Bret Jordan, MS, CISSP

Salt Lake City, Utah, United States
2K followers 500+ connections

About

I am an experienced technical business executive with a passion for building amazing and…

Articles by Bret

  • Why is human usable security so broken?

    Why do we have so many basic problems in cyber defense? The reason, imho, is vendors and specifically developers do a…

  • My top predictions for this new decade

    My top predictions for this new decade, 2020-2029 Electric vehicles will become the norm and the majority of all new…

  • Rethinking Cyber Security From Education to Professionalism

    It feels like the whole academic process of cyber security and the overall professionalism of the cyber industry needs…

  • TAXII 2.1 Working Draft 01

    The CTI TAXII Subcommittee has released the first working draft of TAXII 2.1.


Experience

  • Young Artist Chamber Players (YACP)

    Salt Lake City Metropolitan Area

Publications

  • CACAO Security Playbooks Version 2.0

    OASIS Open Standards

    To defend against threat actors and their tactics, techniques, and procedures organizations need to detect, investigate, prevent, mitigate, and remediate threats in cyber relevant time. To do this, organizations need to identify, create, document, and test the orchestration steps needed to achieve these outcomes. These steps, when grouped together, form a cyber security playbook that can be used to protect organizational systems, networks, data, and users.

    This specification defines the schema and taxonomy for collaborative automated course of action operations (CACAO) for cyber security playbooks and describes how these playbooks can be created, documented, and shared in a structured and standardized way across organizational boundaries and technological solutions.
  • X.590 JSON Signature Scheme

    ITU-T

    This specification enables JSON data to be digitally signed and enables many critical features. The first contribution was submitted to ITU-T SG17 as C-217 for consideration as a new work item at the meeting in Geneva, 21 Feb - 3 Mar 2023. It was approved as a new work item at that meeting. A revised baseline text was submitted as C-401 for consent to the meeting in Goyang, 29 August - 8 September 2023.
  • Bingo! 10 Security Standards in 2022 You Can’t Live Without

    RSA Conference

    This session will cover the most important, interesting and impactful technical standards, hot off the press and *so* 2022. From the internet and all its things, to the latest cybersecurity defenses, including 5G updates (yes, it’s not finished yet!) and more acronyms than one can shake a stick at, this session has it covered. Join to learn about the newest technologies and play standards bingo.
  • On the Integration of Course of Action Playbooks into Shareable Cyber Threat Intelligence

    IEEE xplore / Cornell University arXiv.org

    Motivated by the introduction of CACAO, the first open standard that harmonizes the way we document courses of action in a machine-readable format for interoperability, and the benefits for cybersecurity operations derived from utilizing, and coupling and sharing course of action playbooks with cyber threat intelligence, we introduce a uniform metadata template that supports managing and integrating course of action playbooks into knowledge representation and knowledge management systems. We demonstrate the applicability of our approach through two use-case implementations. We utilize the playbook metadata template to introduce functionality and integrate course of action playbooks, such as CACAO, into the MISP threat intelligence platform and the OASIS Threat Actor Context ontology.
  • STIX Version 2.1

    OASIS Open Standards

    Structured Threat Information Expression (STIX™) is a language for expressing cyber threat and observable information. This document defines concepts that apply across all of STIX and defines the overall structure of the STIX language.
  • TAXII 2.1 - OASIS CTI TC Committee Specification

    OASIS Open Standards

    Trusted Automated eXchange of Intelligence Information (TAXII™) is an application layer protocol for the communication of cyber threat information in a simple and scalable manner. This specification defines the TAXII RESTful API and its resources along with the requirements for TAXII Client and Server implementations.
  • RFC 8785 - JSON Canonicalization Scheme (JCS)

    IETF

    Cryptographic operations like hashing and signing need the data to be expressed in an invariant format so that the operations are reliably repeatable. One way to address this is to create a canonical representation of the data. Canonicalization also permits data to be exchanged in its original form on the "wire" while cryptographic operations performed on the canonicalized counterpart of the data in the producer and consumer endpoints generate consistent results.

    This document describes the JSON Canonicalization Scheme (JCS). This specification defines how to create a canonical representation of JSON data by building on the strict serialization methods for JSON primitives defined by ECMAScript, constraining JSON data to the Internet JSON (I-JSON) subset, and by using deterministic property sorting.
  • Enabling the 5G Vision - Cyber Security Challenges, from a Standards Perspective

    ITU CTO Advisors Group Meeting

  • Hacked by Crypto

    ETSI TC Cyber

    Current efforts to increase privacy by encrypting everything are, surprisingly, leaving networks, users and data at risk. TLS 1.3, Encrypted SNI, DNSSEC and more all have many security and privacy benefits. However, they can also increase the risk of phishing and other attacks evading detection. This talk will cover these emerging standards, their counterintuitive risks and the next steps standards bodies are considering.
  • Insights and Challenges to Automated Collaborative Courses of Action

    FIRST

    Today, cyber defenders typically have to manually identify and process prevention, mitigation, and remediation steps in order to protect their systems and networks and address and contain problems identified during and after an incident response.

    Due to the increase in the number and sophistication of cyber attacks from Threat Actors and Intrusion Sets, the need for a secure mechanism that would enable system and network operators to respond to incidents in machine-relevant time has risen significantly. While some attacks may be well known to certain security experts and cyber researchers, they are often not documented in a way that would enable automated mitigation or remediation. A documented way of describing prevention, mitigation, and remediation actions is critical for cyber defenders to respond more quickly and reduce the exposure from an attack.

