[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [cti-stix] Need for Investigation/Tag object?
Terry, Jane, (and perhaps Jyoti), Would you be able to describe the use case a little more? I’m thinking along the lines of what’s been started on the STIX use cases wiki [1] – nominally including
a description and a main success scenario. That would help me understand who takes which actions when and in what order, which in turn would help me form an opinion about how well proposed solutions meet the use case. At the data model level, this sounds like a possible use of a top level relationship object. Just throwing something against the wall here (I’m not a cyber analyst
and I don’t play one on TV), but could this use case be accomplished by relating multiple objects to a campaign with a low confidence? Thank you. -Mark [1] https://github.com/STIXProject/use-cases/wiki From: cti-stix@lists.oasis-open.org [mailto:cti-stix@lists.oasis-open.org]
On Behalf Of Jane Ginn - jg@ctin.us Terry & All: This is an actual Use Case that I've seen operationally in one of the ISAOs I participate in. It is not theoretical. .. and the real-time nature of this helps the non-targeted members of the ISAO to take proactive actions in response
to what is known (shared) about the Threat Actor, the IoCs, and the TTPs. Offensive countermeasures in action. I could see this Use Case evolving into a very important one for driving adoption of threat intel platforms... especially if the CybOX objects are extracted, used in other tools for enrichment, then reconstructed as STIX again. Thus
later permutation aligns with the Use Case Jyoti introduced in the CybOX Subcommittee call today. Jane Ginn, MSIA, MRP
Hi All,
Sarah’s email below reminded me of some thoughts that have been bubbling around for a while.
I think there is a need for us to support describing and sharing Threat intelligence while it is still under investigation. Historically STIX has been used by Organizations who are
generally sharing information about attacks after they have finished. It seems to me that we are rapidly moving towards an automated future where Organizations are sharing information about attacks
while they are happening. This change is a subtle one, but one that has implications for STIX.
At present we have no way for an Organizations to temporarily ‘group’ different STIX objects together. When one is conducting an investigation into a series of suspicious events prompted
by your Organization’s monitoring processes, we often want to tag/relate these events together, without actually creating an official ‘Incident’ (as we’re not sure anything has actually happened yet). The Incident object is where one would put the information
when it is confirmed there is a problem, but I believe we at least need a way of ‘tagging’ and ‘grouping’ potentially related items together.
Does anyone else see the need for something like this?
Cheers
Terry MacDonald
Senior STIX Subject Matter Expert
SOLTRA | An FS-ISAC and DTCC Company
+61 (407) 203 206 |
terry@soltra.com
From: Sarah Kelley [mailto:Sarah.Kelley@cisecurity.org]
I am a huge proponent of letting (almost) anything link to anything. In fact, limiting what can have an association/link/relationship with what is my current biggest frustration with
Stix (we use workarounds to get around this limitation).
I would add the possible use cases:
My org observed 3 instances of this threat actor hitting our network
My org observed 12 instances of the Poison Ivy TTP on our network
Or even (though weaker):
My org was hit by this particular campaign 27 times
Sarah Kelley
Senior CERT Analyst
Center for Internet Security (CIS)
Integrated Intelligence Center (IIC)
Multi-State Information Sharing and Analysis Center (MS-ISAC)
1-866-787-4722 (7×24 SOC)
Email: cert@cisecurity.org
Follow us @CISecurity
|
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]