Subject: Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)
I totally agree.

2015-10-26 17:59 GMT+03:00 Barnum, Sean D. <sbarnum@mitre.org>:

> Pat’s statements here align with the opinions I have heard expressed over the last few years from organizations doing actual cyber threat intelligence or active incident response.
> The assertions that I have heard are that scoring is a great concept but that any importance/criticality scoring (based on a myriad of potential factors like some that Pat names) asserted by a producer is rarely accurate or applicable within the context of different consumers.
> The way that I have had it characterized to me is typically along the lines of the following.
> At best (in the rare cases where they are accurate) they may help a consumer prioritize one issue over another. Nominally, they are noise information for consumers drowning in information. At worst they are misleading and cause the wrong decisions/actions to be taken (such as the case Pat describes below).
> The preferred approach that I have heard is to give the consumer as much of the context for the information as possible to enable the consumer to determine their own scoring based also on their own internal context.
> One possible approach for us might be to ensure that we can support conveying the appropriate level of context information in our normative standards and then provide some non-normative consensus suggestions/guidelines (separate from the standards themselves) on how consumers could use that information to “score” threat information.
>
> I am not arguing or asserting a “right” way to do this, just pointing out that what Pat says here jibes with what I have heard from many others and should certainly take such considerations into account when thinking about this topic.
>
> sean
>
> From: <cti-users@lists.oasis-open.org> on behalf of Patrick Maroney <Pmaroney@Specere.org>
> Date: Monday, October 26, 2015 at 10:33 AM
> To: Jerome Athias <athiasjerome@gmail.com>, Jason Lewis <jlewis@lgscout.com>
> Cc: "Jordan, Bret" <bret.jordan@bluecoat.com>, Bernd Grobauer <bernd.grobauer@siemens.com>, "cti-users@lists.oasis-open.org" <cti-users@lists.oasis-open.org>
> Subject: Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)
>
> Relevance, Certainty, Validity, etc. along with other highly subjective measures like Business Impact (of mitigation/Blocking) are really not effective shared measures for IOCs, with perhaps exceptions for widely seen common Malware/NuisanceWare/AdWare.
> Point is that a majority of serious APT attacks against Sectors, Industries, Agencies, etc. are highly targeted. In some cases the attack packages and ephemeral TTPs are tailored uniquely to an individual organization.
> I can authoritatively cite an example: some of the most dangerous highly targeted APT threats are typically flagged by AV as "Low" priority/criticality/risk, which in turn leads to inadequate responses when detected. We've found evidence of relatively early leading APT artifact AV detections in every APT Intrusion investigation since 2002. When asked why these leading indicators were ignored, without fail the response would be something along the lines of: "Oh we don't have the resources to investigate thousands of AV detections, we only look at Med to High Risk", or "Oh we looked at it, it was flagged as low risk". AV Vendors when challenged on these rating methodologies would also respond without fail with something like: "That RAT/Backdoor was only reported by 5 companies, it's low risk".
> Tell that to the 5 companies who spent millions cleaning up entrenched adversaries that could have been stopped early in the intrusion had the threat not been mischaracterized and investigated.
> In my view (1) we should be sharing facts about sightings/observations, (2) analysis along with methods to "show your work" for any hypothesis for subjective conclusions, and (3) include Non-Attributional Source Path Traceability for directing RFIs and Details on Sightings to the original Source(s). One can then compile "Earliest Seen", "Latest Seen" metrics along with Sector/Target specific Threat Characterization details to determine an effective measure of risk.
>
> Patrick Maroney
>
> _____________________________
> From: Jerome Athias <athiasjerome@gmail.com>
> Sent: Sunday, October 25, 2015 10:04 PM
> Subject: Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)
> To: Jason Lewis <jlewis@lgscout.com>
> Cc: Jordan, Bret <bret.jordan@bluecoat.com>, Grobauer, Bernd <bernd.grobauer@siemens.com>, <cti-users@lists.oasis-open.org>
>
> Yep, the decay is interesting.
> It could be evaluated as an option like the Valid_Time_Position, where both have benefits depending on the use case (e.g. Exercise scenario).
>
> Regarding scoring, there is opportunity for research based on STIX ;-)
>
> On Monday, 26 October 2015, Jason Lewis <jlewis@lgscout.com> wrote:
>>
>> Just to point out some key differences from the FB format. Primarily the topology support (networks, bgp, etc) and scoring. Part of the scoring is the decay, which becomes very important when dealing with billions of elements.
>>
>> On Wed, Oct 21, 2015 at 1:28 PM, Jordan, Bret <bret.jordan@bluecoat.com> wrote:
>> > Thanks for sending this out... It looks interesting. We will need to watch it closely, they have some neat things that are very similar to FB's threat exchange.
>> >
>> > Thanks,
>> >
>> > Bret
>> >
>> > Bret Jordan CISSP
>> > Director of Security Architecture and Standards | Office of the CTO
>> > Blue Coat Systems
>> > PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
>> > "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
>> >
>> > On Oct 21, 2015, at 04:17, Grobauer, Bernd <Bernd.Grobauer@siemens.com> wrote:
>> >
>> > Hi,
>> >
>> > I found this news item (from yesterday) about a new Open Source effort on TI standardization and thought it might be of interest to the group:
>> >
>> > http://www.businesswire.com/news/home/20151020005120/en/LookingGlass-Introduces-Open-Threat-Partner-eXchange-OpenTPX
>> >
>> > Docs, JSON-schema, etc. on
>> >
>> > https://www.opentpx.org/
>> >
>> > According to the FAQ:
>> >
>> > Q: Does OpenTPX replace STIX?
>> >
>> > A: No. OpenTPX was designed primarily as an optimized mechanism for data exchange at large volume, high scale and high speed ingestion for a broader set of Internet intelligence and threat context. Aspects of data available in STIX (e.g. indicators) have direct mapping to OpenTPX.
>> >
>> > Kind regards,
>> >
>> > Bernd
>> >
>> > -------------
>> >
>> > Bernd Grobauer, Siemens CERT
>> >
>> > This publicly archived list provides a forum for asking questions, offering answers, and discussing topics of interest on STIX, TAXII, and CybOX. Users and developers of solutions that leverage STIX, TAXII and CybOX are invited to participate.
>> >
>> > In order to verify user consent to OASIS mailing list guidelines and to minimize spam in the list archive, subscription is required before posting.
>> >
>> > Subscribe: cti-users-subscribe@lists.oasis-open.org
>> > Unsubscribe: cti-users-unsubscribe@lists.oasis-open.org
>> > Post: cti-users@lists.oasis-open.org
>> > List help: cti-users-help@lists.oasis-open.org
>> > List archive: http://lists.oasis-open.org/archives/cti-users/
>> > List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
>> > CTI Technical Committee: https://www.oasis-open.org/committees/cti/
>> > Join OASIS: http://www.oasis-open.org/join/
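The thread argues that a producer-asserted severity ("only 5 companies reported it, so it's low") is the wrong input for a consumer, and that consumers should instead compute their own priority from shared context: sightings, "Earliest Seen"/"Latest Seen", which sectors observed the indicator, plus the time decay Jason and Jerome mention. The following Python is an added illustration of that consumer-side approach; it is not code from OpenTPX, STIX, or any of the thread's participants. The sighting records, indicator names (`rat-sample-A`, `adware-sample-B`), sector labels, the 30-day half-life and every weighting factor in `consumer_score` are constructed assumptions chosen to make the point, not a recommended scoring model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Sighting:
    """One observation of an indicator as shared by a source (constructed record)."""
    indicator: str   # hypothetical indicator label, not a real IoC
    source: str      # non-attributional handle for the reporting organisation
    sector: str      # sector of the organisation that made the observation
    seen: datetime   # observation time, UTC


def summarize(sightings, indicator):
    """Compile Earliest Seen / Latest Seen and who-saw-it context for one indicator."""
    rows = [s for s in sightings if s.indicator == indicator]
    if not rows:
        return None
    return {
        "earliest_seen": min(s.seen for s in rows),
        "latest_seen": max(s.seen for s in rows),
        "sources": sorted({s.source for s in rows}),
        "sectors": sorted({s.sector for s in rows}),
        "sightings": len(rows),
    }


def decay_weight(latest_seen, now, half_life_days=30.0):
    """Exponential recency decay: the weight halves every half_life_days after the last sighting."""
    age_days = max(0.0, (now - latest_seen).total_seconds() / 86400.0)
    return 0.5 ** (age_days / half_life_days)


def consumer_score(summary, my_sector, now, half_life_days=30.0):
    """Consumer-side priority derived only from shared context, never from a producer's label.

    Hypothetical weighting: sightings in the consumer's own sector dominate, very broad
    distribution is mildly discounted (commodity noise is seen everywhere), and a narrow
    set of reporters is deliberately NOT treated as a reason to down-rank.
    """
    if summary is None:
        return 0.0
    targeting = 1.0 if my_sector in summary["sectors"] else 0.25
    breadth_factor = 1.0 if len(summary["sources"]) <= 10 else 0.6
    recency = decay_weight(summary["latest_seen"], now, half_life_days)
    return round(targeting * breadth_factor * recency, 3)


def rank(sightings, my_sector, now, half_life_days=30.0):
    """Return (indicator, score, summary) tuples, highest consumer score first."""
    scored = []
    for ind in sorted({s.indicator for s in sightings}):
        summ = summarize(sightings, ind)
        scored.append((ind, consumer_score(summ, my_sector, now, half_life_days), summ))
    return sorted(scored, key=lambda t: t[1], reverse=True)


# --- constructed sample feed -------------------------------------------------
NOW = datetime(2015, 10, 26, 12, 0, tzinfo=timezone.utc)


def days_ago(d):
    return NOW - timedelta(days=d)


# "rat-sample-A": reported by only five organisations, all in one sector, last seen two days ago.
SAMPLE_SIGHTINGS = [
    Sighting("rat-sample-A", "org-01", "energy", days_ago(40)),
    Sighting("rat-sample-A", "org-02", "energy", days_ago(35)),
    Sighting("rat-sample-A", "org-03", "energy", days_ago(20)),
    Sighting("rat-sample-A", "org-04", "energy", days_ago(9)),
    Sighting("rat-sample-A", "org-05", "energy", days_ago(2)),
]
# "adware-sample-B": seen by fifty organisations across five sectors, nothing in the last ten weeks.
COMMODITY_SECTORS = ["retail", "finance", "energy", "health", "telecom"]
SAMPLE_SIGHTINGS += [
    Sighting("adware-sample-B", f"org-{n:02d}", COMMODITY_SECTORS[n % 5], days_ago(70 + n % 5))
    for n in range(10, 60)
]

if __name__ == "__main__":
    for ind, score, summ in rank(SAMPLE_SIGHTINGS, my_sector="energy", now=NOW):
        print(f"{ind:16} score={score:<6} sources={len(summ['sources']):3} "
              f"first={summ['earliest_seen']:%Y-%m-%d} last={summ['latest_seen']:%Y-%m-%d}")
```

For an energy-sector consumer the five-reporter RAT sample ranks far above the widely seen commodity sample, the opposite of the "reported by 5 companies, low risk" heuristic, because the ranking is driven by in-sector sightings and recency rather than by how many producers bothered to report it. Swap `my_sector` or the half-life and the order is recomputed locally, which is the point of shipping context instead of a fixed score.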