OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cti-stix message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [cti-stix] Results of the Campaign Mini-Group


Bret,
   Intrusion Sets are core piece of functionality used across the USG intelligence community, FVEY, the Defense Industrial Base (which is a larger sharing or as large community as FS-ISAC) and advanced cyber analytic commercial entities such as Mandiant (see the APT1 report).  In truth, for many of us, Intrusion Sets are of greater importance than Campaigns.  

   There is also an issue with just stating that an intrusion set is just a set of campaigns grouped together.  In some cases you may not be able to relate an incident back to a campaign but you can relate it back to an intrusion set.  You may acquire data from a source which is not associated with an incident.  For example you recognize that a known domain associated with APT6 used to point to a specific IP address but is now pointing to another IP address which is being used to park a number of domains so now you want to capture that new IP address and all of the domains also pointing to it as being associated with that Intrusion Set.  There's no campaign associated with that data, it's just new infrastructure that has been seen.  

   I understand the concern that some feel we are creating a lot of TLOs but please remember that it is our job to be able to provide the constructs so that cyber intelligence analysts can perform their job, not to determine what constructs that are heavily used should be allowed to be used in the future or not allowed to be used.

Hope this helps,
   -Gary

-----Original Message-----
From: Jordan, Bret [mailto:bret.jordan@bluecoat.com] 
Sent: Saturday, May 14, 2016 9:49 PM
To: Terry MacDonald
Cc: Paul Patrick; Katz, Gary CTR DC3/DCCI; cti-stix@lists.oasis-open.org
Subject: [Non-DoD Source] Re: [cti-stix] Results of the Campaign Mini-Group

That is a really good option Terry...  Another option is to just have a flag on a Campaign to say, is this an Intrusion Set...   

One question I would like to ask, is who needs Intrusion Set functionality in the near term...? 



Thanks,

Bret



Bret Jordan CISSP
Director of Security Architecture and Standards | Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg." 


	On May 14, 2016, at 17:05, Terry MacDonald <terry.macdonald@cosive.com> wrote:


	It strikes me that we are generating a lot of 'summary' objects at the moment, rather than using the relationships to hook things up together. I would see an intrusion set as being a set of campaign objects related together using a relationship type such as 'similar-to' or something like that. This ensures that all the campaigns are related together, yet avoids the need for a TLO.

	Cheers
	Terry MacDonald

	On 13/05/2016 07:21, "Paul Patrick" <ppatrick@isightpartners.com> wrote:
	

		Gary,
		
		Thanks for the clarification.
		
		Based on your clarifications and definitions, I can definitely support the proposal for Intrusion Sets
		
		
		Paul Patrick
		
		
		
		
		On 5/12/16, 9:14 AM, "Katz, Gary CTR DC3/DCCI" <Gary.Katz.ctr@dc3.mil> wrote:
		
		>Paul,
		>    I believe my comment was slightly mistaken, which is causing some confusion.  It is not that Campaigns and Intrusion Sets are nearly identical.  It is that the properties assigned to the STIX Campaign object and the properties assigned to the Intrusion Set object are nearly identical.  The purposes of capturing Campaigns and Intrusion Sets and their definitions are very different.
		>
		>Gary's attempt at definitions:
		>Campaign: A set of incidents, usually occurring over a discrete time frame which have shared properties or objectives.
		>Intrusion Set: A grouped set of activity or infrastructure with common properties that is believed to be orchestrated by a single organization.  An Intrusion Set may capture multiple campaigns that were all tied together by a shared TTPs.
		>Threat Actors: The individuals or organizations that are conducting the activity associated with a Campaign or Intrusion Set.
		>
		>Interested in your thoughts here.
		>-G
		>
		>-----Original Message-----
		>From: Jordan, Bret [mailto:bret.jordan@bluecoat.com]
		>Sent: Wednesday, May 11, 2016 10:39 PM
		>To: Paul Patrick; Katz, Gary CTR DC3/DCCI
		>Cc: cti-stix@lists.oasis-open.org
		>Subject: [Non-DoD Source] Re: [cti-stix] Results of the Campaign Mini-Group
		>
		>I agree on the Threat Group, it seems like it is just a Threat Actor with a property that has an optional Group_Name.
		>
		>Gary Katz will need to speak to the Intrusion_Set.
		>
		>
		>
		>Thanks,
		>
		>Bret
		>
		>
		>
		>Bret Jordan CISSP
		>Director of Security Architecture and Standards | Office of the CTO Blue Coat Systems PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050 "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
		>
		>
		>       On May 11, 2016, at 20:20, Paul Patrick <ppatrick@isightpartners.com> wrote:
		>
		>       Why would need need a Threat Group since  a Threat Actor could be an individual or a group.  The identity associated with the Threat Actor should contain information about whether its a group or an individual.
		>
		>       With regards to Intrusion_Set, I’d like to better understand how that is nearly identical to Campaign.  Can someone provide their definition of an Intrusion_Set?
		>
		>
		>       Paul Patrick
		>
		>
		>
		>       From: <cti-stix@lists.oasis-open.org> on behalf of "Jordan, Bret" <bret.jordan@bluecoat.com>
		>       Date: Wednesday, May 11, 2016 at 9:26 PM
		>       To: "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>
		>       Subject: [cti-stix] Re: Results of the Campaign Mini-Group
		>       Resent-From: <Paul.Patrick@FireEye.com>
		>
		>
		>
		>
		>               The Campaign mini-group also discussed two additional TLOs that the STIX SC might consider.
		>
		>               1) Threat Group
		>               My question is, is this really a different TLO, or should we make a property on the Threat Actor TLO that has a Group_Name property.  We could then allow Threat Actor TLOs to be related to other Threat Actor TLOs.  So Threat_Actor (A) could be a GROUP and Threat_Actor (B) and Threat_Actor (C) could be individuals that are related to the Group (Threat_Actor (A)).
		>
		>               2) Intrusion_Set
		>               The idea behind this TLO is that it is nearly identical to the Campaign TLO but is used for relating a collection of Campaigns.
		>
		>
		>
		>
		>
		>
		>               Thanks,
		>
		>               Bret
		>
		>
		>
		>               Bret Jordan CISSP
		>               Director of Security Architecture and Standards | Office of the CTO
		>               Blue Coat Systems
		>               PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
		>               "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
		>
		>
		>                       On May 11, 2016, at 17:26, Jordan, Bret <bret.jordan@BLUECOAT.COM> wrote:
		>
		>                       All,
		>
		>                       Please see the following pre-draft document for the initial proposal coming out of the Campaign mini-group..
		>
		>                       https://docs.google.com/document/d/1F1c05GgYaJFV1Z04B8c_T3vEE-LRQTPExF24LvOQAsk/edit#heading=h.bcqwxvu8zvzb
		>
		>                       Please add suggestions / comments to the document.
		>
		>
		>
		>
		>
		>                       Thanks,
		>
		>                       Bret
		>
		>
		>
		>                       Bret Jordan CISSP
		>                       Director of Security Architecture and Standards | Office of the CTO
		>                       Blue Coat Systems
		>                       PGP Fingerprint: 63B4 FC53 680A 6B7D 1447  F2C0 74F8 ACAE 7415 0050
		>                       "Without cryptography vihv vivc ce xhrnrw, however, the only thing that can not be unscrambled is an egg."
		>
		>
		>
		>
		




[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]