Re: [cti-stix] Re: Asset: the missing piece in your puzzle

[Jerome Athias <athiasjerome@gmail.com>]

From my experience: consider Organisations/Person/Automatons/Hardware
as top-level assets constructs
But I strongly recommend to have at least a minimal Organisation
construct (Person we have with CIQ) and IT-Assets we know them
(Hardware could be excluded for now)

Benefits of Organisations identification or characterization (even
minimal construct):
Org-Vocabulary
Data-Org Provenance
Trust Management
Confidence Management
and A LOT MORE

One Org B can be an asset or Org A (e.g. a country)

Asset Identification specification is a very good starting point, imho











2015-11-30 18:13 GMT+03:00 Patrick Maroney <Pmaroney@specere.org>:
> It would be good to first agree on "what" an Asset "Is":
>
> (1). Aren't Assets "things" owned by, or of Interest to,
> Organizations/Entities?
>
> (2). Organizations/Entities may indeed be "Assets" as well, but only in the
> context of specific use cases?
>
> Sent from Outlook
>
>
>
>
> On Mon, Nov 30, 2015 at 6:43 AM -0800, "Jerome Athias"
> <athiasjerome@gmail.com> wrote:
>
> Fair enough we can keep that for later.
> I will try to list all the points in the current model offering a link to
> "assets"
>
> On Monday, 30 November 2015, Wunder, John A. <jwunder@mitre.org> wrote:
>>
>> Has somebody written up the use cases for asset information? I can think
>> of the following:
>>
>> 1. Representation of asset identity (or I suppose full characterizations?)
>> to coordinate incident response. (I believe this is part of what Joep is
>> saying)
>> 2. Representing *types* of assets that are targeted by a particular
>> TTP/attacker (MITRE laptops running Windows 7). Here I think we need to
>> disambiguate a few things: targeting of vulnerabilities/weaknesses
>> (CVE-XYZ), targeting of platforms (Win7), targeting of asset roles (web
>> servers), targeting of supported business or mission functions (financial
>> systems), targeting of supported employees/users (John Wunder at MITRE). (I
>> believe this covers the other part of what Joep was saying and what Pat was
>> saying in the other thread)
>> 3. Asset risk analysis & characterization (listed in the STIX use cases
>> wiki, though IMO it’s a bit of a crossover use case because risk
>> incorporates much more than just threat)
>> 4. What am I missing?
>>
>> I think once we further outline the use cases we could make more progress
>> on what that means for the language. For example, are existing mechanisms
>> (ITIL, the NIST specs) good enough? Is the current AffectedAssetType in STIX
>> good enough?
>>
>> I can write up a use case for #1 because it’s right in line with the work
>> that I do. Can anybody else tackle the others? In the meantime, maybe on the
>> lists we can close out the sightings and data markings topics before diving
>> too deep into this one?
>>
>> John
>>
>> On Nov 29, 2015, at 9:14 AM, Jerome Athias <athiasjerome@GMAIL.COM> wrote:
>>
>> Another good overview
>>
>> http://www.mitre.org/sites/default/files/publications/pr-15-2592-overview-of-mitre-cyber-situational-awareness-solutions.pdf
>>
>> On Saturday, 28 November 2015, Jordan, Bret <bret.jordan@bluecoat.com>
>> wrote:
>>>
>>> Good point Joep.  Please offer up a proposal for what you would like to
>>> see based on your experience with your tool.  I would love to see it and
>>> better understand it.
>>>
>>> Bret
>>>
>>> Sent from my Commodore 64
>>>
>>> On Nov 28, 2015, at 7:49 AM, Joep Gommers <joep@eclecticiq.com> wrote:
>>>
>>> Hi All,
>>>
>>> This is a interesting discussion. My 0.02$:
>>>
>>> Rob McMillan from Gartner:
>>> “Threat Intelligence is evidence-based knowledge, including context,
>>> mechanisms, indicators, implications and actionable advice about an existing
>>> or emerging menace or hazard to assets that can be used to inform decisions
>>> regarding the subject’s response to that menace or hazard”
>>>
>>> Inspired by Robert M Clark:
>>> "Intelligence is about reducing uncertainty. Uncertainty in a situation
>>> of conflict or uncertainty around business objectives (also known as
>>> “business risk”). In the context of CTI cyber focus, conflict can consists
>>> of any competitive or opposing forces/action resulting from the divergence
