[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: STIX Sightings
Dear list,
My view on sightings:
Threat Intelligence is in part about moving unknown unknown’s to known unknown, e.g. discovery new “threats” (ignoring for just a second the analytical construct of it). Part moving these
known unknown, to known knowns, by understanding the problem well enough to meet stakeholder’s information needs in whatever spectrum of deterrence, defeat or prevention they are working. For example; the SOC (deter) requires indicator and warning information,
the IR teams (defeat) require ad-hoc intelligence support and/or executives/commanders need strategic intelligence reports (prevention).
The emerging threat intelligence or threat management function in the large enterprise and government institution revolves around Threat Management. In effect some variation of the above process with the additional strategic questions; are we “managing”
/ “in control” of the threats we identified. This is done in part by validating if your constituency is informed, effected and if – or to what extent – they have deference, defeat or preventive measures in place.
Sightings play a part in this process, by ensuring a Threat Management capability can validate if – based on current information position – the constituency is potentially effected or not. Further analysis will determine if incident management is required
to really judge if the organization is affected or not and to what extent it is managed. For me this implies a couple of things for STIX Sightings:
Lastly, at EclecticIQ we’ve actually implemented a Sightings Object alongside the world of STIX objects that behaves in much of the way I describe above – with success.
I’ll try and find time in the next two weeks to share more real-world lessons learned to inform STIX 2.0.
Best regards,
Joep
|
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]