Bret & All:
Here is a rough 3-dimensional drawing of what I was trying to get at
in my previous post on combining the Admiralty Code with an Analysis
of Competing Hypotheses (ACH) approach.
Note that we don't want to have our CybOX or STIX data in the lower
left of the Reliability/Credibility 2-dimensional plane [5F -
Improbable & Reliability cannot be judged]. Rather, we want our
data to be in the top right (where I've placed an Orange Star) if at
all possible [1A - Completely reliable & Confirmed by other
sources]. But, if it is not there (yet), we can convey a much finer
level of detail to our consumers of the data using this 2-factor
system.
Then, on the 3rd dimension we may need to construct a typology to
characterize how an Incident Responder or Analyst is thinking about
a problem at a certain point in time. [Hypothesis-1 (e.g., This is a
Foo APT); Hypothesis-2 (This is a Foobar Backdoor); Hypothesis-n
(Fill in the Blanks)].
<DiagramAdandACH.jpg>
So as more data comes in from sharing partners in an ISAO or ISAC
(i.e., Sightings) and is associated through Relationships with the
Campaign, the Threat Actor, the TTP or ExploitTarget (etc...)... it
is enriched along the Reliability/Credibility continuum and
competing hypotheses fall away.
Jane Ginn, MSIA, MRP
Cyber Threat Intelligence Network, Inc.
rjg@ctin.us
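An added sketch in Python of the two-factor Admiralty rating plus ACH hypothesis ranking described above; it is not code from this thread or from any CTI-TC project. The numeric weights for the letters/digits, the Evidence class, and the demo hypotheses and evidence are this sketch's own assumptions; the Admiralty scale wording is the standard one.

```python
from dataclasses import dataclass

# Admiralty Code scales: source reliability A-F, information credibility 1-6.
RELIABILITY = {"A": "Completely reliable", "B": "Usually reliable", "C": "Fairly reliable",
               "D": "Not usually reliable", "E": "Unreliable", "F": "Reliability cannot be judged"}
CREDIBILITY = {"1": "Confirmed by other sources", "2": "Probably true", "3": "Possibly true",
               "4": "Doubtful", "5": "Improbable", "6": "Truth cannot be judged"}
# ASSUMPTION: these numeric weights are this sketch's own; the thread defines none.
# "Cannot be judged" (F / 6) gets no weight rather than a middling one.
_REL_W = {"A": 1.0, "B": 0.8, "C": 0.6, "D": 0.4, "E": 0.2, "F": 0.0}
_CRED_W = {"1": 1.0, "2": 0.8, "3": 0.6, "4": 0.4, "5": 0.2, "6": 0.0}

def weight(rating: str) -> float:
    """Weight of a rating written digit-first as in the thread ('1A', '5F') or letter-first ('A1')."""
    if len(rating) != 2:
        raise ValueError(f"bad Admiralty rating {rating!r}")
    digit, letter = sorted(rating)  # digits sort before letters, so either order is accepted
    if digit not in CREDIBILITY or letter not in RELIABILITY:
        raise ValueError(f"bad Admiralty rating {rating!r}")
    return _CRED_W[digit] * _REL_W[letter]

@dataclass
class Evidence:
    """One observable or Sighting, its rating, and its row of the ACH matrix:
    hypothesis name -> +1 consistent, -1 inconsistent, 0 not applicable."""
    name: str
    rating: str
    consistency: dict

def ach_rank(hypotheses, evidence):
    """ACH ranking: the hypothesis with the least (weighted) evidence against it wins.
    Returns [(hypothesis, inconsistency score)], lowest score first."""
    scores = {h: 0.0 for h in hypotheses}
    for e in evidence:
        for h in hypotheses:
            if e.consistency.get(h, 0) < 0:
                scores[h] += weight(e.rating)
    return sorted(scores.items(), key=lambda kv: (kv[1], kv[0]))

def enrich(e: Evidence, rating: str) -> Evidence:
    """Re-rate an item after partner Sightings move it along the Reliability/Credibility plane."""
    weight(rating)  # reject malformed ratings before storing them
    return Evidence(e.name, rating, dict(e.consistency))

def demo():
    """Constructed sample: the thread's two hypotheses and three items of evidence."""
    h = ["H1: Foo APT", "H2: Foobar Backdoor"]
    ev = [Evidence("C2 domain beacon", "3C", {h[0]: +1, h[1]: -1}),
          Evidence("dropper hash", "2B", {h[0]: +1, h[1]: +1}),
          Evidence("partner report", "5F", {h[0]: -1, h[1]: +1})]
    before = ach_rank(h, ev)
    ev[2] = enrich(ev[2], "1A")  # two ISAC partners independently confirm the report
    return before, ach_rank(h, ev)
```

In the demo the 5F report counts for nothing against H1 until partners confirm it; once it is re-rated 1A the weighted inconsistency flips the ranking and H1 falls away.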
On 7/30/2015 9:40 AM, Jordan, Bret wrote:
Can you spell this out in a table format with options so we can
better understand what is being proposed? Like what we are doing
in the relationship object discussion?
Thanks,
Bret

Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
On Jul 30, 2015, at 09:53, JG on CTI-TC <jg@ctin.us> wrote:
All:
What if we combine Terry's suggestions about the Admiralty
Code with a more classical interpretation of Analysis of
Competing Hypotheses (ACH) as has been used in the
intelligence community? This concept is outlined in this
chapter of "The Psychology of Intelligence Analysis" from
the CIA:
https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/psychology-of-intelligence-analysis/art11.html
This would address the Use Case that Patrick outlined
below... (which BTW, really coincides with some of the
threat intel sharing cases I've observed), while at the
same time moving us away from a poorly understood
description of "confidence"...that seems to be problematic
because of the different assumptions each User brings to
the table.
I would see the ACH factor as a Third Dimension to what
we've been discussing with respect to Information
Reliability.
Realize that I'm looking at this from the POV of the
Analyst/User that is trying to take IoCs & cyber
observables and any other clues and assemble the bigger
picture...without a lot of certainty about the Threat
Actor, the motivation, the targeted systems, etc.... In
this context speculations about competing hypotheses and
how they might be assembled in, for example, a Report
object, might be useful.... Where an Information
Reliability/ACH measure might be applied (e.g., at the
CybOX object level) then becomes useful in interpretation
by the Human Analysts of the STIX/CybOX information.
Jane Ginn
On 7/29/2015 5:16 PM, Terry MacDonald wrote:
--
Jane Ginn, MSIA, MRP
Cyber Threat Intelligence Network, Inc.
jg@ctin.us