[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-stix] Re: Asset: the missing piece in your puzzle
-"One Org B can be an asset or Org A (e.g. a country)" +"One Org B can be an asset of Org A (e.g. a country)" 2015-11-30 19:37 GMT+03:00 Jerome Athias <athiasjerome@gmail.com>: > From my experience: consider Organisations/Person/Automatons/Hardware > as top-level assets constructs > But I strongly recommend to have at least a minimal Organisation > construct (Person we have with CIQ) and IT-Assets we know them > (Hardware could be excluded for now) > > Benefits of Organisations identification or characterization (even > minimal construct): > Org-Vocabulary > Data-Org Provenance > Trust Management > Confidence Management > and A LOT MORE > > One Org B can be an asset or Org A (e.g. a country) > > Asset Identification specification is a very good starting point, imho > > > > > > > > > > > > 2015-11-30 18:13 GMT+03:00 Patrick Maroney <Pmaroney@specere.org>: >> It would be good to first agree on "what" an Asset "Is": >> >> (1). Aren't Assets "things" owned by, or of Interest to, >> Organizations/Entities? >> >> (2). Organizations/Entities may indeed be "Assets" as well, but only in the >> context of specific use cases? >> >> Sent from Outlook >> >> >> >> >> On Mon, Nov 30, 2015 at 6:43 AM -0800, "Jerome Athias" >> <athiasjerome@gmail.com> wrote: >> >> Fair enough we can keep that for later. >> I will try to list all the points in the current model offering a link to >> "assets" >> >> On Monday, 30 November 2015, Wunder, John A. <jwunder@mitre.org> wrote: >>> >>> Has somebody written up the use cases for asset information? I can think >>> of the following: >>> >>> 1. Representation of asset identity (or I suppose full characterizations?) >>> to coordinate incident response. (I believe this is part of what Joep is >>> saying) >>> 2. Representing *types* of assets that are targeted by a particular >>> TTP/attacker (MITRE laptops running Windows 7). Here I think we need to >>> disambiguate a few things: targeting of vulnerabilities/weaknesses >>> (CVE-XYZ), targeting of platforms (Win7), targeting of asset roles (web >>> servers), targeting of supported business or mission functions (financial >>> systems), targeting of supported employees/users (John Wunder at MITRE). (I >>> believe this covers the other part of what Joep was saying and what Pat was >>> saying in the other thread) >>> 3. Asset risk analysis & characterization (listed in the STIX use cases >>> wiki, though IMO it’s a bit of a crossover use case because risk >>> incorporates much more than just threat) >>> 4. What am I missing? >>> >>> I think once we further outline the use cases we could make more progress >>> on what that means for the language. For example, are existing mechanisms >>> (ITIL, the NIST specs) good enough? Is the current AffectedAssetType in STIX >>> good enough? >>> >>> I can write up a use case for #1 because it’s right in line with the work >>> that I do. Can anybody else tackle the others? In the meantime, maybe on the >>> lists we can close out the sightings and data markings topics before diving >>> too deep into this one? >>> >>> John >>> >>> On Nov 29, 2015, at 9:14 AM, Jerome Athias <athiasjerome@GMAIL.COM> wrote: >>> >>> Another good overview >>> >>> http://www.mitre.org/sites/default/files/publications/pr-15-2592-overview-of-mitre-cyber-situational-awareness-solutions.pdf >>> >>> On Saturday, 28 November 2015, Jordan, Bret <bret.jordan@bluecoat.com> >>> wrote: >>>> >>>> Good point Joep. Please offer up a proposal for what you would like to >>>> see based on your experience with your tool. I would love to see it and >>>> better understand it. >>>> >>>> Bret >>>> >>>> Sent from my Commodore 64 >>>> >>>> On Nov 28, 2015, at 7:49 AM, Joep Gommers <joep@eclecticiq.com> wrote: >>>> >>>> Hi All, >>>> >>>> This is a interesting discussion. My 0.02$: >>>> >>>> Rob McMillan from Gartner: >>>> “Threat Intelligence is evidence-based knowledge, including context, >>>> mechanisms, indicators, implications and actionable advice about an existing >>>> or emerging menace or hazard to assets that can be used to inform decisions >>>> regarding the subject’s response to that menace or hazard” >>>> >>>> Inspired by Robert M Clark: >>>> "Intelligence is about reducing uncertainty. Uncertainty in a situation >>>> of conflict or uncertainty around business objectives (also known as >>>> “business risk”). In the context of CTI cyber focus, conflict