+1.
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA | An FS-ISAC and DTCC Company
+61 (407) 203 206 |
terry@soltra.com
From: cti-users@lists.oasis-open.org [mailto:cti-users@lists.oasis-open.org]
On Behalf Of Patrick Maroney
Sent: Tuesday, 27 October 2015 1:34 AM
To: Jerome Athias <athiasjerome@gmail.com>; Jason Lewis <jlewis@lgscout.com>
Cc: Jordan, Bret <bret.jordan@bluecoat.com>; Grobauer, Bernd <bernd.grobauer@siemens.com>; cti-users@lists.oasis-open.org
Subject: Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)
Relevance, Certainty, Validity, etc. along with other highly subjective measures like Business Impact (of mitigation/Blocking) are really not effective shared measures for IOCs with perhaps exceptions for widely seen common Malware/NuisanceWare/AdWare.
Point is that a majority of serious APT attacks against Sectors, Industries, Agencies, etc. are highly targeted. In some cases the attack packages and ephemeral TTPs are tailored uniquely to an individual organization.
I can authoritatively cite an example: some of the most dangerous highly targeted APT threats are typically flagged by AV as "Low" priority/criticality/risk, which in turn leads to inadequate responses when detected. We've found evidence
of relatively early leading APT artifact AV detections in every APT Intrusion investigation since 2002. When asked why these leading indicators were ignored, without fail the response would be something along the lines of: "Oh we don't have the resources
to investigate thousands of AV detections, we only look at Med to High Risk", or "Oh we looked at it, it was flagged as low risk". AV Vendors when challenged on these rating methodologies would also respond without fail with something like: "That RAT/Backdoor
was only reported by 5 companies, it's low risk". Tell that to the 5 companies who spent millions cleaning up entrenched adversaries that could have been stopped early in the intrusion had the threat not been mischaracterized and investigated.
In my view (1) we should be sharing facts about sightings/observations, (2) analysis along with methods to "show your work" for any hypothesis for subjective conclusions, and (3) include Non-Attributional Source Path Traceability for directing
RFIs and Details on Sightings to the original Source(s). One can then compile "Earliest Seen", "Latest Seen" metrics along with Sector/Target specific Threat Characterization details to determine an effective measure of risk.
_____________________________
From: Jerome Athias <athiasjerome@gmail.com>
Sent: Sunday, October 25, 2015 10:04 PM
Subject: Re: [cti-users] Publication of another threat intelligence standard: Open Threat Partner eXchange (OpenTPX)
To: Jason Lewis <jlewis@lgscout.com>
Cc: Jordan, Bret <bret.jordan@bluecoat.com>, Grobauer, Bernd <bernd.grobauer@siemens.com>, <cti-users@lists.oasis-open.org>
Yep the decay is interesting
It could be evaluated as an option like the Valid_Time_Position where both have benefits depending the use case (e.g. Exercise scenario)
Regarding scoring, there is opportunity for researches based on STIX ;-)
On Monday, 26 October 2015, Jason Lewis < jlewis@lgscout.com> wrote:
Just to point out some key differences from the FB format. Primarily
the topology support (networks, bgp, etc) and scoring. Part of the
scoring is the decay, which becomes very important when dealing with
billions of elements.
On Wed, Oct 21, 2015 at 1:28 PM, Jordan, Bret <
bret.jordan@bluecoat.com> wrote:
> Thanks for sending this out... It looks interesting. We will need to watch
> it closely, they have some neat things that are very similar to FB's threat
> exchange.
>
> Thanks,
>
> Bret
>
>
>
> Bret Jordan CISSP
> Director of Security Architecture and Standards | Office of the CTO
> Blue Coat Systems
> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE
7415 0050
> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can
> not be unscrambled is an egg."
>
> On Oct 21, 2015, at 04:17, Grobauer, Bernd <
Bernd.Grobauer@siemens.com>
> wrote:
>
> Hi,
>
> I found this news item (from yesterday) about a new Open Source effort on TI
> standardization
> and thought it might be of interest to the group:
>
>
http://www.businesswire.com/news/home/20151020005120/en/LookingGlass-Introduces-Open-Threat-Partner-eXchange-OpenTPX
>
> Docs, JSON-schema, etc. on
>
> https://www.opentpx.org/
>
>
> According to the FAQ:
>
> Q: Does OpenTPX replace STIX?
>
> A: No. OpenTPX was designed primarily as a optimized mechanism for data
> exchange at large volume, high scale and high speed ingestion for a broader
> set of Internet intelligence and threat context. Aspects of data available
> in STIX (e.g. indicators) have direct mapping to OpenTPX.
>
> Kind regards,
>
> Bernd
>
>
> -------------
>
> Bernd Grobauer, Siemens CERT
>
>
>
>
> This publicly archived list provides a forum for asking questions,
> offering answers, and discussing topics of interest on STIX,
> TAXII, and CybOX. Users and developers of solutions that leverage
> STIX, TAXII and CybOX are invited to participate.
>
> In order to verify user consent to OASIS mailing list guidelines
> and to minimize spam in the list archive, subscription is required
> before posting.
>
> Subscribe: cti-users-subscribe@lists.oasis-open.org
> Unsubscribe: cti-users-unsubscribe@lists.oasis-open.org
> Post: cti-users@lists.oasis-open.org
> List help: cti-users-help@lists.oasis-open.org
> List archive: http://lists.oasis-open.org/archives/cti-users/
> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> CTI Technical Committee: https://www.oasis-open.org/committees/cti/
> Join OASIS: http://www.oasis-open.org/join/
>
>
This publicly archived list provides a forum for asking questions,
offering answers, and discussing topics of interest on STIX,
TAXII, and CybOX. Users and developers of solutions that leverage
STIX, TAXII and CybOX are invited to participate.
In order to verify user consent to OASIS mailing list guidelines
and to minimize spam in the list archive, subscription is required
before posting.
Subscribe: cti-users-subscribe@lists.oasis-open.org
Unsubscribe: cti-users-unsubscribe@lists.oasis-open.org
Post: cti-users@lists.oasis-open.org
List help: cti-users-help@lists.oasis-open.org
List archive: http://lists.oasis-open.org/archives/cti-users/
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
CTI Technical Committee: https://www.oasis-open.org/committees/cti/
Join OASIS: http://www.oasis-open.org/join/
|