OASIS Mailing List Archives

cti-stix message



Subject: Threat actor classification info for today's meeting


Everyone,

 

Here is the research I mentioned in the CTI meeting today regarding threat actor characterization.  As I mentioned, for some time my team has been studying human threats as a class.  We could not find a system that characterized threat actors objectively and orthogonally, so drawing on available research we developed our own taxonomy to describe human threat.  It describes threat at the strategic level, so we do not need attributes for every low-level activity such as “Steals designs for new products” and “Copies secret recipe”; instead, we use the more inclusive “Gain technical advantage.”

 

From the taxonomy we created a library of 23 threat actor classes, which we call "threat agents" to differentiate from actual people.  The Library is intended to be universal in application without bias towards terrorism, hacktivism, etc., or to organizations such as LEOs or government agencies.  It contains well-defined characters such as Government Spy, Data Miner, Disgruntled Employee, Radical Activist, Cyber Vandal, etc.  We also couldn't find a fully orthogonal and comprehensive classification for motivation, so drawing on LEO and psychology research we developed a 10-point Motivation classification: Accidental, Coercion, Disgruntlement, Dominance, Ideology, Notoriety, Organizational Gain, Personal Financial Gain, Personal Satisfaction, and Unpredictable.


A number of organizations are now using the Library and the supporting taxonomy and motivation parameters for their risk assessment and management systems, including the U.S. Dept. of Homeland Security.  The papers defining those are attached, as well as our Field Guide to Insider Threat as one example of how this methodology can be used.


I propose the working group consider drawing on our research and application of human threat analysis in updating the Threat Actor object for clearer and more actionable attributes.  This is public info; there is no licensing or fee involved.

 

Respectfully,

 

Tim

 

 

 

Tim Casey

Senior Strategic Risk Analyst

Threat Intelligence & Infrastructure Protection

Intel Corporation

Chandler, AZ  USA

480-552-0222

tim.casey@intel.com

@timcaseycyber

 

 

 

 

 

Attachment: Intel Corp_Threat Agent Library_Sep2007.pdf

Attachment: Intel Corp_Threat Agent Motivations_Feb2015.pdf

Attachment: A Field Guide to Insider Threat_Intel Corp_Oct 2015.pdf


