
Ballot Details
Defanging Proposal

Should we include the capability for "defanging" in STIX 2.0 / CybOX 3.0?

NOTE: The purpose of this ballot is to unify the TC and settle an issue that has been debated for the past few weeks. This is a non-binding ballot that can be reversed at any time in the future by simple majority vote of the TC.

Please consider this question separately from how defanging would be accomplished and whether it would be mandatory or optional. These debates would be considered if this ballot passes.

Elaboration:
============
Defanging refers to the practice of replacing "live ammo", i.e. a malicious IP address or binary, with an obfuscated representation that is no longer dangerous if inadvertently clicked or automatically processed in error.

Some of the community raised concerns that exchanging malicious information might lead to unintended consequences such as the infection of an analyst PC, the disruption of the flow of intelligence or the generation of false positives when using network detection / prevention controls. Pat Maroney summarized some of the failure modes well in this message, but both Paul Patrick and Allan Thomson’s messages from this thread are also worth reading when considering the positives of defanging.

https://www.oasis-open.org/apps/org/workgroup/cti/email/archives/201602/msg00372.html

Other members of the community are against the use of defanging, primarily for two reasons:

* At the Face-to-Face (F2F) we reached consensus that STIX and CybOX are primarily meant to be machine-to-machine data transfer specifications. If you agree with the assertion that defanging is primarily needed so that analysts do not expose themselves to danger, it should be the duty of the system processing STIX / CybOX content to defang malicious content before presenting it to an analyst via a UI or some other mechanism. Alex Foley’s message late last month was meant to summarize this theme, but Bret Jordan and others have written messages in the thread that emphasize this point as well.

https://www.oasis-open.org/apps/org/workgroup/cti/email/archives/201602/msg00338.html

* Allowing defanging may hinder the ability to process content quickly in near-real time or to query content after the fact. If a system is constantly required to "refang" content, this may slow down processing or create an extra hurdle when processing STIX / CybOX content. David Crawford’s message summarizes this very well, but Jason Keirstead and others have also provided valuable feedback addressing this point.

https://www.oasis-open.org/apps/org/workgroup/cti/email/archives/201602/msg00393.html
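The two engineering points raised above, defanging at the presentation boundary while the stored machine-to-machine record stays live, and the refang step a consumer has to run before it can match or query, as an added Python example; this is not code from the ballot or from any TC project, and the hxxp/[.] conventions, the observable dict shape and the sample values are assumptions.

```python
import copy
import ipaddress
import re

# Added example (not from the ballot): the conventions hxxp:// and [.] are a
# common community practice, assumed here; the page itself prescribes none.
SCHEME_RE = re.compile(r"^http(s?)://", re.IGNORECASE)


def defang(value: str) -> str:
    """Neutralise a URL, domain or IPv4 string for display so it cannot be
    clicked or auto-resolved: http -> hxxp and every dot -> [.]"""
    value = SCHEME_RE.sub(lambda m: "hxxp" + m.group(1).lower() + "://", value)
    return value.replace(".", "[.]")


# Refanging must cope with several conventions; this is the extra processing
# cost the second objection above refers to.
REFANG_RULES = [
    (re.compile(r"^hxxp(s?)://", re.IGNORECASE), r"http\1://"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), "."),
    (re.compile(r"\[:\]"), ":"),
]


def refang(value: str) -> str:
    """Restore the live form so the value can be matched or queried."""
    for pattern, repl in REFANG_RULES:
        value = pattern.sub(repl, value)
    return value


def present_for_analyst(observable: dict) -> dict:
    """Defang only the copy shown in a UI; the stored machine-to-machine
    record keeps the live value (the first objection above)."""
    shown = copy.deepcopy(observable)
    shown["value"] = defang(shown["value"])
    return shown


def is_ipv4(value: str) -> bool:
    """Validate an address that may arrive in either form; refang() has to
    run before any structured check can be applied."""
    try:
        ipaddress.IPv4Address(refang(value))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample in a documentation range, not a real indicator.
    rec = {"type": "ipv4-addr", "value": "198.51.100.7"}
    print(present_for_analyst(rec), rec)
```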

 [ ]  Yes
 [ ]  No
 [ ]  Abstain
Opening:   Monday, 7 March 2016 @ 05:00 pm EST
Closing:   Monday, 14 March 2016 @ 05:00 pm EDT
Group:   OASIS Cyber Threat Intelligence (CTI) TC
Ballot has closed.

Referenced Items
Document, 2016-03-14

Voting Details

Voting Summary


Option    Votes   % of Total
Yes       0       0%
No        31      100%
Abstain   2

Eligible members who have voted:      31 of 67  (46%)
Eligible members who have abstained:  2 of 67   (3%)
Eligible members who have not voted:  34 of 67  (51%)

Voting Details

Voter (Company): Vote

Wei Huang (Anomali): --
Dean Thompson (Australia and New Zealand Banking Group (A...): No
Alexander Foley (Bank of America): No
Bret Jordan (Blue Coat Systems, Inc.): No
Sarah Kelley (Center for Internet Security (CIS)): --
Jyoti Verma (Cisco Systems): --
Joey Peloquin (Citrix Systems): No
Doug DePeppe (Cyber Threat Intelligence Network, Inc. (C...): --
Jane Ginn (Cyber Threat Intelligence Network, Inc. (C...): No
Richard Struse (DHS Office of Cybersecurity and Communicat...): --
Marlon Taylor (DHS Office of Cybersecurity and Communicat...): No
Gordon Hundley (DTCC): --
Jeff Williams (Dell): --
Ravi Sharda (EMC): --
David Eilken (Financial Services Information Sharing and...): No
Ryusuke Masuoka (Fujitsu Limited): No
Eric Burger (Georgetown University): No
Tomas Sander (Hewlett Packard Enterprise (HPE)): --
Ron Williams (IBM): --
Peter Clark (IBM): --
John Morris (IBM): --
Jason Keirstead (IBM): No
Peter Allor (IBM): No
Elysa Jones (Individual): --
Jerome Athias (Individual): --
Patrick Maroney (Integrated Networking Technologies, Inc.): Abstain
Kent Landfield (Intel Corporation): --
David Laurance (JPMorgan Chase Bank, N.A.): --
Pamela Smith (Johns Hopkins University Applied Physics L...): --
Mark Moss (Johns Hopkins University Applied Physics L...): --
Beth Pumo (Kaiser Permanente): --
Sean Barnum (Mitre Corporation): Abstain
Jonathan Baker (Mitre Corporation): No
John Wunder (Mitre Corporation): No
Ivan Kirillov (Mitre Corporation): No
Richard Piazza (Mitre Corporation): No
Takahiro Kakumaru (NEC Corporation): --
Denise Anderson (National Council of ISACs (NCI)): No
Daniel Riedel (New Context Services, Inc.): --
Andrew Storms (New Context Services, Inc.): No
John-Mark Gurney (New Context Services, Inc.): No
Cory Casanave (Object Management Group): --
Igor Baikalov (Securonix): No
Aishwarya Asok Kumar (Soltra): --
Daniel Dye (Soltra): --
Aharon Chernin (Soltra): No
Ali Khan (Soltra): No
Trey Darley (Soltra): No
Michael Butt (Soltra): No
Natalie Suarez (Soltra): No
Mark Davidson (Soltra): No
Mark Clancy (Soltra): No
Terry MacDonald (Soltra): No
Mona Magathan (U.S. Bank): --
Mark Angel (U.S. Bank): --
Brad Butts (U.S. Bank): --
Gary Katz (US Department of Defense (DoD)): No
Justin Stekervetz (US Department of Homeland Security): --
Chris O'Brien (United Kingdom Cabinet Office): --
Mike McLellan (United Kingdom Cabinet Office): --
Chris Taylor (United Kingdom Cabinet Office): --
Iain Brown (United Kingdom Cabinet Office): No
Robert Coderre (VeriSign): No
Kyle Maxwell (VeriSign): No
Wilson Figueroa (ViaSat, Inc.): --
Anthony Rutkowski (Yaana Technologies, LLC): --
Paul Patrick (iSIGHT Partners, Inc.): --