Re: [cti-stix] Re: Asset: the missing piece in your puzzle

[Jerome Athias <athiasjerome@gmail.com>]

I think this is representing AI spec

2015-11-30 19:38 GMT+03:00 Jerome Athias <athiasjerome@gmail.com>:
> -"One Org B can be an asset or Org A (e.g. a country)"
> +"One Org B can be an asset of Org A (e.g. a country)"
>
> 2015-11-30 19:37 GMT+03:00 Jerome Athias <athiasjerome@gmail.com>:
>> From my experience: consider Organisations/Person/Automatons/Hardware
>> as top-level assets constructs
>> But I strongly recommend to have at least a minimal Organisation
>> construct (Person we have with CIQ) and IT-Assets we know them
>> (Hardware could be excluded for now)
>>
>> Benefits of Organisations identification or characterization (even
>> minimal construct):
>> Org-Vocabulary
>> Data-Org Provenance
>> Trust Management
>> Confidence Management
>> and A LOT MORE
>>
>> One Org B can be an asset or Org A (e.g. a country)
>>
>> Asset Identification specification is a very good starting point, imho
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> 2015-11-30 18:13 GMT+03:00 Patrick Maroney <Pmaroney@specere.org>:
>>> It would be good to first agree on "what" an Asset "Is":
>>>
>>> (1). Aren't Assets "things" owned by, or of Interest to,
>>> Organizations/Entities?
>>>
>>> (2). Organizations/Entities may indeed be "Assets" as well, but only in the
>>> context of specific use cases?
>>>
>>> Sent from Outlook
>>>
>>>
>>>
>>>
>>> On Mon, Nov 30, 2015 at 6:43 AM -0800, "Jerome Athias"
>>> <athiasjerome@gmail.com> wrote:
>>>
>>> Fair enough we can keep that for later.
>>> I will try to list all the points in the current model offering a link to
>>> "assets"
>>>
>>> On Monday, 30 November 2015, Wunder, John A. <jwunder@mitre.org> wrote:
>>>>
>>>> Has somebody written up the use cases for asset information? I can think
>>>> of the following:
>>>>
>>>> 1. Representation of asset identity (or I suppose full characterizations?)
>>>> to coordinate incident response. (I believe this is part of what Joep is
>>>> saying)
>>>> 2. Representing *types* of assets that are targeted by a particular
>>>> TTP/attacker (MITRE laptops running Windows 7). Here I think we need to
>>>> disambiguate a few things: targeting of vulnerabilities/weaknesses
>>>> (CVE-XYZ), targeting of platforms (Win7), targeting of asset roles (web
>>>> servers), targeting of supported business or mission functions (financial
>>>> systems), targeting of supported employees/users (John Wunder at MITRE). (I
>>>> believe this covers the other part of what Joep was saying and what Pat was
>>>> saying in the other thread)
>>>> 3. Asset risk analysis & characterization (listed in the STIX use cases
>>>> wiki, though IMO it’s a bit of a crossover use case because risk
>>>> incorporates much more than just threat)
>>>> 4. What am I missing?
>>>>
>>>> I think once we further outline the use cases we could make more progress
>>>> on what that means for the language. For example, are existing mechanisms
>>>> (ITIL, the NIST specs) good enough? Is the current AffectedAssetType in STIX
>>>> good enough?
>>>>
>>>> I can write up a use case for #1 because it’s right in line with the work
>>>> that I do. Can anybody else tackle the others? In the meantime, maybe on the
>>>> lists we can close out the sightings and data markings topics before diving
>>>> too deep into this one?
>>>>
>>>> John
>>>>
>>>> On Nov 29, 2015, at 9:14 AM, Jerome Athias <athiasjerome@GMAIL.COM> wrote:
>>>>
>>>> Another good overview
>>>>
>>>> http://www.mitre.org/sites/default/files/publications/pr-15-2592-overview-of-mitre-cyber-situational-awareness-solutions.pdf
>>>>
>>>> On Saturday, 28 November 2015, Jordan, Bret <bret.jordan@bluecoat.com>
>>>> wrote:
>>>>>
>>>>> Good point Joep.  Please offer up a proposal for what you would like to
>>>>> see based on your experience with your tool.  I would love to see it and
>>>>> better understand it.
>>>>>
>>>>> Bret
>>>>>
>>>>> Sent from my Commodore 64
>>>>>
>>>>> On Nov 28, 2015, at 7:49 AM, Joep Gommers <joep@eclecticiq.com> wrote:
>>>>>
>>>>> Hi All,
>>>>>
>>>>> This is a interesting discussion. My 0.02$:
>>>>>
>>>>> Rob McMillan from Gartner:
>>>>> “Threat Intelligence is evidence-based knowledge, including context,
>>>>> mechanisms, indicators, implications and actionable advice about an existing
>>>>> or emerging menace or hazard to assets that can be used to inform decisions
>>>>> regarding the subject’s response to that menace or hazard”
>>>>>
>>>>> Inspired by Robert M Clark:
>>>>> "Intelligence is about reducing uncertainty. Uncertainty in a situation
>>>>> of conflict or uncertainty around business objectives (also known as
>>>>> “business risk”). In the context of CTI cyber focus, conflict can consists
>>>>> of any competitive or opposing forces/action resulting from the divergence
>>>>> of two or more parties’ ideas or interests. Example include uncertainty
>>>>> around topics of electronic crime, terrorism or espionage.
