Subject: Re: [cti-stix] Asset TLO discussion
I do not think we should use a boolean flag to say an Asset is malicious, as that means that Asset is always malicious. What we talked about today on the call was collapsing down Asset and Malicious-Infrastructure into a single Asset object... Then using the relationships to tie an Asset to a Campaign or Threat Actor with a verb link "used maliciously". This would enable us to tie the relationship to a point in time and assign a confidence score to it.
Bret
From: cti-stix@lists.oasis-open.org <cti-stix@lists.oasis-open.org> on behalf of Jerome Athias <athiasjerome@gmail.com>
Sent: Tuesday, June 14, 2016 1:53 PM
To: Piazza, Rich
Cc: cti-stix@lists.oasis-open.org
Subject: Re: [cti-stix] Asset TLO discussion
Asset is a top level concept (note the difference with object (or subject, which is potentially a better term semantically for what is currently called object...))
I tried to highlight that as a concept, an infrastructure could be a target/victim asset in one context (i.e. for one Organization) or/and a TTP asset in another context (or Organization)
The point being that it should be avoided to have the same concept/object called differently in various places/objects when the concept is the same, and the only difference is the 'boolean' malicious or not
Org A could use a laptop to target a laptop of Org B
Is laptop A a TTP and laptop B a Target?
(Laptop A is an asset of Org A. Laptop B is an asset of Org B)
(Replace laptop by infrastructure...)
IMHO they would have the same properties
(E.g. IP address)
On Tuesday, 14 June 2016, Piazza, Rich <rpiazza@mitre.org> wrote: