Subject: Re: [cti-stix] Threat actor classification info for today's meeting
FYI, this Taxonomy (used in TARA from what I know) was highlighted (by Jane) some time ago in 'this' working group:
http://making-security-measurable.1364806.n2.nabble.com/STIX-Report-Template-for-Threat-Intelligence-and-Incident-Response-td7587454.html
(and there http://fr.slideshare.net/jeromeathias/threat-modeling-capecwebapplication )

While I reviewed and used these documents as part of a personal research project, I can tell that I found interesting elements in it. Moreover, while I used quite a lot of resources regarding the discussed domain, I would argue that the interesting identified elements have been validated and consolidated against other research.

With that said, I have to say that I tried to highlight concepts like "Threat Agents" (vs "Threat Actor" in STIX, or just "Actor" in, i.e. OMG) while more commonly used as a term for this concept in the (numerous) documents (including international standards...)/research I've reviewed. The same for "Assets" or "IT Assets".

Facts are that I have the feeling that due to the different background, experience of focus/objectives of our members today, these "abstracted concepts" are still not commonly understood, or the benefits (such as an easier mapping of the information/data exchanged in "CTI objects" with other domains' formats, international standards/frameworks concepts and terminology) of using these terms, as abstracted terms/concepts/objects, are not currently understood by the majority of our members.

My current feeling is that an effort of "simplification" through a visual representation of the Cyber Information Model would help to save time for the community, for common understanding and consensus. A small group of us are currently (or in the near future) working on it using a conceptual modeling (mind map) methodology approach... Another small group initiated (and tried to promote) an Ontology approach...

But some questions, regarding this specific topic:

- Is TAL available as an XML, or Excel file? (I mean something directly machine-usable other than PDF)
- Is there a "License" around it?
- Would it be envisioned to make it available, for example, as an IANA registry?
- (Did you do any mapping with other taxonomies, for example VERIS?)
- Same questions for TARA...

Best regards

2016-07-07 20:40 GMT+03:00 Casey, Timothy P <timothy.p.casey@intel.com>:

> Jerome, thanks for the insights. I hope that the Working Group can utilize the taxonomy, possibly even just dropping it (mostly) in place for some of the parameters in the Threat Actor object. The advantages are that the TA taxonomy has been used in many places so it would have some continuity with existing systems, especially in the US DHS. This taxonomy also has been developed and tested over time, and the feedback has been very strong that this is more comprehensive and unbiased than many other approaches. Many such descriptors are focused mostly on hacktivism or terrorism, but there are far more types of attackers than just those two that corporations have to deal with.
>
> While any one particular threat actor report may not have a great deal of value for responding to a particular incident, the data we collect over time could be very valuable. Just as we all spend a great deal on business competitive analysis, we need security competitive analysis as well, helping to understand our adversaries in security every bit as well as our business competitors. And do it for the same reasons as business CI – to strategize a better defense and react quickly when changes occur. Well-formatted, detailed information about the adversary can help provide some of that intelligence to help us better identify and defend our targeted assets.
>
> By carefully defining the Threat Actor object, I believe we have the opportunity to further elevate its usefulness as an essential part of our collective intelligence network for both reactive and proactive security.
>
> Tim
>
> From: Jerome Athias [mailto:athiasjerome@gmail.com]
> Sent: Thursday, July 07, 2016 9:19 AM
> To: Casey, Timothy P <timothy.p.casey@intel.com>
> Cc: cti-stix@lists.oasis-open.org
> Subject: Re: [cti-stix] Threat actor classification info for today's meeting
>
> Tim,
>
> Thanks for sharing
>
> A small group of us pushed for a long time for both the use of proper classifications/categorizations (aka Taxonomies/Controlled Vocabularies) and a Cybersecurity Ontology approach.
>
> I personally highlighted some time ago that the concept of Threat Agent (as used in OWASP for example, and Business Continuity or Threat Modeling), more general than Threat Actor (basically Person/Person Group(s) so Organisation - see Asset Identification in the SCAP family), including, for example, Acts of God, is a really interesting concept for the use of a CTI (STIX concepts/subjects/objects) based interchange format, for a broader audience (understand sectors) for fast, efficient at scale automated (M2M) exchange of information (such as Incident data)
>
> So again, thanks for sharing.
>
> PS: if interested, we collected a list of various taxonomies applying to the domain (e.g. Cybercrime)
>
> Best regards
>
> On Thursday, 7 July 2016, Casey, Timothy P <timothy.p.casey@intel.com> wrote:
>
> Everyone,
>
> Here is the research I mentioned in the CTI meeting today regarding threat actor characterization. As I mentioned, for some time my team has been studying human threats as a class. We could not find a system that characterized threat actors objectively and orthogonally, so drawing on available research we developed our own taxonomy to describe human threat. It describes threat at the strategic level, so we do not need attributes for every low-level activity such as “Steals designs for new products” and “Copies secret recipe,” instead we use the more inclusive “Gain technical advantage.”
>
> From the taxonomy we created a library of 23 threat actor classes, which we call "threat agents" to differentiate from actual people. The Library is intended to be universal in application without bias towards terrorism, hacktivism, etc., or to organizations such as LEOs or government agencies. It contains well-defined characters such as Government Spy, Data Miner, Disgruntled Employee, Radical Activist, Cyber Vandal, etc. We also couldn't find a fully orthogonal and comprehensive classification for motivation, so drawing on LEO and psychology research we developed a 10-point Motivation classification: Accidental, Coercion, Disgruntlement, Dominance, Ideology, Notoriety, Organizational Gain, Personal Financial Gain, Personal Satisfaction, and Unpredictable.
>
> A number of organizations are now using the Library and the supporting taxonomy and motivation parameters for their risk assessment and management systems, including the U.S. Dept. of Homeland Security. The papers defining those are attached, as well as our Field Guide to Insider Threat as one example of how this methodology can be used.
>
> I propose the working group consider drawing on our research and application of human threat analysis in updating the Threat Actor object for clearer and more actionable attributes. This is public info; there is no licensing or fee involved.
>
> Respectfully,
>
> Tim
>
> Tim Casey
> Senior Strategic Risk Analyst
> Threat Intelligence & Infrastructure Protection
> Intel Corporation
> Chandler, AZ USA
> 480-552-0222
> tim.casey@intel.com
> @timcaseycyber