Ballot Details: Defanging Proposal (CLOSED)
|Ballot Question||Should we include the capability for "defanging" in STIX 2.0 / CybOX 3.0?|
|Ballot Description||NOTE: The purpose of this ballot is to unify the TC and settle an issue that has been debated for the past few weeks. This is a non-binding ballot that can be reversed at any time in the future by simple majority vote of the TC.
Please consider this question separately from how defanging would be accomplished and whether it would be mandatory or optional. These debates would be considered if this ballot passes.
Defanging refers to the practice of replacing "live ammo", i.e. a malicious IP address or binary, with an obfuscated representation that is no longer dangerous if inadvertently clicked or automatically processed in error.
Some of the community raised concerns that exchanging malicious information might lead to unintended consequences such as the infection of an analyst's PC, the disruption of the flow of intelligence, or the generation of false positives when using network detection / prevention controls. Pat Maroney summarized some of the failure modes well in this message, but both Paul Patrick and Allan Thomson’s messages from this thread are also worth reading when considering the positives of defanging.
Other members of the community are against the use of defanging, primarily for two reasons:
* At the Face-to-Face (F2F) we reached consensus that STIX and CybOX are primarily meant to be machine-to-machine data transfer specifications. If you agree with the assertion that defanging is primarily needed so that analysts do not expose themselves to danger, it should be the duty of the system processing STIX / CybOX content to defang malicious content before presenting it to an analyst via a UI or some other mechanism. Alex Foley’s message late last month was meant to summarize this theme, but Bret Jordan and others have written messages in the thread that emphasize this point as well.
* Allowing the use of defanging may challenge the ability to process content quickly in near-real time or query content after the fact. If a system is constantly required to "refang" content, this may slow down processing or create an extra hurdle when processing STIX / CybOX content. David Crawford’s message summarizes this very well, but Jason Keirstead and others have also provided valuable feedback addressing this point.
VOTING CLOSED: Monday, 14 March 2016 @ 5:00 pm EDT
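The two objections above (that a tool, not the data format, should defang at the point of presentation, and that defanged content has to be "refanged" before it can be matched against what is seen on the wire) are easy to see in code. The following Python is an added illustration, not part of the ballot or of any STIX/CybOX specification; it assumes one common defanging convention (`hxxp://` and `[.]`), and the indicators and proxy log lines are constructed sample data.

```python
import re

# Constructed sample data (not from the ballot): indicators in the RFC 5737
# documentation address range and .example domains, plus two proxy log lines.
RAW_INDICATORS = [
    "http://malware.example.com/payload.exe",
    "192.0.2.10",
    "malware.example.com",
]
LOG_LINES = [
    "2016-03-08T13:59:00Z proxy allow 192.0.2.10 GET http://malware.example.com/payload.exe",
    "2016-03-08T14:02:11Z proxy allow 198.51.100.7 GET http://example.net/index.html",
]


def defang(value: str) -> str:
    """Return a presentation-only form of an indicator.

    Assumption: the widely used 'hxxp://' and '[.]' convention. The ballot
    does not prescribe any scheme; this is just one of several in use.
    """
    value = re.sub(r"^http", "hxxp", value, flags=re.IGNORECASE)
    return value.replace(".", "[.]")


def refang(value: str) -> str:
    """Reverse defang(); input that was never defanged passes through unchanged."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".")


def match_counts(indicators, lines, normalize=None):
    """Count log lines that contain each indicator as an exact substring,
    the way a simple detection engine would match it.

    normalize, if given, is applied to each indicator before matching.
    Passing refang here models the "refang on every lookup" step that the
    ballot discussion warns would slow down near-real-time processing.
    """
    counts = {}
    for indicator in indicators:
        needle = normalize(indicator) if normalize else indicator
        counts[indicator] = sum(1 for line in lines if needle in line)
    return counts


def render_for_analyst(indicators):
    """Tool-side defanging at the presentation boundary: the stored data stays
    raw and matchable, and only the copy shown to a human is defanged."""
    return [defang(i) for i in indicators]


if __name__ == "__main__":
    defanged = render_for_analyst(RAW_INDICATORS)
    print("raw indicators vs. logs:      ", match_counts(RAW_INDICATORS, LOG_LINES))
    print("defanged, no refang:          ", match_counts(defanged, LOG_LINES))
    print("defanged, refanged per lookup:", match_counts(defanged, LOG_LINES, normalize=refang))
```

Run as a script, the first line shows every raw indicator hitting the matching log line; the second shows that the same indicators, once defanged, match nothing on the wire; the third shows the hits return only after a refang step is inserted into every lookup. Keeping the raw value in the data and calling `render_for_analyst` only at the UI is the arrangement the "No" side of the ballot argues for.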
| Ballot field | Value |
|---|---|
| Open Date | Monday, 7 March 2016 @ 5:00 pm EST |
| Close Date | Monday, 14 March 2016 @ 5:00 pm EDT |
| Ballot Type | Official, as defined by organization policies and procedures |
| Number of votes cast (excluding abstentions) | 31 |
| Eligible members who have voted | 33 of 67 (49.254%) |
| Eligible members who have not voted | 34 of 67 (50.746%) |
|Options with highest number of votes are bold|
|Option||# Votes||% of Total|
| Voter Name | Company | Vote | Time (UTC) | Comments |
|---|---|---|---|---|
| Allor, Peter | IBM | No | 2016-03-08 13:59:00 | |
| Anderson, Denise | National Council of ISACs (NCI) | No | 2016-03-07 22:59:00 | |
| Baikalov, Igor | Securonix | No | 2016-03-08 02:14:00 | |
| Baker, Jonathan | Mitre Corporation | No | 2016-03-10 12:49:00 | |
| Brown, Iain | United Kingdom Cabinet Office | No | 2016-03-10 15:56:00 | |
| Burger, Eric | Georgetown University | No | 2016-03-07 22:10:00 | 1 |
| Butt, Michael | Soltra | No | 2016-03-08 13:31:00 | |
| Chernin, Aharon | Soltra | No | 2016-03-07 22:12:00 | |
| Clancy, Mark | Soltra | No | 2016-03-08 13:38:00 | 1 |
| Coderre, Robert | VeriSign | No | 2016-03-10 18:07:00 | |
| Darley, Trey | Soltra | No | 2016-03-08 08:42:00 | |
| Davidson, Mark | Soltra | No | 2016-03-08 01:47:00 | |
| Eilken, David | Financial Services Information Sharing and... | No | 2016-03-10 16:23:00 | |
| Foley, Alexander | Bank of America | No | 2016-03-07 22:00:00 | |
| Ginn, Jane | Cyber Threat Intelligence Network, Inc. (C... | No | 2016-03-08 22:34:00 | |
| Gurney, John-Mark | New Context Services, Inc. | No | 2016-03-08 00:54:00 | 1 |
| Jordan, Bret | Blue Coat Systems, Inc. | No | 2016-03-07 22:55:00 | 1 |
| Katz, Gary | US Department of Defense (DoD) | No | 2016-03-14 18:22:00 | |
| Keirstead, Jason | IBM | No | 2016-03-08 13:28:00 | |
| Khan, Ali | Soltra | No | 2016-03-08 14:36:00 | |
| Kirillov, Ivan | Mitre Corporation | No | 2016-03-08 00:05:00 | |
| MacDonald, Terry | Soltra | No | 2016-03-10 21:14:00 | 1 |
| Masuoka, Ryusuke | Fujitsu Limited | No | 2016-03-11 01:25:00 | |
| Maxwell, Kyle | VeriSign | No | 2016-03-14 15:34:00 | 1 |
| Peloquin, Joey | Citrix Systems | No | 2016-03-14 16:34:00 | 1 |
| Piazza, Richard | Mitre Corporation | No | 2016-03-14 15:48:00 | |
| Storms, Andrew | New Context Services, Inc. | No | 2016-03-08 04:40:00 | |
| Suarez, Natalie | Soltra | No | 2016-03-08 13:47:00 | |
| Taylor, Marlon | DHS Office of Cybersecurity and Communicat... | No | 2016-03-10 21:22:00 | |
| Thompson, Dean | Australia and New Zealand Banking Group (A... | No | 2016-03-09 05:02:00 | |
| Wunder, John | Mitre Corporation | No | 2016-03-08 16:31:00 | |
| Barnum, Sean | Mitre Corporation | Abstain | 2016-03-14 14:52:00 | 1 |
| Maroney, Patrick | Integrated Networking Technologies, Inc. | Abstain | 2016-03-11 18:20:00 | 1 |
| Angel, Mark | U.S. Bank | -- | | |
| Asok Kumar, Aishwarya | Soltra | -- | | |
| Butts, Brad | U.S. Bank | -- | | |
| Casanave, Cory | Object Management Group | -- | | |
| DePeppe, Doug | Cyber Threat Intelligence Network, Inc. (C... | -- | | |
| Figueroa, Wilson | ViaSat, Inc. | -- | | |
| Kakumaru, Takahiro | NEC Corporation | -- | | |
| Kelley, Sarah | Center for Internet Security (CIS) | -- | | |
| Landfield, Kent | Intel Corporation | -- | | |
| Laurance, David | JPMorgan Chase Bank, N.A. | -- | | |
| Magathan, Mona | U.S. Bank | -- | | |
| McLellan, Mike | United Kingdom Cabinet Office | -- | | |
| Moss, Mark | Johns Hopkins University Applied Physics L... | -- | | |
| O'Brien, Chris | United Kingdom Cabinet Office | -- | | |
| Patrick, Paul | iSIGHT Partners, Inc. | -- | | |
| Pumo, Beth | Kaiser Permanente | -- | | |
| Riedel, Daniel | New Context Services, Inc. | -- | | |
| Rutkowski, Anthony | Yaana Technologies, LLC | -- | | |
| Sander, Tomas | Hewlett Packard Enterprise (HPE) | -- | | |
| Smith, Pamela | Johns Hopkins University Applied Physics L... | -- | | |
| Stekervetz, Justin | US Department of Homeland Security | -- | | |
| Struse, Richard | DHS Office of Cybersecurity and Communicat... | -- | | |
| Taylor, Chris | United Kingdom Cabinet Office | -- | | |
| Verma, Jyoti | Cisco Systems | -- | | |
|No||The information flow goes:
Human <-> Tool <-> STIX <-> Tool <-> Human
This shows that STIX is for tooling to talk to tooling. It is up to the tooling to not allow users to infect themselves with malware and maliciousness.
|No||I'd rather see implementations defang content when presenting it to a human analyst, but for machine-to-machine communications (processing and mitigation operations) this should not be necessary. Systems should already treat unvalidated input data as "hostile", so there should not be an additional security concern.
|No||Mark Clancy voiced my exact thoughts on this issue. If we did choose to defang, we would have to preserve the original content for direct comparison with on-the-wire samples.
New Context Services, Inc.
|No||There may be some defanging anyways due to JSON's lack of ability to handle binary data. I need to work up some text to handle this.
|No||I would be amenable to a defanging OPTION, but then I would only be amenable to one and only one way of doing it.
Blue Coat Systems, Inc.
|No||This is not a specification level issue. This is an implementation level issue.
|No||The question is unfortunately phrased too narrowly. Observables should ALWAYS have a non-defanged representation in CTI data sets. We are trying to support automation of detection/mitigation after all, and having Observables that don't match "on the wire" observations makes them, well, not actually Observables.
The key question is: do we add additional optional Observable types for “de-fanged” representations of this content, or do we require output of the Observable to do the “de-fanging” for presentation to humans vs. machines?
|Abstain||I have heard valid arguments made on both sides of this issue but do not have full confidence that the concerns raised by a few folks within the TC are addressed by an answer of "let the tools handle it".
I also agree with Mark Clancy and Pat Maroney that the questions in play on this issue are more complicated than a simple single question of should we include the capability for "defanging" in STIX 2.0/CybOX 3.0.
Integrated Networking Technologies, Inc.
|Abstain||The question is framed incorrectly in my view. There are two distinct questions:
(1) Should we require that actionable intelligence is accurately represented?: Yes
(2) Should we provide mechanisms in CTI Interexchange for "Live Ammo"?: Yes