can consists >>>> of any competitive or opposing forces/action resulting from the divergence >>>> of two or more parties’ ideas or interests. Example include uncertainty >>>> around topics of electronic crime, terrorism or espionage. >>>> >>>> Reducing uncertainty requires that intelligence obtain information that >>>> the opponent in a conflict prefers to conceal – directly or indirectly >>>> through analysis of available information. A typical goal of intelligence, >>>> also seen with the users of CTI, is to establish facts and then to develop >>>> precise, reliable, and valid inferences (hypotheses, estimations, >>>> conclusions and/or predictions) for use in decision making or operational >>>> planning or actions.” >>>> >>>> Key to expressing applicability of intelligence is being able to include >>>> assertions on what “blue” components are impacted by “red” forces. This >>>> includes victim information (like we do in TTP), asset classes impacted >>>> (like we do in Incident), etc. I think it is a grave misconception that >>>> threat information does not include information about what potentially is >>>> impacted by a threat and how that might evolve in the future. The closer an >>>> intelligence producer is to the impacted entity, the more granular they can >>>> describe what is impacted. All within the realm of responsibility of a >>>> threat analyst, of threat intelligence practice and of threat management >>>> process. For example being able to express that certain threat impacts any >>>> organization with online banking services, or payment processing facilities >>>> or software of a certain version etc. or the database behind URL online >>>> banking.com/x.aspx or any computer behind a firewall running windows 95 or >>>> anybody in the oil and extraction industry or anybody in belgium between >>>> april-15 and may-15 etc etc. >>>> >>>> If this should allow detailed modeling of asset technically, I have no >>>> opinion on. But the fact that any of the above examples need to be able to >>>> be communicated in a uniform way as part of a CTI standard for me is a >>>> no-brainer. >>>> >>>> Real-life examples: in our architectures, we are forced to use additional >>>> proprietary protocol exchange between platforms not using STIX because some >>>> of these “affected” or “targeting” statements are difficult to impossible to >>>> make in STIX. While all done by threat analyst, in a threat management >>>> context, inside a threat intelligence contract for a threat management >>>> budget informing the state of threat of an organization. >>>> >>>> So I wouldn’t personally wave more first level entities from the “blue” >>>> world away as quickly as that. I might even argue that having them part of >>>> other entities sometimes makes things more complex and hard to understand >>>> and apply. Nor do I nessecary agree with a “Asset” entity.. Simply providing >>>> some context IMO. >>>> >>>> J- >>>> >>>> >>>> >>>> >>>> >>>> From: <cti-stix@lists.oasis-open.org> on behalf of "Jordan, Bret" >>>> <bret.jordan@bluecoat.com> >>>> Date: Friday, November 27, 2015 at 5:30 PM >>>> To: Richard Struse <Richard.Struse@HQ.DHS.GOV> >>>> Cc: Aharon Chernin <achernin@soltra.com>, Patrick Maroney >>>> <Pmaroney@Specere.org>, Jason Keirstead <jason.keirstead@ca.ibm.com>, Jerome >>>> Athias <athiasjerome@gmail.com>, "cti-stix@lists.oasis-open.org" >>>> <cti-stix@lists.oasis-open.org> >>>> Subject: Re: [cti-stix] Asset: the missing piece in your puzzle >>>> >>>> +1 Rich... We have a hard enough time coming to consensus on seemingly >>>> easy things. Lets first build a bridge that solves the issues we know with >>>> the current idioms and then lets gain massive adoption. Once we have those >>>> two things, we can look at other things. >>>> >>>> Lets not put the freeways before the horse and buggy, or even lets not >>>> put the cart before the horse. Or more in line of where we really are at, >>>> lets first figure out how to ride and tame a horse. >>>> >>>> >>>> Thanks, >>>> >>>> Bret >>>> >>>> >>>> >>>> Bret Jordan CISSP >>>> Director of Security Architecture and Standards | Office of the CTO >>>> Blue Coat Systems >>>> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447 F2C0 74F8 ACAE 7415 0050 >>>> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that >>>> can not be unscrambled is an egg." >>>> >>>> On Nov 27, 2015, at 07:14, Struse, Richard <Richard.Struse@HQ.DHS.GOV> >>>> wrote: >>>> >>>> I agree completely. Just