Subject: Re: [cti-stix] RE: STIX Sightings
Source: RFI: Have you seen this?
Recipient: No.
...Or more nuanced:
Recipient: No. I looked over this period of time using this method, and have this level of certainty that we've not had anything matching this pattern.
Patrick Maroney
President, Integrated Networking Technologies, Inc.
Desk: (856)983-0001 Cell: (609)841-5104 Email: pmaroney@specere.org

A “negative sighting”? Mind = Blown!
Can you talk about that some more?
From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org]
On Behalf Of Joep Gommers
Dear list,
My view on sightings:
Threat Intelligence is in part about moving unknown unknowns to known unknowns, e.g. discovering new “threats” (ignoring for just a second the analytical construct of it). Part is moving these known unknowns to known knowns, by understanding the problem well enough to meet stakeholders’ information needs in whatever spectrum of deterrence, defeat or prevention they are working. For example, the SOC (deter) requires indicator and warning information, the IR teams (defeat) require ad-hoc intelligence support and/or executives/commanders need strategic intelligence reports (prevention).
The emerging threat intelligence or threat management function in the large enterprise and government institution revolves around Threat Management. In effect some variation of the above process with the additional strategic question: are we “managing” / “in control” of the threats we identified? This is done in part by validating if your constituency is informed, affected and if – or to what extent – they have deterrence, defeat or preventive measures in place.
Sightings play a part in this process by ensuring a Threat Management capability can validate if – based on the current information position – the constituency is potentially affected or not. Further analysis will determine if incident management is required to really judge if the organization is affected or not and to what extent it is managed. For me this implies a couple of things for STIX Sightings:
Lastly, at EclecticIQ we’ve actually implemented a Sightings Object alongside the world of STIX objects that behaves in much the way I describe above – with success.
I’ll try and find time in the next two weeks to share more real-world lessons learned to inform STIX 2.0.
Best regards, Joep
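The RFI exchange at the top of the thread (a bare “No” versus a negative sighting that carries the period searched, the method used and the level of certainty) and Joep’s point that a sighting lets a Threat Management capability validate whether the constituency is potentially affected can be made concrete in code. The following is an added example written for this page; it is not the list’s, Patrick’s, Joep’s or EclecticIQ’s code and not a STIX schema. The field names (pattern, observed, search_window, method, confidence), the `answer_rfi` function and the proxy log lines are all constructed for the example.

```python
"""Answer a 'have you seen this?' RFI with either a positive sighting or a
nuanced negative sighting.  Constructed example for this page, not a STIX
schema and not any vendor's implementation; all field names are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class SearchWindow:
    """Period the responder actually looked at (both ends inclusive)."""
    start: datetime
    end: datetime

    def contains(self, ts: datetime) -> bool:
        return self.start <= ts <= self.end


@dataclass
class SightingResponse:
    pattern: str                 # the indicator the RFI asked about
    observed: bool               # True = positive sighting, False = negative
    search_window: SearchWindow  # what period the answer covers
    method: str                  # how the search was done (assumed free text)
    confidence: int              # 0-100, responder's certainty in the answer
    count: int = 0
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None

    def summary(self) -> str:
        """Render the answer the way the RFI thread phrases it."""
        window = f"{self.search_window.start.date()}..{self.search_window.end.date()}"
        if not self.observed:
            return (f"No. Searched {window} using {self.method}; "
                    f"confidence {self.confidence}% nothing matched {self.pattern}.")
        return (f"Yes. {self.count} match(es) for {self.pattern} between "
                f"{self.first_seen.isoformat()} and {self.last_seen.isoformat()} "
                f"(searched {window} using {self.method}; confidence {self.confidence}%).")


def answer_rfi(pattern: str, log_lines: List[str], window: SearchWindow,
               method: str, confidence: int) -> SightingResponse:
    """Scan log lines of the form '<iso-timestamp> <rest>' for `pattern`
    inside `window`.  A negative answer still carries the window, method and
    confidence, so the requester can weigh the 'No' instead of trusting it."""
    matches: List[datetime] = []
    for line in log_lines:
        ts_text, rest = line.split(" ", 1)
        ts = datetime.fromisoformat(ts_text)
        if window.contains(ts) and pattern in rest:
            matches.append(ts)
    if not matches:
        return SightingResponse(pattern, False, window, method, confidence)
    return SightingResponse(pattern, True, window, method, confidence,
                            count=len(matches),
                            first_seen=min(matches), last_seen=max(matches))


# Constructed proxy log lines: "<timestamp> <client> -> <destination host>".
# The last line sits outside the search window and must not be counted.
SAMPLE_LOGS = [
    "2015-10-05T09:12:00+00:00 10.1.2.3 -> updates.example.com",
    "2015-10-05T09:14:30+00:00 10.1.2.9 -> bad-domain.example",
    "2015-10-06T18:00:00+00:00 10.1.2.3 -> bad-domain.example",
    "2015-10-09T01:00:00+00:00 10.1.2.7 -> bad-domain.example",
]
WINDOW = SearchWindow(datetime(2015, 10, 1, tzinfo=timezone.utc),
                      datetime(2015, 10, 8, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(answer_rfi("bad-domain.example", SAMPLE_LOGS, WINDOW,
                     "proxy log grep", 80).summary())
    print(answer_rfi("unseen.example", SAMPLE_LOGS, WINDOW,
                     "proxy log grep", 60).summary())
```

The point of the two branches is that a negative sighting is only as good as the window, method and confidence attached to it: the same “No” from a seven-day grep of one proxy is a different answer from a year of full-packet search, and the structure keeps that difference visible to the requester.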