis-open.org> on behalf of Patrick Maroney
> <Pmaroney@Specere.org>
> Date: Monday, October 26, 2015 at 10:33 AM
> To: Jerome Athias <athiasjerome@gmail.com>, Jason Lewis <jlewis@lgscout.com>
> Cc: "Jordan, Bret" <bret.jordan@bluecoat.com>, Bernd Grobauer
> <bernd.grobauer@siemens.com>, "cti-users@lists.oasis-open.org"
> <cti-users@lists.oasis-open.org>
>
> Subject: Re: [cti-users] Publication of another threat intelligence
> standard: Open Threat Partner eXchange (OpenTPX)
>
> Relevance, Certainty, Validity, etc. along with other highly subjective
> measures like Business Impact (of mitigation/Blocking) are really not
> effective shared measures for IOCs with perhaps exceptions for widely seen
> common Malware/NuisanceWare/AdWare.
> Point is that a majority of serious APT attacks against Sectors, Industries,
> Agencies, etc. are highly targeted. In some cases the attack packages and
> ephemeral TTPs are tailored uniquely to an individual organization.
> I can authoritatively cite an example:  some of the most dangerous highly
> targeted APT threats are typically flagged by AV as "Low"
> priority/criticality/risk, which in turn leads to inadequate responses when
> detected.  We've found evidence of relatively early leading APT artifact AV
> detections in every APT Intrusion investigation since 2002.  When asked why
> these leading indicators were ignored, without fail the response would be
> something along the lines of: "Oh we don't have the resources to investigate
> thousands of AV detections, we only look at Med to High Risk", or "Oh we
> looked at it, it was flagged as low risk".  AV Vendors when challenged on
> these rating methodologies would also respond without fail with something
> like: "That RAT/Backdoor was only reported by 5 companies, it's low risk".
> Tell that to the 5 companies who spent millions cleaning up entrenched
> adversaries that could have been stopped early in the intrusion had the
> threat not been mischaracterized and investigated.
> In my view (1) we should be sharing facts about sightings/observations, (2)
> analysis along with methods to "show your work" for any hypothesis for
> subjective conclusions, and (3) include Non-Attributional Source Path
> Traceability for directing RFIs and Details on Sightings to the original
> Source(s).  One can then compile "Earliest Seen", "Latest Seen" metrics
> along with Sector/Target specific Threat Characterization details to
> determine an effective measure of risk.
>
> Patrick Maroney
>
> _____________________________
> From: Jerome Athias <athiasjerome@gmail.com>
> Sent: Sunday, October 25, 2015 10:04 PM
> Subject: Re: [cti-users] Publication of another threat intelligence
> standard: Open Threat Partner eXchange (OpenTPX)
> To: Jason Lewis <jlewis@lgscout.com>
> Cc: Jordan, Bret <bret.jordan@bluecoat.com>, Grobauer, Bernd
> <bernd.grobauer@siemens.com>, <cti-users@lists.oasis-open.org>
>
>
> Yep the decay is interesting
> It could be evaluated as an option like the Valid_Time_Position where both
> have benefits depending on the use case (e.g. Exercise scenario)
>
> Regarding scoring, there is opportunity for research based on STIX ;-)
>
>
> On Monday, 26 October 2015, Jason Lewis <jlewis@lgscout.com> wrote:
>>
>> Just to point out some key differences from the FB format.  Primarily
>> the topology support (networks, bgp, etc) and scoring.  Part of the
>> scoring is the decay, which becomes very important when dealing with
>> billions of elements.
>>
>> On Wed, Oct 21, 2015 at 1:28 PM, Jordan, Bret <bret.jordan@bluecoat.com>
>> wrote:
>> > Thanks for sending this out... It looks interesting. We will need to
>> > watch it closely, they have some neat things that are very similar to
>> > FB's threat exchange.
>> >
>> > Thanks,
>> >
>> > Bret
>> >
>> >
>> >
>> > Bret Jordan CISSP
>> > Director of Security Architecture and Standards | Office of the CTO
>> > Blue Coat Systems
>> > PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>> > "Without cryptography vihv vivc ce xhrnrw, however, the only thing that
>> > can
>> > not be unscrambled is an egg."
>> >
>> > On Oct 21, 2015, at 04:17, Grobauer, Bernd <Bernd.Grobauer@siemens.com>
>> > wrote:
>> >
>> > Hi,
>> >
>> > I found this news item (from yesterday) about a new Open Source effort
>> > on TI standardization and thought it might be of interest to the group:
>> >
>> >
>> > http://www.businesswire.com/news/home/20151020005120/en/LookingGlass-Introduces-Open-Threat-Partner-eXchange-OpenTPX
>> >
>> > Docs, JSON-schema, etc. on
>> >
>> > https://www.opentpx.org/
>> >
>> >
>> > According to the FAQ:
>> >
>> > Q: Does OpenTPX replace STIX?
>> >
>> > A: No. OpenTPX was designed primarily as an optimized mechanism for data
>> > exchange at large volume, high scale and high speed ingestion for a
>> > broader set of Internet intelligence and threat context. Aspects of data
>> > available in STIX (e.g. indicators) have direct mapping to OpenTPX.
>> >
>> > Kind regards,
>> >
>> > Bernd
>> >
>> >
>> > -------------
>> >
>> > Bernd Grobauer, Siemens CERT
>> >
>> >
>> >
>> >
>> > This publicly archived list provides a forum for asking questions,
>> > offering answers, and discussing topics of interest on STIX,
>> > TAXII, and CybOX.  Users and developers of solutions that leverage
>> > STIX, TAXII and CybOX are invited to participate.
>> >
>> > In order to verify user consent to OASIS mailing list guidelines
>> > and to minimize spam in the list archive, subscription is required
>> > before posting.
>> >
>> > Subscribe: cti-users-subscribe@lists.oasis-open.org
>> > Unsubscribe: cti-users-unsubscribe@lists.oasis-open.org
>> > Post: cti-users@lists.oasis-open.org
>> > List help: cti-users-help@lists.oasis-open.org
>> > List archive: http://lists.oasis-open.org/archives/cti-users/
>> > List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
>> > CTI Technical Committee: https://www.oasis-open.org/committees/cti/
>> > Join OASIS: http://www.oasis-open.org/join/
>> >
>> >
>>
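The consumer-side approach the thread argues for (share sighting facts, let the consumer derive its own decayed, sector-aware score rather than trust the producer's rating) as an added example that is not from any of the posters or from the OpenTPX or STIX projects. The sightings, the half-life and the sector weight are constructed assumptions for illustration.

```python
from datetime import datetime, timezone

# Constructed sightings of one indicator: the kind of facts Pat proposes
# sharing (who saw it, in which sector, when). The producer's own rating is
# carried along for comparison but deliberately never used in the decision.
SIGHTINGS = [
    {"source": "org-a", "sector": "energy",  "seen": "2015-09-01T00:00:00Z"},
    {"source": "org-b", "sector": "energy",  "seen": "2015-10-16T00:00:00Z"},
    {"source": "org-c", "sector": "finance", "seen": "2015-10-25T00:00:00Z"},
]
PRODUCER_RATING = "low"  # e.g. an AV verdict: "only reported by a few companies"

def parse_ts(ts):
    """Parse the ISO-8601 UTC timestamps used in the constructed sightings."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def summarize(sightings):
    """Compile 'earliest seen' / 'latest seen' and source breadth from raw sightings."""
    times = [parse_ts(s["seen"]) for s in sightings]
    return {
        "earliest_seen": min(times).strftime("%Y-%m-%d"),
        "latest_seen": max(times).strftime("%Y-%m-%d"),
        "distinct_sources": len({s["source"] for s in sightings}),
        "sectors": sorted({s["sector"] for s in sightings}),
    }

def consumer_score(sightings, my_sector, now, half_life_days=30.0, same_sector_weight=3.0):
    """Score in the consumer's own context: each sighting's weight halves every
    half_life_days (the 'decay' Jason mentions) and sightings from the consumer's
    own sector count more (Pat's sector-specific characterization).
    Both parameters are assumed values, not anything the standards define."""
    score = 0.0
    for s in sightings:
        age_days = (now - parse_ts(s["seen"])).total_seconds() / 86400.0
        decay = 0.5 ** (age_days / half_life_days)
        weight = same_sector_weight if s["sector"] == my_sector else 1.0
        score += weight * decay
    return score

def triage(sightings, my_sector, now, threshold=2.0):
    """Decide from the consumer-side score alone; the producer's 'low' rating is
    reported next to it so the analyst can see the two disagree."""
    score = consumer_score(sightings, my_sector, now)
    return {"producer_rating": PRODUCER_RATING,
            "consumer_score": round(score, 3),
            "action": "investigate" if score >= threshold else "monitor"}

if __name__ == "__main__":
    now = parse_ts("2015-10-26T00:00:00Z")
    print(summarize(SIGHTINGS))
    print(triage(SIGHTINGS, "energy", now))
```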