Ballot Details: Defanging Proposal (CLOSED)

Ballot Question Should we include the capability for "defanging" in STIX 2.0 / CybOX 3.0?
Ballot Description NOTE: The purpose of this ballot is to unify the TC and settle an issue that has been debated for the past few weeks. This is a non-binding ballot that can be reversed at any time in the future by simple majority vote of the TC.

Please consider this question separately from how defanging would be accomplished and whether it would be mandatory or optional. These debates would be considered if this ballot passes.

Elaboration:
============
Defanging refers to the practice of replacing "live ammo", i.e. a malicious IP address or binary, with an obfuscated representation that is no longer dangerous if inadvertently clicked or automatically processed in error.

Some of the community raised concerns that exchanging malicious information might lead to unintended consequences such as the infection of an analyst PC, the disruption of the flow of intelligence or the generation of false positives when using network detection / prevention controls. Pat Maroney summarized some of the failure modes well in this message, but both Paul Patrick and Allan Thomson’s messages from this thread are also worth reading when considering the positives of defanging.

https://www.oasis-open.org/apps/org/workgroup/cti/email/archives/201602/msg00372.html

Other members of the community are against the use of defanging, primarily for two reasons:

* At the Face-to-Face (F2F) we reached consensus that STIX and CybOX are primarily meant to be machine-to-machine data transfer specifications. If you agree with the assertion that defanging is primarily needed so that analysts do not expose themselves to danger, it should be the duty of the system processing STIX / CybOX content to defang malicious content before presenting it to an analyst via a UI or some other mechanism. Alex Foley’s message late last month was meant to summarize this theme, but Bret Jordan and others have written messages in the thread that emphasize this point as well.

https://www.oasis-open.org/apps/org/workgroup/cti/email/archives/201602/msg00338.html

* Allowing the use of defanging may challenge the ability to process content quickly in near-real time or query content after the fact. If a system is constantly required to "refang" content, this may slow down processing or create an extra hurdle when processing STIX / CybOX content. David Crawford’s message summarizes this very well, but Jason Keirstead and others have also provided valuable feedback addressing this point.

https://www.oasis-open.org/apps/org/workgroup/cti/email/archives/201602/msg00393.html
Ballot Options
VOTING CLOSED: Monday, 14 March 2016 @ 5:00 pm EDT
Yes 0 0
No 31 100
Abstain 2
Open Date Monday, 7 March 2016 @ 5:00 pm EST
Close Date Monday, 14 March 2016 @ 5:00 pm EDT
Ballot Type Official, as defined by organization policies and procedures

Voting Statistics

Number of votes cast (excluding abstentions) 31
Eligible members who have voted 33 of 67 49.254%
Eligible members who have not voted 34 of 67 50.746%

Voting Summary by Option

Options with highest number of votes are bold
Option # Votes % of Total
Yes 0 0%
No 31 100%
Abstain 2

