Moving Beyond “Threatbutt”
FIRST Technical Colloquium — Munich, Germany
23–25 February 2016
Transcript of remarks delivered 25 February 2016 at the FIRST Cyber Threat Intelligence Symposium in Munich, Germany, examining cyber threat intelligence, standards, cultural adaptation to the 2038 epoch rollover, and the long arc of cybersecurity maturity. Minor formatting edits for clarity.
Transcript
Good morning, y’all, and thanks for the opportunity to speak to you today.
When I submitted my talk proposal some months ago, I imagined that my talk would go something like this:
- here’s a bunch of criticism that’s been leveled at CTI;
- some of that criticism is wrong, here are rebuttals;
- some of that criticism is right, here are proposals for how we should respond as a community.
In the interim, after much consideration, my thinking evolved. The talk I’m giving today bears little resemblance to the one I imagined when I submitted the proposal.
I promise I will get into technical matters related to CTI in a few minutes. But before we get there, allow me to frame this discussion in a broader context.
The Internet is Rickety
A few weeks ago I heard a typical infosec “threat landscape” talk. Everything is vulnerable, the world is going to hell in a handbasket, and therefore you should buy our product.
During that talk, someone joked about the impending Unix epoch rollover in 2038. It made me wonder what a “2039 threat landscape” talk might look like. I suspect it would look nothing like the fear-driven narratives we hear today.
Fear is compelling. So here’s the scary part.
The internet is rickety. Imagine stepping gingerly across stones in a stream, testing each one before shifting your weight. As a civilization, we have placed our center of gravity on an unsteady rock called the internet — and there’s no easy way back.
The attackers currently have the advantage. We cannot find all the bugs faster than they can exploit them. The installed base problem compounds everything. Even if we rewrote all software tomorrow, replacing vulnerable embedded systems would take decades.
Metcalfe’s Law tells us network value scales with connected endpoints. In a world of ubiquitous vulnerable systems, the attack surface scales similarly.
And yet — the worst case scenario almost never happens.
Technological Convulsions & Cultural Adaptation
Throughout history, technology has outpaced culture’s ability to adapt.
- Printing press → religious upheaval → Thirty Years’ War.
- Industrialization → WWI.
- Nuclear physics → Hiroshima, Cold War.
And yet cultures adapt. Not perfectly. Not painlessly. But adaptation occurs.
So what does 2039 look like?
One possibility: cybermalaise — unplugging, retreating from networks.
The other — and I believe more likely — is cultural phase transition. Not just better technical controls, but cultural maturity catching up to technological complexity.
As geeks, we obsess over crypto and threat sharing. But history suggests cultural evolution matters more than technical elegance.
Eventually, nation-states will recognize mutual interest in peaceful coexistence in cyberspace. Treaty frameworks will emerge. Collaboration will improve.
It may take painful events to get there. But we will get there.
Moving Beyond “Threatbutt”
The title of this talk references Threatbutt — a parody of cyber-intelligence vendor hype.
CTI is not a panacea. Neither was antivirus. Nor SIEM. These are tools.
The question is: how do we sharpen them?
OASIS, STIX, and the Standards Problem
In 2015, control of STIX, CybOX, and TAXII transitioned to OASIS. This was a meaningful governance shift: from DHS oversight to open international stewardship.
STIX is not the only standard. OpenIOC, OpenTPX, IODEF, and others all exist. Standards proliferate.
The goal is not monopoly but lingua franca — something closer to UTF-8 than ISO-8859 chaos.
STIX historically has been producer-friendly but parser-hostile. Too many optional paths. Too much indirection.
We moved from XML to JSON. Made TAXII RESTful. Introduced first-class relationships. Sought clarity.
CybOX, unglamorous but foundational, required refactoring toward a coherent taxonomy.
Reality Check: What Is Actually Being Shared?
Data from multiple ISACs showed:
- 96% of STIX objects were Indicators.
- Only 17 of 88 CybOX observable types were widely used.
- Most usage centered on Address, DomainName, File, URI.
Higher-order constructs — attribution, campaigns, incidents — were rarely shared broadly.
Trust does not scale easily.
Maturity Gaps
CTI is only useful if baseline security hygiene exists:
- Asset visibility
- Baseline telemetry
- Endpoint instrumentation
- Correlating infrastructure (SIEM)
Many organizations lack even this.
The real work is raising maturity across communities.
The Cultural Lever
Higher-maturity organizations must help lower-maturity peers grow. Share not just IOCs, but metrics. War stories. Tool performance data.
Stop saying “You’re doing it wrong.” Start educating.
Standards alone won’t save us. Culture will.
To abuse Paul Watzlawick: the situation is serious, but not hopeless.
CTI is one tool among many. Its success depends on community participation and intellectual honesty.
There’s never enough time. Thank you for yours.
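An added example, not part of the transcript or of any FIRST or OASIS material, showing the kind of census behind the “what is actually being shared” figures: it profiles a STIX 2.x-style JSON bundle (the JSON and first-class-relationship direction the talk describes) for object-type mix, the observable types that indicator patterns reference, and how much higher-order context travels with the indicators. STIX 2.x object shapes are assumed; the bundle and every value in it are constructed for this example.

```python
import json
import re
from collections import Counter

# Constructed STIX 2.x-style bundle standing in for an ISAC feed export. Shapes follow
# STIX 2.x (type, id, pattern, relationship objects); all values are invented placeholders.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--example", "objects": [
    {"type": "indicator", "id": "indicator--1", "pattern": "[ipv4-addr:value = '203.0.113.10']"},
    {"type": "indicator", "id": "indicator--2", "pattern": "[domain-name:value = 'bad.example']"},
    {"type": "indicator", "id": "indicator--3", "pattern": "[url:value = 'http://bad.example/x']"},
    {"type": "indicator", "id": "indicator--4",
     "pattern": "[file:hashes.'SHA-256' = '" + "00" * 32 + "']"},
    {"type": "indicator", "id": "indicator--5",
     "pattern": "[file:name = 'dropper.exe' AND ipv4-addr:value = '198.51.100.7']"},
    {"type": "indicator", "id": "indicator--6", "pattern": "[domain-name:value = 'c2.example']"},
    {"type": "indicator", "id": "indicator--7", "pattern": "[ipv4-addr:value = '192.0.2.44']"},
    {"type": "campaign", "id": "campaign--1", "name": "Example Campaign"},
    {"type": "identity", "id": "identity--1", "name": "Example ISAC"},
    {"type": "relationship", "id": "relationship--1", "relationship_type": "indicates",
     "source_ref": "indicator--1", "target_ref": "campaign--1"},
]})

# Heuristic for "<observable-type>:<property>" inside a pattern. Adequate for a
# census of what a feed carries; it is not a full STIX pattern parser.
OBSERVABLE_REF = re.compile(r"\b([a-z][a-z0-9-]*):(?=[a-z_])")

# Object types the talk calls "higher-order constructs".
HIGHER_ORDER = {"campaign", "intrusion-set", "threat-actor", "attack-pattern", "report"}

def _pct(n: int, total: int) -> float:
    return round(100.0 * n / total, 1) if total else 0.0

def feed_profile(bundle_json: str) -> dict:
    """Object-type mix, observable types referenced by indicator patterns,
    and how much context (higher-order objects, relationships) rides along."""
    objects = json.loads(bundle_json)["objects"]
    total = len(objects)
    by_type = Counter(o["type"] for o in objects)
    observable_types = Counter()  # indicators referencing each observable type
    for o in objects:
        if o["type"] == "indicator":
            # set(): an indicator naming one type twice still counts once
            observable_types.update(set(OBSERVABLE_REF.findall(o.get("pattern", ""))))
    return {
        "total_objects": total,
        "indicator_pct": _pct(by_type["indicator"], total),
        "observable_types": dict(observable_types.most_common()),
        "higher_order_pct": _pct(sum(by_type[t] for t in HIGHER_ORDER), total),
        "relationships": by_type["relationship"],
    }
```

Run against a real TAXII collection export instead of SAMPLE_BUNDLE, the same profile shows whether a feed is indicator-only or carries the campaign and relationship context the talk found to be rare.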