Re: [cti] Question on indicator patterns

It would be an AMAZING problem to have, to have so many vendors out there doing STIX/CybOX and TAXII that we need to build a layered certification and assessment program. But for the next 2 years or so, the reality is, we just need people to adopt these standards and start doing things with them.

The market will ultimately decide how much of the certification and assessment we need to end up doing. If everyone's products work well with each other, and users do not complain to us that all of the solutions are broken, then things are good.

The biggest areas I can see us working on are:

1) If I send you a Object FOO, and then request that Object back, is it hash perfect? Do this for a whole library of objects.

2) For data markings over TAXII, if I tell you I can only support TLP AMBER, can I get a document that I know is TLP RED

things like that.. I am sure we can easily come up with a list of 15-20 simple tests that vendors can do, to verify their solutions work.

Thanks,

Bret

Bret Jordan CISSP

Director of Security Architecture and Standards | Office of the CTO

Blue Coat Systems

PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050

"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."

On Jul 18, 2016, at 07:18, Trey Darley <trey@kingfisherops.com> wrote:

On 18.07.2016 08:50:23, Terry MacDonald wrote:
Maybe this is where we need to separate the STIX certification into
different categories to enable that differentiation to be recorded?

Full STIX compliance: full STIX including full CybOX objects and
patterning.

Partial STIX compliance: STIX implementation of more than the
specialized STIX compliance but not a full implementation of all
parts of STIX.

Specialized STIX compliance: STIX and CybOX only focused on a
specific subset of the language, and designed for a single purpose.

The CybOX Patterning language was created to encompass matching on
both network and endpoint-related data. Yara does a fine job on the
endpoint as does Snort on the network, but the CybOX SC as could find
no open standard patterning language addressing both, the CybOX
Patterning language was developed.

Now clearly one would expect that a SIEM claiming to support STIX
Indicators would have the capability to handle matching on both
network and endpoint-related data. But one would *not* expect (for
example) a web proxy to know what to do with Windows Registry Keys but
a web proxy claiming to support STIX Indicators *should* be able to do
something sensible (and well-defined) upon receiving a STIX Indicator,
containing a CybOX Pattern enumerating URLs, IP addresses, etc.

From the perspective of claiming conformance to the standards, there's
obviously some variance to be accounted for depending on what type of
tool or product you're talking about

Currently we addressed this by inserting this text into the STIX
Indicator spec: "...and MUST be supported, as described by the CybOX
Patterning conformance specification."

We worked furiously on the CybOX Patterning spec last week but ran out
of time to address this. There is currently no text in the CybOX
Patterning spec describing conformance in these distinctly different
use cases but this is a known issue and one which we will be working
to address this week.

Hope that clears things up a bit! ^_^

--
Cheers,
Trey
++--------------------------------------------------------------------------++
Kingfisher Operations, sprl
gpg fingerprint: 85F3 5F54 4A2A B4CD 33C4 5B9B B30D DD6E 62C8 6C1D
++--------------------------------------------------------------------------++
--
"Every networking problem always takes longer to solve than it seems
like it should." --RFC 1925

cti message