    This talk will focus on a new technology standard that works with STIX 2.x and TAXII 2.x for creating playbooks and collaborative automated course of action operations for cyber security. This standard combines CTI with the ability to define prevention, mitigation, and remediation steps for effective deployment of security.
  • Requirements for Automated Playbooks

    RSA Conference

    This BOF discussion will address requirements and examples for automated courses of action / playbooks for cybersecurity. We will discuss core architectural requirements, functional elements and other key requirements needed to ensure collaborative courses of action that can be deployed and used in machine-relevant time. Participants should consider bringing example playbooks. Attendance is strictly limited to allow for a small group experience.
  • Hacked by Crypto

    RSA Conference

    Current efforts to increase privacy by encrypting everything are, surprisingly, leaving networks, users and data at risk. TLS 1.3, Encrypted SNI, DNSSEC and more all have many security and privacy benefits. However, they can also increase the risk of phishing and other attacks evading detection. This talk will cover these emerging standards, their counterintuitive risks and the next steps standards bodies are considering.

    Archived at: https://published-prd.lanyonevents.com/published/rsaus19/sessionsFiles/13890/BAC-W10-Hacked-by-Crypto.pdf
  • Collaborative Automated Course of Action Operations (CACAO) for Cyber Security

    IETF

    This document describes the need for defining a standardized language and associated protocols to capture and automate a collection of coordinated cyber security actions and responses. This collection of actions is called a Course of Action (COA) Project.
  • Cyber Threat Intelligence, the key to the SOC of the Future

    UN ITU

    ITU Workshop on Advanced Cybersecurity Attacks and Ransomware
    Geneva, Switzerland, 28 August 2018
  • Automating the SOC of the Future with Cyber Threat Intelligence

    ISC Security Congress 2017

    The tools and methods used for modern cyber defense are no longer keeping up with the rapidly evolving threats and more sophisticated attacks plaguing our networks. Furthermore, consolidation of security staff and SOC personnel greatly limits the time and attention that can be given to day-to-day cyber defense. The SOC of the future needs a more efficient and better way to provide an active cyber defense. To make this happen, we need shared actionable intelligence that can be implemented across our networks and enclaves in near-real time.
  • STIX 2.0 - OASIS CTI TC Committee Specification

    OASIS Open Standards

    Structured Threat Information Expression (STIX™) is a language for expressing cyber threat and observable information. This document defines concepts that apply across all of STIX and defines the overall structure of the STIX language.
  • TAXII 2.0 - OASIS CTI TC Committee Specification

    OASIS Open Standards

    Trusted Automated eXchange of Intelligence Information (TAXII™) is an application layer protocol for the communication of cyber threat information in a simple and scalable manner. This specification defines the TAXII RESTful API and its resources along with the requirements for TAXII Client and Server implementations.
  • Modern Cyber-Defense with Automated Real-Time Response: A Standards Update

    RSA Conference

    Cyber-defense strategies are transitioning from the monolithic “complete” solutions toward systems with modular functional blocks that may be distributed. This model will facilitate sharing of cyberthreats, situational awareness and enable coordinated response to cyberattacks. This presentation will show how STIX, TAXII and OpenC2 can enable real-time cyber-defense.

    Archived here: https://www.scribd.com/document/463883443/AIR-F01-Modern-Cyber-Defense-with-Automated-Real-Time-Response-A-Standards-Update-2
  • TAXII 1.1.1 - OASIS CTI TC Committee Specification

    OASIS Open Standards

    The Trusted Automated eXchange of Indicator Information (TAXII™) specifies mechanisms for exchanging structured cyber threat information between parties over the network. This document describes TAXII's Capabilities, Services, Messages, and Message Exchanges.
  • STIX, TAXII, CISA: Impact of the Cybersecurity Information Sharing Act of 2015

    RSA Conference

    Amid privacy concerns and after a decade-long battle, the U.S. Cybersecurity Information Sharing Act (CISA) of 2015 was passed. Critics claim CISA is a surveillance bill in disguise; proponents claim the act provides a needed legal framework for information sharing. Can CISA actually improve cyberdefense without risking privacy? Are there unforeseen roadblocks? What about STIX/TAXII?

    Archived here: https://www.slideshare.net/cisoplatform7/stix-taxii-cisa-impact-of-the-cybersecurity-information-sharing-act-of-2015
  • Wireless Whitepaper

    At the University of Utah, back in 2002-2003, a few of us designed and built the first wide-scale 802.1X network. This network was designed for the campus community and supported roaming authentication via RADIUS realms, meaning it allowed individual departments and colleges to maintain their own authentication systems while using a distributed campus-wide wireless network. We were later told by the architects of Eduroam that they had read our white paper and used the designs and models we called out for their cross-university roaming, which later became Eduroam.

Honors & Awards

  • OASIS 2020 Distinguished Contributor

    OASIS Open

Organizations

  • OASIS CACAO Technical Committee

    Co-Chairman

    - Present
  • ITU-T SG17

    Contributor

    - Present
  • FBI InfraGard (Utah Chapter)

    - Present
  • IETF

    Contributor

    - Present
  • OASIS CTI Technical Committee

    Subcommittee Chairman, Editor, Contributor

    TAXII Subcommittee - Chairman & Editor (June 2015 - June 2021)
    STIX Subcommittee - Editor (January 2016 - June 2021)
    STIX Subcommittee - Co-Chairman (April 2019 - June 2021)
    Interoperability Subcommittee - Contributor

  • OASIS OpenC2 Technical Committee

    Subcommittee Co-Chairman, Editor, Contributor

    Implementation Considerations Subcommittee - Co-Chairman (May 2017 - March 2019)

  • OpenC2 Forum

    Member
