[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [cti-stix] Campaign Mini-Group Working Session
Can you explain a little about the distinction between “Activity” and “Course of Action”? It seems to me that if the old course of action definition is too narrow to capture other types of activity against a campaign, we should just expand it. Why have two different ways of representing actions that we take? It seems to me like “report to law enforcement” or “publish a threat report to out the campaign” or “take offensive actions” is just as valid a course of action as applying some patches (obviously different options are legally open to different entities).

Also, what would you extend the generic ActivityType with?
From: <cti-stix@lists.oasis-open.org> on behalf of Paul Patrick <ppatrick@isightpartners.com>
Date: Wednesday, May 11, 2016 at 7:11 PM
To: "Maxwell, Kyle" <kmaxwell@verisign.com>, "Jordan, Bret" <bret.jordan@bluecoat.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Campaign Mini-Group Working Session

Here are a few comments, as I couldn’t make today’s mini call:
Understand that campaigns must be planned out; they don’t just happen. Therefore a campaign has a lifecycle, in some way similar to the concept of a kill chain. So to effectively mediate a campaign requires one to disrupt the threat actor’s planning lifecycle, often referred to as the Threat Actor OODA loop (Observe, Orient, Decide, Act). By understanding the TTPs of a campaign, you can begin to take defensive actions to make it harder for the threat actor to achieve their objectives, because you are able to force them to change their ‘modus operandi’ as illustrated through the TTPs that are used as part of a campaign. That is why understanding the attack pattern and target TTPs is so critical.

I hope this helps add some clarity to this discussion. In general, I believe that the definition of Campaign in STIX 1.2.* is actually correct. I would also assert, as was stated on the #campaign slack channel, that the concept of intended effects is actually best represented by an assertion.
Paul Patrick
Chief Architect
FireEye Intelligence Business Unit
From: <cti-stix@lists.oasis-open.org> on behalf of "Maxwell, Kyle" <kmaxwell@verisign.com>
Date: Wednesday, May 11, 2016 at 1:13 PM
To: "Jordan, Bret" <bret.jordan@bluecoat.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: RE: [cti-stix] Campaign Mini-Group Working Session
Resent-From: <Paul.Patrick@FireEye.com>