>>> of two or more parties’ ideas or interests. Example include uncertainty
>>> around topics of electronic crime, terrorism or espionage.
>>>
>>> Reducing uncertainty requires that intelligence obtain information that
>>> the opponent in a conflict prefers to conceal – directly or indirectly
>>> through analysis of available information. A typical goal of intelligence,
>>> also seen with the users of CTI, is to establish facts and then to develop
>>> precise, reliable, and valid inferences (hypotheses, estimations,
>>> conclusions and/or predictions) for use in decision making or operational
>>> planning or actions.”
>>>
>>> Key to expressing applicability of intelligence is being able to include
>>> assertions on what “blue” components are impacted by “red” forces. This
>>> includes victim information (like we do in TTP), asset classes impacted
>>> (like we do in Incident), etc. I think it is a grave misconception that
>>> threat information does not include information about what potentially is
>>> impacted by a threat and how that might evolve in the future. The closer an
>>> intelligence producer is to the impacted entity, the more granular they can
>>> describe what is impacted. All within the realm of responsibility of a
>>> threat analyst, of threat intelligence practice and of threat management
>>> process. For example being able to express that certain threat impacts any
>>> organization with online banking services, or payment processing facilities
>>> or software of a certain version etc. or the database behind URL online
>>> banking.com/x.aspx or any computer behind a firewall running windows 95 or
>>> anybody in the oil and extraction industry or anybody in belgium between
>>> april-15 and may-15 etc etc.
>>>
>>> If this should allow detailed modeling of asset technically, I have no
>>> opinion on. But the fact that any of the above examples need to be able to
>>> be communicated in a uniform way as part of a CTI standard for me is a
>>> no-brainer.
>>>
>>> Real-life examples: in our architectures, we are forced to use additional
>>> proprietary protocol exchange between platforms not using STIX because some
>>> of these “affected” or “targeting” statements are difficult to impossible to
>>> make in STIX. While all done by threat analyst, in a threat management
>>> context, inside a threat intelligence contract for a threat management
>>> budget informing the state of threat of an organization.
>>>
>>> So I wouldn’t personally wave more first level entities from the “blue”
>>> world away as quickly as that. I might even argue that having them part of
>>> other entities sometimes makes things more complex and hard to understand
>>> and apply. Nor do I nessecary agree with a “Asset” entity.. Simply providing
>>> some context IMO.
>>>
>>> J-
>>>
>>>
>>>
>>>
>>>
>>> From: <cti-stix@lists.oasis-open.org> on behalf of "Jordan, Bret"
>>> <bret.jordan@bluecoat.com>
>>> Date: Friday, November 27, 2015 at 5:30 PM
>>> To: Richard Struse <Richard.Struse@HQ.DHS.GOV>
>>> Cc: Aharon Chernin <achernin@soltra.com>, Patrick Maroney
>>> <Pmaroney@Specere.org>, Jason Keirstead <jason.keirstead@ca.ibm.com>, Jerome
>>> Athias <athiasjerome@gmail.com>, "cti-stix@lists.oasis-open.org"
>>> <cti-stix@lists.oasis-open.org>
>>> Subject: Re: [cti-stix] Asset: the missing piece in your puzzle
>>>
>>> +1 Rich...  We have a hard enough time coming to consensus on seemingly
>>> easy things.  Lets first build a bridge that solves the issues we know with
>>> the current idioms and then lets gain massive adoption.  Once we have those
>>> two things, we can look at other things.
>>>
>>> Lets not put the freeways before the horse and buggy, or even lets not
>>> put the cart before the horse.  Or more in line of where we really are at,
>>> lets first figure out how to ride and tame a horse.
>>>
>>>
>>> Thanks,
>>>
>>> Bret
>>>
>>>
>>>
>>> Bret Jordan CISSP
>>> Director of Security Architecture and Standards | Office of the CTO
>>> Blue Coat Systems
>>> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>>> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that
>>> can not be unscrambled is an egg."
>>>
>>> On Nov 27, 2015, at 07:14, Struse, Richard <Richard.Struse@HQ.DHS.GOV>
>>> wrote:
>>>