>>>>>
>>>>> Reducing uncertainty requires that intelligence obtain information that
>>>>> the opponent in a conflict prefers to conceal – directly or indirectly
>>>>> through analysis of available information. A typical goal of intelligence,
>>>>> also seen with the users of CTI, is to establish facts and then to develop
>>>>> precise, reliable, and valid inferences (hypotheses, estimations,
>>>>> conclusions and/or predictions) for use in decision making or operational
>>>>> planning or actions.”
>>>>>
>>>>> Key to expressing applicability of intelligence is being able to include
>>>>> assertions on what “blue” components are impacted by “red” forces. This
>>>>> includes victim information (like we do in TTP), asset classes impacted
>>>>> (like we do in Incident), etc. I think it is a grave misconception that
>>>>> threat information does not include information about what potentially is
>>>>> impacted by a threat and how that might evolve in the future. The closer an
>>>>> intelligence producer is to the impacted entity, the more granular they can
>>>>> describe what is impacted. All within the realm of responsibility of a
>>>>> threat analyst, of threat intelligence practice and of threat management
>>>>> process. For example being able to express that certain threat impacts any
>>>>> organization with online banking services, or payment processing facilities
>>>>> or software of a certain version etc. or the database behind URL online
>>>>> banking.com/x.aspx or any computer behind a firewall running windows 95 or
>>>>> anybody in the oil and extraction industry or anybody in belgium between
>>>>> april-15 and may-15 etc etc.
>>>>>
>>>>> If this should allow detailed modeling of asset technically, I have no
>>>>> opinion on. But the fact that any of the above examples need to be able to
>>>>> be communicated in a uniform way as part of a CTI standard for me is a
>>>>> no-brainer.
>>>>>
>>>>> Real-life examples: in our architectures, we are forced to use additional
>>>>> proprietary protocol exchange between platforms not using STIX because some
>>>>> of these “affected” or “targeting” statements are difficult to impossible to
>>>>> make in STIX. While all done by threat analyst, in a threat management
>>>>> context, inside a threat intelligence contract for a threat management
>>>>> budget informing the state of threat of an organization.
>>>>>
>>>>> So I wouldn’t personally wave more first level entities from the “blue”
>>>>> world away as quickly as that. I might even argue that having them part of
>>>>> other entities sometimes makes things more complex and hard to understand
>>>>> and apply. Nor do I nessecary agree with a “Asset” entity.. Simply providing
>>>>> some context IMO.
>>>>>
>>>>> J-
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> From: <cti-stix@lists.oasis-open.org> on behalf of "Jordan, Bret"
>>>>> <bret.jordan@bluecoat.com>
>>>>> Date: Friday, November 27, 2015 at 5:30 PM
>>>>> To: Richard Struse <Richard.Struse@HQ.DHS.GOV>
>>>>> Cc: Aharon Chernin <achernin@soltra.com>, Patrick Maroney
>>>>> <Pmaroney@Specere.org>, Jason Keirstead <jason.keirstead@ca.ibm.com>, Jerome
>>>>> Athias <athiasjerome@gmail.com>, "cti-stix@lists.oasis-open.org"
>>>>> <cti-stix@lists.oasis-open.org>
>>>>> Subject: Re: [cti-stix] Asset: the missing piece in your puzzle
>>>>>
>>>>> +1 Rich...  We have a hard enough time coming to consensus on seemingly
>>>>> easy things.  Lets first build a bridge that solves the issues we know with
>>>>> the current idioms and then lets gain massive adoption.  Once we have those
>>>>> two things, we can look at other things.
>>>>>
>>>>> Lets not put the freeways before the horse and buggy, or even lets not
>>>>> put the cart before the horse.  Or more in line of where we really are at,
>>>>> lets first figure out how to ride and tame a horse.
>>>>>
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Bret
>>>>>
>>>>>
>>>>>
>>>>> Bret Jordan CISSP
>>>>> Director of Security Architecture and Standards | Office of the CTO
>>>>> Blue Coat Systems
>>>>> PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>>>>> "Without cryptography vihv vivc ce xhrnrw, however, the only thing that
>>>>> can not be unscrambled is an egg."
>>>>>
>>>>> On Nov 27, 2015, at 07:14, Struse, Richard <Richard.Struse@HQ.DHS.GOV>
>>>>> wrote:
>>>>>
>>>>> I agree completely.  Just because something (like asset information) is
>>>>> important and could be helpful in understanding the potential impact of a
>>>>> threat doesn’t mean that STIX or any component of CTI needs to define that
>>>>> information model.   We need to keep a laser-like focus on Cyber Threat and
>>>>> build bridges to other communities that are looking at asset, configuration
>>>>> or vulnerability information.
