cti message



Subject: Re: [cti] CybOX Datatype Refactoring/Deprecation


So just to clarify, what we’re discussing here is obfuscation of data in CybOX Object fields. In CybOX 2.1.x, an Object field could have the following properties:
  • is_obfuscated (boolean): This field is optional and conveys whether the associated Object property has been obfuscated.
  • obfuscation_algorithm_ref (URI): This field is optional and conveys a reference to a description of the algorithm used to obfuscate this Object property.
It sounds like there are some questions about the utility of having a boolean flag defining whether a field is obfuscated, as it wouldn’t really impact processing workflows. I think there’s also the question of where one would actually use/share Obfuscated data in STIX. Perhaps in Observations associated with Incidents? If that’s the case, then perhaps obfuscation should really be defined at the Observation level and not at the CybOX Object level?

Regards,
Ivan

From: Patrick Maroney <Pmaroney@Specere.org>
Date: Friday, March 25, 2016 at 1:47 PM
To: Jason Keirstead <jason.keirstead@ca.ibm.com>, John-Mark Gurney <jmg@newcontext.com>
Cc: "'cti@lists.oasis-open.org'" <cti@lists.oasis-open.org>, Ivan Kirillov <ikirillov@mitre.org>
Subject: Re: [cti] CybOX Datatype Refactoring/Deprecation

Another existing Use Case is when multiple organizations individually report incidents relating to the same campaign to a central agency.  The central agency often uses a consistent set of tokenizations to describe the events in a global context:  SectorCompany-A, B, and D were all targeted...targeted employees all work in Sourcing/Procurement and similarly themed messages....

Patrick Maroney
President
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org




On Fri, Mar 25, 2016 at 12:22 PM -0700, "Patrick Maroney" <Pmaroney@Specere.org> wrote:

I hesitate to jump in, but will describe the Use Cases for Obfuscation, Tokenization, Redaction.  Please note that this is not an attempt to advocate here/now for same.

When sharing Attacker TTPs, especially in a real-time community of trust within a given sector/target group, providing the detailed log events on the Attacker targeting patterns and timing are very valuable for (1) targeting analysis: Did all of the targets attend a specific conference, are they all members of a specific professional organization, are they all in similar fields/roles, (2) Attribution: Actor X has used the same exact multi-organizational distribution list/ordering for the last n Campaigns, (3) Attacker Tool Set Fingerprinting: Tool "x" sends each email separately, Tool "y" sends each email in blocks of 128 addressees, Tool "z" sends one email every 10 seconds, (4) Early warning Identification of new campaign by actor "x".

Since these detailed logs contain specific Employee, Infrastructure, Organizational target details, most organizations will need to redact, tokenize, obfuscate portions of the detailed logs before externally sharing.

 John.Smith@bigco.com ==> <Redacted>


These are deep topics on the "Implementation details" side of the house and I'm not trying to go down this rabbit-hole.  The objective is to outline scenarios where Obfuscation, Tokenization, Redaction Object Properties might provide value.




Patrick Maroney
President
Integrated Networking Technologies, Inc.
Desk: (856)983-0001
Cell: (609)841-5104
Email: pmaroney@specere.org

_____________________________
From: John-Mark Gurney <jmg@newcontext.com>
Sent: Friday, March 25, 2016 1:32 PM
Subject: Re: [cti] CybOX Datatype Refactoring/Deprecation
To: Jason Keirstead <jason.keirstead@ca.ibm.com>
Cc: 'cti@lists.oasis-open.org' <cti@lists.oasis-open.org>, Kirillov, Ivan A. <ikirillov@mitre.org>


Jason Keirstead wrote this message on Tue, Mar 22, 2016 at 10:54 -0400:
> I understand the encoding one, but not the obfuscated one. If someone wants
> to obfuscate (either reversibly or irreversibly) an email or URL before
> publishing it, we can't prevent that. I am not sure what is meant by
> "support" in this case.

I could possibly see a flag that lets the consumer know that this value
was changed from the original,

but IMO, there isn't much value in obfuscating things... You don't want
to obfuscate TTP or Campaigns, etc. You don't want to obfuscate an
Indicator...

The only things I can think of that you'd want to obfuscate is
Observations, but in that case, we have sightings, so you can instead
sight it and just not publish it.

> From: "Kirillov, Ivan A." <ikirillov@mitre.org>
> To: "'cti@lists.oasis-open.org'" <cti@lists.oasis-open.org>
> Date: 03/22/2016 11:29 AM
> Subject: Re: [cti] CybOX Datatype Refactoring/Deprecation
> Sent by: <cti@lists.oasis-open.org>
>
>
>
> Now that we’ve voted to not support defanging, the question remains as to
> whether we should support obfuscation and capture of observed encoding on
> CybOX Object fields:
> Obfuscation example: XXXX@yahoo.com or YYYY@comcast.com. Also used
> for URLs.
> Observed encoding: utf-8, etc. Mostly relevant for malware analysis
> and attribution, e.g., if an actor is known to use a particular
> encoding in their comment strings.

--
John-Mark

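As an added illustration of the two threads of this discussion (not code from the thread or from the CybOX project): Ivan's two CybOX 2.1 field properties, is_obfuscated and obfuscation_algorithm_ref, and Patrick's use case of a central agency correlating reports from several organizations through a consistent set of tokens. The script below tokenizes observed e-mail addresses with a keyed HMAC so that the same address always yields the same pseudonym for a given community key, redacts irreversibly where that is wanted, and records either choice on the field. The dictionary layout, the algorithm-description URI, the sample addresses and the shared key are all constructed for the example.

```python
"""Constructed example: tokenizing or redacting observed e-mail addresses
before sharing, and recording that choice on CybOX 2.1-style Object fields
via the is_obfuscated / obfuscation_algorithm_ref properties.

The field dictionary layout, the URI below and the sample data are
assumptions made for this example; they are not CybOX definitions.
"""
import hashlib
import hmac
import re
from typing import Dict, List, Optional, Set

# Hypothetical reference to a published description of the tokenization
# scheme; a sharing community would host its own at a URL it controls.
TOKENIZATION_ALG_REF = "https://example.org/tokenization/hmac-sha256-v1"
REDACTED = "<Redacted>"

EMAIL_RE = re.compile(r"^([^@]+)@(.+)$")


def tokenize_email(address: str, key: bytes) -> str:
    """Deterministic, keyed pseudonym for an e-mail address.

    Same address + same key => same token, so a central agency can match
    reports from different organizations without learning the original
    local part. Without the key the token cannot be reversed or cheaply
    guessed. The domain is retained so sector-level patterns stay visible.
    """
    m = EMAIL_RE.match(address.strip().lower())
    if not m:
        raise ValueError(f"not an e-mail address: {address!r}")
    local, domain = m.groups()
    digest = hmac.new(key, local.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"user-{digest[:12]}@{domain}"


def make_object_field(value: str, key: Optional[bytes] = None) -> dict:
    """Build a CybOX-2.1-style field carrying the two obfuscation properties.

    key=None shares the value as observed; otherwise the value is tokenized
    and flagged so a consumer knows it differs from what was observed and
    can look up how it was produced.
    """
    if key is None:
        return {"value": value, "is_obfuscated": False}
    return {
        "value": tokenize_email(value, key),
        "is_obfuscated": True,
        "obfuscation_algorithm_ref": TOKENIZATION_ALG_REF,
    }


def redact_field(value: str) -> dict:
    """Irreversible form, as in the John.Smith@bigco.com ==> <Redacted> example."""
    return {"value": REDACTED, "is_obfuscated": True}


def consumer_usable(field: dict) -> bool:
    """Consumer-side check: a value can be matched against local data only if
    it is unmodified, or if the producer said which algorithm was applied so
    the consumer can tokenize its own observations the same way."""
    if not field.get("is_obfuscated"):
        return True
    return bool(field.get("obfuscation_algorithm_ref"))


# Constructed sample: recipients of one campaign as seen by two organizations.
ORG_A_TARGETS: List[str] = ["John.Smith@bigco.com", "jane.doe@bigco.com"]
ORG_B_TARGETS: List[str] = ["john.smith@bigco.com"]  # same person, different casing


def correlate(reports: Dict[str, List[str]], key: bytes) -> Dict[str, Set[str]]:
    """Central-agency view: map each token to the organizations that reported it."""
    seen: Dict[str, Set[str]] = {}
    for org, addresses in reports.items():
        for addr in addresses:
            seen.setdefault(tokenize_email(addr, key), set()).add(org)
    return seen


if __name__ == "__main__":
    shared_key = b"constructed-community-key"  # constructed; not a real secret
    for tok, orgs in correlate({"A": ORG_A_TARGETS, "B": ORG_B_TARGETS}, shared_key).items():
        print(tok, "reported by", sorted(orgs))
    print(make_object_field("John.Smith@bigco.com", shared_key))
    print(redact_field("John.Smith@bigco.com"))
```

The consumer check shows where the boolean alone falls short: is_obfuscated tells a recipient that the value is not what was observed, but only obfuscation_algorithm_ref lets a recipient decide whether the value is still matchable against its own data.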