>>> I agree completely.  Just because something (like asset information) is
>>> important and could be helpful in understanding the potential impact of a
>>> threat doesn’t mean that STIX or any component of CTI needs to define that
>>> information model.   We need to keep a laser-like focus on Cyber Threat and
>>> build bridges to other communities that are looking at asset, configuration
>>> or vulnerability information.
>>>
>>> From: cti-stix@lists.oasis-open.org
>>> [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Aharon Chernin
>>> Sent: Friday, November 27, 2015 8:31 AM
>>> To: Patrick Maroney; Jason Keirstead; Jerome Athias
>>> Cc: cti-stix@lists.oasis-open.org
>>> Subject: Re: [cti-stix] Asset: the missing piece in your puzzle
>>>
>>> I am 100% behind giving us the ability to communicate asset information.
>>> Just not sure it should be in STIX, or OASIS CTI for that matter. If we can
>>> do this at a higher level than CTI, then we can use the same asset standard
>>> for vulnerability, compliance, and threats. We could even use it outside of
>>> the information security space.
>>>
>>> I say we continue using exploit target until we can figure out how to get
>>> STIX out of the asset business.
>>>
>>> Aharon
>>>
>>> From: <cti-stix@lists.oasis-open.org> on behalf of Patrick Maroney
>>> <Pmaroney@Specere.org>
>>> Date: Friday, November 27, 2015 at 7:18 AM
>>> To: Jason Keirstead <jason.keirstead@ca.ibm.com>, Jerome Athias
>>> <athiasjerome@gmail.com>
>>> Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
>>> Subject: Re: [cti-stix] Asset: the missing piece in your puzzle
>>>
>>>
>>> ExploitTarget only represents where the "pointy end" of the stick is
>>> pointed (attack surface/vulnerability), not the organization or assets
>>> behind same.  Some of us share the view that there needs to be a top level
>>> object that represents the Victim(s) and their Assets.
>>>
>>> Patrick Maroney
>>> President
>>> Integrated Networking Technologies, Inc.
>>> Desk: (856)983-0001
>>> Cell: (609)841-5104
>>> Email: pmaroney@specere.org
>>>
>>> _____________________________
>>> From: Jason Keirstead <jason.keirstead@ca.ibm.com>
>>> Sent: Friday, November 27, 2015 8:08 AM
>>> Subject: Re: [cti-stix] Asset: the missing piece in your puzzle
>>> To: Jerome Athias <athiasjerome@gmail.com>
>>> Cc: <cti-stix@lists.oasis-open.org>
>>>
>>>
>>>
>>> Wouldn't an asset just be linked using the already existing facility of
>>> @idref on ExploitTarget?
>>>
>>> Not sure something new needs to be created...
>>>
>>> -
>>> Jason Keirstead
>>> Product Architect, Security Intelligence, IBM Security Systems
>>> www.ibm.com/security | www.securityintelligence.com
>>>
>>> Without data, all you are is just another person with an opinion -
>>> Unknown
>>>
>>>
>>> <image001.gif>Jerome Athias ---11/27/2015 01:49:35 AM---From
>>> https://www.sans.org/critical-security-controls to ISO 27001, through the
>>> NIST CSF (#1 Identify
>>>
>>> From: Jerome Athias <athiasjerome@gmail.com>
>>> To: cti-stix@lists.oasis-open.org
>>> Date: 11/27/2015 01:49 AM
>>> Subject: [cti-stix] Asset: the missing piece in your puzzle
>>> Sent by: <cti-stix@lists.oasis-open.org>
>>>
>>> ________________________________
>>>
>>>
>>>
>>>
>>> From https://www.sans.org/critical-security-controls
>>> to ISO 27001, through the NIST CSF (#1 Identify), NIST Risk Management
>>> Framework, SP 800-53... ...
>>> If you don't properly manage your Assets in cybersecurity: you will FAIL.
>>>
>>> Information obtained from the data that you will manipulate and
>>> exchange need to be linked to your Assets, the Assets of others
>>> (Supply Chain or Adversaries).
>>>
>>> So -again-, I invite you to look at
>>> http://scap.nist.gov/specifications/ai/
>>>
>>> NB: While not perfect, and I can comment further with pleasure on
>>> where/why, the Asset concept/construct or relationships (i.e. through
>>> GUIDs) is, imho, NEEDED.
>>>
>>> PS: I will try to put effort on documenting where the current model(s)
>>> are currently weak regarding this domain
>>>
>>> Best regards
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe from this mail list, you must leave the OASIS TC that
>>> generates this mail.  Follow this link to all your TCs in OASIS at:
>>> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>>>
>>>
>>
>