Re: [cti-stix] Results of the Campaign Mini-Group

[Paul Patrick <ppatrick@isightpartners.com>]

Gary,

Thanks for the clarification.  

Based on your clarifications and definitions, I can definitely support the proposal for Intrusion Sets


Paul Patrick




On 5/12/16, 9:14 AM, "Katz, Gary CTR DC3/DCCI" <Gary.Katz.ctr@dc3.mil> wrote:

>Paul,
>    I believe my comment was slightly mistaken, which is causing some confusion.  It is not that Campaigns and Intrusion Sets are nearly identical.  It is that the properties assigned to the STIX Campaign object and the properties assigned to the Intrusion Set object are nearly identical.  The purposes of capturing Campaigns and Intrusion Sets and their definitions are very different.
>
>Gary's attempt at definitions:
>Campaign: A set of incidents, usually occurring over a discrete time frame which have shared properties or objectives.
>Intrusion Set: A grouped set of activity or infrastructure with common properties that is believed to be orchestrated by a single organization.  An Intrusion Set may capture multiple campaigns that were all tied together by a shared TTPs.  
>Threat Actors: The individuals or organizations that are conducting the activity associated with a Campaign or Intrusion Set.
>
>Interested in your thoughts here.
>-G
>
>-----Original Message-----
>From: Jordan, Bret [mailto:bret.jordan@bluecoat.com] 
>Sent: Wednesday, May 11, 2016 10:39 PM
>To: Paul Patrick; Katz, Gary CTR DC3/DCCI
>Cc: cti-stix@lists.oasis-open.org
>Subject: [Non-DoD Source] Re: [cti-stix] Results of the Campaign Mini-Group
>
>I agree on the Threat Group, it seems like it is just a Threat Actor with a property that has an optional Group_Name.
>
>Gary Katz will need to speak to the Intrusion_Set.  
>
>
>
>Thanks,
>
>Bret
>
>
>
>Bret Jordan CISSP
>Director of Security Architecture and Standards | Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 
>
>
>	On May 11, 2016, at 20:20, Paul Patrick <ppatrick@isightpartners.com> wrote:
>
>	Why would need need a Threat Group since  a Threat Actor could be an individual or a group.  The identity associated with the Threat Actor should contain information about whether its a group or an individual.
>
>	With regards to Intrusion_Set, I’d like to better understand how that is nearly identical to Campaign.  Can someone provide their definition of an Intrusion_Set?
>
>
>	Paul Patrick
>
>
>	
>	From: <cti-stix@lists.oasis-open.org> on behalf of "Jordan, Bret" <bret.jordan@bluecoat.com>
>	Date: Wednesday, May 11, 2016 at 9:26 PM
>	To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
>	Subject: [cti-stix] Re: Results of the Campaign Mini-Group
>	Resent-From: <Paul.Patrick@FireEye.com>
>	
>
>	
>
>		The Campaign mini-group also discussed two additional TLOs that the STIX SC might consider.  
>
>		1) Threat Group
>		My question is, is this really a different TLO, or should we make a property on the Threat Actor TLO that has a Group_Name property.  We could then allow Threat Actor TLOs to be related to other Threat Actor TLOs.  So Threat_Actor (A) could be a GROUP and Threat_Actor (B) and Threat_Actor (C) could be individuals that are related to the Group (Threat_Actor (A)).
>
>		2) Intrusion_Set
>		The idea behind this TLO is that it is nearly identical to the Campaign TLO but is used for relating a collection of Campaigns.  
>
>
>		
>		
>
>
>		Thanks,
>
>		Bret
>
>
>
>		Bret Jordan CISSP 
>		Director of Security Architecture and Standards | Office of the CTO
>		Blue Coat Systems
>		PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>		"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 
>
>
>			On May 11, 2016, at 17:26, Jordan, Bret <bret.jordan@BLUECOAT.COM> wrote:
>
>			All, 
>
>			Please see the following pre-draft document for the initial proposal coming out of the Campaign mini-group.. 
>
>			https://docs.google.com/document/d/1F1c05GgYaJFV1Z04B8c_T3vEE-LRQTPExF24LvOQAsk/edit#heading=h.bcqwxvu8zvzb
>
>			Please add suggestions / comments to the document.  
>			
>			
>			
>
>
>			Thanks,
>
>			Bret
>
>
>
>			Bret Jordan CISSP 
>			Director of Security Architecture and Standards | Office of the CTO
>			Blue Coat Systems
>			PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
>			"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 
>
>
>
>