Subject: Re: [cti-stix] Campaign Mini-Group Working Session
Regarding activity…I talked with a few colleagues and some other people and learned a bit about the history of activity. Apparently it was added for specific people and has not really been used.
I had kind of latched on and thought that Activity, reworked to a COA relationship, might be used to capture law enforcement action or other proactive activities against a campaign but, thinking more, that’s probably better directed against a threat actor.
So unless anyone else has any objections, given I was the one who suggested this, I’d like to withdraw that suggestion and instead suggest we just remove activity type completely.
Thanks,
John
From: <cti-stix@lists.oasis-open.org> on behalf of "Wunder, John A." <jwunder@mitre.org>
Date: Thursday, May 12, 2016 at 8:25 AM
To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Campaign Mini-Group Working Session

Can you explain a little about the distinction between “Activity” and “Course of Action”? It seems to me that if the old course of action definition is too narrow to capture other types of activity against a campaign we should just expand it. Why have two different ways of representing actions that we take? It seems to me like “report to law enforcement” or “publish a threat report to out the campaign” or “take offensive actions” is just as valid a course of action as applying some patches (obviously different options are legally open to different entities).
Also, what would you extend the generic ActivityType with?
From: <cti-stix@lists.oasis-open.org> on behalf of Paul Patrick <ppatrick@isightpartners.com>
Date: Wednesday, May 11, 2016 at 7:11 PM
To: "Maxwell, Kyle" <kmaxwell@verisign.com>, "Jordan, Bret" <bret.jordan@bluecoat.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: Re: [cti-stix] Campaign Mini-Group Working Session

Here are a few comments, as I couldn’t make today’s mini call:

Understand that campaigns must be planned out; they don’t just happen. Therefore a campaign has a lifecycle, in some way similar to the concept of a kill chain. So to effectively mediate a campaign requires one to disrupt the threat actor’s planning lifecycle, often referred to as the Threat Actor OODA (Observe, Orient, Decide, Act). By understanding the TTPs of a campaign, you can begin to take defensive actions to make it harder for the threat actor to achieve their objectives, because you are able to force them to change their ‘modus operandi’ as illustrated through the TTPs that are used as part of a campaign. That is why understanding the attack pattern and target TTPs is so critical.

I hope this helps add some clarity to this discussion. In general, I believe that the definition of Campaign in STIX 1.2.* is actually correct. I would also assert, as was stated on the #campaign slack channel, that the concept of intended effects is actually best represented by an assertion.
Paul Patrick
Chief Architect
FireEye Intelligence Business Unit
From: <cti-stix@lists.oasis-open.org> on behalf of "Maxwell, Kyle" <kmaxwell@verisign.com>
Date: Wednesday, May 11, 2016 at 1:13 PM
To: "Jordan, Bret" <bret.jordan@bluecoat.com>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
Subject: RE: [cti-stix] Campaign Mini-Group Working Session
Resent-From: <Paul.Patrick@FireEye.com>