because something (like asset information) is >>>> important and could be helpful in understanding the potential impact of a >>>> threat doesn’t mean that STIX or any component of CTI needs to define that >>>> information model. We need to keep a laser-like focus on Cyber Threat and >>>> build bridges to other communities that are looking at asset, configuration >>>> or vulnerability information. >>>> >>>> From: cti-stix@lists.oasis-open.org >>>> [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Aharon Chernin >>>> Sent: Friday, November 27, 2015 8:31 AM >>>> To: Patrick Maroney; Jason Keirstead; Jerome Athias >>>> Cc: cti-stix@lists.oasis-open.org >>>> Subject: Re: [cti-stix] Asset: the missing piece in your puzzle >>>> >>>> I am 100% behind giving us the ability to communicate asset information. >>>> Just not sure it should be in STIX, or OASIS CTI for that matter. If we can >>>> do this at a higher level than CTI, then we can use the same asset standard >>>> for vulnerability, compliance, and threats. We could even use it outside of >>>> the information security space. >>>> >>>> I say we continue using exploit target until we can figure out how to get >>>> STIX out of the asset business. >>>> >>>> Aharon >>>> >>>> From: <cti-stix@lists.oasis-open.org> on behalf of Patrick Maroney >>>> <Pmaroney@Specere.org> >>>> Date: Friday, November 27, 2015 at 7:18 AM >>>> To: Jason Keirstead <jason.keirstead@ca.ibm.com>, Jerome Athias >>>> <athiasjerome@gmail.com> >>>> Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org> >>>> Subject: Re: [cti-stix] Asset: the missing piece in your puzzle >>>> >>>> >>>> ExploitTarget only represents where the "pointy end" of the stick is >>>> pointed (attack surface/vulnerability), not the organization or assets >>>> behind same. Some of us share the view that there needs to be a top level >>>> object that represents the Victim(s) and their Assets. >>>> >>>> Patrick Maroney >>>> President >>>> Integrated Networking Technologies, Inc. >>>> Desk: (856)983-0001 >>>> Cell: (609)841-5104 >>>> Email: pmaroney@specere.org >>>> >>>> _____________________________ >>>> From: Jason Keirstead <jason.keirstead@ca.ibm.com> >>>> Sent: Friday, November 27, 2015 8:08 AM >>>> Subject: Re: [cti-stix] Asset: the missing piece in your puzzle >>>> To: Jerome Athias <athiasjerome@gmail.com> >>>> Cc: <cti-stix@lists.oasis-open.org> >>>> >>>> >>>> >>>> Wouldn't an asset just be linked using the already existing facility of >>>> @idref on ExploitTarget? >>>> >>>> Not sure something new needs to be created... >>>> >>>> - >>>> Jason Keirstead >>>> Product Architect, Security Intelligence, IBM Security Systems >>>> www.ibm.com/security | www.securityintelligence.com >>>> >>>> Without data, all you are is just another person with an opinion - >>>> Unknown >>>> >>>> >>>> <image001.gif>Jerome Athias ---11/27/2015 01:49:35 AM---From >>>> https://www.sans.org/critical-security-controls to ISO 27001, through the >>>> NIST CSF (#1 Identify >>>> >>>> From: Jerome Athias <athiasjerome@gmail.com> >>>> To: cti-stix@lists.oasis-open.org >>>> Date: 11/27/2015 01:49 AM >>>> Subject: [cti-stix] Asset: the missing piece in your puzzle >>>> Sent by: <cti-stix@lists.oasis-open.org> >>>> >>>> ________________________________ >>>> >>>> >>>> >>>> >>>> From https://www.sans.org/critical-security-controls >>>> to ISO 27001, through the NIST CSF (#1 Identify), NIST Risk Management >>>> Framework, SP 800-53... ... >>>> If you don't properly manage your Assets in cybersecurity: you will FAIL. >>>> >>>> Information obtained from the data that you will manipulate and >>>> exchange need to be linked to your Assets, the Assets of others >>>> (Supply Chain or Adversaries). >>>> >>>> So -again-, I invite you to look at >>>> http://scap.nist.gov/specifications/ai/ >>>> >>>> NB: While not perfect, and I can comment further with pleasure on >>>> where/why, the Asset concept/construct or relationships (i.e. through >>>> GUIDs) is, imho, NEEDED. >>>> >>>> PS: I will try to put effort on documenting where the current model(s) >>>> are currently weak regarding this domain >>>> >>>> Best regards >>>> >>>> --------------------------------------------------------------------- >>>> To unsubscribe from this mail list, you must leave the OASIS TC that >>>> generates this mail. Follow this link to all your TCs in OASIS at: >>>> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php >>>> >>>> >>> >>
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]