Subject: Re: [cti-stix] Proposal - Admiralty Code + ACH
All:

What if we combine Terry's suggestions about the Admiralty Code with a more classical interpretation of Analysis of Competing Hypotheses (ACH) as has been used in the intelligence community? This concept is outlined in this chapter of "The Psychology of Intelligence Analysis" from the CIA:

https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/psychology-of-intelligence-analysis/art11.html

This would address the Use Case that Patrick outlined below... (which BTW, really coincides with some of the threat intel sharing cases I've observed), while at the same time moves us away from a poorly understood description of "confidence"...that seems to be problematic because of the different assumptions each User brings to the table.

I would see the ACH factor as a Third Dimension to what we've been discussing with respect to Information Reliability.

Realize that I'm looking at this from the POV of the Analyst/User that is trying to take IoCs & cyber observables and any other clues and assemble the bigger picture...without a lot of certainty about the Threat Actor, the motivation, the targeted systems, etc.... In this context speculations about competing hypotheses and how they might be assembled in, for example, a Report object, might be useful.... Where an Information Reliability/ACH measure might be applied (e.g., at the CybOX object level) then becomes useful in interpretation by the Human Analysts of the STIX/CybOX information.

Jane Ginn

On 7/29/2015 5:16 PM, Terry MacDonald wrote: