cti-stix message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: Re: [cti-stix] Threat actor classification info for today's meeting


Tim,

Thanks for sharing.
A small group of us pushed for a long time for both the use of proper classifications/categorizations (aka Taxonomies/Controlled Vocabularies) and a Cybersecurity Ontology approach.
I personally highlighted some time ago that the concept of Threat Agent (as used in OWASP for example, and in Business Continuity or Threat Modeling), more general than Threat Actor (basically Person/Person Group(s), so Organisation; see Asset Identification in the SCAP family), including, for example, Acts of God, is a really interesting concept for the use of a CTI (STIX concepts/subjects/objects) based interchange format, for a broader audience (understand: sectors), for fast, efficient, at-scale automated (M2M) exchange of information (such as Incident data).
So again, thanks for sharing.
PS: if interested, we collected a list of various taxonomies applying to the domain (e.g. Cybercrime).

Best regards,

On Thursday, 7 July 2016, Casey, Timothy P <timothy.p.casey@intel.com> wrote:

Everyone,


Here is the research I mentioned in the CTI meeting today regarding threat actor characterization.  As I mentioned, for some time my team has been studying human threats as a class.  We could not find a system that characterized threat actors objectively and orthogonally, so drawing on available research we developed our own taxonomy to describe human threat.  It describes threat at the strategic level, so we do not need attributes for every low-level activity such as “Steals designs for new products” and “Copies secret recipe”; instead we use the more inclusive “Gain technical advantage.”


From the taxonomy we created a library of 23 threat actor classes, which we call "threat agents" to differentiate them from actual people.  The Library is intended to be universal in application, without bias towards terrorism, hacktivism, etc., or towards organizations such as LEOs or government agencies.  It contains well-defined characters such as Government Spy, Data Miner, Disgruntled Employee, Radical Activist, Cyber Vandal, etc.  We also couldn't find a fully orthogonal and comprehensive classification for motivation, so drawing on LEO and psychology research we developed a 10-point Motivation classification: Accidental, Coercion, Disgruntlement, Dominance, Ideology, Notoriety, Organizational Gain, Personal Financial Gain, Personal Satisfaction, and Unpredictable.


A number of organizations are now using the Library and the supporting taxonomy and motivation parameters for their risk assessment and management systems, including the U.S. Dept. of Homeland Security.  The papers defining those are attached, as well as our Field Guide to Insider Threat as one example of how this methodology can be used.


I propose the working group consider drawing on our research and application of human threat analysis in updating the Threat Actor object for clearer and more actionable attributes.  This is public info; there is no licensing or fee involved.


Respectfully,


Tim


Tim Casey

Senior Strategic Risk Analyst

Threat Intelligence & Infrastructure Protection

Intel Corporation

Chandler, AZ  USA

480-552-0222

tim.casey@intel.com

@timcaseycyber
