OASIS Mailing List Archives

cti-stix message


Subject: Re: [cti-stix] STIX 2.0 Architecture - Relationships, Sightings, and Targeting


On 28.10.2015 13:39:16, Patrick Maroney wrote:
> In our World View and a majority of Use Cases, one needs to fully
> model all aspects of the Cyber-BattleSpace:
> 
> Adversaries
> Adversary TTP*s (Black Hat)
> 
> Intermediaries
> Intermediary TTPs (Grey Hat)
> 
> Targets
> Target TTPs (White Hat)
> 
> * TTPs include assets and infrastructure in this model.
> 
> Since we don't currently represent Targets and Intermediaries in the
> current CTI Model, then the proposed modeling of related "White/Grey
> Hat" TTP relations won't be as obvious
> 


Hi, Pat -

Perhaps I'm just congenitally slow between the ears, but could you
please explain to me in plain language exactly what problem(s) you're
trying to solve with all the above?

Using CTI to track blackhats, that I get.

Using CTI to track pentesters (whitehats) you're presumably paying
large sums of money to test your infrastructure seems to go against
the entire purpose of hiring professional pentesters.

As for what's a greyhat, well, that's basically identical to the
attribution problem.

Again, maybe I'm just being dense, but let's just focus on squelching
the blackhats for now. That's the critical issue and we've a very long
way yet to go.

-- 
Cheers,
Trey
--
Trey Darley
Senior Security Engineer
4DAA 0A88 34BC 27C9 FD2B  A97E D3C6 5C74 0FB7 E430
Soltra | An FS-ISAC & DTCC Company
www.soltra.com
--
"It is always possible to add another level of indirection." --RFC 1925