Voting Details

Voter Name Company Vote * Time (UTC) Comments
* Allor, Peter IBM No 2016-03-08 13:59:00
* Anderson, Denise National Council of ISACs (NCI) No 2016-03-07 22:59:00
* Baikalov, Igor Securonix No 2016-03-08 02:14:00
* Baker, Jonathan Mitre Corporation No 2016-03-10 12:49:00
* Brown, Iain United Kingdom Cabinet Office No 2016-03-10 15:56:00
* Burger, Eric Georgetown University No 2016-03-07 22:10:00 1
* Butt, Michael Soltra No 2016-03-08 13:31:00
* Chernin, Aharon Soltra No 2016-03-07 22:12:00
* Clancy, Mark Soltra No 2016-03-08 13:38:00 1
* Coderre, Robert VeriSign No 2016-03-10 18:07:00
* Darley, Trey Soltra No 2016-03-08 08:42:00
* Davidson, Mark Soltra No 2016-03-08 01:47:00
* Eilken, David Financial Services Information Sharing and... No 2016-03-10 16:23:00
* Foley, Alexander Bank of America No 2016-03-07 22:00:00
* Ginn, Jane Cyber Threat Intelligence Network, Inc. (C... No 2016-03-08 22:34:00
* Gurney, John-Mark New Context Services, Inc. No 2016-03-08 00:54:00 1
* Jordan, Bret Blue Coat Systems, Inc. No 2016-03-07 22:55:00 1
* Katz, Gary US Department of Defense (DoD) No 2016-03-14 18:22:00
* Keirstead, Jason IBM No 2016-03-08 13:28:00
* Khan, Ali Soltra No 2016-03-08 14:36:00
* Kirillov, Ivan Mitre Corporation No 2016-03-08 00:05:00
* MacDonald, Terry Soltra No 2016-03-10 21:14:00 1
* Masuoka, Ryusuke Fujitsu Limited No 2016-03-11 01:25:00
* Maxwell, Kyle VeriSign No 2016-03-14 15:34:00 1
* Peloquin, Joey Citrix Systems No 2016-03-14 16:34:00 1
* Piazza, Richard Mitre Corporation No 2016-03-14 15:48:00
* Storms, Andrew New Context Services, Inc. No 2016-03-08 04:40:00
* Suarez, Natalie Soltra No 2016-03-08 13:47:00
* Taylor, Marlon DHS Office of Cybersecurity and Communicat... No 2016-03-10 21:22:00
* Thompson, Dean Australia and New Zealand Banking Group (A... No 2016-03-09 05:02:00
* Wunder, John Mitre Corporation No 2016-03-08 16:31:00
* Barnum, Sean Mitre Corporation Abstain 2016-03-14 14:52:00 1
* Maroney, Patrick Integrated Networking Technologies, Inc. Abstain 2016-03-11 18:20:00 1
* Angel, Mark U.S. Bank --
* Asok Kumar, Aishwarya Soltra --
* Athias, Jerome Individual --
* Butts, Brad U.S. Bank --
* Casanave, Cory Object Management Group --
* Clark, Peter IBM --
* DePeppe, Doug Cyber Threat Intelligence Network, Inc. (C... --
* Dye, Daniel Soltra --
* Figueroa, Wilson ViaSat, Inc. --
* Huang, Wei Anomali --
* Hundley, Gordon DTCC --
* Jones, Elysa Individual --
* Kakumaru, Takahiro NEC Corporation --
* Kelley, Sarah Center for Internet Security (CIS) --
* Landfield, Kent Intel Corporation --
* Laurance, David JPMorgan Chase Bank, N.A. --
* Magathan, Mona U.S. Bank --
* McLellan, Mike United Kingdom Cabinet Office --
* Morris, John IBM --
* Moss, Mark Johns Hopkins University Applied Physics L... --
* O'Brien, Chris United Kingdom Cabinet Office --
* Patrick, Paul iSIGHT Partners, Inc. --
* Pumo, Beth Kaiser Permanente --
* Riedel, Daniel New Context Services, Inc. --
* Rutkowski, Anthony Yaana Technologies, LLC --
* Sander, Tomas Hewlett Packard Enterprise (HPE) --
* Sharda, Ravi EMC --
* Smith, Pamela Johns Hopkins University Applied Physics L... --
* Stekervetz, Justin US Department of Homeland Security --
* Struse, Richard DHS Office of Cybersecurity and Communicat... --
* Taylor, Chris United Kingdom Cabinet Office --
* Verma, Jyoti Cisco Systems --
* Williams, Jeff Dell --
* Williams, Ron IBM --

Voter Comments

Submitter Vote Comment
MacDonald, Terry
Soltra
No The information flow goes:
Human <-> Tool <-> STIX <-> Tool <-> Human

This shows that STIX is for tooling to talk to tooling. It is up to the tooling to not allow users to infect themselves with malware and maliciousness.
Maxwell, Kyle
VeriSign
No I'd rather see implementations defang content when presenting it to a human analyst, but for machine-to-machine communications (processing and mitigation operations) this should not be necessary. Systems should already treat unvalidated input data as "hostile", so there should not be an additional security concern.
Peloquin, Joey
Citrix Systems
No Mark Clancy voiced my exact thoughts on this issue. If we did choose to defang, we would have to preserve the original content for direct comparison with on-the-wire samples.
Gurney, John-Mark
New Context Services, Inc.
No There may be some defanging anyways due to JSON's lack of ability to handle binary data. I need to work up some text to handle this.
Burger, Eric
Georgetown University
No I would be amenable to a defanging OPTION, but then I would only be amenable to one and only one way of doing it.
Jordan, Bret
Blue Coat Systems, Inc.
No This is not a specification level issue. This is an implementation level issue.
Clancy, Mark
Soltra
No The question is unfortunately phrased too narrowly. Observables should ALWAYS have a non-defanged representation in CTI data sets. We are trying to support automation of detection/mitigation after all and having Observables that don't match "on the wire" observations make them well not actually Observables

The key question is do we add additional optional Observable types for “de-fanged” representations of this content or do we require output of the Observable to do the “de-fanging” for presentation to humans vs. machines
Barnum, Sean
Mitre Corporation
Abstain I have heard valid arguments made on both sides of this issue but do not have full confidence that the concerns raised by a few folks within the TC are addressed by an answer of "let the tools handle it".

I also agree with Mark Clancy and Pat Maroney that the questions in play on this issue are more complicated than a simple single question of should we include the capability for "defanging" in STIX 2.0/CybOX 3.0.
Maroney, Patrick
Integrated Networking Technologies, Inc.
Abstain The question is framed incorrectly in my view. There are two distinct questions:

(1) Should we require that actionable intelligence is accurately represented? : Yes

(2) Should we provide mechanisoms in CTI Interexchange for "Live Ammo"?: Yes