cti-stix message

Subject: Re: [cti-stix] Threat actor classification info for today's meeting


FYI, this Taxonomy (used in TARA from what I know) was highlighted (by
Jane) some time ago in 'this' working group.

http://making-security-measurable.1364806.n2.nabble.com/STIX-Report-Template-for-Threat-Intelligence-and-Incident-Response-td7587454.html

(and there http://fr.slideshare.net/jeromeathias/threat-modeling-capecwebapplication
)

While I reviewed and used these documents as part of a personal
research project, I can tell that I found interesting elements in it.
Moreover, while I used quite a lot of resources regarding the
discussed domain, I would argue that the interesting identified
elements have been validated and consolidated against other
research.
With that said, I have to say that I tried to highlight concepts like
"Threat Agents" (vs "Threat Actor" in STIX, or just "Actor" in, i.e.
OMG) while more commonly used as a term for this concept in the
(numerous) documents (including international standards...)/researches
I've reviewed.
The same for "Assets" or "IT Assets".
Facts are that I have the feeling that due to the different
background, experience of focus/objectives of our members today, these
"abstracted concepts" are still not commonly understood, or the
benefits (such as an easier mapping of the information/data exchanged
in "CTI objects" with other domains' formats, international
standards/frameworks concepts and terminology) of using these terms,
as abstracted terms/concepts/objects is not currently understood by
the majority of our members.

My current feeling is that an effort of "simplification" through a
visual representation of the Cyber Information Model would help to
save time for the community, for common understanding and consensus.
A small group of us are currently (or in a near future) working on it
using a conceptual modeling (mind map) methodology approach...
Another small group initiated (and tried to promote) an Ontology approach...

But some questions, regarding this specific topic:
- Is TAL available as an XML, or Excel file? (I mean something
directly machine-usable other than PDF)
- Is there a "License" around it?
- Would it be envisioned to make it available, for example, as an IANA registry?
(- Did you do any mapping with other taxonomies, for example VERIS?)

- Same questions for TARA...

Best regards

2016-07-07 20:40 GMT+03:00 Casey, Timothy P <timothy.p.casey@intel.com>:
> Jerome, thanks for the insights.  I hope that the Working Group can utilize
> the taxonomy, possibly even just dropping it (mostly) in place for some of
> the parameters in the Threat Actor object.  The advantages are that the TA
> taxonomy has been used in many places so it would have some continuity with
> existing systems, especially in the US DHS.  This taxonomy also has been
> developed and tested over time, and the feedback has been very strong that
> this is more comprehensive and unbiased than many other approaches.  Many
> such descriptors are focused mostly on hacktivism or terrorism, but there
> are far more types of attackers than just those two that corporations have
> to deal with.
>
> While any one particular threat actor report may not have a great deal of
> value for responding to a particular incident, the data we collect over
> time could be very valuable.  Just as we all spend a great deal on business
> competitive analysis, we need security competitive analysis as well, helping
> to understand our adversaries in security every bit as well as our business
> competitors.  And do it for the same reasons as business CI – to strategize
> a better defense and react quickly when changes occur.  Well-formatted,
> detailed information about the adversary can help provide some of that
> intelligence to help us better identify and defend our targeted assets.
>
> By carefully defining the Threat Actor object, I believe we have the opportunity
> to further elevate its usefulness as an essential part of our collective
> intelligence network for both reactive and proactive security.
>
> Tim
>
> From: Jerome Athias [mailto:athiasjerome@gmail.com]
> Sent: Thursday, July 07, 2016 9:19 AM
> To: Casey, Timothy P <timothy.p.casey@intel.com>
> Cc: cti-stix@lists.oasis-open.org
> Subject: Re: [cti-stix] Threat actor classification info for today's meeting
>
> Tim,
>
> Thanks for sharing
>
> A small group of us pushed for a long time for both the use of proper
> classifications/categorizations (aka Taxonomies/Controlled Vocabularies) and
> Cybersecurity Ontology approach.
>
> I personally highlighted some time ago that the concept of Threat Agent (as
> used in OWASP for example, and Business Continuity or Threat Modeling), more
> general than Threat Actor (basically Person/Person Group(s) so Organisation
> - see Asset Identification in the SCAP family), including, for example, Acts
> of God, is a really interesting concept for the use of CTI (STIX
> concepts/subjects/objects) based interchange format, for a broader audience
> (understand sectors) for fast, efficient at scale automated (M2M) exchange
> of information (such as Incident data)
>
> So again, thanks for sharing.
>
> PS: if interested, we collected a list of various taxonomies applying to the
> domain (e.g. Cybercrime)
>
>
> Best regards
>
> On Thursday, 7 July 2016, Casey, Timothy P <timothy.p.casey@intel.com>
> wrote:
>
> Everyone,
>
> Here is the research I mentioned in the CTI meeting today regarding threat
> actor characterization.  As I mentioned, for some time my team has been
> studying human threats as a class.  We could not find a system that
> characterized threat actors objectively and orthogonally, so drawing on
> available research we developed our own taxonomy to describe human threat.
> It describes threat at the strategic level, so we do not need attributes for
> every low-level activity such as “Steals designs for new products” and
> “Copies secret recipe,” instead we use the more inclusive “Gain technical
> advantage.”
>
> From the taxonomy we created a library of 23 threat actor classes, which we
> call "threat agents" to differentiate from actual people.  The Library is
> intended to be universal in application without bias towards terrorism,
> hacktivism, etc., or to organizations such as LEOs or government agencies.
> It contains well-defined characters such as Government Spy, Data Miner,
> Disgruntled Employee, Radical Activist, Cyber Vandal, etc.  We also couldn't
> find a fully orthogonal and comprehensive classification for motivation, so
> drawing on LEO and psychology research we developed a 10-point Motivation
> classification: Accidental, Coercion, Disgruntlement, Dominance, Ideology,
> Notoriety, Organizational Gain, Personal Financial Gain, Personal
> Satisfaction, and Unpredictable.
>
> A number of organizations are now using the Library and the supporting
> taxonomy and motivation parameters for their risk assessment and management
> systems, including the U.S. Dept. of Homeland Security.  The papers defining
> those are attached, as well as our Field Guide to Insider Threat as one
> example of how this methodology can be used.
>
> I propose the working group consider drawing on our research and application
> of human threat analysis in updating the Threat Actor object for clearer and
> more actionable attributes.  This is public info, there is no licensing or
> fee involved.
>
> Respectfully,
>
> Tim
>
> Tim Casey
>
> Senior Strategic Risk Analyst
>
> Threat Intelligence & Infrastructure Protection
>
> Intel Corporation
>
> Chandler, AZ  USA
>
> 480-552-0222
>
> tim.casey@intel.com
>
> @timcaseycyber