>>>>>
>>>>> From: cti-stix@lists.oasis-open.org
>>>>> [mailto:cti-stix@lists.oasis-open.org] On Behalf Of Aharon Chernin
>>>>> Sent: Friday, November 27, 2015 8:31 AM
>>>>> To: Patrick Maroney; Jason Keirstead; Jerome Athias
>>>>> Cc: cti-stix@lists.oasis-open.org
>>>>> Subject: Re: [cti-stix] Asset: the missing piece in your puzzle
>>>>>
>>>>> I am 100% behind giving us the ability to communicate asset information.
>>>>> Just not sure it should be in STIX, or OASIS CTI for that matter. If we can
>>>>> do this at a higher level than CTI, then we can use the same asset standard
>>>>> for vulnerability, compliance, and threats. We could even use it outside of
>>>>> the information security space.
>>>>>
>>>>> I say we continue using exploit target until we can figure out how to get
>>>>> STIX out of the asset business.
>>>>>
>>>>> Aharon
>>>>>
>>>>> From: <cti-stix@lists.oasis-open.org> on behalf of Patrick Maroney
>>>>> <Pmaroney@Specere.org>
>>>>> Date: Friday, November 27, 2015 at 7:18 AM
>>>>> To: Jason Keirstead <jason.keirstead@ca.ibm.com>, Jerome Athias
>>>>> <athiasjerome@gmail.com>
>>>>> Cc: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
>>>>> Subject: Re: [cti-stix] Asset: the missing piece in your puzzle
>>>>>
>>>>>
>>>>> ExploitTarget only represents where the "pointy end" of the stick is
>>>>> pointed (attack surface/vulnerability), not the organization or assets
>>>>> behind same.  Some of us share the view that there needs to be a top level
>>>>> object that represents the Victim(s) and their Assets.
>>>>>
>>>>> Patrick Maroney
>>>>> President
>>>>> Integrated Networking Technologies, Inc.
>>>>> Desk: (856)983-0001
>>>>> Cell: (609)841-5104
>>>>> Email: pmaroney@specere.org
>>>>>
>>>>> _____________________________
>>>>> From: Jason Keirstead <jason.keirstead@ca.ibm.com>
>>>>> Sent: Friday, November 27, 2015 8:08 AM
>>>>> Subject: Re: [cti-stix] Asset: the missing piece in your puzzle
>>>>> To: Jerome Athias <athiasjerome@gmail.com>
>>>>> Cc: <cti-stix@lists.oasis-open.org>
>>>>>
>>>>>
>>>>>
>>>>> Wouldn't an asset just be linked using the already existing facility of
>>>>> @idref on ExploitTarget?
>>>>>
>>>>> Not sure something new needs to be created...
>>>>>
>>>>> -
>>>>> Jason Keirstead
>>>>> Product Architect, Security Intelligence, IBM Security Systems
>>>>> www.ibm.com/security | www.securityintelligence.com
>>>>>
>>>>> Without data, all you are is just another person with an opinion -
>>>>> Unknown
>>>>>
>>>>>
>>>>> <image001.gif>Jerome Athias ---11/27/2015 01:49:35 AM---From
>>>>> https://www.sans.org/critical-security-controls to ISO 27001, through the
>>>>> NIST CSF (#1 Identify
>>>>>
>>>>> From: Jerome Athias <athiasjerome@gmail.com>
>>>>> To: cti-stix@lists.oasis-open.org
>>>>> Date: 11/27/2015 01:49 AM
>>>>> Subject: [cti-stix] Asset: the missing piece in your puzzle
>>>>> Sent by: <cti-stix@lists.oasis-open.org>
>>>>>
>>>>> ________________________________
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> From https://www.sans.org/critical-security-controls
>>>>> to ISO 27001, through the NIST CSF (#1 Identify), NIST Risk Management
>>>>> Framework, SP 800-53... ...
>>>>> If you don't properly manage your Assets in cybersecurity: you will FAIL.
>>>>>
>>>>> Information obtained from the data that you will manipulate and
>>>>> exchange need to be linked to your Assets, the Assets of others
>>>>> (Supply Chain or Adversaries).
>>>>>
>>>>> So -again-, I invite you to look at
>>>>> http://scap.nist.gov/specifications/ai/
>>>>>
>>>>> NB: While not perfect, and I can comment further with pleasure on
>>>>> where/why, the Asset concept/construct or relationships (i.e. through
>>>>> GUIDs) is, imho, NEEDED.
>>>>>
>>>>> PS: I will try to put effort on documenting where the current model(s)
>>>>> are currently weak regarding this domain
>>>>>
>>>>> Best regards
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe from this mail list, you must leave the OASIS TC that
>>>>> generates this mail.  Follow this link to all your TCs in OASIS at:
>>>>> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>>>>>
>>>>>
>>>>
>>>

Attachment: ASSET_XORCISM01.jpeg
Description: JPEG image