[IntelMQ-dev] Feedback on IEP04 exchange data format between IntelMQ instances

Pavel Kácha ph at cesnet.cz
Thu Apr 29 15:52:13 CEST 2021


> From: Bernhard Reiter <bernhard at intevation.de>, Date: Apr 22, 2021
>
> == Do instances trust each other fully?
> 
> Shouldn't a concept about event exchange include a consideration of trust of 
> the instances? While I believe there are very good relations between many CERT 
> organisations, the trust of instances they or others may run is not endless. 
> (Example: An IntelMQ server gets compromised, e.g. by a previously unknown 
> hardware defect and the attackers want to obstruct the network. They enter bad 
> metadata and may want to achieve that some CERTs do not get some events. Okay, 
> far-fetched.)
> 
> In my imagination it makes sense that each instance will have its own set
> of sources and this may have a different piece of info than the others (like a 
> restricted national feed) and may only like to share a part of this info.

   There are multiple facets of trust in this field, all with their own
possible set of solutions and can of worms. :)

 1, How do we trust the detection method or external source of the data?
    (Aka possible ratio of false positives or malfunction.)

 2, How do we trust the fellow peer org for the data they produce?
    (Similar to 1 in fact.)

 3, How do we trust the fellow peer org for the data they transfer/relay?
    (Here we might end up delving into signing the data, or even partial
    signatures, and all the related PKI stuff.)

 4, How do we trust the fellow peer org it will not disclose information we
    have sent there if we do not want to? (Aka honoring the TLP.)

-- Pavel
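As an added illustration of facets 3 and 4 above (not code from the thread or from IntelMQ): a hop-by-hop signature chain over an event, using HMAC with pre-shared keys as a stand-in for the PKI signatures Pavel mentions, plus a TLP gate checked before relaying. Event field names follow IntelMQ's flat key style; the org names, keys and values are constructed.

```python
import hashlib
import hmac
import json

# Constructed sample event in IntelMQ's flat key style (values are made up).
SAMPLE_EVENT = {"source.ip": "192.0.2.10", "classification.type": "scanner",
                "tlp": "AMBER", "feed.provider": "org-a"}

# TLP ordering used to decide what a peer is cleared to receive (assumed).
TLP_RANK = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}


def _canonical(obj) -> bytes:
    # Canonical JSON so every hop MACs identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _mac(payload: dict, prior_sigs: list, key: bytes) -> str:
    # MAC covers the payload and all earlier hops, so a relay cannot silently
    # drop or reorder the chain before it.
    return hmac.new(key, _canonical(payload) + _canonical(prior_sigs),
                    hashlib.sha256).hexdigest()


def sign_hop(envelope: dict, org: str, key: bytes) -> dict:
    # Producer or relay appends its own signature; earlier ones are untouched.
    sigs = envelope.get("signatures", [])
    sig = {"org": org, "mac": _mac(envelope["payload"], sigs, key)}
    return {"payload": envelope["payload"], "signatures": sigs + [sig]}


def verify_chain(envelope: dict, keys: dict) -> list:
    # Returns orgs whose signatures verify, in order: first the producer
    # (facet 2), then each relay (facet 3). Stops at the first bad/unknown hop.
    verified, sigs = [], envelope.get("signatures", [])
    for i, sig in enumerate(sigs):
        key = keys.get(sig["org"])
        if key is None or not hmac.compare_digest(
                _mac(envelope["payload"], sigs[:i], key), sig["mac"]):
            break
        verified.append(sig["org"])
    return verified


def may_forward(envelope: dict, peer_clearance: str) -> bool:
    # Facet 4: relay only if the peer is cleared for the event's TLP.
    tlp = envelope["payload"].get("tlp", "RED").upper()
    return TLP_RANK.get(tlp, 3) <= TLP_RANK.get(peer_clearance.upper(), -1)
```

A receiver that trusts org-a as a producer but not org-b as a relay can see exactly where the verified chain stops, which is the distinction between facets 2 and 3.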