I hesitate to jump in, but will describe the Use Cases for Obfuscation, Tokenization, Redaction. Please note that this is not an attempt to advocate here/now for same.
When sharing Attacker TTPs, especially in a real-time community of trust within a given sector/target group, providing the detailed log events on the Attacker targeting patterns and timing are very valuable for (1) targeting analysis: Did all of the targets
attend a specific conference, are they all members of a specific professional organization, are they all in similar fields/roles, (2) Attribution: Actor X has used the same exact multi-organizational distribution list/ordering for the last n Campaigns, (3)
Attacker Tool Set Fingerprinting: Tool "x" sends each email separately, Tool "y" sends each email in blocks of 128 addressees, Tool "z" sends one email every 10 seconds, (4) Early warning Identification of new campaign by actor "x".
Since these detailed logs contain specific Employee, Infrastructure, Organizational target details, most organizations will need to redact, tokenize, obfuscate portions of the detailed logs before externally sharing.
These are deep topics on the "Implementation details" side of the house and I'm not trying to go down this rabbit-hole. The objective is to outline scenarios where Obfuscation, Tokenization, Redaction Object Properties might provide value.
From: John-Mark Gurney <firstname.lastname@example.org
Sent: Friday, March 25, 2016 1:32 PM
Subject: Re: [cti] CybOX Datatype Refactoring/Deprecation
To: Jason Keirstead <email@example.com
Kirillov, Ivan A. <firstname.lastname@example.org
Jason Keirstead wrote this message on Tue, Mar 22, 2016 at 10:54 -0400:
> I understand the encoding one, but not the obfuscated one. If someone wants
> to obfuscate (either reversibly or irreversibly) an email or URL before
> publishing it, we can't prevent that. I am not sure what is meant by
> "support" in this case.
I could possibly see a flag that lets the consumer know that this value
was changed from the original,
but IMO, there isn't much value in obfuscating things... You don't want
to obfuscate TTP or Campaigns, etc. You don't want to obfuscate an
The only things I can think of that you'd want to obfuscate is
Observations, but in that case, we have sightings, so you can instead
sight it and just not publish it.
> From: "Kirillov, Ivan A." <email@example.com
> To: "'firstname.lastname@example.org
> Date: 03/22/2016 11:29 AM
> Subject: Re: [cti] CybOX Datatype Refactoring/Deprecation
> Sent by: <email@example.com
> Now that we’ve voted to not support defanging, the question remains as to
> whether we should support obfuscation and capture of observed encoding on
> CybOX Object fields:
> Obfuscation example:
. Also used
> for URLs.
> Observed encoding: utf-8, etc. Mostly relevant for malware analysis
> and attribution, e.g., if an actor is known to use a particular
> encoding in their comment strings.
To unsubscribe from this mail list, you must leave the OASIS TC that
generates this mail. Follow this link to all your TCs in OASIS at: