Subject: RE: [cti-stix] Threat actor classification info for today's meeting
Jerome, thanks for the insights. I hope that the Working Group can utilize the taxonomy, possibly even just dropping it (mostly) in place for some of the parameters in the Threat Actor object. The advantages are that the TA taxonomy has been used in many places, so it would have some continuity with existing systems, especially in the US DHS. This taxonomy also has been developed and tested over time, and the feedback has been very strong that this is more comprehensive and unbiased than many other approaches. Many such descriptors are focused mostly on hacktivism or terrorism, but there are far more types of attackers than just those two that corporations have to deal with.

While any one particular threat actor report may not have a great deal of value for responding to a particular incident, the data we collect over time could be very valuable. Just as we all spend a great deal on business competitive analysis, we need security competitive analysis as well, helping to understand our adversaries in security every bit as well as our business competitors. And do it for the same reasons as business CI – to strategize a better defense and react quickly when changes occur. Well-formatted, detailed information about the adversary can help provide some of that intelligence to help us better identify and defend our targeted assets.

By carefully defining the Threat Actor object, I believe we have the opportunity to further elevate its usefulness as an essential part of our collective intelligence network for both reactive and proactive security.

Tim

From: Jerome Athias [mailto:athiasjerome@gmail.com]
Tim,

Thanks for sharing. A small group of us pushed for a long time for both the use of proper classifications/categorizations (aka Taxonomies/Controlled Vocabularies) and a Cybersecurity Ontology approach. I personally highlighted some time ago that the concept of Threat Agent (as used in OWASP for example, and in Business Continuity or Threat Modeling), more general than Threat Actor (basically Person/Person Group(s), so Organisation - see Asset Identification in the SCAP family), including, for example, Acts of God, is a really interesting concept for the use of a CTI (STIX concepts/subjects/objects) based interchange format, for a broader audience (understand sectors), for fast, efficient, at-scale automated (M2M) exchange of information (such as Incident data).

So again, thanks for sharing.

PS: if interested, we collected a list of various taxonomies applying to the domain (e.g. Cybercrime).

Best regards