Subject: Re: [cti-stix] Kill Chains in STIX
Hey Allan, I agree w/ you that we can’t standardize on a single kill chain. The idea behind the open vocabulary would be to let people use whichever kill chain they want to use, or multiple kill chains.
For example, you could do something like this:

    {
      "type": "bundle",
      "indicators": [
        {
          "type": "indicator",
          "id": "indicator--8445a039-6ba6-4e42-9011-467093d5b29e",
          "spec_version": "2.0",
          "created_time": "2016-05-27T15:47:14Z",
          "modified_time": "2016-05-27T15:47:14Z",
          "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
          "revision": 1,
          "title": "Downloader URLs",
          "labels": ["malicious-activity"],
          "pattern": "url.value = 'http://example.com/download.exe'",
          "kill_chain_phases": [
            {
              "kill_chain_name": "lockheed-martin-cyber-kill-chain",
              "phase_name": "delivery"
            },
            {
              "kill_chain_name": "mandiant-cyber-attack-lifecycle",
              "phase_name": "initial-compromise"
            }
          ]
        }
      ]
    }

So I definitely agree that, while it would be great for us all to agree on a single kill chain to use, it seems unrealistic. At the same time, people using the LMCO kill chain, the Mandiant kill chain, or the Gartner kill chain (or communities using a different one) should be able to use STIX to standardize on their use of it. So, to me, it seems like a good use case for an open vocab. We could help ensure standardization by extending our open vocab concept to have vocabs for common kill chains defined across the kill_chain_name and phase_name fields.

In terms of machine usage, I see it most often used for categorization and prioritization of other intelligence (indicators, malware, attack patterns, etc.). Basically just a way of binning things... for example, MITRE uses it to categorize attack patterns in ATT&CK (https://attack.mitre.org/wiki/Main_Page).

John

From:
Allan Thomson <athomson@lookingglasscyber.com>

Option 3 followed by Option 2. The reason for preferring Option 3 is that there are multiple kill chains out there, and which one is used by STIX will likely not be standardized. So if we choose a controlled vocab, then which kill chain definition are you going to use? Gartner? Lockheed-Martin? My preference is to not burden MVP with this issue and consider it a future issue. If folks need kill-chain, then I would suggest asking what a machine or a human does with this information where other TLOs already provide sufficient information to consider mitigation approaches.

That said, if someone can argue a compelling machine-to-machine reason to include kill chain information, then I would prefer it to be a vocab, not objects. So definitely not Option 1.

Regards
Allan

From: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> on behalf of "Jordan, Bret" <bret.jordan@bluecoat.com>

From your great examples, Option 1 represents a lot of bloat and will enable multiple people to define the same thing. I would be in favor of Option 2.

Thanks,
Bret

Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
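The "binning" use of kill_chain_phases that John describes, as an added example that is not part of the thread: a consumer reads a STIX 2.0-style bundle, groups indicator ids by (kill_chain_name, phase_name), and, because the field is an open vocabulary, keeps entries from kill chains it does not recognise while reporting them for review. The bundle here is constructed from John's example plus a second indicator and a made-up "example-vendor-chain"; the hyphenated phase lists in KNOWN_KILL_CHAINS are this example's own spelling, not a vocabulary defined by STIX.

```python
import json
from collections import defaultdict

# Constructed STIX 2.0-style bundle modelled on the one in John's mail. The
# second indicator and the "example-vendor-chain" kill chain are made up here
# to show how an entry outside the recognised vocabularies is handled.
BUNDLE_JSON = """{
  "type": "bundle",
  "indicators": [
    {"type": "indicator", "id": "indicator--8445a039-6ba6-4e42-9011-467093d5b29e",
     "kill_chain_phases": [
       {"kill_chain_name": "lockheed-martin-cyber-kill-chain", "phase_name": "delivery"},
       {"kill_chain_name": "mandiant-cyber-attack-lifecycle", "phase_name": "initial-compromise"}]},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
     "kill_chain_phases": [
       {"kill_chain_name": "lockheed-martin-cyber-kill-chain", "phase_name": "delivery"},
       {"kill_chain_name": "example-vendor-chain", "phase_name": "stage-1"}]}
  ]
}"""

# Vocabularies this consumer recognises. The hyphenated phase names are this
# example's own spelling of the two published kill chains, not STIX-defined.
KNOWN_KILL_CHAINS = {
    "lockheed-martin-cyber-kill-chain": {
        "reconnaissance", "weaponization", "delivery", "exploitation",
        "installation", "command-and-control", "actions-on-objectives"},
    "mandiant-cyber-attack-lifecycle": {
        "initial-reconnaissance", "initial-compromise", "establish-foothold",
        "escalate-privileges", "internal-reconnaissance", "move-laterally",
        "maintain-presence", "complete-mission"},
}

def bin_by_phase(bundle):
    """Return (bins, unrecognised): bins maps (kill_chain_name, phase_name) to
    the indicator ids tagged with it; unrecognised lists (id, chain, phase)
    entries whose chain or phase is not in KNOWN_KILL_CHAINS. Open vocab means
    such entries are still binned, only flagged for an analyst to review."""
    bins = defaultdict(list)
    unrecognised = []
    for obj in bundle.get("indicators", []):
        for phase in obj.get("kill_chain_phases", []):
            chain, name = phase["kill_chain_name"], phase["phase_name"]
            bins[(chain, name)].append(obj["id"])
            if name not in KNOWN_KILL_CHAINS.get(chain, set()):
                unrecognised.append((obj["id"], chain, name))
    return dict(bins), unrecognised
```

Calling `bin_by_phase(json.loads(BUNDLE_JSON))` yields three bins (two indicators under the LM "delivery" phase) and one flagged entry for the constructed vendor chain.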