Title: Defanging Proposal
Description:
NOTE: The purpose of this ballot is to unify the TC and settle an issue that has been debated for the past few weeks. This is a non-binding ballot that can be reversed at any time in the future by simple majority vote of the TC.
 
Please consider this question separately from how defanging would be accomplished and whether it would be mandatory or optional.  These debates would be considered if this ballot passes.
 
Elaboration:
============
Defanging refers to the practice of replacing "live ammo", i.e. a malicious IP address or binary, with an obfuscated representation that is no longer dangerous if inadvertently clicked or automatically processed in error.
 
Some of the community raised concerns that exchanging malicious information might lead to unintended consequences such as the infection of an analyst PC, the disruption of the flow of intelligence or the generation of false positives when using network detection / prevention controls.  Pat Maroney summarized some of the failure modes well in this message, but both Paul Patrick and Allan Thomson’s messages from this thread are also worth reading when considering the positives of defanging.
 
https://www.oasis-open.org/apps/org/workgroup/cti/email/archives/201602/msg00372.html
 
Other members of the community are against the use of defanging, primarily for two reasons:
 
* At the Face-to-Face (F2F) we reached consensus that STIX and CybOX are primarily meant to be machine-to-machine data transfer specifications.  If you agree with the assertion that defanging is primarily needed so that analysts do not expose themselves to danger, it should be the duty of the system processing STIX / CybOX content to defang malicious content before presenting it to an analyst via a UI or some other mechanism.  Alex Foley’s message late last month was meant to summarize this theme, but Bret Jordan and others have written messages in the thread that emphasize this point as well.
 
https://www.oasis-open.org/apps/org/workgroup/cti/email/archives/201602/msg00338.html
 
* Allowing the use of defanging may hinder the ability to process content quickly in near real time or to query it after the fact.  If a consuming system is constantly required to "refang" content before it can match or index it, this adds processing cost and an extra hurdle when handling STIX / CybOX content.  David Crawford's message summarizes this very well, but Jason Keirstead and others have also provided valuable feedback addressing this point.
 
https://www.oasis-open.org/apps/org/workgroup/cti/email/archives/201602/msg00393.html
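The defang / refang round trip that the Elaboration and the second objection describe, as an added example; it is not part of the ballot, nor of any STIX or CybOX specification text. It assumes the common `hxxp://` and `[.]` conventions (the ballot does not specify any), the helper names `defang`, `refang`, `looks_live` and `match_live_indicator` are this example's own, and the sample indicators are constructed from RFC 5737 documentation ranges and a reserved example domain, not from any real incident.

```python
"""Added example: a defang / refang round trip for IP and URL indicators.

Not part of the ballot or of STIX/CybOX. It assumes the widely used
hxxp:// and [.] conventions, which the ballot itself does not specify;
other conventions exist, so the refang side accepts several of them.
"""
import ipaddress
import re

# Constructed sample indicators: RFC 5737 documentation ranges and a
# reserved example domain, not observations from any real incident.
SAMPLE_INDICATORS = [
    "192.0.2.44",
    "http://malware.example.com/payload.exe",
    "https://198.51.100.7:8443/login",
]

_LIVE_SCHEME = re.compile(r"^https?://", re.IGNORECASE)

# Refang rules: each marker on the left is folded back to the character on
# the right. Several producer conventions are accepted because a consumer
# cannot choose which one its upstream feeds use.
_REFANG_RULES = [
    (re.compile(r"\bhxxp", re.IGNORECASE), "http"),   # hxxp://, hXXps://
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), "."),        # [.]  (.)  {.}
    (re.compile(r"\[:\]"), ":"),
    (re.compile(r"\[@\]"), "@"),
]


def is_defanged(indicator: str) -> bool:
    """True if any recognised defang marker is present."""
    return any(rule.search(indicator) for rule, _ in _REFANG_RULES)


def defang(indicator: str) -> str:
    """Return the obfuscated form: scheme http -> hxxp, every '.' -> '[.]'.

    Idempotent: an already defanged value is returned unchanged, so content
    that passes through several producers is not mangled twice.
    """
    if is_defanged(indicator):
        return indicator
    out = indicator
    if out.lower().startswith("http"):          # covers http and https
        out = "hxxp" + out[4:]
    return out.replace(".", "[.]")


def refang(text: str) -> str:
    """Restore the live form so the value can be matched or queried."""
    for pattern, replacement in _REFANG_RULES:
        text = pattern.sub(replacement, text)
    return text


def looks_live(indicator: str) -> bool:
    """What an unwary tool would act on: a parseable IP address, or a URL
    whose scheme a client would actually fetch."""
    try:
        ipaddress.ip_address(indicator)
        return True
    except ValueError:
        return bool(_LIVE_SCHEME.match(indicator))


def match_live_indicator(feed_lines, live_indicator):
    """Lines of a (possibly defanged) feed that refer to live_indicator.

    This is the processing cost the second objection raises: every line
    has to be refanged before a plain substring or equality match works.
    A consumer that skips this step misses every defanged line.
    """
    return [line for line in feed_lines if live_indicator in refang(line)]


if __name__ == "__main__":
    for ind in SAMPLE_INDICATORS:
        safe = defang(ind)
        print(f"{ind!r:45} -> {safe!r}  live={looks_live(safe)}")
        assert refang(safe) == ind and not looks_live(safe)
```

Two things worth noticing when running it: `looks_live` is false for every defanged value, which is the analyst-safety argument, and `match_live_indicator` only finds the defanged lines because it refangs each one first, which is the per-record cost the second objection describes. The refang rules are also a lossy heuristic (an ordinary "(.)" in prose would be folded to a dot), so a consumer that must refang cannot be certain it has recovered exactly what the producer saw.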
Ballot Options:
[ ] Yes
[ ] No
[ ] Abstain
Opening Date: Mon, Mar 7 2016 5:00 pm EST
Closing Date: Mon, Mar 14 2016 5:00 pm EDT
Ballot has closed.

Referenced Items:
Name: 02918: Defanging Proposal
Type: Document (Archive)
Date: 2016-03-14