Subject: Re: [cti-stix] Proposal - Admiralty Code + ACH
Bret & All:

Here is a rough 3-dimensional drawing of what I was trying to get at in my previous post on combining the Admiralty Code with an Analysis of Competing Hypotheses (ACH) approach.

Note that we don't want to have our CybOX or STIX data in the lower left of the Reliability/Credibility 2-dimensional plane [5F - Improbable & Reliability cannot be judged]. Rather, we want our data to be in the top right (where I've placed an Orange Star) if at all possible [1A - Completely reliable & Confirmed by other sources]. But, if it is not there (yet), we can convey a much finer level of detail to our consumers of the data using this 2-factor system.

Then, on the 3rd dimension we may need to construct a typology to characterize how an Incident Responder or Analyst is thinking about a problem at a certain point in time [Hypothesis-1 (e.g., This is a Foo APT); Hypothesis-2 (This is a Foobar Backdoor); Hypothesis-n (Fill in the Blanks)]. So as more data comes in from sharing partners in an ISAO or ISAC (i.e., Sightings) and is associated through Relationships with the Campaign, the Threat Actor, the TTP or ExploitTarget (etc.), it is enriched along the Reliability/Credibility continuum and competing hypotheses fall away.

Jane Ginn, MSIA, MRP
Cyber Threat Intelligence Network, Inc.
rjg@ctin.us

On 7/30/2015 9:40 AM, Jordan, Bret wrote:
> Can you spell this out in a table format with options so we can better understand what is being proposed? Like what we are doing in the relationship object discussion?

--
Jane Ginn, MSIA, MRP
Cyber Threat Intelligence Network, Inc.
jg@ctin.us
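An added illustration, not from the post or from the STIX project, of the two-factor Admiralty grid and the ACH elimination it feeds: sightings carry a reliability/credibility rating, each is marked consistent or inconsistent with every hypothesis, and a hypothesis falls away once well-rated inconsistent evidence accumulates. The weight formula, the rejection threshold, the partner names and the hypotheses are all constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

RELIABILITY = "ABCDEF"  # A = completely reliable ... E = unreliable, F = cannot be judged
CREDIBILITY = "123456"  # 1 = confirmed by other sources ... 5 = improbable, 6 = cannot be judged


def parse_rating(rating: str) -> tuple[int, int]:
    """Return (reliability_index, credibility_index), 0 = best; accepts '1A' or 'A1' order."""
    if len(rating) != 2:
        raise ValueError(f"bad Admiralty rating: {rating!r}")
    letter, digit = sorted(rating.upper(), key=str.isdigit)  # letter sorts first
    if letter not in RELIABILITY or digit not in CREDIBILITY:
        raise ValueError(f"bad Admiralty rating: {rating!r}")
    return RELIABILITY.index(letter), CREDIBILITY.index(digit)


def weight(rating: str) -> float:
    """Constructed weight in [0, 1]: 1A (the star in the top right) -> 1.0; F or 6 -> 0.0."""
    r, c = parse_rating(rating)
    return ((5 - r) / 5) * ((5 - c) / 5)


@dataclass
class Sighting:
    source: str
    rating: str                # Admiralty rating assigned to this partner's report
    verdicts: dict[str, str]   # hypothesis -> 'C' consistent, 'I' inconsistent (missing = neutral)


def evaluate(hypotheses: list[str], sightings: list[Sighting], reject_at: float = 0.6) -> dict:
    """ACH scoring: weighted support and inconsistency per hypothesis; reject at the threshold."""
    scores = {h: {"support": 0.0, "inconsistency": 0.0, "rejected": False} for h in hypotheses}
    for s in sightings:
        w = weight(s.rating)                      # a 5F sighting contributes nothing
        for h in hypotheses:
            key = {"C": "support", "I": "inconsistency"}.get(s.verdicts.get(h))
            if key:
                scores[h][key] += w
    for h in hypotheses:
        scores[h]["rejected"] = scores[h]["inconsistency"] >= reject_at
    return scores


def surviving(hypotheses: list[str], sightings: list[Sighting]) -> list[str]:
    """Hypotheses not yet rejected, least-inconsistent (then best-supported) first."""
    scores = evaluate(hypotheses, sightings)
    return sorted((h for h in hypotheses if not scores[h]["rejected"]),
                  key=lambda h: (scores[h]["inconsistency"], -scores[h]["support"]))


HYPOTHESES = ["H1: Foo APT", "H2: Foobar Backdoor", "H3: commodity malware"]
SIGHTINGS = [  # constructed reports from three fictional ISAC partners
    Sighting("partner-a", "5F", {"H1: Foo APT": "C", "H2: Foobar Backdoor": "I"}),
    Sighting("partner-b", "B2", {"H1: Foo APT": "C", "H2: Foobar Backdoor": "C", "H3: commodity malware": "I"}),
    Sighting("partner-c", "1A", {"H1: Foo APT": "C", "H2: Foobar Backdoor": "I"}),
]
```

With these three sightings only H1 survives: the 1A report rules out H2 and the B2 report rules out H3, while the unjudgeable 5F report changes nothing.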