Subject: Re: [cti-stix] Threat actor classification info for today's meeting
Everyone,
Here is the research I mentioned in the CTI meeting today regarding threat actor characterization. As I mentioned, for some time my team has been studying human threats as a class. We could not find a system that characterized threat actors objectively and orthogonally, so drawing on available research we developed our own taxonomy to describe human threat. It describes threat at the strategic level, so we do not need attributes for every low-level activity such as “Steals designs for new products” and “Copies secret recipe”; instead we use the more inclusive “Gain technical advantage.”
From the taxonomy we created a library of 23 threat actor classes, which we call "threat agents" to differentiate from actual people. The Library is intended to be universal in application without bias towards terrorism, hacktivism, etc., or to organizations such as LEOs or government agencies. It contains well-defined characters such as Government Spy, Data Miner, Disgruntled Employee, Radical Activist, Cyber Vandal, etc. We also couldn't find a fully orthogonal and comprehensive classification for motivation, so drawing on LEO and psychology research we developed a 10-point Motivation classification: Accidental, Coercion, Disgruntlement, Dominance, Ideology, Notoriety, Organizational Gain, Personal Financial Gain, Personal Satisfaction, and Unpredictable.
A number of organizations are now using the Library and the supporting taxonomy and motivation parameters for their risk assessment and management systems, including the U.S. Dept. of Homeland Security. The papers defining those are attached, as well as our Field Guide to Insider Threat as one example of how this methodology can be used.
I propose the working group consider drawing on our research and application of human threat analysis in updating the Threat Actor object for clearer and more actionable attributes. This is public info; there is no licensing or fee involved.
Respectfully,
Tim
Tim Casey
Senior Strategic Risk Analyst
Threat Intelligence & Infrastructure Protection
Intel Corporation
Chandler, AZ USA
480-552-0222
@timcaseycyber