OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

cti-stix message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [cti-stix] Campaign Mini-Group Working Session

Regarding activity…I talked with a few colleagues and some other people and learned a bit about the history of activity. Apparently it was added for specific people and has not really been used.

I had kind of latched on and thought that Activity, reworked to a COA relationship, might be used to capture law enforcement action or other proactive activities against a campaign but, thinking more, that’s probably better directed against a threat actor. So unless anyone else has any objections, given I was the one who suggested this, I’d like to withdraw that suggestion and instead suggest we just remove activity type completely.


From: <cti-stix@lists.oasis-open.org> on behalf of "Wunder, John A." <jwunder@mitre.org>
Date: Thursday, May 12, 2016 at 8:25 AM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Campaign Mini-Group Working Session

Can you explain a little about the distinction between “Activity” and “Course of Action”? It seems to me that if the old course of action definition is too narrow to capture other types of activity against a campaign we should just expand it. Why have two different ways of representing actions that we take? It seems to me like “report to law enforcement” or “publish a threat report to out the campaign” or “take offensive actions” is just as valid a course of action as applying some patches (obviously different options are legally open to different entities).

Also, what would you extend the generic ActivityType with?

From: <cti-stix@lists.oasis-open.org> on behalf of Paul Patrick <ppatrick@isightpartners.com>
Date: Wednesday, May 11, 2016 at 7:11 PM
To: "Maxwell, Kyle" <kmaxwell@verisign.com>, "Jordan, Bret" <bret.jordan@bluecoat.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Campaign Mini-Group Working Session

Here is a few comments as I couldn’t make today’s mini call:

  • If it often helpful to associate a specific campaign with other campaigns, but not duplicate ones.  Campaigns, especially by nation states often reoccur on a periodic basis and are not one time instances.  A re-occurring campaign is NOT a duplicate and the fact that it re-occurs is a key aspect of intelligence about a campaign
  • Campaigns generally leverage TTPs since the TTP characterizes how the campaign evolves/is played out, who it targets, what types of exploits it utilizes, identifies patterns or sequences of attack steps, etc.  So a campaign need to have a reference to TTPs that are leveraged or related to the campaign.  Remember it may not be possible to identify the threat actor(s) to which the campaign is able to be attributed to and yet characterization of how the campaign ‘functions’ are identifiable, so you can’t rely upon getting to the TTPs of the campaign via attribution to a threat actor(s).
  • Characterizing a campaign requires relationships from the campaign to the indicators used to detect the campaign, not observations, and from the campaign to incidents that were reportedly as a result of the campaign.  Clearly there inverse relationship between campaign, indicator, and incident is also true.  But having only a relationship from those items to the campaign makes it very difficult to describe a characterization of the campaign is a straightforward manner.
  • There is only an indirect relationship between a Campaign and one or more corresponding Courses of Actions.  Its indirect because you can not directly mediate a campaign, only the exploits that are leveraged by a campaign.  The exploits that are targeted by a campaign are defined through the use of TTPs, thus the relationship is Campaign—> TTP —> Exploit Target.  I believe there is confusion about the purpose of the Activity property and the use of Courses of Action as COAs are meant to represent corrective actions and preventative steps (remediation or countermeasures).  The activity property is used to capture just generic actions that is meant to be extended.
Understand that campaigns must be planned out; they don’t just happen. Therefore a campaign has a lifecycle, in some way similar to the concept of a kill chain.   So to effectively mediate a campaign requires one to disrupt the threat actor’s planning lifecycle, often referred to as the Threat Actor OODA (Observe, Orient, Decide Act).    By understanding the TTPs of a campaign, you can being to take defensive actions to make it harder for the threat actor to achieve their objectives because you able to force them to change their ‘modus operandi’ as illustrated through the TTPs that are used as part of a campaign.  That is why understanding the attack pattern and targets TTPs are so critical.

I hope this helps adds some clarity to this discussion.    In general, I believe that the definition of Campaign in STIX 1.2. * is actually correct.  I would also assert, as was stated on the #campaign slack channel, that the concept of intended effects is actually best represented by an assertion.

Paul Patrick
Chief Architect
FireEye Intelligence Business Unit

From: <cti-stix@lists.oasis-open.org> on behalf of "Maxwell, Kyle" <kmaxwell@verisign.com>
Date: Wednesday, May 11, 2016 at 1:13 PM
To: "Jordan, Bret" <bret.jordan@bluecoat.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: RE: [cti-stix] Campaign Mini-Group Working Session
Resent-From: <Paul.Patrick@FireEye.com>

I should be on the call, but if not, here are some additional relationships to think about:

  • Campaign targets a Victim (organization or vertical)
  • If ThreatActor and ThreatGroup are not identical, Campaigns may be attributed to the latter
  • Campaign uses a TTP

Kyle Maxwell [kmaxwell@verisign.com]

iDefense Senior Analyst

From:cti-stix@lists.oasis-open.org [cti-stix@lists.oasis-open.org] on behalf of Jordan, Bret [bret.jordan@bluecoat.com]
Sent: Tuesday, May 10, 2016 19:20
To: cti-stix@lists.oasis-open.org
Subject: [cti-stix] Campaign Mini-Group Working Session

For our discussion tomorrow on campaigns, here is a diagram I put together for Campaign Relationships in STIX 2.0.  This should help us better identify and understand where things are missing. 

[cti-stix] Campaign Mini-Group Working Session

Scheduled: May 11, 2016, 13:00 to 14:00

Location: Online Meeting

Invitees: Jordan, Bret, cti-stix@lists.oasis-open.org


The campaign mini-group wants to have a discussion to finalize their proposal to the broader SC. No need to join unless you want to influence this early stage development on the campaign TLO.



Join online meeting <https://meet.mitre.org/jwunder/HRTBLWS0>


Join by Phone

+1 (781) 271-2020

+1 (703) 983-2020

Find a local number <https://dialin.mitre.org>

Conference ID: 7622872

Forgot your dial-in PIN? <https://dialin.mitre.org> | First online meeting? <http://r.office.microsoft.com/r/rlidOC10?clid=1033&p1=4&p2=1041&pc=oc&ver=4&subver=0&bld=7185&bldver=0>




Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO
Blue Coat Systems
PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
"Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]